Best Practices for working with Workload Protection for IBM Cloud CSPM

IBM Cloud® Security and Compliance Center Workload Protection now supports Cloud Security Posture Management (CSPM) for IBM Cloud resources with the IBM Cloud Framework for Financial Services, Digital Operational Resilience Act (DORA), CIS IBM Cloud Foundations Benchmark, PCI, and other regulated industry standards.

Managing posture policies

In Workload Protection, posture policies are collections of controls that you use to evaluate your compliance. You can use the predefined policies or create custom ones.

Predefined compliance policies

As new versions of the compliance programs are released, including IBM Cloud Framework for Financial Services, Digital Operational Resilience Act (DORA), CIS IBM Cloud Foundations Benchmark, the PCI standards and many others, the predefined policies are updated, and new parameters and checks are added regularly.

When you start implementing CSPM for IBM Cloud, your services are evaluated against all available IBM Cloud controls (All Posture Findings) and the CIS IBM Cloud Foundations Benchmark, and you can apply other policies as described next.

Applying posture policies

By default, Workload Protection creates a scope for all of your connected IBM Cloud services, clusters and workloads in a zone called Entire Infrastructure. You can apply new posture policies to this zone or create a new zone to scope your resources.

To apply a policy to a zone, go to Policies > Zones and link the policy to the zone.

Creating custom posture policies

If you need to choose the controls, requirements, or names of your posture policies yourself, you can create custom policies in Workload Protection based on existing or customized controls.

Reviewing posture results and downloading reports

After the first scan completes (which can take some minutes after the integration), the posture results are shown under Posture > Compliance:

  1. Select the policy you want to review.
  2. Select the requirement(s) to analyze.
  3. Click Show controls to show the results.
  4. All resources affected by that particular control are listed.
  5. Click View Remediation to get the steps to remediate that control.
  6. In the same view, you can click Accept Risk to remove the violation from the failed control for that resource. Select the risk reason and, optionally, an expiration to complete the risk acceptance. Accepting a risk suppresses the finding without changing the resource, so set an expiration where you can; an exception without one is never re-evaluated.

From a particular policy results view, you can download a report by clicking Download Report, which generates a CSV with all the results for the controls of the selected policy.
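The downloaded CSV is the natural input for triage outside the UI, for example to rank controls by how many resources fail them and to spot controls that fail across more than one account (a systemic misconfiguration rather than a one-off). The following script is an added example and is not IBM's or Sysdig's code. The page does not document the CSV schema, so the column names (`policy`, `requirement`, `control`, `resource_name`, `resource_type`, `account_id`, `region`, `status`) and the sample rows are constructed assumptions for this example; adjust the column names to match the header of the report you actually download.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a posture report. The header and rows are an assumption
# for this example, not the documented format of the downloaded CSV.
SAMPLE_CSV = """policy,requirement,control,resource_name,resource_type,account_id,region,status
CIS IBM Cloud Foundations Benchmark,1 Identity and Access Management,Ensure MFA is enabled for all users,user-1,iam-user,acct-111,global,fail
CIS IBM Cloud Foundations Benchmark,1 Identity and Access Management,Ensure MFA is enabled for all users,user-2,iam-user,acct-111,global,pass
CIS IBM Cloud Foundations Benchmark,3 Storage,Ensure COS buckets are not publicly accessible,bucket-a,cos-bucket,acct-111,us-south,fail
CIS IBM Cloud Foundations Benchmark,3 Storage,Ensure COS buckets are not publicly accessible,bucket-b,cos-bucket,acct-222,eu-de,fail
CIS IBM Cloud Foundations Benchmark,3 Storage,Ensure COS buckets are not publicly accessible,bucket-c,cos-bucket,acct-222,eu-de,pass
CIS IBM Cloud Foundations Benchmark,1 Identity and Access Management,Ensure API keys are rotated,svc-key-1,iam-api-key,acct-222,global,fail
"""

# Columns this script relies on; rename these if your report's header differs.
REQUIRED_COLUMNS = {"requirement", "control", "resource_name", "status"}


def load_report(text):
    """Parse the CSV text and fail early if the expected columns are absent."""
    rows = list(csv.DictReader(io.StringIO(text)))
    present = set(rows[0].keys()) if rows else set()
    missing = REQUIRED_COLUMNS - present
    if missing:
        raise ValueError(f"report is missing expected columns: {sorted(missing)}")
    return rows


def failed_rows(rows):
    """Rows whose status is 'fail' (case-insensitive, whitespace-tolerant)."""
    return [r for r in rows if r["status"].strip().lower() == "fail"]


def summarize(rows):
    """Aggregate failures by control, requirement and account, and list the
    failing resources under each control so they can be remediated together."""
    fails = failed_rows(rows)
    failing_resources = defaultdict(set)
    for r in fails:
        failing_resources[r["control"]].add(r["resource_name"])
    return {
        "total": len(rows),
        "failed": len(fails),
        "pass_rate_pct": round(100.0 * (len(rows) - len(fails)) / len(rows), 1) if rows else 0.0,
        "by_control": Counter(r["control"] for r in fails),
        "by_requirement": Counter(r["requirement"] for r in fails),
        "by_account": Counter(r.get("account_id", "") for r in fails),
        "failing_resources": dict(failing_resources),
    }


def systemic_controls(rows, min_accounts=2):
    """Controls that fail in at least `min_accounts` distinct accounts.
    Requires an account_id column; returns an empty set if it is absent."""
    accounts_per_control = defaultdict(set)
    for r in failed_rows(rows):
        account = r.get("account_id")
        if account:
            accounts_per_control[r["control"]].add(account)
    return {c for c, accts in accounts_per_control.items() if len(accts) >= min_accounts}


def main():
    rows = load_report(SAMPLE_CSV)
    summary = summarize(rows)
    print(f"{summary['failed']}/{summary['total']} results failed "
          f"({summary['pass_rate_pct']}% pass rate)")
    print("\nFailures by control (most affected first):")
    for control, count in summary["by_control"].most_common():
        resources = ", ".join(sorted(summary["failing_resources"][control]))
        print(f"  {count:3d}  {control}  [{resources}]")
    print("\nControls failing in more than one account:")
    for control in sorted(systemic_controls(rows)):
        print(f"  - {control}")


if __name__ == "__main__":
    main()
```

To use it on a real report, replace `SAMPLE_CSV` with the file contents (or read the path given on the command line) and fix `REQUIRED_COLUMNS` and the field names once you have looked at the actual header; `load_report` raises rather than silently producing empty counts when the columns do not match.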

Reviewing all connected resources in Inventory

Once you have implemented CSPM for your IBM Cloud account(s), all your IBM Cloud resources (and any other connected data source, such as Kubernetes/OpenShift resources or multi-cloud environments) are listed under Inventory.

Use the Feature Filters to filter by the most commonly used criteria and narrow down to your most prevalent and at-risk resources, with resource counts and risk indicators.

For each resource, click the resource card to access the Posture and Configuration tabs:

  • The Posture tab indicates the number of failed policies. Select a failed policy to see the relevant controls to be remediated. The controls are grouped by requirement within each policy.
  • The Configuration tab contains additional metadata and configuration details including the timestamp when the resource was last scanned.

Customizing controls

Workload Protection is incrementally adding the ability to customize posture controls through parameters defined within each control.

You can see all the available posture controls under Policies > Controls. Select the control you want to customize, select Parameters, then click Customize and change the parameters to match your requirements.

In addition to modifying the parameters of existing controls, you can duplicate and edit any control as described in Custom Controls.

Organize your accounts and resources

As noted under Applying posture policies, the default zone Entire Infrastructure covers all of your connected IBM Cloud services, clusters and workloads; you can apply posture policies to it or create new zones to scope your resources.

You can create your own scopes based on region or account IDs. In the near future, resource labels will also be available for defining scopes.

Next steps

To get the most out of Workload Protection, enable CSPM by following the steps described in Implementing CSPM (Cloud Security Posture Management) for IBM Cloud using the UI and CLI.