Agentless workload scanning brings better visibility without new security risks
By: Nolan Karpinski, Principal Product Manager
September 8, 2022
Note: This functionality is now generally available
When it comes to securing the cloud, it’s crucial to implement a solution that works with your unique environment. At Lacework©, we want everyone to have the flexibility to choose the right approach for their organization. We also know that deciding between agents and agentless solutions is a false choice — and our Polygraph® Data Platform delivers comprehensive security through a combination of methods.
Whatever your needs, we want to provide our customers with every method available to collect data for their security program. For instance, some scenarios require agents to get true visibility into a cloud environment. For other use cases, such as vulnerability assessment and secrets detection, agentless capabilities are an excellent option.
Our agentless workload scanning, now available in public preview for all customers, allows you to scan your entire runtime environment (hosts, containers, application language libraries) in just a few minutes to detect vulnerability risk.
But not all agentless solutions are created equal. With our agentless workload scanning solution, we’re empowering you with cloud-native capabilities that protect your environments and data. The Lacework approach is cost-effective and secure by design so customers can quickly operationalize security with no additional overhead or resources.
Prioritizing privacy: your data is your data
When you’re using any security solution, it’s natural to be concerned about your own privacy. Receiving protection is critical, but how much of your information can the solution itself access?
The Lacework Platform never has access to raw customer data or volumes outside of the customer account. With our agentless workload scanning capabilities, our analysis of raw customer data runs within the customer account, so it’s completely self-contained.
Lacework only sees the results of this analysis, and you don’t ever have to share your snapshots directly with Lacework. Your data should always be under your control—and we make every effort to keep it that way.
But that’s not the only step we take to ensure the safety of your information. We believe that security solutions should help you reduce risk, not expand your attack surface. In practice, we operate according to the principle of least privilege. We do not need admin access to “auto deploy” infrastructure into your cloud environment. We believe those privileges should be 100% customer-controlled.
Since everything we run in the customer environment is self-contained, Lacework requires very few permissions to operate in your cloud. All we need is read-only access to a single S3 bucket that stores the results from the analysis engine (which, again, is running in the customer account). The only other privilege we have is to execute the ECS Fargate task that performs this analysis. We have no ability to deploy new infrastructure or otherwise manage your cloud environment.
In a worst-case scenario, your organization is separated by our implementation of least privilege and your customer data is safe. Instead of ingesting raw customer data into our cloud service, Lacework ensures we are always in the business of reducing the risk for your organization while minimizing your IT burden.
Additionally, we protect your privacy by ensuring auditability. Any assessment results that Lacework receives are fully and easily auditable, so you can clearly understand what you’re sending to Lacework.
The simplicity of this architecture enables our customers to understand exactly what Lacework can view from their environment. All you have to do is go to the single S3 bucket we can access, view the JSON analysis files, and presto — there you have it. That’s the only data Lacework can ever see outside of the customer environment.
A commitment to cost savings for you
With our commitment to your privacy, we now offer the industry’s most cost effective way to perform agentless scanning. Here’s how it works:
When Lacework runs its service (more specifically, a serverless ECS Fargate task) within the customer account, this service runs on a schedule the customer defines. It will read through your snapshots, block by block (only those blocks with data), to discover the installed host packages. If it’s a Kubernetes node, the service will also determine what container images might exist on that snapshot.
For example, let’s say you have an EKS cluster that’s a set of 50 or so EKS nodes, all running Kubernetes with a container operating system. On each of those nodes, you’ll have a set of container images that are actually executing the application. We’ll use our agentless approach to scan all of those images for vulnerabilities.
Here’s one more unique aspect of our agentless workload scanning capabilities: Instead of creating a volume from the snapshot and attaching that physical volume to our analysis engine, we use AWS APIs to query the snapshot directly and “stream” it through a patented analysis engine. Since this method eliminates the need to create additional infrastructure (i.e., volumes or instances), it has the additional benefits of saving you money and reducing unnecessary complexity. And we’re the only solution out there that offers this capability.
Flexibility across the board
Whatever your security requirements, Lacework offers a comprehensive, user-friendly, and cost-effective solution. Thanks to our new agentless workload scanning capabilities, our solution just got even better. We’re keeping your privacy, as well as your financial needs, at top of mind.
An agentless method is one part of the bigger picture. For more information on how we use a layered approach, please check out our white paper on the topic. Only a multifaceted solution can give you the full level of visibility you need to protect your business.