Scan and monitor your resources that run on IBM Cloud for compliance by using your own collector that runs on a virtual machine on your virtual private cloud.

In this day and age, maintaining a strong security and compliance posture of your resources in the cloud is of paramount importance. With the IBM Cloud Security and Compliance Center, you can stay ahead of the curve with an easy-to-use interface designed to meet the security and compliance needs of any organization running resources in any cloud environment or on-premises. To scan and monitor your resources using the IBM Cloud Security and Compliance Center, you need to gather information on all your resources running in your cloud or on-premises environment using a collector.

What is a collector?

A collector is a software module that is packaged as a Docker image installed on a virtual machine. It builds a connection between your IT resources and the IBM Cloud Security and Compliance Center to enable the service to assess your resource configurations for vulnerabilities and manage your compliance with the organization and regulatory guidelines. 

The IBM Cloud Security and Compliance Center offers two types of collectors — the IBM-managed collector and customer-managed collector. With the IBM-managed collector, IBM oversees the installation and management of the lifecycle of the collector, making it easier to get started scanning and monitoring your IT resources. This option gives you the ability to focus on just the health and security of your resources. When you choose to have IBM manage your collector, it is installed on IBM’s secure infrastructure. However, if you want to install a collector on your own virtual server instance, you would opt for a customer-managed collector. For more information about your responsibilities, see What is a collector?

Why opt for a customer-managed collector?

The customer-managed collector gives you absolute control over where the collector is installed and how it is managed. If you choose to manage your own collectors, you are responsible for the installation and management of the collectors on your own infrastructure.

If your organization has strict policies regarding the ownership of infrastructure or specific security constraints, the customer-managed collector will be the best option for you because it enables you to install and manage the collector in an isolated environment that is governed by your own security protocols.

If the managed collector cannot reach into your environment because it is disconnected from the internet or does not have any inbound connections open, you can choose to install a customer-managed collector in your environment and have it operate within your network.

What kind of infrastructure do I need?

A virtual private cloud (VPC) enables you to define and control a virtual network that’s logically isolated from all other public cloud tenants, creating a private, secure place on the public cloud for you to install a collector and gather information on your IT resources in the cloud. On your VPC, you’ll need a virtual server instance (VSI) where you can ensure high network performance, sufficient memory, and compute power for your collector to run. For more information about the requirements that are needed for a VSI, see Verifying installation requirements.

To install your collector, you will need an SSH key. The key is used by the virtual server to identify a user or device through public-key cryptography. The SSH key is made up of an alphanumeric combination that is unique to the device to which it is assigned; this way, the instance can be accessed with the corresponding SSH key instead of a password.

To allow traffic from the internet to access your virtual server instance, you need to create a floating IP address, bind it to the virtual server, and use that address to install and run your collector on your device.

How does the collector access my resource configurations?

Credentials are used by the collector to gather information about your resource configurations, assess them and initiate any remediation that is required. In IBM Cloud, an API key is used to identify the user and any access policies that a user has been assigned. By adding an API key as a credential in the Security and Compliance Center and creating a connection, the collector can gain access to the resources that are protected by that key.

How do you know which resources to scan?

A scope helps you to narrow the focus of your scans to a specific environment, region or even resource, and it enables you to determine your security and compliance score across a specific area of business. Scopes can help you to determine resource availability, resource configuration and a scope’s adherence to regulatory controls as defined in a profile.

How do I initiate a scan?

You can schedule a scan to run for a specific scope to determine resource availability, resource configuration and a scope’s adherence to regulatory controls as defined in a profile. Depending on what you’re trying to accomplish, you can run different types of scans.

A discovery scan is used to determine which resources are available for a specific scope. You might use this type of scan if you’ve recently created or deleted resources. Fact-collection scans are used to gather the resource configurations of the resources that are determined available by the discovery scan. A validation scan completes the tasks that are part of a discovery and fact-collection scan and then validates the configurations against a specified profile.

Need help getting started?

For a step-by-step tutorial of the process detailed in this blog, check out the Monitoring IBM Cloud resources with a customer-managed collector tutorial.

Feedback

In order to ensure that we are helping you to deliver on your own mission, we’d like to hear from you with any feedback that you might have. To share your questions, comments, raves or concerns with us, use the Feedback button that can be found on any page of cloud.ibm.com.
