
How to Secure Your ROKS/IKS With IBM Cloud Security and Compliance Center Workload Protection: A Step-By-Step Guide

By Victor Hernando posted Mon February 19, 2024 09:08 AM


While businesses are increasingly adopting cloud-native strategies at a faster pace, they may struggle to keep themselves protected from cyber attacks. IBM Cloud Kubernetes Service (IKS) and Red Hat OpenShift Kubernetes Service (ROKS), like any other Kubernetes distributions, are attractive targets for cybercriminals. Bleeding-edge technology requires a rapid development pace which fosters new attack vectors and sophisticated techniques spreading at light speed. Nowadays, being on the safe side is much harder for developers, security teams, and companies.

Which vulnerability should you fix first? How can you detect and respond to cyber attacks? How are you doing in terms of security compliance? If you want to prevent, detect, and respond in a timely manner to security threats, these and many other questions should have an answer, the sooner the better.

IBM Cloud Security and Compliance Center (SCC) Workload Protection is a Cloud-Native Application Protection Platform (CNAPP) that helps you secure your cloud-native applications, and your cloud and hybrid infrastructures. In this blog post, we’ll show you how to start with Workload Protection in minutes, and what you should expect on your first steps into this exciting journey.

Workload Protection: A Quick Overview

Good news: Workload Protection is available as a security offering in the IBM Cloud service catalog.

As a CNAPP solution, Workload Protection addresses security risks across the whole attack surface: from shift left, when developers and security teams need assistance in the early stages of the software lifecycle, to shield right, when the application is running.

Workload Protection is also a multi-cloud security solution. That means it not only protects your IKS, ROKS, Kubernetes, and OpenShift on-prem clusters, but also covers the main cloud providers, multiple cloud Kubernetes flavors and cloud services, and bare-metal hosts and virtual machines.

In terms of scalability and availability, the Workload Protection agent is deployed via DaemonSet across your IKS/ROKS nodes. It gathers insights from your nodes and pushes that data to the Workload Protection backend.

Let’s see in detail how to start with Workload Protection. First step: Deploying the agent.

Deploying the Agent

If you are not familiar with either UNIX commands or terminals, don’t worry at all! This is a smooth process, and you can take advantage of the Helm charts available for this purpose. 

First, just after logging into the Workload Protection platform, IBM users will come across the deployment instructions at the onboarding page. Just click on “Install the Agent” -> “Edit sources” and follow the instructions.

If you have your own Kubernetes/OpenShift cluster hosted outside IBM Cloud, you can also connect your clusters to the Workload Protection platform. Check out the documentation to learn more about the integration process.

Agent Installation Step By Step

IKS/ROKS Cluster on IBM Cloud

If you want to secure one of your IKS (IBM Kubernetes Service) / ROKS (Red Hat OpenShift Kubernetes Service) clusters with Workload Protection, follow the step-by-step instructions and parameters that are already automatically generated for you.

Once you are in your Workload Protection instance portal, click on “Get connected” -> “Install the agent” -> “Edit sources.” Select your IKS/ROKS instance and follow the steps.

Workload Protection: First Actions to Take

At this point, the agent should have been deployed successfully. Wait for a few minutes until the backend starts processing data from your infrastructure, then log into your Workload Protection instance. Security events, vulnerability information, and compliance data will show up automatically.

Insights gives you a live overview of the security events reported in your infrastructure. Every asset listed here is an actionable item that comes with enough data to make informed decisions.

Security for Cloud-native Applications

It was great to see how easy it is to get started with Workload Protection, but at this point, you may have several questions: 

What are the features Workload Protection brings to secure your cloud-native applications? What are the next steps?

Keep reading the blog to dive deeper.

Use Case No. 1: Cloud Security Posture Management

Cloud Security Posture Management (CSPM), Kubernetes Security Posture Management (KSPM), and Cloud Infrastructure Entitlement Management (CIEM) are some of the features included in Workload Protection. Identify, prioritize, and fix Kubernetes and cloud misconfigurations across multiple cloud environments with visibility into cloud assets, misconfiguration, and suspicious activity using a single tool.

Workload Protection comes with out-of-the-box policies based on compliance standards such as PCI DSS and NIST SP 800-53, among others. Just go to “Posture” -> “Compliance” and start consuming the out-of-the-box compliance reports. But that’s not all. Compliance controls not only offer information about which of those are failing, but also give you remediation guidelines to fix the issue and become compliant with the policy again. 

By enforcing compliance standards leveraging CSPM and KSPM capabilities, companies not only ensure they are safe, but also reduce workload overhead and improve efficiency within the organization.

What use cases does CSPM cover?

  • Get visibility into multi-cloud compliance and security posture by discovering cloud assets and identifying misconfigurations.

  • Drill down through your public and hybrid clouds with rich context.

  • Meet and track security posture progress with detailed reports and alerts for a broad variety of frameworks: CIS, PCI, NIST 800-53, SOC2, GDPR, HIPAA, ISO-27001-53, etc.

  • Get guided remediation for meeting compliance standards, and fast coverage thanks to the out-of-the-box policies, dashboards, and alerts.

Use Case No. 2: Vulnerability Management

Vulnerability Management (VM) ensures you have enough data about security threats across the software lifecycle by identifying, triaging, and prioritizing software vulnerabilities. The whole lifecycle is covered, from shift left, where developers and DevOps teams build and push applications into the pipeline, to shield right, where cloud-native applications are at runtime.

When it comes to detecting vulnerabilities at early stages, image scanning on IBM Container Registry (ICR) is key to prevent promoting vulnerabilities and putting production at risk. 

Furthermore, VM in Workload Protection goes to the next level by providing runtime insights. Developers can now correlate vulnerabilities with packages used at runtime, prioritizing those vulnerabilities that represent a real and immediate risk for their business.


Let’s enumerate some of the VM use cases:

  • Secure the entire life cycle. Secure your CI/CD pipeline, from source to run, by integrating image container scanning into pipeline tools, repos, and registries.

  • Monitor vulnerabilities in production and assess the risk impact of new vulnerabilities (CVEs) in packages in production in seconds.

  • Prioritize vulnerabilities with runtime context. Eliminate the noise and stop vulnerability overload by prioritizing and fixing what is really urgent.

  • Scan hosts at runtime for vulnerabilities as well as risky configurations and compliance violations, unifying containers and host scanning in a single workflow.

Use Case No. 3: Threat Detection & Response

With Cloud Workload Protection Platform (CWPP) capabilities, customers can protect their cloud-native applications against bad actors by responding immediately to security threats.

Runtime security events are reported in real time, so users can rely on the accuracy of what’s being reported in the events feed. Thanks to the simple, accurate, and meaningful data provided, Mean Time to Repair (MTTR) is shortened. Security teams can respond accordingly, in a timely manner, avoiding running into serious trouble.

In the events feed panel, customers will find a list of security events captured in their infrastructure. Process Tree, along with the out-of-the-box information captured from Kernel insights, gives you a better understanding of what's going on. Customers can drill down through the data and get valuable comprehensive information, such as the command executed, arguments, IPs, etc. Troubleshoot and make informed decisions based on real, live, and accurate data, or let Workload Protection automatically stop the attack on your behalf by using the automatic response against security threats.

Some of the use cases that cloud detection and response (CDR) covers in the cloud security space are:

  • Real-time threat detection. Stop attacks up to 10 times faster.

  • End-to-end coverage. Consolidate security across containers, cloud services, Linux/Windows servers, identities, and third-party applications from a single pane of glass.

  • Container drift prevention. Block executables that were not in the original container. Stop malicious activities by enforcing cloud-native immutability principles.

  • Kubernetes audit logging

  • Malware detection

  • Live threat investigation and incident response

  • Automate response actions (pause, kill, notify)

Use Case No. 4: Network Security

This feature brings the ability to not only monitor, but to generate Kubernetes Network Policies based on the actual ingress and egress traffic. Strengthen and enforce network security by defining and tuning your own security policies.

Some of the use cases you can cover with network security:

  • Enforce zero-trust network segmentation between Pods and services by blocking suspicious connections and stopping lateral movement.

  • Automatically profile Kubernetes network traffic and create ingress and egress least-privilege policies.

  • Visualize and modify all network communications between Pods and services from the UI.

  • Meet and validate compliance requirements (NIST) that call for network visibility and segmentation.
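
To make the idea of generating least-privilege policies from observed traffic concrete, here is an added example. It is not Workload Protection's own code or output. It turns a list of observed flows into standard Kubernetes NetworkPolicy objects; the flow records, the "app" label key, and the "shop" namespace are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of observed pod-to-pod flows:
# (source app, destination app, destination port, protocol).
OBSERVED_FLOWS = [
    ("frontend", "cart", 8080, "TCP"),
    ("frontend", "catalog", 8080, "TCP"),
    ("cart", "redis", 6379, "TCP"),
    ("frontend", "cart", 8080, "TCP"),  # repeated observation, must not duplicate rules
    ("catalog", "redis", 6379, "TCP"),
]

def build_policies(flows, namespace="shop"):
    """Return one NetworkPolicy per workload that allows only the observed traffic."""
    ingress = defaultdict(lambda: defaultdict(set))  # dst -> (port, proto) -> {src}
    egress = defaultdict(lambda: defaultdict(set))   # src -> (port, proto) -> {dst}
    apps = set()
    for src, dst, port, proto in flows:
        ingress[dst][(port, proto)].add(src)
        egress[src][(port, proto)].add(dst)
        apps.update((src, dst))

    def rules(table, peer_key):
        # One rule per (port, protocol), listing every peer seen on that port.
        return [
            {
                peer_key: [{"podSelector": {"matchLabels": {"app": p}}}
                           for p in sorted(peers)],
                "ports": [{"port": port, "protocol": proto}],
            }
            for (port, proto), peers in sorted(table.items())
        ]

    return [
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"{app}-observed", "namespace": namespace},
            "spec": {
                "podSelector": {"matchLabels": {"app": app}},
                # Declaring both types makes a direction with no rules default-deny.
                "policyTypes": ["Ingress", "Egress"],
                "ingress": rules(ingress[app], "from"),
                "egress": rules(egress[app], "to"),
            },
        }
        for app in sorted(apps)
    ]

if __name__ == "__main__":
    print(json.dumps(build_policies(OBSERVED_FLOWS), indent=2))
```

Because every generated policy declares the Egress type, traffic that was never observed is denied, including DNS lookups on port 53. Review the profiled flows for such dependencies before enforcing the result.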

Use Case No. 5: Cloud Forensics

Workload Protection comes with a set of tools that helps Security teams with analyzing security events. Cloud-native applications run on containers, and most of them are ephemeral, with a really short lifespan, making troubleshooting efforts much harder.

Captures is a tool that allows customers to do post-mortem analysis by going through syscalls and raw data from a container capture taken during a security event. It’s similar to how you’d analyze a network capture in Wireshark.


Cloud security can be tough. Companies have to be ready to detect and respond against threats in a timely manner. IBM Cloud Security and Compliance Center (SCC) Workload Protection is a CNAPP service that helps customers secure their Kubernetes and Cloud environments with minimum effort and a fast onboarding experience. After following a few simple steps, and in just minutes, your data will start showing up automatically.

What’s next?

If you want to learn more about how Workload Protection can help you secure your cloud-native applications, take a look at the following resources and visit the IBM Cloud catalog. You can request a 30-day free instance. You’ll be up and running in a few minutes!