About Workload Protection

Managing compliance with CSPM

CSPM provides a unified platform to manage the security and compliance of applications, workloads, and infrastructure that run on IBM Cloud, in other clouds, and on-premises.

Workload Protection supports multiple cloud providers, such as AWS and Azure, in addition to IBM Cloud. For more information, see Connect cloud accounts.

App Configuration connection

To enable CSPM with Workload Protection, your IBM Cloud account needs an instance of App Configuration. App Configuration uses a configuration aggregator to gather configuration information in your IBM Cloud account, which allows Workload Protection to access your resources and scan them for compliance.

By default, Workload Protection is CSPM-enabled. However, if you disable CSPM before provisioning Workload Protection, or if you want to use an existing instance of App Configuration, you can set up the connection manually.

Compliance frameworks

Default frameworks are available for immediate use, such as DORA, NIST, and the IBM Cloud Framework for Financial Services. With these predefined policies, you can implement and validate the controls that are required to meet industry standards and regulations. Workload Protection runs automated configuration checks and provides audit-ready reports at both the infrastructure and application levels. For more information, see Analyzing compliance postures from detection to remediation.

Policy management

You can create and manage your own custom policies to ensure that your workloads are compliant with your organization's policies. For example, you can create a policy to ensure that your workloads are running in a specific region or that they're using a specific version of a database. You can also create policies to ensure that your workloads are using specific security features, such as encryption or multi-factor authentication. For more information, see creating a custom policy.

Addressing failures

When a control fails, detailed remediation instructions are provided to address the failure. Workload Protection also provides a risk acceptance flow for failed controls with options to include the reason for accepting the risk and an expiration date for the acceptance. You can accept risk at one resource level or globally for all resources from one control. For more information, see risks.

Securing containers and hosts with agents

For an additional layer of security, add an agent to your containers and hosts to gain visibility into your workloads. Workload Protection uses Server Endpoint Detection and Response (EDR) capabilities to provide comprehensive runtime protection and threat detection.

Server endpoint detection and response (EDR)

Workload Protection instruments hosts, VMs, and Kubernetes or Red Hat OpenShift on IBM Cloud clusters through eBPF technology to inspect all system activity through system calls with minimal performance impact. This deep visibility allows you to detect and respond to threats in real time across your entire infrastructure.

Threat detection and response

With thousands of out-of-the-box policies that are updated weekly by the Sysdig Threat Research team, you get immediate protection against the latest threats. You can customize existing rules or create new ones using the Falco language, the open source cloud-native standard for runtime security. Beyond rule-based detection, behavioral analysis helps identify common threats like crypto mining activities, while workload profiling automatically defines expected behavior to extend your detection capabilities. For more information, see Threats.

Proactive threat prevention

Workload Protection goes beyond detection by offering preemptive blocking capabilities. You can prevent blacklisted or malicious binaries from executing, including identified malware or drifted binaries in a container image. Advanced remediation features allow you to automatically execute corrective actions such as killing processes, killing or pausing containers, and more.

File Integrity Monitoring (FIM)

Define detection rules per scope (path, filename, command, user, and more) to detect all possible file activities at the source, including reading files, writing files, writing directories, and other operations. This helps you maintain the integrity of critical system files and detect unauthorized changes.

Policies for your lifecycle

Supply chain policies, threat detection policies, and network security policies work together to provide comprehensive security of your containers and hosts. Supply chain policies help ensure only trusted code enters your environment, threat detection policies monitor for malicious behavior during runtime, and network security policies control how workloads communicate with each other.

Kubernetes Security Posture Management (KSPM)

Workload Protection offers visibility into your Kubernetes clusters, helping you monitor configurations, enforce security policies, and detect misconfigurations or violations of best practices. For more information, see Compliance.