What is our primary use case?
Primarily, it is to understand the cloud baseline against regulatory controls. The primary use case is to identify unknown or unmitigated risks when it comes to security controls in a cloud workload or environment. Within that use case, it takes things like CIS Compliance Controls and determines if your workloads are compliant with those best practices. Therefore, the primary use cases are detection and identification. The secondary use case, which goes sort of hand in hand, is to enable operational controls in the form of remediation and actions.
It can not only identify if a cloud resource is noncompliant, but also provide operations an easy and distinct way to take action to remediate, address, and close the security gaps.
The fringe use case is to integrate it with your IT operations management and IT service management. This is not only to be notified about deviations from the acceptable baseline, but also to tie into service management for change detection and change tracking.
It is a SaaS subscription model where you can leverage it to analyze and have insight into your cloud services. We use it in a sort of a bimodal way. We use it for both our Microsoft Azure and AWS workloads that we have both internally and customer-facing. We also use it as part of our managed service for our customers and their customer accounts. Thirdly, we use it as part of advising for clients who are interested in their capabilities.
Every account that we have, either Azure or AWS, is owned by us or managed as a managed service and overseen by BMC Helix Cloud Security. We don't deploy cloud accounts without having it managed by Cloud Security.
How has it helped my organization?
One of the pieces that is very difficult to track is elasticity and dynamics, especially when you are doing DevSecOps with multiple build pipelines in the cloud environment, or against the cloud environment, since you have a development, test/QA, and production environment. What BMC Helix has allowed us to do, especially with cloud security and cloud costs, is to unify the visibility into a single source of truth. It has also helped with the skills gap: being entrenched in the native cloud providers' portals, having to understand how to navigate them, how to deal with those resources, and having to understand the idiosyncrasies between each of them, because they have similar capabilities but with different terminologies, architecture, methodologies, and best practices.
What BMC Helix allows you to do is very easily bring that information back to be analyzed and make informed decisions on it. That simplification of IT governance is one that gives a huge value out of BMC Helix. Now, we're talking specifically about our cloud security. This is a very challenging aspect because you're always bumping between agility, control, and rigidity. So, cloud security allows you to understand, measure, and take proactive actions for critical vulnerabilities without getting in the way of the day-to-day cloud operations.
One of the big things is being able to measure the effectiveness of your corporate policy against the reality of day-to-day changes. Take a very simple thing that we see all the time when we deal with customers. They have policy on paper, which is defined. They may be very well-matured from a cloud expertise perspective, but they're dealing with hundreds, if not thousands, of accounts, sometimes within just one cloud provider. When we connect BMC Helix to their environment, it's always surprising to them how there's always an S3 bucket that has the wrong information. There might be an IAM role or credential that hasn't been enrolled within a certain period of time, which is hard to detect. It's the scenario of the needle in the haystack, especially at scale.
Even for organizations that are very rigid and mature in their deployment methodologies, there are so many resources and configurations within each cloud environment that it is impossible for humans to track. That is where automation comes into play. BMC Helix helps to bring that into AI with very intelligent mechanisms, predictably telling you what's wrong or how to be better.
With the Discovery portion of Helix, it is so incredible to be able to highlight the relationships between services that are very hard to detect. Anybody who has worked with AWS, Microsoft Azure, or GCP knows how intricate the relationships between services can be. A VPC has many relationships to subnets or route tables. You may have relationships to VPN gateways or IGWs with so many intricate dependencies that it is hard for one to document and understand those dependencies. Also, from a risk perspective, I find a lot of financial institutions who use the BMC Discovery capability out of Helix for security baselining to determine when a baseline has changed outside of a change control mechanism and to detect an insider threat as well as a deviation from policy.
In theory and practice, compliance and security vulnerability management are typically human-labor-intensive activities. They are also repetitive activities. So, the solution has increased productivity by reducing repetitive or tedious tasks related to security. Measuring those metrics is very customer dependent, based on the maturity of how they audit, measure compliance, and handle their vulnerability controls. I have seen environments where vulnerability and compliance security audits are done orderly in massive spreadsheets, and they never get out of that cycle. There is continuous back and forth between InfoSec and operations, because there is detection, then there is remediation.
I have also seen scenarios where certain vulnerabilities or configuration controls violate a certain regulatory control. These may take weeks, if not months, to remediate at scale. With automation, leveraging BMC Helix to remediate or do cloud security, once a security vulnerability is detected and identified as something that should not exist (meaning there are no waivers nor an exception process), the remediation is done in minutes. That is the benefit of this platform.
It doesn't remediate everything. There are a lot of vulnerability controls that are manual controls. There is a large split (80:20) between what can be remediated through automation versus manual controls, such as physical security. Those now can be addressed by automation using BMC Helix Cloud Security and BMC Helix Remediate, which is another module capability within the Helix platform. These allow you to use automation to remediate within minutes.
For example, a customer of ours that is highly regulated in the healthcare space has quarterly audits. If they find vulnerabilities or controls that are not mitigated, which are open findings, the fines start at a million dollars, then go up with the number of control and vulnerability findings. They leverage Helix remediation for the reporting and remediation as well as the detection of regulatory controls. Before, there was a never-ending process of identification and remediation. Now, the identification has been shrunk down to below a couple of weeks for their multiple control environments. The remediation is now a fraction of what it was before. Remediation was a month-long effort with multiple bodies. Whereas now, they're able to do it within a couple of weeks with a limited amount of staff. So, that's the power of it.
Vulnerability management is one of the other big areas. Another customer of ours was doing patching parties, where they were trying to deal with vulnerabilities, doing patching for 100 to 200 systems at a time. Moving to the automated mechanism that BMC provides, they were able to do thousands of systems for every patching exercise that they were doing, thus shrinking how long vulnerabilities have been left open inside their environment.
What is most valuable?
The best feature is time to value. With very minimal effort, you are able to have a cohesive view into your security posture on one or multiple cloud accounts, particularly if you are dealing with multicloud. If you have Azure and AWS deployments, you might have multiple subscriptions in Azure and usually multiple accounts in AWS. You may even be doing some GCP work (around Google Cloud Platform). It's very difficult to manage a common set of policies, let alone reporting, across multiple subscriptions, accounts, and cloud environments. What BMC Helix Cloud Security does is provide a unified view or single pane of glass as to your baseline. Then, it also facilitates the ability for Level 1 or 2 operations support to take action and report on security vulnerabilities.
The great thing about Helix Cloud Security is that you can operate it in multiple modes. You can run it in a passive mode, e.g., I just want to baseline and understand what is happening. This might be Shadow IT or well-versed IT in how you're deploying your cloud services. It provides you with metrics and artifacts to prove that your baseline reflects your policy.
Developers can still continue to do what developers do, right or wrong. However, you can also progress to be more forward-leaning and define policies in Helix Cloud Security which are more forceful. E.g., there is an unapproved deployment, or somebody makes a change to an S3 bucket that doesn't comply with your policy regulations, and you're able to detect and report it. Then, going further, you are being more proactive by taking action to snap back to compliance. So, it doesn't change your DevOps model. It enriches it for better visibility, giving you a second set of eyes to ensure that you're not introducing human error where it's against corporate policy.
If you identify a vulnerability, e.g., a cloud security vulnerability, you can automatically raise an incident and a change ticket on the service management platform of your choice; this could be BMC or a third party. Then, you can force these remediations to go through your change management process, which allows you to document, review, schedule, and effectively approve them for execution. Now, you're not limiting operations from taking action, but you're introducing governance as part of the automation process.
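The passive-versus-forceful modes described above (baseline and report only, or detect, raise a change ticket and snap back to compliance) can be shown with a small policy evaluator. This is an added example and not BMC Helix code: the inventory snapshot, the CIS-style checks (public access blocked, default encryption, access-key age), the "CHG-" ticket ids and the remediation actions are all constructed here, and key rotation is deliberately treated as a manual control that only gets a ticket.

```python
"""Passive versus enforce evaluation of a constructed cloud baseline.

Added illustration, not BMC Helix code. The inventory, the checks, the
remediations and the CHG- ticket ids are all constructed for the example.
"""
import copy
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

# Constructed inventory snapshot: two S3-like buckets and two IAM access keys.
INVENTORY = {
    "buckets": [
        {"name": "public-logs", "block_public_access": False, "encryption": None},
        {"name": "app-data", "block_public_access": True, "encryption": "AES256"},
    ],
    "iam_keys": [
        {"user": "deploy-bot", "created": date(2023, 1, 5)},
        {"user": "alice", "created": date(2024, 5, 1)},
    ],
}
TODAY = date(2024, 6, 1)   # constructed evaluation date
MAX_KEY_AGE_DAYS = 90      # rotation window used by the key-age control


@dataclass
class Finding:
    control: str
    resource: str
    detail: str
    ticket: Optional[str] = None   # set only in enforce mode
    remediated: bool = False       # True only when an automated fix was applied


# Each check yields (resource, detail) for every non-compliant resource.
def check_public_access(inv) -> Iterable[Tuple[str, str]]:
    for b in inv["buckets"]:
        if not b["block_public_access"]:
            yield b["name"], "public access not blocked"


def check_encryption(inv) -> Iterable[Tuple[str, str]]:
    for b in inv["buckets"]:
        if b["encryption"] is None:
            yield b["name"], "default encryption not set"


def check_key_age(inv) -> Iterable[Tuple[str, str]]:
    for k in inv["iam_keys"]:
        age = (TODAY - k["created"]).days
        if age > MAX_KEY_AGE_DAYS:
            yield k["user"], f"access key is {age} days old"


# Automated "snap back" actions. Key rotation has no fix on purpose: it is a
# manual control here, so its finding only gets a change ticket.
def fix_public_access(inv, resource: str) -> bool:
    for b in inv["buckets"]:
        if b["name"] == resource:
            b["block_public_access"] = True
            return True
    return False


def fix_encryption(inv, resource: str) -> bool:
    for b in inv["buckets"]:
        if b["name"] == resource:
            b["encryption"] = "AES256"
            return True
    return False


# (control name, check, automated fix or None)
POLICY = [
    ("S3 block public access", check_public_access, fix_public_access),
    ("S3 default encryption", check_encryption, fix_encryption),
    ("IAM key rotated within 90 days", check_key_age, None),
]


def evaluate(inv, mode: str = "passive"):
    """Return (findings, inventory). Passive mode only reads the inventory;
    enforce mode gives every finding a change ticket and applies the
    automated fixes to a copy, so the caller's snapshot is never mutated."""
    if mode not in ("passive", "enforce"):
        raise ValueError(mode)
    work = copy.deepcopy(inv)
    findings: List[Finding] = []
    for control, check, fix in POLICY:
        for resource, detail in list(check(work)):
            f = Finding(control, resource, detail)
            if mode == "enforce":
                f.ticket = f"CHG-{len(findings) + 1:04d}"   # constructed ticket id
                if fix is not None:
                    f.remediated = fix(work, resource)
            findings.append(f)
    return findings, work


if __name__ == "__main__":
    for mode in ("passive", "enforce"):
        found, _ = evaluate(INVENTORY, mode)
        print(f"{mode}: {len(found)} findings")
        for f in found:
            print(f"  {f.control}: {f.resource} ({f.detail}) "
                  f"ticket={f.ticket} remediated={f.remediated}")
```

Running the enforce pass and then re-evaluating the returned inventory in passive mode leaves only the key-age finding open, which is the "human in the loop" case: the ticket exists, but the change still needs a person to rotate the credential.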
What needs improvement?
The biggest challenge now, which is a good problem to have, with BMC Helix is content. There are some foundational regulatory bodies and controls that are well known in the industry. There is the Defense Information Systems Agency (DISA) content, which is very popular out there in regulated and government environments. You have PCI controls. You also have CIS, which provides a great community and paid service for controls on operating systems and applications. There is a big need that we're feeling in the industry, from VVL Systems, to help customers take their organizational policy and marry it with a lot of the regulatory controls in the industry to come up with their own set of policies that are important for them.
No organization out there relies on just one control body. They use FISMA controls. They may use HIPAA, CIS, PCI, or SOX, then blend them. One of the things that is now in big demand for BMC Helix Cloud Security is content. That's the next journey in its lifespan, making it easier for the community to share and collaborate on content for security controls that can be measured and remediated.
BMC Helix Cloud Security has a variety of connectors, not only connecting to public cloud providers, but also connecting to other types of resources, such as Docker and Kubernetes, for applying security assessment at scale to other technologies. I would like to see BMC release additional connectors for industry technologies that keep popping up as technology evolves at a rapid pace. That's the part that I would like to see them keep with their momentum going forward.
For how long have I used the solution?
Before it was part of the Helix platform, BMC Helix Cloud Security was its own instance. Then, BMC rolled it into the BMC Helix platform. So, it's been about a year and a half to two years that I've been involved in it, from the initial releases into what it is now.
What do I think about the stability of the solution?
The stability has been really good. In the earlier days, as they were growing their platform and moving it to be 100 percent cloud-native and microservices-based, they ran into some challenges around stability for the data collection.
Now, it's a pretty well-oiled machine. It's well-mature in the sense that we have never had any data loss. Their user experience portal has performed at 100 percent. I don't have any examples to point to for issues of availability or stability.
What do I think about the scalability of the solution?
It improves our organization by facilitating scaling at the size that we are. We are a small business and efficient in what we do. However, a business model that throws bodies at solving automatable challenges is not cost-effective. If our organization has the ability to deliver leading-edge services at scale for large Fortune 500 companies without having to scale monumentally or exponentially, it decreases the number of resources needed on my side. Now, I can have senior engineers or junior engineers drive some very complex use cases for customers without having to scale at a monumental cost.
Theoretically, there are no limits to its scalability. It's all based on cloud resources. So, BMC Helix runs on the cloud, either the BMC cloud, AWS, or Azure. Effectively, because of the architecture, which is microservice-based, scale is something that we have not run across as a limitation. We've had BMC Helix interacting with thousands of assets and hundreds of accounts in the cloud. We haven't run into a scale issue yet, as the architecture is built for scale based on microservices.
Our small business is between 10 to 15 people. Right now, we have about 80 percent of our staff who are technical, and the other 20 percent are management or customer success engagement. Our staff uses it for reporting and management of the cloud accounts that we continually manage as part of our own infrastructure, or as part of a managed service for a client or consulting engagement. Then, they may use it when involved with a client, but not everybody is using it day-to-day. It's not for daily operation. Based on our business model, it's for managing the effectiveness of our own services that we run and maintain as well as delivering services for clients.
How are customer service and technical support?
The technical support has been really good. The BMC Helix platform overall has tightened up its responsiveness. The support organization has been pretty phenomenal. The integration of their support into their account team for escalation has led to prioritization being phenomenal.
A lot of times, we've interacted directly with product engineering to give them some insight or feedback for features or UX design ideas. Their UX design engineers have actually been very forward-leaning in soliciting feedback. From our experience, this has been really good.
Which solution did I use previously and why did I switch?
Prior to using Helix, we were using all of the cloud-native solutions available at the time from AWS and Microsoft Azure. Even then, they were fairly immature, as it was a new space before they started releasing some capabilities. This was before their cloud security model to manage cloud-native resources, like serverless computing and others. It was the traditional methodology of managing virtual machines like you would do on-premises.
We used some of the BMC automation solutions dating back to BMC BladeLogic to manage those workloads. But those solutions were not meant for cloud native resources, dealing with things like serverless computing, Lambda Functions, and so forth in a cloud construct. Before, there was really nothing that we were using except for good old best practices and human intervention.
We were using the solution before it was BMC Helix, as TrueSight Cloud Security. It was always cloud native. However, BMC unified their branding and messaging, releasing new products on the BMC Helix platform. They brought cloud security into it. About a year and a half ago, it was made available, and we've been using it from the early days. We have been providing feedback from the beta phase to where it is today.
Scale helped us come to the realization that we needed something like Helix Cloud Security. With manual labor and referenceable cloud architecture best practices, you can deploy it once and it's hard to track over time, especially when there is a DevOps methodology involved. So, it was scale and agility of the cloud. The rate that new services are released by cloud vendors made it almost impossible to do anything else.
How was the initial setup?
The initial setup has always been fairly standard. What's changed over the year and a half is the support for additional cloud environments. They started with AWS and Azure, then added GCP. They started adding additional connectors and cloud environments. So, they added features and capabilities. They added additional content and more policies that can be evaluated.
The setup has always been easy because it's always been cloud native. There are very minimal requirements for on-premises. However, it got easier as they do more in the cloud.
The first deployment probably took a couple of minutes. It's always been a couple of minutes. It's a matter of prerequisites.
At this point, we have a standard implementation strategy.
A lot of times the challenge comes in granting the right permissions for BMC Helix to get data out of your cloud environment. There are always some fundamental things that it requires. Usually, it is read-only. If you want to be able to remediate security risks, then it needs a read-write type of permission.
Initially, maybe some of the documentation wasn't as clear as I would have liked it to be. It might have taken a bit of time to set up on the cloud environment to give BMC Helix access. Now, BMC has done a great job in maturing the documentation and making it easier to configure multiple accounts under the same connector. I believe we did an evaluation for a recent client, and it took about five minutes to set up the connector to their AWS environment that had hundreds of resources.
What about the implementation team?
We worked directly with BMC and their product team, especially as they valued a lot of feedback and insight into what was working or not. So, we worked directly with them and didn't use a third-party.
The setup is pretty straightforward. There is no operational care that you have to do because this is a SaaS offering. All of the maintenance, upgrades, and break/fix is done by BMC.
From our side, we just use the service. Now, depending on the size of the environment and cloud-specific expertise, you might need more than just one person for the deployment. On our side, we have one expert who manages all of our customers and accounts with BMC Helix. They do all the administration of BMC Helix Cloud Security.
What was our ROI?
For our own environment, it has reduced a lot of the unknown unpredictable costs around cloud security and vulnerability.
Because we started with cloud security very early on, I don't have a traditional model to compare to. What I do have is that the number of resources and effort that it takes to detect and comply is a fairly high ratio to cloud assets.
What's my experience with pricing, setup cost, and licensing?
It is a subscription model with term licensing that is usually yearly. This includes not only the product but also support and maintenance. It is based on cloud assets. Therefore, if you have 100 cloud assets, those cloud assets are measured based on evaluations or transactions.
For example, if I'm evaluating that cloud asset for CIS compliance, PCI compliance, and AWS best practices, that asset gets evaluated three times, as those are three transactions. However, the license model is based on peak asset usage. So, over a year, if you deploy 100, 1000, 500, and then 2000 assets, you will be charged for the 2000 peak of assets managed by Helix Cloud Security.
I have operational costs for my staff, but it's not part of the BMC licensing.
Which other solutions did I evaluate?
I don't know if there are other solutions similar to what BMC Helix Cloud Security does today. We are not evaluating others because we haven't found a gap for not using BMC Helix.
We do some consulting engagements for clients who are evaluating other third parties that come from the vulnerability management space, but they are not cloud security or cloud construct security native. We sometimes do feature-by-feature bake-offs, but they are not really equivalent.
The remediation of vulnerabilities can be a tedious process because you have identification. There are a lot of companies that use standard tools to identify vulnerabilities, e.g., Nessus, Qualys, and Rapid7, which are great at identifying but not great at helping operations fix vulnerabilities. This is because it takes a three-legged stool:
- You have to know what asset is actually impacted by the vulnerability. Sometimes, you only have an IP address and don't even have the name of the asset. So, you have to track down where it resides. Especially in a large enterprise that has multiple sites or data centers that might be in the cloud, where does it reside?
- You have to identify how to remediate the vulnerability. Some vulnerabilities may require a patch from a vendor, a combination of patches from vendors (e.g., Microsoft or Red Hat plus an application patch), or a configuration change. You might have to toggle a registry key in addition to applying a patch. Can I actually apply that remediation to the system? Do I have a mechanism to apply it at scale? This is where BMC Helix helps. It is able to integrate with a detection system, such as a vulnerability scanner, then understand and get the vulnerability identifiers (the metadata) from those scanners. It is able to associate them with known patches from multiple vendors. They might be Microsoft, Red Hat, IBM, or HPE. BMC can identify and relate the vulnerability to specific actions that vendors have identified for the patches.
- The ability to apply at scale to thousands of endpoints, so that the remediation actually affects the vulnerability. In the old days, InfoSec would detect the vulnerability and send a spreadsheet to operations. Now, there is no manual process in between. It's all automated to the extent that they feel comfortable, either fully automated or having a human in the loop for approvals and change management.
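The three legs above (resolve the scanner's bare IP to an asset, map the vulnerability id to a vendor remediation, apply in batches with change-management approval) can be walked through in code. This is an added example and not BMC Helix or any scanner's code; the VULN-* identifiers, IPs, hostnames, patch catalog entries and the BATCH- ids are all constructed, and the endpoint automation is a stand-in function that always succeeds.

```python
"""Correlate scanner findings with an asset inventory and a vendor patch
catalog, then batch the fixes for approved, at-scale application.

Added illustration, not BMC Helix code. Every identifier, host, IP and
catalog entry below is constructed for the example.
"""
from collections import defaultdict
from typing import Callable, Dict, List

# Leg 1 input: a scanner export that knows only an IP and a vulnerability id.
SCAN_FINDINGS = [
    {"ip": "10.0.1.10", "vuln_id": "VULN-1001"},
    {"ip": "10.0.1.11", "vuln_id": "VULN-1001"},
    {"ip": "10.0.2.20", "vuln_id": "VULN-2002"},
    {"ip": "10.0.2.20", "vuln_id": "VULN-3003"},   # no catalog entry -> human
    {"ip": "10.0.9.99", "vuln_id": "VULN-1001"},   # IP not in inventory -> human
]

# Leg 1 lookup: asset inventory (a CMDB or discovery export) keyed by IP.
ASSETS = {
    "10.0.1.10": {"host": "web-01", "os": "rhel8", "site": "aws-us-east-1"},
    "10.0.1.11": {"host": "web-02", "os": "rhel8", "site": "aws-us-east-1"},
    "10.0.2.20": {"host": "app-01", "os": "windows2019", "site": "azure-eastus"},
}

# Leg 2 lookup: vendor remediation per (vuln id, OS). One entry can combine a
# package update, a vendor patch and a configuration change (placeholder names).
PATCH_CATALOG = {
    ("VULN-1001", "rhel8"): ["update package example-lib to 1.2.3"],
    ("VULN-2002", "windows2019"): [
        "install vendor patch EXAMPLE-PATCH",
        "set registry value HKLM\\Software\\Example\\Hardened = 1",
    ],
}


def build_plan(findings, assets, catalog):
    """Return (batches, unresolved). A batch groups every host that needs
    the same remediation so it can be applied at scale; unresolved lists
    the findings that still need a person (unknown asset or no known fix)."""
    hosts_per_fix: Dict[tuple, List[str]] = defaultdict(list)
    unresolved = []
    for f in findings:
        asset = assets.get(f["ip"])
        if asset is None:
            unresolved.append({**f, "reason": "asset not in inventory"})
            continue
        steps = catalog.get((f["vuln_id"], asset["os"]))
        if steps is None:
            unresolved.append({**f, "host": asset["host"], "reason": "no known remediation"})
            continue
        hosts_per_fix[(f["vuln_id"], asset["os"], tuple(steps))].append(asset["host"])
    batches = [
        {"id": f"BATCH-{i:03d}", "vuln_id": vuln, "os": os_name,
         "steps": list(steps), "hosts": sorted(set(hosts))}
        for i, ((vuln, os_name, steps), hosts)
        in enumerate(sorted(hosts_per_fix.items()), 1)
    ]
    return batches, unresolved


def apply_plan(batches, approved_ids, apply_fn: Callable[[str, List[str]], bool]):
    """Leg 3 with a human in the loop: only batches whose id was approved
    through change management are executed. Returns a per-host status."""
    results = {}
    for b in batches:
        if b["id"] not in approved_ids:
            for h in b["hosts"]:
                results[h] = "awaiting approval"
            continue
        for h in b["hosts"]:
            results[h] = "remediated" if apply_fn(h, b["steps"]) else "failed"
    return results


def simulated_apply(host: str, steps: List[str]) -> bool:
    # Stand-in for the real endpoint automation; always succeeds here.
    return True


if __name__ == "__main__":
    batches, unresolved = build_plan(SCAN_FINDINGS, ASSETS, PATCH_CATALOG)
    for b in batches:
        print(b["id"], b["vuln_id"], b["os"], b["hosts"], b["steps"])
    print("needs a human:", unresolved)
    print(apply_plan(batches, {"BATCH-001"}, simulated_apply))
```

The unresolved list is the part that matters operationally: a finding with an IP that is not in the inventory, or a vulnerability with no catalogued fix, never silently disappears from the plan, it is handed back as an explicit item for someone to own.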
What other advice do I have?
Start early with this type of capability. Make it part of your cloud governance baseline if you want to leverage a product like BMC Helix Cloud Security from the get go. Make it part of your governance methodology, not after the fact. That's the biggest takeaway I could suggest.
Don't migrate to the cloud first, then later try to implement a governance method like BMC Helix Cloud Security provides, because it's a little too late. Otherwise, you will be detecting things that you could have addressed beforehand. Furthermore, my recommendation would be to include BMC Helix cloud costs in that governance for right-sizing cloud resources before you deploy them into the cloud.
We're just getting started with BMC Helix Capacity Optimization, which is part of their optimized feature set. We're just starting to use that in its initial stage.
Developers are interested in only a few things:
- Do they have the agility to deploy their capabilities of developing?
- Does it match the performance and intended state and operational capability that they designed it for?
- When something goes wrong and goes bump in the night, why is it not working?
When operations comes back to them saying, "Something is wrong with your application," there is a need to understand that old issue from traditional data centers: Who is at fault and what has changed? Discovery allows you to do that exact thing. Also, from a security perspective, is your deployment secure based on regulatory standards? Take PCI or CIS compliance standards, leveraging those as a baseline. That's a great start in understanding if you're designing your product correctly.
I would suggest that you don't position cloud security as a deterrent to agility in your cloud journey. Use it as a validation capability to validate your best practices and policies. That is very important instead of positioning it as a deterrent to agility because that will really hinder your ability to get acceptance and adoption from your team.
Overall, I would give it a nine (out of 10). The only reason I am not giving it a 10 is because it's still a fairly new offering in the market. It's mature but new in the market. The industry itself is shifting very quickly around how to measure security in the cloud. BMC is also still adapting to what that model is, and that is not their fault. It's just the industry shifting to "What is a secure cloud?" and "How do you help customers understand and take ownership of the shared responsibility?" Because the cloud has a shared responsibility model. The vendor is responsible and you're responsible.
I would rate it a nine (out of 10) because the industry's not quite there yet to make this product perfect. It is still adapting to what is the right way to report cloud security.