FAQ for Workload Protection
Frequently asked questions about IBM Cloud Security and Compliance Center Workload Protection.
What is the difference between the Free Trial and Graduated Tier plans?
The Free Trial plan gives you access to all Workload Protection capabilities for 30 days at no cost. After 30 days, you can upgrade to the Graduated Tier plan, which is the paid plan. For more information, go to Pricing.
How is pricing calculated for Workload Protection?
Your pricing depends on how you use Workload Protection:
- Cloud security posture management (CSPM) for cloud compliance: Priced per compute instance being scanned. For a list of compute instances that incur charges, see billable resources. Other cloud resources that are scanned for CSPM do not incur charges.
- Kubernetes protection with agents installed on clusters: Priced per worker node hour.
- Host protection with agents installed on virtual machines: Priced per virtual machine (VM) node hour.
Pricing is calculated monthly or hourly according to your consumption. As your usage grows, you can benefit from volume discounts across pricing tiers. For more information, go to Pricing.
Can I use Terraform to automate Workload Protection provisioning?
Yes. The Workload Protection module provides a curated Terraform configuration for provisioning and managing IBM Cloud Security and Compliance Center Workload Protection instances as code. You can use it to automate instance setup consistently across accounts or environments. For an overview of available IBM Cloud Terraform modules, see About Terraform IBM Modules.
Which operating systems and platforms does the Workload Protection agent support?
The agent supports Kubernetes clusters (Kubernetes Service, ROKS), Red Hat OpenShift clusters, Satellite clusters, Linux hosts (Debian, Ubuntu, CentOS, RHEL, Fedora, Amazon Linux), Windows servers, AIX hosts on Power Virtual Server, and Linux hosts on Power Virtual Server.
You can also deploy the agent on Kubernetes or Red Hat OpenShift clusters that run outside IBM Cloud, including on other cloud providers or on-premises. For deployment instructions, go to Managing the agent.
What network ports does the Workload Protection agent require?
The agent requires outbound TCP traffic to the collector endpoint on port 6443 and to the API endpoint on port 443. Both ports must be open for outbound traffic from your cluster or host to the Workload Protection service endpoints. This applies to both public and private endpoint connections, including connections by using Virtual Private Endpoint (VPE). For a list of endpoints, go to Endpoints.
What Helm version is required to deploy the Workload Protection agent?
Helm 3.6 or later is required to deploy the Workload Protection agent with a Helm chart on Kubernetes, Red Hat OpenShift, or Satellite clusters.
What features are available for different containers and hosts?
Workload Protection provides the following security capabilities based on where you deploy the agent:
| Environment | Threat detection and response | Posture management | Host scanning |
|---|---|---|---|
| Kubernetes clusters | |||
| Red Hat OpenShift clusters | |||
| Satellite clusters | |||
| Linux hosts | |||
| Windows servers | |||
| Linux hosts on Power Virtual Server | |||
| AIX hosts on Power Virtual Server | |||
- Threat detection and response
- Identifies threats based on application, network, and host activity.
- Posture management
- Scans host configuration files and resources for compliance against benchmarks such as CIS benchmarks.
- Host scanning
- Detects vulnerabilities and identifies resolution priority.
For deployment instructions, go to the agent deployment documentation for Kubernetes, Red Hat OpenShift, Satellite, Windows servers, Linux hosts on PowerVS, or AIX hosts on PowerVS.
How do I deploy agents to protect my workloads?
The deployment process varies depending on the environment where your workloads run:
Adding agents to containers (Kubernetes, Red Hat OpenShift, Satellite)
To deploy agents in container environments, complete the following steps:
- Verify that you have Helm 3.6 or later installed
- Obtain your Workload Protection access key and collector endpoint from your instance
- Verify that outbound TCP traffic is allowed on port 6443 (collector) and port 443 (API)
- Add the Workload Protection Helm repository
- Deploy the agent by using the Helm chart with your access key and collector endpoint
- Verify that the agent pods are running successfully
Adding agents to hosts (Linux, Windows, AIX on Power Virtual Server)
To deploy agents on host systems, complete the following steps:
- Obtain your Workload Protection access key and collector endpoint from your instance
- Verify that outbound TCP traffic is allowed on port 6443 (collector) and port 443 (API)
- Download the appropriate agent installer for your operating system
- Run the installation script or command with your access key and collector endpoint
- Verify that the agent service is running and connected
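Both deployment lists above share the same prerequisites: a Helm 3.6 or later client (containers only), and outbound TCP reachability to the collector on port 6443 and the API endpoint on port 443. The following pre-deployment check is an added example, not IBM's or Sysdig's code; the `COLLECTOR_HOST` and `API_HOST` values are placeholders for your instance's endpoints, and connectivity is probed with bash's `/dev/tcp` so no extra tools are needed.

```bash
#!/usr/bin/env bash
# Added example: verify Workload Protection agent prerequisites before deploying.
# Not IBM code. Endpoint hostnames are placeholders; take yours from the instance
# (see Endpoints). Only the ports stated in the FAQ are checked: 6443 and 443.
set -u

COLLECTOR_HOST=${COLLECTOR_HOST:-"COLLECTOR_ENDPOINT_PLACEHOLDER"}  # placeholder
API_HOST=${API_HOST:-"API_ENDPOINT_PLACEHOLDER"}                    # placeholder

# Returns 0 when a Helm short version string (e.g. "v3.12.3+g825e86f") is >= 3.6.
helm_version_ok() {
  local v=${1#v}; v=${v%%+*}          # strip leading "v" and the "+gHASH" suffix
  local major=${v%%.*}
  local rest=${v#*.}
  local minor=${rest%%.*}
  if (( major > 3 || (major == 3 && minor >= 6) )); then return 0; fi
  return 1
}

# Returns 0 when an outbound TCP connection to host:port succeeds within 5 s.
tcp_reachable() {
  local host=$1 port=$2
  timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

run_checks() {
  local rc=0
  if command -v helm >/dev/null 2>&1; then
    local hv; hv=$(helm version --short 2>/dev/null || true)
    if helm_version_ok "$hv"; then echo "ok   helm $hv (>= 3.6)"
    else echo "FAIL helm $hv is older than the required 3.6"; rc=1; fi
  else
    echo "skip helm not installed (needed only for Kubernetes, OpenShift, Satellite)"
  fi
  # Collector on 6443 and API on 443, as stated in the FAQ.
  for spec in "$COLLECTOR_HOST:6443:collector" "$API_HOST:443:API"; do
    IFS=: read -r host port label <<<"$spec"
    if tcp_reachable "$host" "$port"; then echo "ok   outbound TCP to $label $host:$port"
    else echo "FAIL outbound TCP to $label $host:$port is blocked or unresolvable"; rc=1; fi
  done
  return $rc
}

# Run only when explicitly requested, so the file can also be sourced for its functions.
if [ "${RUN_CHECKS:-0}" = "1" ]; then run_checks; fi
```

Run it with `RUN_CHECKS=1 COLLECTOR_HOST=... API_HOST=... bash check.sh` from the cluster node or host that will run the agent, since the check only proves reachability from where it executes.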
For detailed deployment instructions specific to your environment, go to the agent deployment documentation for Kubernetes, Red Hat OpenShift, or host environments.
Who is responsible for keeping the Workload Protection agent up to date?
IBM provides regular updates to the agent image with new features, defect fixes, and security fixes, and documents changes in the agent release notes. You are responsible for updating the agent in your environment to keep it current as new versions are made available. You can track new features and enhancements in the release notes.
Which IBM Cloud services can I scan for compliance issues?
You can scan a broad range of IBM Cloud services for compliance issues, including IBM Cloud Object Storage, Kubernetes Service, Red Hat OpenShift, Virtual Private Cloud (VPC) resources, Secrets Manager, databases like Databases for Elasticsearch, Key Protect, Container Registry, Code Engine, Event Streams, Direct Link, Transit Gateway, Schematics, Monitoring, Hyper Protect Crypto Services, App ID, and more. For the complete list, go to About IBM Cloud Security Posture Management (CSPM).
How does Workload Protection collect my IBM Cloud resource configurations for compliance scanning?
Workload Protection uses the aggregator feature of App Configuration to gather your resource configuration details for compliance scanning. The aggregator feature is free and included in the Basic plan of App Configuration. The integration uses IBM Cloud Identity and Access Management trusted profiles to manage permissions. For more information, go to Implementing CSPM for IBM Cloud.
How long does it take to view compliance scan results after I connect my IBM Cloud account to Workload Protection?
Results are typically displayed 5-10 minutes after the connection is established, depending on the number of resources in your account.
Can I use Workload Protection to scan my IBM Cloud enterprise for compliance?
Yes. You can integrate your IBM Cloud enterprise account to scan for compliance across all accounts in your organization. For more information, go to Implementing CSPM for IBM Cloud and Setting up Workload Protection to scan an enterprise for compliance.
How do I set up my enterprise account to work with Workload Protection?
To enable Workload Protection to scan all child accounts in your enterprise, you must set up trusted profile templates and trusted profiles in your enterprise account. Without this configuration, App Configuration cannot scan child accounts, and compliance data is collected from the enterprise account only.
Complete the following steps:
- Create a trusted profile template with the following access policies: Viewer and ConfigReader for All Account Management services, and Reader, Viewer, and ConfigReader for All Identity and Access enabled services.
- Assign the trusted profile template to your child accounts and account groups in the enterprise.
- Create a trusted profile to grant App Configuration access to read the trusted profile template with the following access policies: Viewer role on the Enterprise service, and Template Administrator, Assignment Administrator, and Viewer roles for All IAM Account Management services.
- Configure the configuration aggregator in your App Configuration instance with your enterprise ID, trusted profile template ID, and trusted profile ID.
For detailed step-by-step instructions, go to Setting up Workload Protection to scan an enterprise for compliance. For best practices, go to Best practices for enterprise accounts.
Is CSPM data collection affected if I enable context-based restrictions on my IBM Cloud resources?
Yes. When context-based restrictions are enabled for any resource in your IBM Cloud account, configuration data cannot be collected unless access to that resource is explicitly provided. To provide access, you need to create a rule. When asked to add a context, create a network zone and select App Configuration as the reference service. For more information, go to Implementing CSPM for IBM Cloud.
How often does Workload Protection scan my IBM Cloud resources for compliance?
Workload Protection automatically scans all connected IBM Cloud accounts every 24 hours based on the compliance policies that you applied. The 24-hour schedule begins when you connect an account for the first time. You can also run scans on demand at no additional charge.
Compliance violations are displayed on the Compliance page in the Workload Protection UI. A compliance snapshot is also available from Security > Overview in IBM Cloud console.
Can I accept a compliance risk without remediating it?
Yes. For any failing control, you can accept the risk either temporarily (with an expiration date) or permanently. You can accept risk at the individual resource level or globally for all the resources that are associated with a specific control. Accepted risks are tracked and visible in the compliance overview. For more information, go to Analyzing compliance postures from detection to remediation.
Can I create custom posture policies and controls?
Yes. You can create custom posture policies from scratch or by starting from an existing predefined policy as a template. You can also create custom controls and customize control parameters to tailor compliance evaluation to your organization's specific requirements. For more information, go to Creating a custom policy and Creating custom controls.
Who is responsible for managing custom threat detection rules and policies?
You are responsible for updating your custom policies and tracking changes to them through your own change management process. IBM updates the default rules and policies as requirements change. For more information, go to Understanding your responsibilities.
What access do users need to use Workload Protection?
Users need both platform and service roles to work with Workload Protection:
- Platform roles
- Control access to manage instances in IBM Cloud. Users need at least the Viewer role to view instances, and the Administrator or Editor role to create or delete instances.
- Service roles
- Define permissions within the Workload Protection UI. The Manager role provides full access including managing access keys, teams, and agents. The Writer role allows creating and editing content, managing policies, and viewing reports. The Reader role provides view-only access to events, reports, and policies.
A user with an Administrator platform role automatically has the Manager service role permissions. For detailed information about roles and permissions, go to Controlling access through IAM.
What are the predefined policies that I can use with Workload Protection?
Workload Protection provides several types of predefined policies to help you secure your workloads:
- Supply chain policies
- Validate container image signatures and enforce security requirements before deployment. These policies help ensure that only trusted images run in your environment.
- Threat detection policies
- Detect runtime threats by using Falco-based rules that monitor application, network, and host activity. These policies identify suspicious behavior and security incidents as they occur.
- Vulnerability management policies
- Identify and prioritize vulnerabilities in container images and hosts. These policies help you understand which vulnerabilities pose the greatest risk and should be remediated first.
- Posture policies
- Evaluate compliance against security benchmarks and regulatory frameworks such as CIS benchmarks, PCI DSS, NIST, and IBM Cloud Framework for Financial Services. These policies scan your cloud resources and workload configurations for compliance violations.
You can view and apply these policies from Workload Protection under Policies. For more information about policy types and how to use them, go to Policies in the Sysdig documentation. For IBM Cloud-specific posture policies, go to Posture policies.
Do context-based restrictions affect Workload Protection agent connectivity?
No. Context-based restrictions do not affect the connectivity of Workload Protection agents because agents authenticate by using access keys rather than IBM Cloud® Identity and Access Management tokens. Agents can connect through either public or private service endpoints. For more information, go to Protecting resources with context-based restrictions.
When context-based restrictions are enabled for any resource in your IBM Cloud account, compliance data cannot be collected unless access to that resource is explicitly provided.
What IAM roles are required to create or update context-based restriction rules for Workload Protection?
A user must have the Administrator role on the Workload Protection service to create, update, or delete context-based restriction rules. To create, update, or delete network zones, a user must have the Editor or Administrator role on the Context-based Restrictions service. A user with the Viewer role on the Context-based Restrictions service can only add network zones to an existing rule. For more information, go to Protecting resources with context-based restrictions.
Does Workload Protection remain available during regional outages?
Yes. Workload Protection is a multi-tenant, regional service deployed across multizone regions (MZRs). Each region has three availability zones (data centers) for redundancy, with independent power, cooling, and network infrastructure. If one zone fails, the service continues operating from the remaining zones. The service is available in nine regions across Asia Pacific, Europe, North America, and South America. For more information, go to High availability and disaster recovery.
Which actions generate audit events in Workload Protection?
Workload Protection automatically generates Activity Tracker Event Routing audit events when the following actions occur:
- When captures are created, read, listed, updated, or deleted
- When teams are created, read, listed, updated, or deleted
- When access keys are created
These events comply with the Cloud Auditing Data Federation (CADF) standard. For more information, go to Auditing events.
What advanced security features does Workload Protection provide?
Workload Protection provides comprehensive security capabilities for your workloads. Key features include:
- Posture Management
- Organize resources into zones for compliance evaluation, apply posture policies, and track compliance across your cloud infrastructure and Git repositories.
- Supply Chain Security
- Validate image signatures, enforce supply chain policies on Kubernetes clusters, and ensure that container images meet security requirements before deployment.
- Runtime Protection
- Detect threats continuously using Falco-based detection rules, tune runtime policies to reduce false positives, and automatically adjust security policies based on observed application behavior.
- Incident Response
- Use Rapid Response to connect to remote shells for investigating security events, run security tools directly from alerts, and troubleshoot incidents without separate host access.
- Activity Monitoring
- Track commands, network activity, file operations, and Kubernetes API requests with Activity Audit for forensics and investigation.
- Integration
- Forward security events to third-party SIEM platforms like Splunk, Elastic Stack, QRadar, and ArcSight for centralized security analysis.
For detailed configuration and usage of these features, go to the Sysdig Secure documentation. For IBM Cloud-specific setup and integration, go to the Workload Protection documentation.