Best practices for Workload Protection
Review these best practices to help you get the most out of IBM Cloud® Security and Compliance Center Workload Protection.
Cloud security posture management (CSPM)
Cloud security posture management (CSPM) helps you continuously assess and improve your cloud security posture by identifying compliance violations across your IBM Cloud account and resources. For more information, go to Enabling cloud compliance.
Enable CSPM
Enable CSPM to gain visibility into your cloud security posture across all your IBM Cloud resources. CSPM automatically discovers and evaluates your cloud resources against security best practices and compliance frameworks.
By default, CSPM is enabled when you create a new Workload Protection instance. Keep CSPM enabled to automatically scan your IBM Cloud account and resources for compliance. If you disable CSPM before creating the instance, you can set up the connection manually later.
Use built-in compliance frameworks
Workload Protection provides built-in compliance frameworks such as IBM Cloud Framework for Financial Services, DORA, CIS IBM Cloud Foundations Benchmark, and PCI standards. Use these frameworks to assess your compliance posture against industry standards, identify gaps in your security controls, generate compliance reports for audits, and track remediation progress over time.
Start with predefined policies and apply them to appropriate zones. These policies are regularly updated with new parameters and checks. If predefined policies do not meet your requirements, create custom policies based on existing or customized controls. Keep policies in draft state while designing and configuring them to avoid affecting running compliance scans. Policies are not run in your environment until they are published.
Review and prioritize remediation
After the first completed scan, review posture results from Attack Surface > Compliance Findings. Not all compliance violations carry the same risk. Focus your remediation efforts by severity, so critical and high-severity findings are addressed first. For more information, see Findings.
Use the Inventory to review all connected IBM Cloud resources, and use its filters to narrow the list to the resources that are most common in your account and most at risk.
View and schedule reports
Workload Protection includes a scalable reporting platform. With it, you can create and schedule reports over large amounts of data for audit purposes. For more information, go to Reporting.
Working with agents
Agents collect security and compliance data from your workloads. Follow these best practices to ensure optimal agent deployment and management.
Add agents strategically
Deploy agents to all environments where you need security visibility and compliance monitoring:
- Kubernetes and OpenShift clusters
- Deploy agents using Helm charts for easier management and updates. Helm 3.6 or later is required. Create a dedicated namespace (for example, ibm-observe) to isolate agents from application workloads.
- Virtual servers
- Install agents on Linux and Windows virtual servers to monitor host-level security.
- IBM Cloud Satellite locations
- Deploy agents to Satellite-managed infrastructure for consistent security across hybrid environments.
- Power Systems
- Install agents on AIX and Linux on Power to extend security monitoring to these platforms.
You can use the console to connect an existing Red Hat OpenShift or Kubernetes cluster to your instance of Workload Protection. In the IBM Cloud console, go to Containers > Clusters to access the existing cluster. Then, click Connect in the Workload Protection widget to connect your cluster to Workload Protection.
Choose from the following options to add an agent programmatically:
- Deploying an agent on a Kubernetes cluster
- Deploying an agent on an OpenShift cluster
- Deploying an agent on Satellite
- Deploying an agent on Linux hosts on Power Virtual Server
- Deploying an agent on AIX hosts on Power Virtual Server
- Deploying an agent on an outside Kubernetes or Red Hat OpenShift cluster
- Deploying an agent on Windows
- Deploying an agent on a Linux host
Configure agents appropriately
Customize agent configuration based on your environment and requirements:
- eBPF driver
- Configure the universal eBPF driver when supported. The universal eBPF driver requires kernel version 5.8 or newer. If you have an older version, you need BPF ring buffer support and a kernel that exposes BTF (BPF Type Format). If you encounter problems during agent installation, try removing the eBPF configuration or contact support.
- Private endpoints
- If your security requirements mandate that data does not traverse the public internet, configure agents to use private endpoints. Ensure that virtual routing and forwarding (VRF) is enabled for your account.
- Resource allocation
- Set appropriate CPU and memory limits for agents to prevent resource contention with application workloads. Monitor CPU and memory usage of agents to ensure they do not impact application performance.
- Access keys
- Protect access keys used by agents. Rotate keys periodically and disable unused keys immediately to prevent unauthorized access.
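The kernel requirements for the universal eBPF driver listed above can be checked before an agent is installed. The following script is an added example, not code from the IBM documentation or from the agent itself: it encodes the stated rule (kernel 5.8 or newer, or an older kernel with BTF and BPF ring buffer support) and can probe the running host. The probe locations, /sys/kernel/btf/vmlinux for BTF and CONFIG_BPF_RINGBUF in /proc/config.gz or /boot/config-*, are assumptions that hold on common Linux distributions, not something the documentation specifies.

```shell
#!/bin/sh
# Added example (not part of the IBM documentation): pre-flight check for the
# universal eBPF driver prerequisites stated in the agent configuration guidance.
set -eu

# kernel_at_least RELEASE MAJOR MINOR
# Returns 0 when a release string such as "5.4.0-150-generic" is at least MAJOR.MINOR.
kernel_at_least() {
    release="$1"; min_major="$2"; min_minor="$3"
    major=$(printf '%s\n' "$release" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s\n' "$release" | cut -d. -f2 | sed 's/[^0-9].*//')
    major=${major:-0}; minor=${minor:-0}
    if [ "$major" -gt "$min_major" ]; then return 0; fi
    if [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]; then return 0; fi
    return 1
}

# universal_ebpf_supported RELEASE HAS_BTF HAS_RINGBUF   (HAS_* are "yes" or "no")
# Applies the documented rule: 5.8 or newer is enough on its own; an older kernel
# qualifies only if it exposes BTF and supports the BPF ring buffer.
universal_ebpf_supported() {
    release="$1"; has_btf="$2"; has_ringbuf="$3"
    if kernel_at_least "$release" 5 8; then
        echo "ok: kernel $release meets the 5.8 minimum for the universal eBPF driver"
        return 0
    fi
    if [ "$has_btf" = yes ] && [ "$has_ringbuf" = yes ]; then
        echo "ok: kernel $release is older than 5.8 but exposes BTF and supports the BPF ring buffer"
        return 0
    fi
    echo "not supported: kernel $release is older than 5.8 (BTF=$has_btf, ring buffer=$has_ringbuf); install without the eBPF configuration"
    return 1
}

# check_this_host: probe the running kernel. The BTF path and the CONFIG_BPF_RINGBUF
# lookup are assumptions that hold on common Linux distributions.
check_this_host() {
    release=$(uname -r)
    has_btf=no
    if [ -r /sys/kernel/btf/vmlinux ]; then has_btf=yes; fi
    has_ringbuf=no
    if [ -r /proc/config.gz ] && zcat /proc/config.gz | grep -q '^CONFIG_BPF_RINGBUF=y'; then
        has_ringbuf=yes
    elif grep -qs '^CONFIG_BPF_RINGBUF=y' "/boot/config-$release"; then
        has_ringbuf=yes
    fi
    universal_ebpf_supported "$release" "$has_btf" "$has_ringbuf"
}

if [ "${1:-}" = "--live" ]; then
    check_this_host
else
    # Constructed sample releases so the rule can be seen without touching the host:
    # a 5.10 kernel, and a 4.18 kernel with and without BTF.
    universal_ebpf_supported "5.10.0-23-amd64" no no || true
    universal_ebpf_supported "4.18.0-477.el8" yes yes || true
    universal_ebpf_supported "4.18.0-477.el8" no yes || true
fi
```

Run the script with `--live` on the target host to evaluate its own kernel; the exit status is 0 only when the universal eBPF driver can be configured, so the check can gate an automated agent rollout.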
Keep agents updated
Regularly update agents to the latest version to benefit from new features, bug fixes, and security patches. Monitor the Agent release notes for updates.
Share an agent with Monitoring
If you use both Workload Protection and IBM Cloud Monitoring, deploy a single agent that works for both products. You can connect them when you create an instance of either service to avoid deploying duplicate agents and optimize costs.
Zones and policies
Zones and policies are fundamental to organizing your compliance monitoring and applying the right security controls to your resources.
Organize resources with zones
By default, Workload Protection creates a zone called Entire Infrastructure for all connected resources. Create custom zones to organize resources logically for compliance assessments based on business unit, geographic location, compliance requirements, and more.
Handle context-based restrictions
When context-based restrictions are enabled for resources, configuration data cannot be collected unless access is explicitly allowed. Create appropriate network zones and add App Configuration as the reference service so that Workload Protection can scan your resources. For more information, see Creating context-based restrictions.
Enterprise accounts
If you have an IBM Cloud enterprise account, follow these best practices to enable comprehensive posture management across all child accounts in your organization.
Set up trusted profile templates
Enterprise accounts must set up a trusted profile template to allow Workload Protection to scan child accounts for compliance. This is a critical requirement for enterprise-wide compliance management with CSPM. For more information, see Set up App Configuration to collect configuration data from all child accounts.
Create zones based on child account IDs to organize and manage compliance reporting for different parts of your enterprise.
Enable IAM for enterprise accounts
Enterprise accounts must be IAM-enabled to support trusted profile templates and cross-account scanning. Verify that your enterprise account has IAM enabled before attempting to set up CSPM for child accounts.
Manage access across the enterprise
Implement the principle of least privilege across your enterprise:
- Use IAM access groups to organize users with similar access needs.
- Grant users only the minimum permissions required to perform their tasks.
- Separate platform and service roles appropriately.
- Review access regularly to ensure permissions remain appropriate as roles change.
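The least-privilege steps above can be scripted with the IBM Cloud CLI. The following is an added example, not IBM's code: it creates two access groups with deliberately different rights, auditors (Viewer platform role, Reader service role) and operators (Editor platform role, Writer service role), each scoped to one Workload Protection instance rather than the whole account. The IAM service name sysdig-secure, the group names and the role split are assumptions for illustration, and INSTANCE_GUID_PLACEHOLDER stands in for your instance GUID. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 to apply them after review.

```shell
#!/bin/sh
# Added example (not IBM's code): least-privilege access groups for Workload Protection
# with the IBM Cloud CLI. Assumes the IAM service name is sysdig-secure (an assumption).
set -eu

# DRY_RUN=1 (the default here) prints each ibmcloud command instead of running it,
# so the change can be reviewed before any access policy is created.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# grant_scoped_access GROUP PLATFORM_ROLE SERVICE_ROLE INSTANCE_GUID
# Creates an access group and attaches one policy granting exactly one platform role
# and one service role, scoped to a single Workload Protection instance.
grant_scoped_access() {
    group="$1"; platform_role="$2"; service_role="$3"; instance_guid="$4"
    run ibmcloud iam access-group-create "$group"
    run ibmcloud iam access-group-policy-create "$group" \
        --roles "$platform_role,$service_role" \
        --service-name sysdig-secure \
        --service-instance "$instance_guid"
}

# Two groups with different rights: auditors only read findings and reports,
# operators can change agent and policy settings. Neither group receives the
# Administrator platform role or the Manager service role.
setup_groups() {
    instance_guid="$1"
    grant_scoped_access wp-auditors Viewer Reader "$instance_guid"
    grant_scoped_access wp-operators Editor Writer "$instance_guid"
}

# INSTANCE_GUID_PLACEHOLDER: replace with the GUID of your Workload Protection instance.
setup_groups "INSTANCE_GUID_PLACEHOLDER"
```

Add users with `ibmcloud iam access-group-user-add GROUP USER` rather than granting them policies directly, so that periodic access reviews only need to check group membership and the two policies.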