While the idea of enabling zero trust network access (ZTNA) without needing to install new client or agent software across endpoints sounds great from a deployment, management, and training perspective, the reality is that there are serious limitations that come with an agentless ZTNA approach. As an admin entrusted with providing the highest security and best user experience, understanding these compromises should be considered essential in deciding whether an agentless approach should be used for employees or third parties.
The first limitation to be considered is whether you can live with restrictions on which applications and resources can be used and accessed. Some resources are a natural fit for agentless or browser-based connectivity. Internal web applications are a prime example. However, more interactive web applications may not work terribly well on smaller form-factor devices like mobile phones or tablets. Moreover, web applications that have Java applets or other older technologies may also not work that great after being reformatted in the agentless delivery method. Other resources such as RDP or VNC may be practically impossible to use on mobile or tablet devices, with browser-based on-screen keyboards or other methods of input. There are also limitations to what you can do from a browser-based solution. Thick applications on the end user device cannot be used, as they can’t communicate with the back end through the web browser. Also, functionality such as local drive mapping to external data stores is not possible if the only connection is via a browser. Furthermore, while it is common to have multiple monitors for physical system, most agentless solutions cannot support this, imposing unproductive limits on the end user’s work environment and their productivity.
The next limitation to be considered is the limited or unavailable device identity and device posture assessments. Since agentless methods are using the browser, the only reportable system information available to the browser is source IP and user-agent string. This fails any reasonable expectation of non-repudiation as both bits of information can be easily faked by the average user. The Source IP can be tweaked by using a browser like Tor or by using a VPN to hide your real location. Geo-location based on IP addresses is often wrong since some organizations, like hotels, centralize their traffic for inspection purposes. Furthermore, user-agent strings can be easily modified using a browser’s built-in development tools. Both methods can be easily used to bypass security policies. Beyond limited device posture assessment, most agentless methods don’t allow for remediation once an issue is discovered that bring a device out of compliance, which may result in more calls to the IT Helpdesk.
Last, most agentless methods have scale and performance limitations since they are likely built around HTML5 rendering of tools like RDP and SSH sessions. Often this HTML5 rendering, sometimes called brokering, is done using open-source software like Guacamole. These types of solutions require lots of memory and CPU to be allocated to the virtual machines and typically do not scale up linearly – so more users will require the creation of more virtual instances. Users will have to be load-balanced across these instances, which means yet another layer of appliances to deploy and manage. Also, each user’s specific activity and bandwidth use directly impacts the scale and performance experienced by others. For example, resource-intensive functionality such as video and audio rendering reduce performance greatly. In today’s world, 4K displays are common and many of these systems cannot handle many users at that resolution level.
As with many things, having flexible options is ideal. A ZTNA vendor that offers both client and clientless options along with clientless workflows means being able to take advantage of the benefits of both. It also means being able to deploy, at scale, a variety of solutions based on the device being used, the devices being connected to, and the type of users (employees vs. third parties).
Visit the product editions section to learn more about Banyan Security’s flexible feature set.