Scan and monitor your resources that run on IBM Cloud for compliance by using your own collector that runs on a virtual machine on your virtual private cloud.

In this day and age, maintaining a strong security and compliance posture of your resources in the cloud is of paramount importance. With the IBM Cloud Security and Compliance Center, you can stay ahead of the curve with an easy-to-use interface designed to meet the security and compliance needs of any organization running resources in any cloud environment or on-premises. To scan and monitor your resources using the IBM Cloud Security and Compliance Center, you need to gather information on all your resources running in your cloud or on-premises environment using a collector.

What is a collector?

A collector is a software module that is packaged as a Docker image installed on a virtual machine. It builds a connection between your IT resources and the IBM Cloud Security and Compliance Center to enable the service to assess your resource configurations for vulnerabilities and manage your compliance with the organization and regulatory guidelines. 

The IBM Cloud Security and Compliance Center offers two types of collectors — the IBM-managed collector and customer-managed collector. With the IBM-managed collector, IBM oversees the installation and management of the lifecycle of the collector, making it easier to get started scanning and monitoring your IT resources. This option gives you the ability to focus on just the health and security of your resources. When you choose to have IBM manage your collector, it is installed on IBM’s secure infrastructure. However, if you want to install a collector on your own virtual server instance, you would opt for a customer-managed collector. For more information about your responsibilities, see What is a collector?

Why opt for a customer-managed collector?

The customer-managed collector gives you absolute control over where the collector is installed and how it is managed. If you choose to manage your own collectors, you are responsible for the installation and management of the collectors on your own infrastructure.

If your organization has strict policies regarding the ownership of infrastructure or specific security constraints, the customer-managed collector will be the best option for you because it enables you to install and manage the collector in an isolated environment that is governed by your own security protocols.

If the managed collector cannot reach into your environment because it is disconnected from the internet or does not have any inbound connections open, you can choose to install a customer-managed collector in your environment and have it operate within your network.

What kind of infrastructure do I need?

A virtual private cloud (VPC) enables you to define and control a virtual network that’s logically isolated from all other public cloud tenants, creating a private, secure place on the public cloud for you to install a collector and gather information on your IT resources in the cloud. On your VPC, you’ll need a virtual server instance (VSI) where you can ensure high network performance, sufficient memory, and compute power for your collector to run. For more information about the requirements that are needed for a VSI, see Verifying installation requirements.

To install your collector, you will need an SSH key. The virtual server uses the key to identify a user or device through public-key cryptography. The key pair is made up of a public key that is registered with the instance and a private key that stays on the device to which it is assigned; this way, the instance can be accessed with the corresponding private key instead of a password.

To allow traffic from the internet to reach your virtual server instance, you need to create a floating IP address, bind it to the virtual server and use that address to connect to the instance and install and run your collector.

How does the collector access my resource configurations?

Credentials are used by the collector to gather information about your resource configurations, assess them and initiate any remediation that is required. In IBM Cloud, an API key is used to identify the user and any access policies that the user has been assigned. By adding an API key as a credential in the Security and Compliance Center and creating a connection, the collector can gain access to exactly the resources that the key’s access policies permit.

How do you know which resources to scan?

A scope helps you to narrow the focus of your scans to a specific environment, region or even resource, and it enables you to determine your security and compliance score across a specific area of business. Scopes can help you to determine resource availability, resource configuration and a scope’s adherence to regulatory controls as defined in a profile.

How do I initiate a scan?

You can schedule a scan to run for a specific scope to determine resource availability, resource configuration and a scope’s adherence to regulatory controls as defined in a profile. Depending on what you’re trying to accomplish, you can run different types of scans.

A discovery scan is used to determine which resources are available for a specific scope. You might use this type of scan if you’ve recently created or deleted resources. Fact-collection scans are used to gather the resource configurations of the resources that the discovery scan determined are available. A validation scan completes the tasks that are part of a discovery and fact-collection scan and then validates the configurations against a specified profile.
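To make the relationship between scopes, the three scan types and a profile concrete, here is a small Python model of that flow. It is an added example, not code from the Security and Compliance Center or the collector, and its inventory, configuration fields, profile controls and scoring rule are all constructed for illustration rather than taken from the service’s real data model.

```python
"""Toy model of the scan flow described above: a scope narrows an
inventory, a discovery scan lists what is in scope, a fact-collection
scan pulls each in-scope resource's configuration, and a validation scan
checks those configurations against a profile and scores the result.
Everything below is constructed for illustration; the resource types,
configuration keys and control ids are hypothetical, not SCC's schema."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed inventory standing in for what a collector sees through its
# credential (the API key decides which resources are visible at all).
INVENTORY = [
    {"id": "cos-1", "type": "object-storage", "region": "us-south", "env": "prod",
     "config": {"public_access": False, "encryption": "kms"}},
    {"id": "cos-2", "type": "object-storage", "region": "eu-de", "env": "prod",
     "config": {"public_access": True, "encryption": "provider"}},
    {"id": "vsi-1", "type": "virtual-server", "region": "us-south", "env": "dev",
     "config": {"floating_ip": True, "ssh_password_auth": False}},
    {"id": "vsi-2", "type": "virtual-server", "region": "us-south", "env": "prod",
     "config": {"floating_ip": True, "ssh_password_auth": True}},
]

# Hypothetical profile: control id -> (resource type it applies to,
# predicate over that resource's config, human-readable description).
PROFILE: Dict[str, Tuple[str, Callable[[dict], bool], str]] = {
    "cos-no-public-access": ("object-storage",
                             lambda c: c["public_access"] is False,
                             "Buckets must not allow public access"),
    "cos-kms-encryption": ("object-storage",
                           lambda c: c["encryption"] == "kms",
                           "Buckets must use customer-managed keys"),
    "vsi-key-only-ssh": ("virtual-server",
                         lambda c: c["ssh_password_auth"] is False,
                         "SSH must use key authentication, not passwords"),
}


@dataclass
class Scope:
    """Narrows a scan to an environment, a region and/or resource types.
    An unset field means 'no restriction' on that dimension."""
    env: Optional[str] = None
    region: Optional[str] = None
    types: Tuple[str, ...] = ()

    def matches(self, resource: dict) -> bool:
        if self.env and resource["env"] != self.env:
            return False
        if self.region and resource["region"] != self.region:
            return False
        if self.types and resource["type"] not in self.types:
            return False
        return True


def discovery_scan(scope: Scope, inventory=INVENTORY) -> List[str]:
    """Which resources exist inside the scope (ids only, no configs)."""
    return [r["id"] for r in inventory if scope.matches(r)]


def discovery_diff(previous_ids: List[str], current_ids: List[str]) -> Dict[str, List[str]]:
    """Compare two discovery results to see what was created or deleted
    since the last scan, which is the reason to rerun discovery."""
    prev, cur = set(previous_ids), set(current_ids)
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur)}


def fact_collection_scan(scope: Scope, inventory=INVENTORY) -> Dict[str, dict]:
    """Gather the configuration of every resource discovery found in scope."""
    in_scope = set(discovery_scan(scope, inventory))
    return {r["id"]: dict(r["config"]) for r in inventory if r["id"] in in_scope}


def validation_scan(scope: Scope, profile=PROFILE, inventory=INVENTORY) -> dict:
    """Run discovery and fact collection, then check each collected
    configuration against every applicable control in the profile.
    The score is the percentage of (control, resource) checks that passed."""
    facts = fact_collection_scan(scope, inventory)
    type_of = {r["id"]: r["type"] for r in inventory}
    results = []
    for control, (rtype, check, _desc) in profile.items():
        for rid, cfg in facts.items():
            if type_of[rid] != rtype:
                continue  # control does not apply to this resource type
            results.append({"control": control, "resource": rid,
                            "passed": bool(check(cfg))})
    passed = sum(1 for r in results if r["passed"])
    score = round(100 * passed / len(results)) if results else 100
    failures = [(r["control"], r["resource"]) for r in results if not r["passed"]]
    return {"checks": len(results), "passed": passed, "score": score,
            "failures": failures}


if __name__ == "__main__":
    prod = Scope(env="prod")
    print("discovered:", discovery_scan(prod))
    print("report:", validation_scan(prod))
```

Narrowing the scope changes the score because it changes which resources are checked, not which controls apply: the same profile scored over only `prod` in `us-south` drops the publicly readable bucket in `eu-de` from the report, which is exactly why the post ties a compliance score to a specific scope.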

Need help getting started?

For a step-by-step tutorial of the process detailed in this blog, check out the Monitoring IBM Cloud resources with a customer-managed collector tutorial.

Feedback

In order to ensure that we are helping you to deliver on your own mission, we’d like to hear from you with any feedback that you might have. To share your questions, comments, raves or concerns with us, use the Feedback button that can be found on any page of cloud.ibm.com.
