ELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT

Agentless discovery can’t find all keys and certificates
www.venafi.com
When deploying security within any environment, one choice that always comes up is whether to deploy an agent-based or agentless solution. There are positives and negatives to both approaches. This white paper aims to help you choose which method will best protect keys and certificates, the foundation of your security, based on the problem you want to solve and the level of security you want to reach. This is a significant issue that impacts most of the Global 5000: 54% don’t have visibility into where all their keys and certificates are, and many of those keys and certificates are not network discoverable.
Agentless Key and Certificate Discovery Is Not Enough
Most organizations prefer agentless security platforms, services, and solutions because they typically require less configuration and administration and have minimal impact on system resources. For network discovery, most tend to believe that agentless discovery meets their requirements to secure keys and certificates. However, the problem they are solving for has changed. It is no longer a simple PKI management question (“where are all of my keys and certificates, and how many do I have?”). It is now a security issue: attackers are using encryption to hide their malicious activities within your traffic.
Key and certificate management is no longer just an IT function. So it cannot be treated the same way IT generally thinks about installing applications, servers, and services. It has become a security program, and as such, it requires continuous monitoring, compliance, and regulation. This does not mean that IT security teams need to install and maintain an agent that is burdensome and resource intensive. Rather, the ideal discovery agent will have minimal system impact and be discreet, reliable, and agile enough that it can be installed anywhere. At the same time, it should be robust enough to leverage automation, receive updates, and enforce policies from the management platform.
Venafi Agent and Agentless Discovery
The Venafi™ Trust Protection Platform features agentless discovery that provides a very comprehensive view into your encryption posture to help you eliminate any security blind spots that are caused by unknown or rogue keys and certificates. Consistent monitoring and discovery for network discoverable keys and certificates helps eliminate a majority of these blind spots. However, there are still some locations where keys and certificates cannot be found with agentless discovery.
The Venafi™ agent is a client/server application that works within the Venafi Trust Protection Platform to provide constant visibility into the blind spots where agentless discovery cannot see. The Venafi agent continuously monitors for any changes to your SSL/TLS keys and certificates and SSH keys on any supported system in your network.
The Venafi agent is installed on local systems where it performs scheduled protection for encryption assets found in designated keystores and directories that are not network discoverable. In addition, the Venafi agent enforces SSH security policies, adds and removes access keys, and ensures the reliable rotation of both user and authorized SSH keys. The agent enables you to change SSH source restrictions, forced commands and other key options to harden your SSH security and enforce customized SSH policies.
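As an added example (not Venafi code) of the kind of check and hardening an agent can apply to SSH key options, the following Python parses OpenSSH authorized_keys entries, reports whether each key carries a from= source restriction and a forced command, and rebuilds the line with the missing options added. The policy values and the sample file are constructed assumptions.

```python
"""Audit OpenSSH authorized_keys entries against a key-option policy (added
example, not Venafi code). The policy values and sample file are assumptions."""
import re

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
REQUIRED_OPTIONS = ["no-port-forwarding", "no-agent-forwarding"]  # assumed policy
DEFAULT_FROM = 'from="10.0.0.0/8"'                                  # assumed policy

# Options are comma separated, but commas and spaces may appear inside quotes.
QUOTED = r'"(?:\\.|[^"])*"'
ENTRY_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|' + QUOTED + r')+)\s+)?'
    + r'(?P<type>' + "|".join(map(re.escape, KEY_TYPES)) + r')\s+(?P<key>\S+)'
    + r'(?:\s+(?P<comment>.*))?$')
OPTION_RE = re.compile(r'(?:[^,"]|' + QUOTED + r')+')

def parse_entry(line):
    """Return (options, key type, key, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY_RE.match(line)
    if m is None:
        raise ValueError("unparseable authorized_keys line: " + line)
    opts = OPTION_RE.findall(m.group("opts")) if m.group("opts") else []
    return opts, m.group("type"), m.group("key"), m.group("comment") or ""

def audit_entry(line):
    """Report source restriction, forced command and missing options; build the hardened line."""
    opts, ktype, key, comment = parse_entry(line)
    forced = next((o[9:-1] for o in opts if o.startswith('command="')), None)
    has_from = any(o.startswith("from=") for o in opts)
    missing = [o for o in REQUIRED_OPTIONS if o not in opts]
    hardened = ([] if has_from else [DEFAULT_FROM]) + opts + missing
    line_out = " ".join(p for p in (",".join(hardened), ktype, key, comment) if p)
    return {"type": ktype, "has_from": has_from, "forced_command": forced,
            "missing": missing, "hardened": line_out}

def audit_file(text):
    """Audit every real entry in an authorized_keys file body."""
    return [audit_entry(ln) for ln in text.splitlines() if parse_entry(ln) is not None]

# Constructed sample file: one unrestricted key, one already hardened.
SAMPLE = """# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyData deploy@build01
from="10.0.0.0/8",command="/usr/bin/rrsync /srv/backup",no-pty,no-port-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructed backup@host
"""
```

An agent would write the hardened lines back only under a policy approved centrally; here the hardened form is returned so it can be reviewed first.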
The chart below compares use cases where either an agent-based or agentless approach is best suited to the discovery of keys and certificates.
AGENTLESS DISCOVERY
• Any network-facing TLS/SSL keys
• Any network-facing SSH servers
• Network appliances
• SSH keys on Linux, HPUX, AIX, Solaris (a credential to log in to the box using SSH is required)

AGENT-BASED DISCOVERY
• Certificates using TLS protocols that are not discoverable
• Certificates where SNI is being used
• Certificates that are being used for client authentication
• PEM store
• PKCS12 store
• P7B store
• Java Key Store
• CMS key store
• iPlanet keystore
• SSH keys on Linux, HPUX, AIX, Solaris
• SSH keys on Windows
• SSH key usage monitoring
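As an added example (not Venafi code) of the SSH key usage monitoring listed in the chart, and of the log-based key usage audit described later under Additional Features, the following Python counts accepted publickey logins per fingerprint from OpenSSH log lines and compares them with a key inventory. The log lines and the inventory are constructed for this example.

```python
"""SSH key-usage audit from sshd logs (added example, not Venafi code).
The log lines and the key inventory below are constructed for this example."""
import re
from collections import Counter

# OpenSSH logs the key type and SHA256 fingerprint on every successful publickey login.
ACCEPTED_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ "
                         r"ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)")

SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2213]: Accepted publickey for deploy from 10.1.2.3 port 50122 ssh2: ED25519 SHA256:ConstructedFpAAAA
Mar  3 09:15:44 web01 sshd[2290]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar  3 10:02:17 web01 sshd[2401]: Accepted publickey for deploy from 10.1.2.3 port 50190 ssh2: ED25519 SHA256:ConstructedFpAAAA
Mar  3 11:40:05 web01 sshd[2610]: Accepted publickey for root from 10.9.8.7 port 33010 ssh2: RSA SHA256:ConstructedFpCCCC
"""

# Fingerprint -> (account, comment) for keys found in authorized_keys files on this host.
INVENTORY = {
    "SHA256:ConstructedFpAAAA": ("deploy", "deploy@build01"),
    "SHA256:ConstructedFpBBBB": ("deploy", "old-laptop"),
}

def key_usage(log_text):
    """Count accepted logins per (account, fingerprint); all other log lines are ignored."""
    usage = Counter()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            usage[(m.group("user"), m.group("fp"))] += 1
    return usage

def audit(log_text, inventory):
    """Inventory keys never seen logging in, and logins by keys that are not in the inventory."""
    usage = key_usage(log_text)
    seen = {fp for _user, fp in usage}
    return {
        "usage": usage,
        "unused": sorted(fp for fp in inventory if fp not in seen),
        "unknown": sorted((user, fp) for user, fp in usage if fp not in inventory),
    }
```

Unused keys are rotation or removal candidates; an unknown fingerprint that is accepted means an authorized_keys entry exists that the inventory never saw.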
How Lightweight Is the Venafi Agent?
The Venafi agent only requires 40 MB of free disk space: 30 MB for the agent software and 10 MB to queue data to be sent to the Trust Protection Platform server. The agent’s utilization profile (both memory and CPU) depends on the number of keys and certificates on a system. The only port that needs to be opened is 443 back to the Trust Protection Platform server. The agent supports Linux, Solaris, HPUX, AIX, and Windows.
The agent was designed to minimize both CPU usage and overall system resource impact. For example, the agent has a feature called “Randomization” that randomizes the times at which the agent communicates with the server or performs a scan on a host system. Because the guests’ agents then do not all scan or check in at the same moment, the “Randomization” feature reduces the impact on a hypervisor host with multiple guest systems running on it.
Once the agent performs its initial discovery and submits the discovered certificates and keys to the Trust Protection Platform server, its subsequent updates only include data that has changed. The times when the agent actively performs scanning or remediation operations are centrally configurable (e.g., hourly, daily, weekly, monthly, time of day). This gives administrators complete control of the operating footprint of the agent.
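The following Python is an added example (not Venafi code) of the two behaviours described above: a scheduled scan of designated directories that fingerprints keystore files, and a delta against the previous snapshot so that only additions, modifications and removals are submitted. The extension-to-keystore map and the directory tree the demo builds are constructed assumptions.

```python
"""Local keystore inventory with change-only reporting (added example, not Venafi
code). The extension-to-keystore map is an assumption made for this example."""
import hashlib
import os
import pathlib
import tempfile
# Store types from the comparison chart, recognised here by conventional file extension.
KEYSTORE_EXTENSIONS = {".pem": "PEM", ".crt": "PEM", ".key": "PEM",
                       ".p12": "PKCS12", ".pfx": "PKCS12", ".p7b": "P7B",
                       ".jks": "JKS", ".kdb": "CMS"}

def scan(directories):
    """Fingerprint every keystore file under the designated directories: {path: (type, sha256)}."""
    inventory = {}
    for base in directories:
        for root, _dirs, files in os.walk(base):
            for name in files:
                store = KEYSTORE_EXTENSIONS.get(os.path.splitext(name)[1].lower())
                if store is None:          # not a keystore: never leaves the host
                    continue
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    inventory[path] = (store, hashlib.sha256(fh.read()).hexdigest())
    return inventory

def delta(previous, current):
    """Only what changed since the last submission, reported by file name."""
    name = os.path.basename
    return {
        "added": sorted(name(p) for p in current if p not in previous),
        "modified": sorted(name(p) for p in current if p in previous and previous[p] != current[p]),
        "removed": sorted(name(p) for p in previous if p not in current),
    }

def demo():
    """Two scan cycles over a constructed directory tree; returns (first delta, second delta)."""
    with tempfile.TemporaryDirectory() as base:
        pki = pathlib.Path(base, "etc", "pki")
        pki.mkdir(parents=True)
        (pki / "server.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\nconstructed v1\n")
        (pki / "app.jks").write_bytes(b"\xfe\xed\xfe\xed constructed jks")
        (pki / "README.txt").write_bytes(b"not a keystore, ignored by scan()")
        first = scan([base])
        # Between cycles: the server cert is rotated, a client store appears, the JKS goes away.
        (pki / "server.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\nconstructed v2\n")
        (pki / "client.p12").write_bytes(b"\x30\x82 constructed pkcs12")
        (pki / "app.jks").unlink()
        second = scan([base])
    return delta({}, first), delta(first, second)
```

The first cycle sends the full inventory; the second sends three records instead of the whole snapshot, which is what keeps the steady-state check-in small.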
Using the Venafi agent can also reduce the amount of work required to configure and manage trust between Trust Protection Platform and the agent-enabled devices where you plan to deploy certificates. This is especially true if you do not use similar configurations across devices where you want to install certificates. As certificates are discovered, Trust Protection Platform creates the necessary objects so that it can manage the discovered certificates almost immediately, regardless of their configuration.
The agent-based method also helps with load distribution because installed Server Agents use the system resources on the devices where they are installed—as opposed to an agentless approach, where all of the work performed is on the Trust Protection Platform server. With an agent, you avoid having a single device perform hundreds of tasks. Instead, you have hundreds of devices performing a few tasks each.
Venafi Agent Benefits
GROUPING
Allows you to logically group agent-enabled devices so that you can easily assign different configurations to those devices within each group. Grouping devices also lets you more easily delegate groups to other administrators to coordinate and complete various types of work.
NO REQUIREMENT FOR CREDENTIALS
Eliminates the challenge of managing multiple credentials. Agentless technologies, in some cases, require administrative credentials for agentless discovery. This makes it challenging to find the right people to obtain the credentials from, and then to keep those credentials in sync when they are changed.
With the Venafi agent installed, this is easier because the server agent runs as a system service/daemon with administrative access. The connection back to the Venafi Trust Protection Platform is protected with TLS encryption and authentication that includes a rolling code that changes on every agent check-in. With the Venafi agent, administrators do not need to worry about gathering and managing credentials, because authentication between the platform and the agents is automatic once they register.
WORK ASSIGNMENT BY GROUP
Lets you define group membership rules for each agent group. Rules allow you to specify criteria that determine which systems become members of which groups. Work can then be configured and assigned to the systems within each group. There are several different types of work that can be configured within agent groups, including agent registration, SSH configuration, certificate discovery, and agent upgrades. For example, you might assign agent registration work to one group and SSH configuration work to another group; or you could assign all work types to one or more agent groups.
Additional Features
The agent discovers SSH encryption assets located on the file system, rotates authorized keys and user keys for SSH, and uses client REST APIs over HTTPS. In addition, the agent can be used to audit key usage by gathering information from SSH server logs.
Example Scenarios
Each consideration below is paired with the recommended approach.
• If you have a Unix or Linux system and you need CMS (GSK), JKS, PEM, or PKCS#12: Agent or Agentless, depending on which method best fits your organization.
• If you have a network appliance like F5 Big-IP LTM, Citrix NetScaler, A10 vThunder, IBM DataPower, etc.: Agentless.
• If you have a Windows system and you need CMS (GSK), JKS, PEM, or PKCS#12: Agent.
• If your security policy does not allow exposing sudo/root credentials to remote systems for SSH key scanning: Agent.
• Strict network restrictions (and associated architecture). If Trust Protection Platform is able to connect to a device on which you plan to install a certificate but the device cannot contact Trust Protection Platform: Agentless. If a device cannot connect to Trust Protection Platform, then an agent would not function; during agentless certificate installation, Trust Protection Platform initiates the network connection.
• If you have strict restrictions on SSH access to the device (e.g., all external connections to the device are workflow enforced): Agent.
• Devices have dissimilar configurations (use many different management credentials, keystore locations vary from server to server, etc.): Agent.
• Your servers cannot have software installed: Agentless.
• Device operating system version is not supported by the Venafi agent: Agentless.
• You want to perform routine scanning of trust assets on all of your devices: Agent.
Venafi helps you eliminate blind spots
No single discovery method will help you locate all of your keys and certificates. And any key or certificate that you don’t know about represents a blind spot in your security that hackers could leverage to infiltrate your business. The Venafi Trust Protection Platform helps you maintain visibility and control of all your keys and certificates with both agentless and agent-based protection. So you can leverage the approach that works best in your business: lightweight agentless discovery for your network-based keys and certificates, and agent-based protection for keys and certificates that are not network discoverable.
ABOUT VENAFI
Venafi is the market-leading cybersecurity company that secures and protects keys and certificates so they can’t be used by bad guys in attacks. Venafi provides the Immune System for the Internet, constantly assessing which keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not.
©2016 Venafi, Inc. All rights reserved. Venafi and the Venafi logo are trademarks of Venafi, Inc.
Part Number: 160603-WP-Venafi-Agent