Architecture pattern for integrating IBM Cloud Security and Compliance Center Workload Protection with VCF as a Service
This architecture pattern describes how to use IBM Cloud® Security and Compliance Center Workload Protection with an IBM Cloud for VMware Cloud Foundation as a Service instance.
This pattern is suitable for workloads that are hosted in either a single-tenant or a multitenant instance.
Security and Compliance Center Workload Protection offers functions to protect your Microsoft Windows® and Linux® virtual machines (VMs) that are hosted on your VMware® by Broadcom environment. These functions include compliance, vulnerability scanning, and threat detection.
Although Security and Compliance Center Workload Protection offers functions for your other IBM Cloud services, these functions are not discussed in this pattern. For more information, see Getting started with IBM Cloud Security and Compliance Center Workload Protection.
IBM Cloud Security and Compliance Center Workload Protection implements Sysdig Secure functions. Information that is provided by the Sysdig Secure documentation also applies to Workload Protection.
After you provision an instance of the Security and Compliance Center Workload Protection service, you can deploy the Host Shield Agents on your Windows or Linux VMs. The agents collect data that is used for intrusion detection, posture management, and vulnerability scanning capabilities.
Overview of IBM Cloud Security and Compliance Center Workload Protection for VMware by Broadcom workloads
Security and Compliance Center Workload Protection enables the following three practices for your VMware by Broadcom workloads:
- Threat detection - Threat detection is managed by defining policies, which consist of rules to detect and respond to security violations, suspicious behavior, or anomalous activities within your Windows and Linux VMs. Security and Compliance Center Workload Protection provides customizable, prebuilt policies that are created and maintained by Sysdig's Threat Research team. These policies can detect and prevent various security threats, such as malware, intrusions, and DDoS attacks. The results of these policies can be viewed in Events. For more information, see Events Feed.
- Vulnerabilities - Security and Compliance Center Workload Protection provides a highly accurate view of the vulnerability risks of your Windows and Linux VMs. The views include rich details on each vulnerability, such as the CVSS vector, score, and fix age, together with insights from multiple expert feeds, including the NIST National Vulnerability Database (NVD) and VulnDB.
- Compliance - Posture management provides the framework of controls, guidelines, benchmarks, and standards for managing compliance. With Security and Compliance Center Workload Protection, you can evaluate your Windows and Linux VMs against several CIS benchmarks, such as the CIS Distribution Independent Linux Benchmark and the CIS Windows Server 2019/2022 Benchmarks, and against compliance policies. For more information, see Analyzing compliance postures from detection to remediation.
Typical use cases include:
- Check the current compliance status against predefined policies to understand the magnitude of the compliance gap.
- Demonstrate to an auditor the compliance status at a specific point in time, by creating a report of the compliance status of the VMs.
Pattern for integrating Security and Compliance Center Workload Protection
The following diagram shows an example of integrating a VMware Cloud Foundation (VCF) as a Service instance with Security and Compliance Center Workload Protection.
This architecture pattern is summarized as follows:
- The Sysdig Host Shield Agents, which are installed on your Windows or Linux VMs, collect the data that is used for threat detection, posture management, and vulnerability scanning. For more information, see Sysdig Agents.
- Your DNS servers need to be able to resolve the Security and Compliance Center Workload Protection endpoint URLs. Configure your DNS servers to use the IBM Cloud DNS resolvers, if needed.
- Firewall rules on the NSX Edge Gateway allow the agents to be downloaded from the internet and allow HTTPS connectivity to the Security and Compliance Center Workload Protection private endpoints. For more information about configuring firewall rules, see Add an NSX Edge Gateway Firewall Rule.
- Source Network Address Translation (SNAT) rules translate your VMs' overlay IP addresses to IBM Cloud-supplied IP addresses that can be used on the internet. For more information about configuring SNAT rules, see Add a SNAT or a DNAT Rule to an NSX Edge Gateway.
- The IBM Cloud Security and Compliance Center Workload Protection instance, which receives the data that the agents collect.
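The DNS, firewall, and SNAT items above are the usual reasons an agent fails to report after installation. The following preflight script, written for this page as an added example and not IBM's or Sysdig's own tooling, runs on a Linux VM inside the virtual data center before the Host Shield Agent is installed. It parses each Workload Protection endpoint URL, confirms that the VM's DNS servers resolve the host, and then opens a TCP connection on the HTTPS port through the NSX Edge Gateway. The endpoint URLs are placeholders to be replaced with the ones shown in your Workload Protection instance; the exit codes (2 for DNS, 3 for TCP) are an assumption of this script, chosen so that a DNS problem can be told apart from a firewall or SNAT problem.

```shell
#!/usr/bin/env bash
# Preflight check for a Linux VM in a VCF as a Service virtual data center,
# run before installing the Workload Protection Host Shield Agent.
# Added example for this page; not IBM Cloud or Sysdig tooling.
# Endpoint hostnames are placeholders (assumption): use the endpoint URLs
# displayed in your own Workload Protection instance.
set -u

# Host part of a URL such as https://host:port/path (IPv6 literals not handled).
host_from_url() {
  local url="$1"
  url="${url#*://}"      # drop the scheme
  url="${url%%/*}"       # drop the path
  url="${url%%:*}"       # drop an explicit port
  printf '%s\n' "$url"
}

# Port part of a URL; defaults to 443 for https and 80 for http.
port_from_url() {
  local url="$1" hostport
  hostport="${url#*://}"
  hostport="${hostport%%/*}"
  case "$hostport" in
    *:*) printf '%s\n' "${hostport##*:}" ;;
    *)   case "$url" in
           http://*) printf '80\n' ;;
           *)        printf '443\n' ;;
         esac ;;
  esac
}

# Return codes (assumed convention for this script):
#   0 endpoint reachable, 2 DNS resolution failed, 3 TCP connect failed.
# A TCP failure is seen from the VM for both a missing firewall rule and a
# missing SNAT rule; the edge gateway logs are needed to tell them apart.
check_endpoint() {
  local url="$1" host port
  host=$(host_from_url "$url")
  port=$(port_from_url "$url")
  if ! getent hosts "$host" >/dev/null 2>&1; then
    echo "DNS: cannot resolve $host (check DNS forwarders or IBM Cloud resolvers)"
    return 2
  fi
  # bash's /dev/tcp performs a plain TCP connect; 5 s cap so a dropped
  # packet at the edge firewall does not hang the check.
  if ! timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo "TCP: $host:$port unreachable (check NSX edge firewall and SNAT rules)"
    return 3
  fi
  echo "OK: $host:$port reachable"
  return 0
}

# Usage: ./wp-preflight.sh https://<ingest-endpoint> https://<api-endpoint> ...
# Placeholder endpoints are assumed; pass the real ones as arguments.
status=0
for url in "$@"; do
  check_endpoint "$url" || status=$?
done
exit "$status"
```

Run it with every endpoint URL listed for your instance (agent download, ingest, and API); a non-zero exit tells you which layer to fix before you deploy the agent, and the same checks can be repeated after the NSX Edge Gateway rules are changed.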
Considerations
When you design or deploy this architecture pattern, consider the following information:
- You require only a single SNAT IP address for all your VMs hosted in your virtual data center to communicate with the Security and Compliance Center Workload Protection instance.