Getting started with IBM Cloud Security and Compliance Center Workload Protection

In architectures that are focused on containers and microservices, you can use IBM Cloud® Security and Compliance Center Workload Protection to find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.

Before you begin

  • You must have a user ID that is a member or an owner of an IBM Cloud account. To get an IBM Cloud user ID, go to: Registration.

  • Check the regions where the service is available. Learn more. You can complete the steps in any of the supported regions.

Step 1. Manage user access

Every user that accesses the IBM Cloud Security and Compliance Center Workload Protection service in your account must be assigned an access policy with an IAM user role defined. The policy determines the actions that the user can run within the context of the service or instance you selected. The allowable actions are customized and defined as operations that are allowed to be run on the service. The actions are then mapped to IAM user roles. For more information, see Managing user access in the IBM Cloud.

When a user is granted permissions in the IBM Cloud to work with the IBM Cloud Security and Compliance Center Workload Protection service, the user is automatically granted a service role. This role determines the actions that a user has permissions to run. For more information, see Controlling access through IAM.

Before you can provision an instance, you need to understand:

  • The account owner can create, view, and delete an instance of a service in the IBM Cloud, and can grant permissions to other users to work with the IBM Cloud Security and Compliance Center Workload Protection service.
  • You must have permissions to create resources in the Default resource group.
  • Other IBM Cloud users with administrator or editor permissions can manage the IBM Cloud Security and Compliance Center Workload Protection service in the IBM Cloud. These users must also have platform permissions to create resources within the context of the resource group where they plan to provision the instance.

To grant a user the administrator role for the service and to manage instances within a resource group in the account, the user must have an IAM policy for the IBM Cloud Security and Compliance Center Workload Protection service. For more information, see Granting permissions to work with the IBM Cloud Security and Compliance Center Workload Protection service.

By default, users are automatically added as members of the Secure Operations team that is predefined for each IBM Cloud Security and Compliance Center Workload Protection instance. Users have full permissions to see all the data in the web UI.

An administrator can restrict access to data by managing users in teams and controlling what data is visible. For example, to restrict users from being able to view permissions, an administrator can create a default team with limited scope and visibility, and then manually assign users to other teams. For more information, see Working with teams.

Step 2. Provision an instance

To add monitoring features with IBM Cloud Security and Compliance Center Workload Protection in the IBM Cloud, you must provision an instance of the IBM Cloud Security and Compliance Center Workload Protection service.

Instances are provisioned in the context of a resource group. A resource group organizes your services for access control and billing purposes. You can provision the IBM Cloud Security and Compliance Center Workload Protection instance in the default resource group or in a custom resource group.

To provision an instance through the IBM Cloud UI, complete the following steps:

  1. Log in to your IBM Cloud account.

    Open the IBM Cloud dashboard.

    After you log in with your user ID and password, the IBM Cloud UI opens.

  2. Click Catalog. The list of the services that are available in IBM Cloud opens.

  3. To filter the list of services that is displayed, select the Security category.

  4. Click the IBM Cloud Security and Compliance Center Workload Protection tile.

  5. Select the location.

  6. Select a service plan.

    For more information about the service plans, see Service plans.

  7. Enter a service name.

  8. Select a resource group. By default, the Default resource group is set.

  9. Click Create to provision an instance.

The service UI opens.

To provision an instance through the CLI, see Provisioning a Monitoring instance through the IBM Cloud CLI.

Step 3. Connect a data source by configuring an agent

After you provision an instance of the IBM Cloud Security and Compliance Center Workload Protection service in the IBM Cloud, you can deploy the agent on your cluster. The agent collects data that you can use for intrusion detection, posture management, vulnerability scanning, and incident response capabilities.

Figure 1. Agents that can be configured to provide data to IBM Cloud Security and Compliance Center Workload Protection

Choose one of the following options:

  1. Configure an agent for Kubernetes.
  2. Configure an agent for Red Hat OpenShift.

Step 4. Launch the web UI

After you provision an instance of the IBM Cloud Security and Compliance Center Workload Protection service, and configure a monitoring agent for your node, you can view, monitor, and manage data through the service's web UI.

You launch the web UI within the context of the IBM Cloud Security and Compliance Center Workload Protection instance, from the IBM Cloud UI.

Complete the following steps to launch the monitoring UI:

  1. Log in to your IBM Cloud account.

    Click IBM Cloud dashboard to launch the IBM Cloud dashboard.

    After you log in with your user ID and password, the IBM Cloud Dashboard opens.

  2. In the navigation menu, select Resource List.

  3. Select Security.

    The list of instances that are available on IBM Cloud is displayed.

  4. Select one instance. Then, click Open dashboard.

    The web UI opens.

Step 5. Secure your environment

See the following table for tasks that you can run to secure your environment:

Table 1. Tasks to secure your environment
| Action | Description |
|---|---|
| Integrate scanning into your CI/CD Pipeline | You can integrate scanning into your CI/CD Pipeline to analyze images that are available on the CI/CD worker nodes. |
| Configure a notification channel | You can configure a notification channel to get notified about events, anomalies, or security incidents that require attention. |
| Scan container images | You can scan container images for vulnerabilities and other violations. |
| Configure a rule | You can create a Detection Rule to detect and respond to anomalous runtime activity. You can create a rule to specify which image versions can be used. |
| Review your Compliance results | The Compliance module relies on persisting the resources in an inventory; this enhanced resource visibility and full-context prioritization drives remediation and resolution of violations. |

Next steps

To get the most out of Workload Protection, connect your instance to Security and Compliance Center. By creating a connection, you can view all of the compliance results that are returned by Workload Protection, and you can validate and view your IBM Cloud results, all in the same place. For more information, check out Connecting Workload Protection.