If you were talking to someone whose organization is considering BMC Helix Cloud Security, what would you say?
How would you rate it and why? Any other tips or advice?
It's a good tool; I still need to work on it more to make it a priority. It is a good tool to make sure that your containers are safe and sound. On a scale of 1 to 10, I give it a 7. I give it a 7 because of the product's UI interface. I'm not the language guy, so I will have to have the scripts made to get it to play for me. I like products that are stronger from the UI interface side.
Don't be surprised if you see some things that you thought were secure that were not secure. You think you're 100 percent, or you think you're close, but when you get in there and scan... Also, take it piece by piece and understand it. It might be good to scan your resources using just one security policy to start. Don't jump in too deep. If you jump in too deep you get overwhelmed with all the different policies that are scanned and all the vulnerabilities. It's just easier to take it day by day. Learn one section of the tool and then promote yourself as you get better and better versed in the application.

It can be deployed on AWS and Azure, and BMC has its own cloud as well. We've done integrations with dev environments, production environments, and test environments. Customers can have several environments within AWS. If those environments are within one main account — as long as that account from the high level has been integrated with the tool — that account is scanned and monitored by Helix Cloud Security. We can scan and remediate any vulnerabilities within any environment within a cloud account.

We have just under 10 people using it. They are systems engineers, security engineers, an analyst, and management. They're all using it in different ways. There are the admins, the users, and the viewers — people who are just viewing the data. Management is able to see a 50,000-foot view of the vulnerabilities. We can notify them and send email reports of vulnerabilities on a daily basis, which helps them understand from a management perspective.

It's being used on a daily basis in our organization. It's integral to our operations. The tool scans to make sure our environments are secure. And if they're not, it's going to let us know what's not secure so that we can resolve it, or if it's set to auto-remediate, then we'll understand what the vulnerability was and that it has been fixed.
There's no maintenance, per se, as a SaaS product, but it does require making sure the connectors are running and that your scans are working and scanning on whatever basis you set them up to do, whether ad hoc or at an interval. There's also the need to create users. But if something is not working within the tool itself, that's really on the BMC side to handle. BMC owns that piece and would be responsible for any maintenance, upgrades, etc.

Using this solution is an eye-opener. It really is. We thought we had a pretty good handle on security. Colleagues I've talked to at other organizations have that same mentality: "Yeah, we're good. We do this, this and this and this." But when you connect it and take that free trial, it's like, "Wow, I didn't know that S3 bucket was open. I thought we were good there." Having that holistic view is the biggest eye-opener. You understand, from any of your connected cloud accounts, what your vulnerabilities are.

We saw data within 10 minutes of connecting to our AWS account. When I say data, I mean that we saw our resources popping in there and showing if there were vulnerabilities. We were immediately seeing data regarding our cloud infrastructure.

I'd give it a nine out of 10. It provides a multi-cloud experience, it's easy to use, the dashboard is user-friendly, and you really can see what your environment looks like.
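The "open S3 bucket" surprise in the answer above is the classic finding a cloud posture scanner produces. The check below is an added illustration written for this page; it is not BMC's code and makes no claim about how Helix Cloud Security implements its policies. It takes the three inputs that decide whether an S3 bucket is actually reachable by outsiders (bucket policy, bucket ACL, and the account/bucket Public Access Block flags) in the same shape boto3 returns them, and classifies a small constructed inventory. The bucket names, policy documents and VPC endpoint ID are made up for the example. The one subtlety worth knowing is that only two of the four Public Access Block flags change existing exposure: RestrictPublicBuckets neutralises an already-public policy and IgnorePublicAcls neutralises already-public ACL grants; the Block* flags only stop new public settings being written.

```python
"""Classify S3 buckets as publicly exposed from policy, ACL and Public Access Block.
Illustrative check only; sample data below is constructed, not from a real account."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS, AUTH_USERS}


def _is_public_principal(principal):
    """True for the principal forms that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def policy_public_statements(policy_doc):
    """Return Allow statements whose principal is '*'. Statements with a Condition
    are kept but marked conditional: aws:SourceVpce, aws:PrincipalOrgID and similar
    can narrow '*' to something that is not the whole internet, so they need review."""
    if not policy_doc:
        return []
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear un-listed
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
            found.append({"sid": stmt.get("Sid"), "actions": stmt.get("Action"),
                          "conditional": "Condition" in stmt})
    return found


def acl_public_grants(acl):
    """Return (group, permission) pairs granted to AllUsers / AuthenticatedUsers."""
    grants = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            grants.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return grants


def assess_bucket(name, policy_doc=None, acl=None, public_access_block=None):
    """Decide whether a bucket is reachable by anonymous or any-AWS principals.
    RestrictPublicBuckets cancels a public policy; IgnorePublicAcls cancels public
    ACL grants. The Block* flags do not affect settings that already exist."""
    pab = public_access_block or {}
    findings = []
    for stmt in policy_public_statements(policy_doc):
        if pab.get("RestrictPublicBuckets"):
            continue  # public on paper, but S3 refuses the public request
        findings.append({"source": "policy", "detail": stmt,
                         "severity": "review" if stmt["conditional"] else "high"})
    for group, permission in acl_public_grants(acl):
        if pab.get("IgnorePublicAcls"):
            continue
        findings.append({"source": "acl", "detail": f"{group}:{permission}",
                         "severity": "high"})
    return {"bucket": name,
            "public": any(f["severity"] == "high" for f in findings),
            "findings": findings}


# Constructed sample inventory (hypothetical bucket names, policies and VPCE ID).
READ_ANYONE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}]}
VPCE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FromVpce", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
ALL_USERS_READ_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

SAMPLE_INVENTORY = [
    ("website-assets", dict(policy_doc=READ_ANYONE)),                          # open
    ("finance-exports", dict(policy_doc=READ_ANYONE, public_access_block=ALL_ON)),  # saved by PAB
    ("legacy-logs", dict(acl=ALL_USERS_READ_ACL)),                             # open via ACL
    ("vpc-only-data", dict(policy_doc=VPCE_ONLY)),                             # needs review
]


def scan(inventory=SAMPLE_INVENTORY):
    """Assess every bucket in the inventory and return the results."""
    return [assess_bucket(name, **cfg) for name, cfg in inventory]


if __name__ == "__main__":
    for result in scan():
        print(result["bucket"], "PUBLIC" if result["public"] else "ok", result["findings"])
```

Feeding real data in is a matter of replacing SAMPLE_INVENTORY with the output of get_bucket_policy, get_bucket_acl and get_public_access_block for each bucket; the account-level Public Access Block (s3control) should be merged in as well, since it overrides the per-bucket one.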
Start early with this type of capability. Make it part of your cloud governance baseline if you want to leverage a product like BMC Helix Cloud Security from the get-go. Make it part of your governance methodology, not after the fact. That's the biggest takeaway I could suggest. Don't migrate to the cloud first and then later try to implement a governance method like the one BMC Helix Cloud Security provides, because by then it's a little too late. Otherwise, you will be detecting things that you could have addressed beforehand. Furthermore, my recommendation would be to include BMC Helix cloud costs in that governance for right-sizing cloud resources before you deploy them into the cloud. We're just getting started with BMC Helix Capacity Optimization, which is part of their optimized feature set. We're just starting to use that in its initial stage.

Developers are interested in only a few things:

* Do they have the agility to deploy the capabilities they are developing?
* Does it match the performance, intended state, and operational capability that they designed it for?
* When something goes bump in the night, why is it not working? That's when operations comes back to them saying, "Something is wrong with their application."

There is a need to understand that old issue from traditional data centers: Who is at fault and what has changed? Discovery allows you to do that exact thing. Also, from a security perspective, is your deployment secure based on regulatory standards? Take PCI or CIS compliance standards and leverage those as a baseline. That's a great start in understanding if you're designing your product correctly. I would suggest that you don't position cloud security as a deterrent to agility in your cloud journey. Use it as a validation capability to validate your best practices and policies.
That is very important instead of positioning it as a deterrent to agility because that will really hinder your ability to get acceptance and adoption from your team. Overall, I would give it a nine (out of 10). The only reason I am not giving it a 10 is because it's still a fairly new offering in the market. It's mature but new in the market. The industry itself is shifting very quickly around how to measure security in the cloud. BMC is also still adapting to what that model is, and that is not their fault. It's just the industry shifting to "What is a secure cloud?" and "How do you help customers understand and take ownership of the shared responsibility?" Because the cloud has a shared responsibility model. The vendor is responsible and you're responsible. I would rate it a nine (out of 10) because the industry's not quite there yet to make this product perfect. It is still adapting to what is the right way to report cloud security.