IBM Cloud Docs
Connecting Workload Protection

Connecting Workload Protection

When you integrate an instance of IBM Cloud® Security and Compliance Center Workload Protection with Security and Compliance Center, you can run scans that validate your level of compliance to a specific predefined profile. Then, you can view all the results and a history of those results in a single location.

You can pull results from multiple environments, including Amazon Web Services and Microsoft Azure, into the Security and Compliance Center by connecting an instance of Workload Protection to the service. In your Workload Protection instance, create a connection that contains the compliance data that you want to see so that you can see both IBM Cloud and Workload Protection results in one view.

To learn more about how the integration is configured, check out the following diagram.

The image shows the sequence of events that a user follows as part of setting up the integration.
Workload Protection integration flow

  1. Register an Cloud Object Storage bucket to store results.
  2. Create an instance of Workload Protection from the IBM Cloud catalog.
  3. In your Security and Compliance Center instance, register your Workload Protection integration.
  4. Create an attachment between the scope and the profile. A scope is the set of resources that you want to evaluate, and the profile contains the controls that you want to evaluate. For AWS and Azure, you specify the filters that you want to get fine-grained results.
  5. Navigate to the dashboard in the Security and Compliance Center UI to view your results.

Before you begin

Before you get started, be sure that you have the following prerequisites:

  • An IBM Cloud account. For more information, see Setting up your IBM Cloud account.

  • An instance of the Security and Compliance Center service.

  • A Object Storage bucket to store results. For more information, see Setting up data storage and processing for Security and Compliance Center.

  • An instance of IBM Cloud Security and Compliance Center Workload Protection. For more information about creating an instance from the IBM Cloud catalog, see Getting started with Workload Protection.

    Make note of the values of your resources (for example, cluster name and region) from your Workload Protection instance.

  • The required level of access to create and manage integrations in Security and Compliance Center. To pull results from Workload Protection, you must have the administrator platform role or higher for the Security and Compliance Center service. For more information, see Assigning access.

You must select a profile that targets another environment. For example, Azure Kubernetes Service (AKS) profile or Amazon Web Services (AWS) profile. If you want to use controls from multiple profiles, you are able to create a custom profile that contains only the controls that you want to evaluate.

Registering the integration

Register an integration with the Security and Compliance Center.

  1. In the IBM Cloud console, go to the Resource list page and select your instance of Security and Compliance Center.

  2. In your instance of Security and Compliance Center, go to the Integrations page.

  3. In the Workload Protection tile, click Connect.

  4. On the Connect your Workload Protection account panel, provide a name for your connection.

  5. Set up service-to-service authorization, which allows Security and Compliance Center to communicate with Workload Protection.

    1. When you are prompted for service authorization, click Authorize.
    2. For the target service, select Workload Protection. Security and Compliance Center is the source service. Reader access is automatically selected. Click Review.
    3. On the Review page, ensure that the target service and role are correct, and then click Assign.

    Alternatively, you can use IAM to create an authorization to allow the Security and Compliance Center service instance access to the Workload Protection service instance.

  6. Select the Workload Protection instance, and then click Connect.

After the connection is successfully created, click the Connected tab. If you want to open the Workload Protection instance dashboard, click Dashboard URL.

Creating the attachment

To evaluate your resources, you create an attachment. An attachment is the association between the set of resources that you want to evaluate and a profile that contains the specific controls that you want to evaluate. An attachment is how you target a specific grouping of your resources to evaluate against a specific profile.

You must have already have a Object Storage bucket available. Be sure to use a bucket that's located in the same region that your data is processed.

To create an attachment, complete these steps:

  1. In the Security and Compliance Center UI, navigate to the Attachments page and click Create. A flat list of all of the attachments in your account is displayed.

  2. Provide a name and description for your attachment. Be sure to be as descriptive as possible so that it's easy for other members of your team to understand what is being evaluated. Then, click Next.

  3. If you don't already have Cloud Object Storage bucket configured, you will be prompted to Connect one. You must connect a Cloud Object Storage bucket to store your evaluation results. As a best practice, it is recommended that you use a bucket that is located in the same region in which your data is processed.

  4. Select the Profile and Profile version that you want to use for your evaluation.

    You must select a profile that targets another environment by using wp-rule evaluations in order to scan other cloud platforms. For example, Azure Kubernetes Service (AKS) profile or Amazon Web Services (AWS) profile target other environments. If you want to use controls from multiple profiles, you are able to create a custom profile that contains only the controls that you want to evaluate.

  5. Customize the underlying evaluations in your scan by editing the default parameters to match your specific use case.

  6. Target the resources you want to evaluate by defining a scope. If you are working with IBM Cloud resources, you can also specify resources that you want to exclude from your scope. If you are working with resources from other environments, you must connect an instance of the Workload Protection service and provide the requested information to move forward.

  7. Select the frequency at which you want to evaluate your attachment. Options include every day, every 7 days, and every 30 days. Additionally, you can pause your scans if you need to. Then, click Next.

  8. Indicate whether you want to be notified if evaluations fail during a scan. For more information about setting up the notifications, see Creating an attachment.

  9. Review your settings, and ensure that all of the configurations are correct for your targeted scope. Then, click Create.

Based on the schedule that you defined in your connection, Workload Protection pulls the data in your account to the Security and Compliance Center.

Viewing the results

To view the results of your scan, go to the dashboard in the UI of the Security and Compliance Center instance that you are working with. For more information about the details in your results, see Viewing results.