Setting up Workload Protection to scan an enterprise for compliance

If you're an Administrator of an enterprise account, you can set up IBM Cloud® Security and Compliance Center Workload Protection to scan all of your enterprise's child accounts for compliance. By completing this tutorial, you learn how to set up your own instance of Workload Protection, add an agent to a Red Hat OpenShift cluster to scan for vulnerabilities within that cluster, and set up App Configuration so Workload Protection can scan your enterprise account and all child accounts for compliance.

This topic focuses on enabling CSPM for IBM Cloud. Need to enable CSPM for another cloud provider, like AWS, Azure, GCP, or OCI? See Connect cloud accounts for more information.

Imagine that you're the administrator of an enterprise account that contains multiple child accounts. You want to set up Workload Protection to scan your enterprise and all child accounts for compliance. You already have a running instance of App Configuration in your enterprise account, and you want Workload Protection to use that instance of App Configuration to gather configuration information for compliance scanning. To keep your workloads as secure as possible, you also want to add an agent to your Red Hat OpenShift cluster so Workload Protection can scan that cluster for threats and vulnerabilities.

Before you begin

Make sure that you're working in your enterprise account and that you have the necessary access.

  • Make sure that you're working in your enterprise account by going to Manage > Enterprise in the IBM Cloud console.
  • Make sure that you have an instance of App Configuration in your enterprise account.
  • Make sure that you're assigned the following IAM roles:
    • Administrator of the Enterprise account.
    • Manager role or greater on the Workload Protection service.
    • Manager role or greater on the App Configuration service.

Set up Workload Protection

Create an instance of Workload Protection in your enterprise account.

You can use Terraform to set up an instance of Workload Protection as code. For more information, see the FAQ.

  1. Go to the IBM Cloud catalog, search for Security and Compliance Center Workload Protection, and open the catalog listing for the service.

  2. Select the location for your instance and select a plan that fits your needs.

  3. Cloud security posture management (CSPM) is enabled by default. Because you already have an instance of App Configuration in your enterprise account, clear the CSPM option so that Workload Protection does not provision a second one.

    If you leave CSPM enabled, a new instance of App Configuration is created and used with your instance of Workload Protection.

  4. Accept the license agreements and click Create.

  5. After the instance of Workload Protection is created, copy the CRN for the instance and save it for later.

Secure your cluster by connecting it to Workload Protection

In addition to compliance, Workload Protection can also scan your containers and hosts to help keep them secure. To get this layer of protection, connect your container or host to Workload Protection by adding an agent. This tutorial focuses on adding an agent to a Red Hat OpenShift cluster, but you can add an agent to many different containers and hosts, including Kubernetes clusters and Power Virtual Server hosts.

  1. In the IBM Cloud console, click the Navigation Menu icon > Containers > Clusters and click Create cluster.

  2. Make sure that Red Hat OpenShift is selected as the orchestration platform.

  3. Customize your cluster by selecting the network and compute environment, the location, and the worker zones and subnets for the cluster.

  4. In the Integrations section, make sure Workload Protection is enabled. Select Existing Workload Protection instance as the configuration type, and select the instance of Workload Protection that you just created from the Workload Protection instance menu.

  5. Click Create.

    Do you already have a cluster? You can use the console to connect an existing Red Hat OpenShift or Kubernetes cluster to your instance of Workload Protection. Go to Containers > Clusters to access the existing cluster. Then, click Connect in the Workload Protection widget to connect your cluster to Workload Protection.

  6. Wait 10-15 minutes, then click the Navigation Menu icon > Security > Overview. Select the Workload Protection instance in the Vulnerabilities widget to view a snapshot of vulnerabilities within your cluster.

Connect your IBM Cloud account to Workload Protection

So far, you set up Workload Protection to scan a Red Hat OpenShift cluster for vulnerabilities. Next, establish trust between your Workload Protection instance and the App Configuration service, and connect your IBM Cloud account to Workload Protection to enable CSPM. Complete the following steps:

  1. Create a trusted profile that allows your instance of Workload Protection access to the App Configuration service. Your Workload Protection instance must already exist in your enterprise account. Complete the following steps:
    1. Go to Manage > Access (IAM) > Trusted profiles and click Create.
    2. Name the trusted profile Workload Protection access to App Configuration.
    3. Establish trust by selecting IBM Cloud services as the trusted entity type, and enter the CRN for the Workload Protection instance that you just created.
    4. Add the following access policies to the trusted profile:
      • Viewer and Usage Report Viewer roles on the Enterprise service.
      • Configuration Aggregator Reader and Manager roles on the App Configuration service.
    5. After you create the trusted profile, copy the profile ID and save it for later.
  2. Next, enable CSPM by connecting your instance of Workload Protection to your IBM Cloud account. Complete the following steps:
    1. Click the Navigation Menu icon > Resource list and search for App Configuration to find your instance of App Configuration.
    2. On the Getting started page of your App Configuration instance, click Details and copy the CRN for the instance.
    3. Click the Navigation Menu icon > Security > Compliance and click the name of your Workload Protection instance to open it.
    4. Go to Sources and click Add on the IBM Cloud Account tab.
    5. Enter the trusted profile ID for Workload Protection access to App Configuration and the App Configuration instance CRN and click Add.
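The trusted profile from step 1, expressed as code. This is an added example written for this tutorial with the IBM Cloud Terraform provider, not configuration from the page or from IBM; it assumes the Workload Protection CRN is supplied through the variable `workload_protection_crn`, that the Workload Protection service is named `sysdig-secure` in CRNs, and that App Configuration is named `apprapp` in IAM policies. The variable validation rejects any CRN that does not belong to a Workload Protection instance, so the trust cannot be granted to a different service by a copy-and-paste mistake.

```hcl
# Added example: trusted profile "Workload Protection access to App Configuration"
# (the console steps above) built with the IBM Cloud Terraform provider.
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

# Assumption: the CRN you copied after creating the Workload Protection instance.
variable "workload_protection_crn" {
  type        = string
  description = "CRN of the Workload Protection instance that is allowed to assume the profile"

  validation {
    # Workload Protection instances carry the sysdig-secure service name in their CRN.
    # Anything else is refused so the trust relationship cannot point at the wrong service.
    condition     = can(regex("^crn:v1:bluemix:public:sysdig-secure:", var.workload_protection_crn))
    error_message = "Expected the CRN of a Security and Compliance Center Workload Protection (sysdig-secure) instance."
  }
}

resource "ibm_iam_trusted_profile" "wp_to_appconfig" {
  name        = "Workload Protection access to App Configuration"
  description = "Lets the Workload Protection instance read enterprise data and use the App Configuration aggregator"
}

# Trusted entity type "IBM Cloud services": only the instance identified by this CRN
# can assume the profile.
resource "ibm_iam_trusted_profile_identity" "wp_instance" {
  profile_id    = ibm_iam_trusted_profile.wp_to_appconfig.id
  identity_type = "crn"
  type          = "crn"
  identifier    = var.workload_protection_crn
}

# Viewer and Usage Report Viewer roles on the Enterprise service.
resource "ibm_iam_trusted_profile_policy" "enterprise" {
  profile_id = ibm_iam_trusted_profile.wp_to_appconfig.id
  roles      = ["Viewer", "Usage Report Viewer"]

  resources {
    service = "enterprise"
  }
}

# Configuration Aggregator Reader and Manager roles on App Configuration (IAM name: apprapp).
resource "ibm_iam_trusted_profile_policy" "app_configuration" {
  profile_id = ibm_iam_trusted_profile.wp_to_appconfig.id
  roles      = ["Configuration Aggregator Reader", "Manager"]

  resources {
    service = "apprapp"
  }
}

# The value you paste into Sources > IBM Cloud Account in Workload Protection.
output "trusted_profile_id" {
  value = ibm_iam_trusted_profile.wp_to_appconfig.id
}
```

Run `terraform apply -var workload_protection_crn=<CRN>` and use the `trusted_profile_id` output in step 2. The console steps grant the roles on the whole App Configuration service; if you want the profile limited to the single instance that Workload Protection uses, add `resource_instance_id` to the `resources` block of the `app_configuration` policy so the Manager role cannot touch any other App Configuration instance in the account.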

If context-based restrictions protect the resources that you want to scan, App Configuration cannot collect their configuration data unless your rules allow it. Add App Configuration as a service reference in the relevant network zones so that Workload Protection can scan those resources. For more information, see Creating context-based restrictions.

Set up App Configuration to collect configuration data from all child accounts

Your instance of Workload Protection can now use the App Configuration instance to scan your account and resources for compliance. However, to scan your entire enterprise, App Configuration needs access to all of your enterprise's child accounts. Create a trusted profile template and assign it to your child accounts. Complete the following steps:

  1. Create a trusted profile template and name it trusted profile template for child accounts. Include the following access policies:
    • Viewer and ConfigReader for All Account Management services.
    • Reader, Viewer, and ConfigReader for All Identity and Access enabled services.
  2. After you create the trusted profile template, copy the template ID and save it for later.
  3. Assign the trusted profile template to your child accounts and account groups in the enterprise.
  4. Create another trusted profile to grant App Configuration access to read the trusted profile template that you just created. Complete the following steps:
    1. Go to Manage > Access (IAM) > Trusted profiles and click Create.
    2. Name the trusted profile App Configuration access to child accounts.
    3. Establish trust by selecting IBM Cloud services as the trusted entity type, and enter the CRN for your App Configuration instance.
    4. Add the following access policies to the trusted profile:
      • Viewer role on the Enterprise service.
      • Template Administrator, Assignment Administrator, and Viewer roles for All IAM Account Management services.
    5. After you create the trusted profile, copy the profile ID and save it for later.

Set up configuration aggregator in your instance of App Configuration

CSPM is now enabled, but App Configuration isn't collecting configuration data just yet. Turn on the configuration aggregator by completing the following steps:

  1. Click the Navigation Menu icon > Resource list and search for App Configuration.
  2. Click the name of the App Configuration instance to open it, then click Configuration aggregator.
  3. Click Define an aggregation and specify which regions you want to collect configuration data from.
  4. Enter your enterprise ID, the ID for trusted profile template for child accounts, and the ID for App Configuration access to child accounts that you just created and click Save.
  5. Turn on Recording to begin collecting configuration data in your accounts.
  6. Wait 24 hours for the initial scan to complete, then go to the Navigation Menu icon > Security > Overview to view a snapshot of your compliance data from Workload Protection.