If you’re one of the 43.4% of IT professionals who have been involved in the rollout of an endpoint agent, you likely have strong feelings about the experience. That’s according to a survey of over 200 IT leaders conducted by the Cloud Security Alliance (download a free copy here). As enterprises begin to grapple with the architecture needed to secure cloud services in a world without a perimeter, endpoint agents are one approach being discussed to provide coverage for employees accessing cloud services from off the corporate network. But they are not without their drawbacks. In addition to IT hiring trends, security skills, and alert fatigue, CSA’s survey asked IT professionals about their experiences in rolling out endpoint agents in order to understand how agents will play a role in securing cloud usage.
Among IT professionals who have been involved in an agent deployment, 100% report they have experienced at least one significant issue and 52.8% would characterize the prospect of rolling out a new agent to devices as “difficult”. Just 11.1% say the rollout would be easy. When asked about the challenges they have faced, 63.6% report that they have experienced slower device performance and 44.3% have had challenges with device and driver conflicts that break device functionality. Perhaps due to the wide variety of endpoint agents in use today, 42.9% say that it is challenging to test cross-agent compatibility for each new version of each agent, and 27.1% have had issues with system crashes and the dreaded “blue screen of death”. Finally, 36.4% of respondents said they had experienced concerns about user privacy and liability.
Perhaps due to the challenges of rolling out agent software on thousands of corporate-owned and employee devices with many operating systems, organizations today have procured endpoint agent-based security solutions but have only partially deployed them and have solutions they have procured but never deployed. At the same time, enterprises use a wide variety of different endpoint agents including ones for firewall/VPN/NAC (e.g. Cisco, Juniper, Check Point, Palo Alto Networks), secure web gateway (e.g. Blue Coat, WebSense, Zscaler, Intel-McAfee, Cisco), endpoint data loss prevention (e.g. Symantec, Guardian, Websense), antivirus (e.g. Symantec, Intel-McAfee), endpoint detection and response (e.g. Bit9 Carbon Black, Cisco SourceFire, Mandiant), PC configuration management (e.g. Tanium, IBM Tivoli, Microsoft SCCM), and mobile device management (e.g. Airwatch, MobileIron, Citrix, Good Technology).
Recognizing the complexity of managing multiple endpoint agents and ensuring they interoperate together, as well as privacy concerns, 67.5% of IT professionals themselves are hesitant to roll out a corporate endpoint agent on their own personal devices. When asked if they would personally want a new agent-based security solution installed on their mobile device, 41.0% of IT professionals flatly said no. Another 26.5% said they would install it only if their company required it. It’s clear more effort needs to be made from security vendors to address issues that IT security teams face with endpoint agent deployments. The good news is there are agentless approaches to gaining visibility and enforcing policies for off-network usage of cloud services. Read about the functionality and access coverage for different CASB deployments options in our cloud security reference architecture.