Scan and monitor your resources that run on IBM Cloud for compliance by using your own collector that runs on a virtual machine on your virtual private cloud.

In this day and age, maintaining a strong security and compliance posture of your resources in the cloud is of paramount importance. With the IBM Cloud Security and Compliance Center, you can stay ahead of the curve with an easy-to-use interface designed to meet the security and compliance needs of any organization running resources in any cloud environment or on-premises. To scan and monitor your resources using the IBM Cloud Security and Compliance Center, you need to gather information on all your resources running in your cloud or on-premises environment using a collector.

What is a collector?

A collector is a software module that is packaged as a Docker image and installed on a virtual machine. It builds a connection between your IT resources and the IBM Cloud Security and Compliance Center so that the service can assess your resource configurations for vulnerabilities and manage your compliance with organizational and regulatory guidelines.

The IBM Cloud Security and Compliance Center offers two types of collectors — the IBM-managed collector and customer-managed collector. With the IBM-managed collector, IBM oversees the installation and management of the lifecycle of the collector, making it easier to get started scanning and monitoring your IT resources. This option gives you the ability to focus on just the health and security of your resources. When you choose to have IBM manage your collector, it is installed on IBM’s secure infrastructure. However, if you want to install a collector on your own virtual server instance, you would opt for a customer-managed collector. For more information about your responsibilities, see What is a collector?


Why opt for a customer-managed collector?

The customer-managed collector gives you absolute control over where the collector is installed and how it is managed. If you choose to manage your own collectors, you are responsible for the installation and management of the collectors on your own infrastructure.

If your organization has strict policies regarding the ownership of infrastructure or specific security constraints, the customer-managed collector will be the best option for you because it enables you to install and manage the collector in an isolated environment that is governed by your own security protocols.

If the managed collector cannot reach into your environment because it is disconnected from the internet or does not have any inbound connections open, you can choose to install a customer-managed collector in your environment and have it operate within your network.

What kind of infrastructure do I need?

A virtual private cloud (VPC) enables you to define and control a virtual network that's logically isolated from all other public cloud tenants, creating a private, secure place on the public cloud where you can install a collector and gather information on your IT resources in the cloud. In your VPC, you'll need a virtual server instance (VSI) that provides the network performance, memory, and compute power that your collector needs to run. For more information about the requirements for the VSI, see Verifying installation requirements.

To install your collector, you will need an SSH key. The key is used by the virtual server to authenticate a user or device through public-key cryptography. The SSH key is a unique alphanumeric string that is assigned to your device; this way, the instance can be accessed with the corresponding key instead of a password.

To allow traffic from the internet to reach your virtual server instance, you need to create a floating IP address, bind it to the virtual server, and use that address to connect to the instance and install and run your collector.

How does the collector access my resource configurations?

Credentials are used by the collector to gather information about your resource configurations, assess them, and initiate any remediation that is required. In IBM Cloud, an API key is used to identify the user and the access policies that the user has been assigned. By adding an API key as a credential in the Security and Compliance Center and creating a connection, the collector gains access to the resources that are protected by that key.


How do you know which resources to scan?

A scope helps you to narrow the focus of your scans to a specific environment, region or even resource, and it enables you to determine your security and compliance score across a specific area of business. Scopes can help you to determine resource availability, resource configuration and a scope’s adherence to regulatory controls as defined in a profile.

How do I initiate a scan?

You can schedule a scan to run for a specific scope to determine resource availability, resource configuration, and the scope's adherence to regulatory controls as defined in a profile. Depending on what you're trying to accomplish, you can run different types of scans.

A discovery scan is used to determine which resources are available for a specific scope. You might use this type of scan if you've recently created or deleted resources. A fact-collection scan gathers the configurations of the resources that the discovery scan found to be available. A validation scan completes the tasks that are part of a discovery and fact-collection scan and then validates the configurations against a specified profile.


Need help getting started?

For a step-by-step tutorial of the process detailed in this blog, check out the Monitoring IBM Cloud resources with a customer-managed collector tutorial.

Feedback

In order to ensure that we are helping you to deliver on your own mission, we’d like to hear from you with any feedback that you might have. To share your questions, comments, raves or concerns with us, use the Feedback button that can be found on any page of cloud.ibm.com.
