Authors:
Andrew Cursons, Solution Engineer - Technology Expert Labs Cloud
Imran Khan, Senior Solution Engineer - Technology Expert Labs Cloud
Carlos Tolon - Business Partner - Product Specialist at Sysdig
------------------------------------------------------------------------------
The growth of the cloud computing paradigm has undoubtedly fuelled an increased awareness of the need for security and for the monitoring of an ever-changing landscape of threats to the world’s IT infrastructure. IBM Cloud offers its Security Compliance Center (SCC) Workload Protection as a cloud-native platform for monitoring hybrid cloud environments, protecting critical workloads, and managing compliance and vulnerabilities. Further information is available from the documentation:
https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started
Installation
It is important to note that Workload Protection and Monitoring are related concepts and can share the same agent on enabled hosts. Whilst the monitoring and workload protection instances are separate, they are linked and can both be created from the IBM Cloud catalog.
The SCC Workload Protection instance can be installed using the IBM Cloud console. When searching the catalog while creating the resource, use the phrase ‘security’ and select ‘Security Compliance Center Workload Protection’. Once selected, the creation page is displayed. First select the location to host the instance and then select a plan. Next choose a meaningful name for the SCC Workload Protection instance and assign it to a resource group. If the monitoring features are also wanted, slide the toggle to the right and click the edit button in the monitoring instance details box; enter a name for the monitoring instance, select the resource group to contain it and the pricing plan, then click the save button on the new instance details banner. Finally, tick the license terms checkbox and click the Create button. The service instance is then created and ready to use.
Environment Monitoring
The monitoring of environments is carried out by installing agents on the environments to be monitored. Instructions on installing the agents are available from the Cloud portal SCC Workload Protection instance by selecting the ‘Sources’ option in the left-hand menu panel. This information is also available from the main documentation stream: https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-getting-started under the ‘Managing the agent’ subsection.
Organizing the environment
If a large number of resources are going to be tracked, it is worth considering up front how to categorise and manage them. The SCC Workload Protection dashboard, which can be opened from the cloud portal SCC Workload Protection instance overview page, can group the monitored resources into zones.
A zone, in SCC Workload Protection, is a collection of scopes that represent important areas of your business; for example, a zone for your business’ production environment. Zones are grouped by attributes of the agents, the most useful of which is the tags attribute, as it allows the end user to control the grouping. Having set up the zones, it is necessary to associate them with the posture policies which are to be applied. This is done as part of setting up the zone: when creating the zone, the posture policies for that zone are specified. This allows the development zone, for example, to have a less stringent set of policies applied to it than the production zone.
It is important to note that zones are only displayed if they contain posture policies which apply to the specified scope. If your zone fails to show up under ‘Compliance’ on the dashboard ‘Overview’ page, the chances are that the selected scope and policy are disjoint and there is therefore nothing to display. For more details about zones see: https://cloud.ibm.com/docs/workload-protection?topic=workload-protection-posture-zones.
The tags are reported back to the service and are thus available from drop-down lists when setting up the zone filters.
Adding tags to the agents is a straightforward process and is best done once the agent has been installed. The process of adding tags depends on the platform being monitored; details are provided below:
Supported Platforms
Kubernetes (IKS) Cluster
With an IKS cluster the easiest way to add tags is to open the Kubernetes dashboard, select ConfigMaps from the menu on the left, then select sysdig-agent from the list of maps. Clicking the pencil in the blue banner allows the YAML to be edited: locate the dragent.yaml entry under data and add a new tags value, aligned with the collector entry, in the form shown for Linux below. Then click the Update button.
OpenShift (ROKS) Cluster
OpenShift is handled in a similar manner to Kubernetes. However, when the sysdig-agent ConfigMap is displayed, click the YAML tab to edit the YAML, then proceed as above and, when done, click the Save button.
Linux
In the case of Linux hosts the file /opt/draios/etc/dragent.yaml can be edited after installation and the tags added as a new value in the general section, for example by adding a new line after the collector_port entry. The line should be of the form:
tags: tag1:value1, tag2:value2, . . .
Once the dragent.yaml file has been edited, the dragent service needs to be restarted for the tags to take effect.
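The Linux edit above (and the same edit to the dragent.yaml used on Windows, PowerVS and VMware hosts, or to the dragent.yaml value held in the sysdig-agent ConfigMap on a cluster) is easy to get wrong when repeated across many hosts: a second run can leave two tags: lines, or a typo can leave a tag without a value that the agent then reports incorrectly. The following POSIX shell script is an added example written for this article, not code from IBM or Sysdig. It validates that every tag is of the form key:value, replaces an existing tags: line or inserts one directly after collector_port, and writes through a temporary file so an interrupted edit never leaves a half-written configuration. The file path, the sample configuration contents and the placeholder customer id are constructed for the demonstration; the service name dragent used by restart_dragent is assumed to be that of a standard package install.

```shell
#!/bin/sh
# Added example: idempotently set the "tags:" entry of a Sysdig agent
# dragent.yaml. Not part of the original article or of the agent itself.

# validate_tags "k1:v1, k2:v2"
# Returns 0 only if every comma-separated item has a non-empty key and value.
validate_tags() {
    _tags=$1
    [ -n "$_tags" ] || return 1
    printf '%s\n' "$_tags" | tr ',' '\n' | while IFS= read -r item; do
        # trim surrounding whitespace so "a:b, c:d" is accepted
        item=$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case $item in
            ?*:?*) ;;          # key:value with both sides present
            *) exit 1 ;;      # empty item or missing ':' -> reject whole list
        esac
    done
}

# set_dragent_tags FILE "k1:v1, k2:v2"
# Replaces a top-level "tags:" line if present; otherwise inserts one right
# after "collector_port:"; otherwise appends it. Never produces two tags: lines.
set_dragent_tags() {
    _file=$1
    _tags=$2
    validate_tags "$_tags" || { echo "invalid tags: '$_tags'" >&2; return 1; }
    [ -f "$_file" ] || { echo "no such file: $_file" >&2; return 1; }
    _tmp=$(mktemp) || return 1
    # Pass 1 (FNR == NR) only records whether a tags: line already exists;
    # pass 2 rewrites the file using that knowledge.
    awk -v tags="$_tags" '
        FNR == NR { if ($0 ~ /^tags:/) has = 1; next }
        /^tags:/ { print "tags: " tags; next }
        { print }
        !has && /^collector_port:/ { print "tags: " tags; has = 1 }
        END { if (!has) print "tags: " tags }
    ' "$_file" "$_file" > "$_tmp" || { rm -f "$_tmp"; return 1; }
    mv "$_tmp" "$_file"
}

# get_dragent_tags FILE -> prints the current tag list (empty if none)
get_dragent_tags() {
    sed -n 's/^tags:[[:space:]]*//p' "$1"
}

# The agent only reads dragent.yaml at start-up, so restart it after editing.
# Service name "dragent" is assumed (standard systemd install); not invoked here.
restart_dragent() {
    systemctl restart dragent
}

# Demonstration on a constructed dragent.yaml (values are placeholders).
demo_file=$(mktemp)
printf 'customerid: PLACEHOLDER-ACCESS-KEY\ncollector: ingest.example.invalid\ncollector_port: 6443\nssl: true\n' > "$demo_file"
set_dragent_tags "$demo_file" "env:prod, role:web"
echo "tags now: $(get_dragent_tags "$demo_file")"
rm -f "$demo_file"
```

Run the script as root with the real path, e.g. set_dragent_tags /opt/draios/etc/dragent.yaml "env:prod, role:web" followed by restart_dragent, and the zone filter drop-downs in the dashboard will offer the new tag values once the agent has reconnected. Because the rewrite is idempotent, the same invocation can be placed in a configuration-management run without accumulating duplicate tags: lines on repeated applies.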
Windows
At this time only threat detection is supported on Windows; additional features are to be made available in future versions. Adding tags to the sysdig-agent is straightforward: once the agent has been installed, edit the file dragent.yaml, located by default in the directory ‘C:\Program Files\Sysdig\Agent\Config’, as for Linux above.
PowerVS
At the time of writing the PowerVS environment is only supported with the Linux operating system installed; neither AIX nor IBM i is available. Having followed the sysdig-agent install instructions, the tags can be added in the same manner as for Linux above.
VMware
Individual virtual machines can have the agent installed on them and tags can be applied in the manner outlined above for Windows and Linux hosts.
Satellite
SCC Workload Protection can be used to monitor clusters in a Satellite environment using the published instructions. Tagging of the agents is a matter of following the instructions outlined for clusters above.
Other Hyper-Scalers
The other supported hyperscalers are onboarded using the ‘Connect another data source’ tile available from the Home page of the SCC Workload Protection dashboard.
Related resources
Provided below is a set of curated resources giving further details of the SCC Workload Protection product. These documents are blogs based on customer scenarios and industry standards. It is worth remembering that, with the threat and vulnerability landscape being highly dynamic and constantly evolving, specific details in blogs are likely to become outdated. However, the fundamental capabilities and concepts tend to remain fairly constant.
Carlos Tolon - ‘Prioritizing Vulnerabilities with IBM Security and Compliance Center Workload Protection’: available at https://community.ibm.com/community/user/cloud/blogs/carlos-tolon/2023/11/03/prioritizing-vulnerabilities-with-ibm-security-and?CommunityKey=dd1ee2bc-c83b-4afb-bd1c-9095ff0c3bc1
Carlos Tolon - ‘Scanning Vulnerabilities with the IBM Cloud Security and Compliance Center Workload Protection Registry Scanner and IBM Cloud Code Engine’: available at https://community.ibm.com/community/user/cloud/blogs/carlos-tolon/2024/03/15/scanning-vulnerabilities-with-the-ibm-cloud-securi
Carlos Tolon - ‘Linux for PowerVS Security with IBM Security and Compliance Center’: available at https://community.ibm.com/community/user/cloud/blogs/carlos-tolon/2024/05/17/linux-for-powervs-security-with-ibm-security-and-c
Victor Guerrero - ‘Scanning images in IBM Container Registry with IBM Security and Compliance Center Workload Protection’: available at https://community.ibm.com/community/user/cloud/blogs/victor-guerrero/2023/11/07/scanning-images-in-ibm-container-registry-with-ibm
Victor Guerrero - ‘Windows Threat Detection with IBM Security and Compliance Center Workload Protection’: available at https://community.ibm.com/community/user/cloud/blogs/victor-guerrero/2024/01/11/windows-threat-detection-with-ibm-security-and-com?CommunityKey=dd1ee2bc-c83b-4afb-bd1c-9095ff0c3bc1
Victor Hernando - ‘How to Secure Your ROKS/IKS With IBM Cloud Security and Compliance Center Workload Protection: A Step-By-Step Guide’: available at https://community.ibm.com/community/user/cloud/blogs/victor-hernando/2024/02/19/how-to-secure-roks-iks
Victor Hernando - ‘Introducing the New Searchable Inventory in Workload Protection’: available at https://community.ibm.com/community/user/cloud/blogs/victor-hernando/2024/04/25/introducing-the-new-searchable-inventory-in-worklo
Victor Hernando - ‘Visualizing and Prioritizing Cloud Security Risks in Workload Protection With Risks and Attack Path’: available at https://community.ibm.com/community/user/cloud/blogs/victor-hernando/2024/05/15/visualizing-and-prioritizing-cloud-security-risks
Ahcene Fekir - ‘Enhancing Kubernetes cluster security through IBM Workload Protection and Kubernetes audit logs’: available at https://community.ibm.com/community/user/cloud/blogs/ahcene-fekir/2024/07/23/enhancing-kubernetes-cluster-security-through-ibm?CommunityKey=dd1ee2bc-c83b-4afb-bd1c-9095ff0c3bc1
Janet Van - ‘Easily secure your IBM Cloud for VMware Cloud Foundation as a Service (VCFaaS) Linux Hosts with IBM Cloud Security and Compliance Center Workload Protection’: available at https://community.ibm.com/community/user/cloud/blogs/janet-van/2024/08/21/secure-vcfaas-with-scc-workload-protection
Conclusion
The security landscape is constantly evolving; as such, it is recommended to keep regularly apprised of the release notes and announcements relating to the IBM Cloud SCC Workload Protection product. It is also worthwhile to keep up to date with the blogs available on the subject.