Learning about Workload Protection architecture and workload isolation

Review the following sample architecture for IBM Cloud Security and Compliance Center Workload Protection, and learn more about the workload isolation level that the service offers in the cloud.

IBM Cloud Security and Compliance Center Workload Protection architecture

IBM Cloud Security and Compliance Center Workload Protection is a highly available, multi-tenant, regional service that is available in IBM Cloud. You can use it to find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions and compliance from source to run.

Figure: IBM Cloud Security and Compliance Center Workload Protection architecture

The API server component provides a web and an API interface to the service.

The collector component ingests data that agents forward to the service.

The data store component stores all results, metadata, instance credentials, and environmental data.

Each agent connects to exactly one service instance and forwards its data only to that instance.

The UI is the front-end component where users can monitor and configure scans, postures, policies, and alerts.

Workload Protection workload isolation

Each regional deployment of the IBM Cloud Security and Compliance Center Workload Protection service serves multiple tenants, and each tenant is identified by its IBM Cloud service instance.

  • Each region that runs user workloads has one deployment of the Workload Protection service.

  • The Workload Protection service in a region is highly available.

  • The data that the Workload Protection service collects and processes is associated with the service instance that it belongs to, and that association is what keeps the data invisible to every other service instance.

  • Data for all tenants is located in the same data stores. Isolation is logical, not physical: each metric carries tenant-specific tags, and the service's access control policies use those tags to segment the data by instance.
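The following added example is not IBM's code; it is a small model of the isolation scheme just described, written to show the security-relevant consequence of it: when every tenant's rows share one store, the tenant boundary exists only in the tag that the service stamps on each row and in the filter that every read path applies. The tag key (`instance_id`), the instance IDs, the metric names and the values are constructed for illustration and are not the service's actual tag key or data.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Metric:
    """One stored data point; the tenant tag lives alongside any other tags."""
    name: str
    value: float
    tags: dict[str, str] = field(default_factory=dict)


class SharedMetricStore:
    """One data store that holds every tenant's metrics.

    Nothing separates tenants physically; the only boundary is the tenant tag
    that the service stamps on each row and the filter applied at read time.
    """

    TENANT_TAG = "instance_id"  # assumed tag key for illustration, not IBM's actual key

    def __init__(self) -> None:
        self._rows: list[Metric] = []

    def ingest(self, instance_id: str, name: str, value: float, **tags: str) -> None:
        # The tenant tag is derived from the instance the agent is connected to
        # and overwrites any same-named tag that arrived with the data.
        stamped = {**tags, self.TENANT_TAG: instance_id}
        self._rows.append(Metric(name, value, stamped))

    def query_unfiltered(self, name: str) -> list[Metric]:
        """A read path that forgot the tenant filter: returns every tenant's rows.

        Kept here only to show the failure mode; no real endpoint should expose it.
        """
        return [m for m in self._rows if m.name == name]

    def query(self, caller_instance_id: str, name: str, **filters: str) -> list[Metric]:
        """Policy-enforced read: the tenant tag comes from the authenticated caller.

        Callers may narrow the result with extra tag filters, but a client-supplied
        instance_id filter is overwritten, so it can never widen the scope.
        """
        effective = {**filters, self.TENANT_TAG: caller_instance_id}
        return [
            m
            for m in self._rows
            if m.name == name
            and all(m.tags.get(key) == want for key, want in effective.items())
        ]


def build_demo_store() -> SharedMetricStore:
    """Constructed sample data: two tenants, inst-a and inst-b, in one store."""
    store = SharedMetricStore()
    store.ingest("inst-a", "cpu.usage", 0.5, host="web-1")
    store.ingest("inst-a", "cpu.usage", 0.7, host="web-2")
    store.ingest("inst-b", "cpu.usage", 0.9, host="db-1")
    return store


def values(metrics: list[Metric]) -> list[float]:
    """Helper that reduces query results to their numeric values."""
    return [m.value for m in metrics]


if __name__ == "__main__":
    store = build_demo_store()
    print("unfiltered  :", values(store.query_unfiltered("cpu.usage")))
    print("inst-a      :", values(store.query("inst-a", "cpu.usage")))
    print("inst-a,host :", values(store.query("inst-a", "cpu.usage", host="web-2")))
    # inst-a asking for inst-b's rows by passing the tag still gets only its own rows.
    print("cross-tenant:", values(store.query("inst-a", "cpu.usage", instance_id="inst-b")))
```

The point to take from the model is where the trust boundary sits: `query_unfiltered` is a complete, valid query against the shared store and leaks every tenant's data, so in a tag-segmented design the tenant filter has to be applied server-side from the authenticated identity on every read path, never taken from the request.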

You can use IBM Cloud Identity and Access Management (IAM) to control which users can see, create, use, and manage resources in your service instance.

  • To grant access to manage the Workload Protection service in IBM Cloud, you can assign platform roles, which define users' levels of access for completing platform management tasks and accessing account resources.

  • Service roles define levels of access for viewing data and managing features, such as dashboards, teams, and alerts. You can assign them to users to grant access to manage the instance and its resources.