The IBM Cloud Pak® for Multicloud Management enables organizations to securely manage applications, no matter how they are designed or where they are deployed.
The IBM Cloud Pak for Multicloud Management is a set of open, pluggable tools built around a core application and governance model. This core architecture helps organizations model applications and application dependencies, manage the lifecycles of both applications and infrastructure, consistently govern and secure applications and their deployment models, and deliver observability for the application’s full stack.
Previously, the governance, risk, and compliance (GRC) dashboard for the Cloud Pak for Multicloud Management provided oversight functionality for a variety of Kubernetes clusters (such as OCP, EKS GKE, and so on). Version 2.0.0 further empowers compliance officers, security analysts, and cloud admins alike, as the Cloud Pak extends this oversight capability across the environment, retaining all of our cluster capabilities and pairing them with the ability to provide compliance oversight to your entire stack, including infrastructure, virtual machines (VMs), and containers.
Not only can policies be defined to assess clusters against common regulatory standards (like NIST 800-53, PCI DSS, and HIPAA), but now VM resources can be as well — and all represented together in real time, in one place, and as though they are all cloud native in nature.
Two new policy controllers have been introduced in the Governance and risk dashboard — the VM policy controller and the VM resource policy controller.
The VM policy controller
You can use the VM policy controller to ensure that matching tagged VMs are compliant with a list of CIS controls that you can customize and define. Once deployed, your VM policy controller interacts with our IBM Management Ansible operator and a set of Ansible playbooks to verify VM compliance against industry benchmarks.
As long as you've tagged your resources correctly in both your policy and through IBM Cloud Pak for Multicloud Management - Infrastructure management, you'll be granted visibility into the CIS compliance status of all of your VM resources. In version 2.0.0, the CIS benchmark support is limited to Red Hat Enterprise Linux (RHEL) 7.
The VM resource policy controller
Additionally, the VM resource policy controller can be used to receive noncompliance notifications against your own standards for VM usage. Instead of checking against security standards, the VM resource policy controller checks for compliance against traditionally VM-oriented checkpoints, like the amount of resources granted to a VM, its utilization, software versioning, and so on.
Similar to the VM policy controller, the VM resource policy controller interacts with the IBM Cloud Pak for Multicloud Management – Infrastructure Management server that is associated with the IBM Cloud Pak for Multicloud Management deployment to check compliance on the VMs that are identified by the policy.
The Hybrid GRC dashboard also provides at a glance the overall risk for the VM servers. The baseline risk specified in the policy and other factors such as the resource group to which the VM belongs is taken into account while calculating the overall risk.
Creating VM-based policies
To create either policy type from the Cloud Pak's dashboard, all you have to do is log in to the console, navigate to the Governance and risk dashboard, and click New policy. From there, follow these steps:
- Enter the name for the VM policy (which has a 63 character limit).
- Select the correct VMPolicy or VMResourcePolicy for your given scenario.
- Select the correct tags from the Resource binding field. These are the tags that must match your Information management tags in order for this all to work.
- Fill in appropriate values for the remaining fields.
- Click Create.
Once your policy is deployed, all your results and policy management can be performed right there in the same Governance and risk dashboard!
For more detailed information about implementation, including setting up Ansible Tower to manage policies, and Enabling Hashicorp Vault for CIS benchmark checking in RHEL 7, check out the IBM Knowledge Center at Governance and Compliance.