Once we got down to create a cloud-based software for configuration monitoring, we used the instruments we knew and wrote Cybersecurity utilizing JRuby. For our software, JRuby had many good qualities: getting began solely required a one line set up, the agent solely wanted to speak out on port 443, and it was platform agnostic. Utilizing JRuby we demonstrated the worth of system visibility, attracted our first cohort of consumers, and raised the funds to broaden Cybersecurity. Now we’re not solely scrapping that agent, we’re transferring away from agent-based structure altogether. Here is why.
As we have discovered extra about configuration monitoring and discovery, each from our personal R&D and from working with our prospects, we have realized that an agentless connection supervisor is best than a per host put in agent. Given the funding in JRuby as a expertise, our first try was to make use of the JRuby agent as a connection supervisor. Since increasing to deployments of tens of 1000’s of nodes, the efficiency and reminiscence necessities of JRuby shortly grew to become problematic. (If you wish to argue about JRuby, here is the put up the place it’s best to do it.) Given the place of the corporate on the time, we had the uncommon luxurious of selecting between optimizing the 2-3 12 months previous code base in an effort to meet the wants of our prospects or rewriting all of it collectively. Fairly than accepting the boundaries of JRuby, we rewrote our software in Go to realize the purpose of an agentless connection supervisor with the very best expertise obtainable.
We’re proud to announce two nice issues concurrently: the launch of our absolutely featured agentless connection supervisor, and a tech refresh that improves Cybersecurity’s benchmark’s throughout the board.
The Argument for Agentless
1) Upkeep prices. Far and away, the largest argument for an agentless design is to slash upkeep prices. Cybersecurity is meant to make giant infrastructures simpler to handle and to extend the server/admin ratio. An put in agent means further prices for customers every time updates are rolled out. There may be completely no approach round that drawback with put in brokers. Extra subtly, since these updates should make it by a change administration course of, it additionally signifies that (probably many) totally different variations of Cybersecurity shall be deployed at any given time. Extra supported variations = increased chance that one thing will break and wish fixing. Supporting fewer variations additionally means we are able to present a better degree of help for the present connection supervisor and ship requested options extra shortly.
2) Higher efficiency. That is an impact of Go relatively than of the agentless structure, however it’s nonetheless a very good factor. In efficiency checks, the connection supervisor has doubled in velocity whereas utilizing at the least an order of magnitude much less reminiscence and (clearly) incurring no set up footprint.
3) On premise deployments. Packaging Cybersecurity as a digital equipment for on premise deployments is a well-liked possibility and we wished to enhance the standard of that providing. As described in our put up on utilizing Golang, one of many preliminary causes for the rewrite was to get away from the unnecessarily giant footprint of the JVM required for on premise installations. The connection supervisor is now simply packaged for deployment behind the firewall and can self-update with new variations.
Okay, so these are the arguments for an agentless connection supervisor. Lowered upkeep prices = better return on funding and fewer complications. Plus, it is quicker and lighter as a result of it makes use of applied sciences like Golang that weren’t as nicely developed two years in the past.
The Argument for Brokers
We additionally seemed on the arguments for brokers and consider that the connection supervisor addresses all these factors. Information Canine wrote a put up a while in the past explaining why they use an agent. Their arguments may apply for efficiency monitoring, however for inspecting configurations and constructing a system of file they do not make as a lot sense.
1) Enough API entry for cloud apps. Not an issue right here. If something, extra configuration gadgets can be found by the API, as within the case of CloudFlare, and there is no purpose we might bump towards the speed restrict for API requests.
2) Sampling price. Efficiency monitoring wants one second intervals. Configuration monitoring doesn’t. We all know you are a steady supply rockstar however you aren’t pushing modifications out each second. And in case you are, Cybersecurity supplies focused testing that may be executed far more shortly than the whole state scan.
We additionally thought-about the virtues of the previous Cybersecurity agent.
3) Effort to put in. We’re working to make set up of the connection supervisor as straightforward as attainable however even with barely extra work upfront, the long run financial savings on upkeep in a short time outweigh the preliminary advantages of the agent’s one line set up. For instance, a technique we’ll be enhancing Cybersecurity distribution is to bundle it with Docker, providing a good easier, trusted set up.
4) Platform help. The connection supervisor helps each OS that the agent did and, as a result of it’s a lot lighter, can be appropriate for deployment on techniques with tighter reminiscence and disk constraints. For instance, Cybersecurity will quickly be shipped on light-weight parts like enterprise IoT units.
Conclusion
All issues thought-about, our new connection supervisor is a big step ahead for Cybersecurity. Simply as Ansible has made the case for agentless configuration administration, we see an agentless connection supervisor as the way forward for system state monitoring.
Prepared to save lots of time and streamline your belief administration course of?
