
BMC Helix Cloud Security Overview

What is BMC Helix Cloud Security?

BMC Helix Cloud Security (formerly TrueSight Cloud Security) automates cloud resource configuration security checks and remediation across AWS, Azure, and Google Cloud.  With Helix Cloud Security, configurations of cloud resources and containers are managed consistently, securely, and with an audit trail.  Because it is SaaS, there is nothing to install.  You can literally begin automating your cloud security posture management in minutes.

•   Automated cloud configuration security posture management (CSPM) using Center for Internet Security (CIS) policies for cloud assets on AWS, Azure, and GCP

•   Automated remediation - no coding or scripting required

•   Ready-to-use policy packs for CIS, PCI, and GDPR, and support for custom security and compliance policies

•   Full-stack container configuration security, including Kubernetes pods, host, Docker daemon, image, and Docker container

•   Integration with incident & change management

•   Alerts, reports, exception management, RBAC, and multi-tenancy




BMC Helix Cloud Security was previously known as TrueSight Cloud Security, SecOps Policy Service.

Buyer's Guide

Download the Cloud Workload Security Buyer's Guide including reviews and more. Updated: April 2022

BMC Helix Cloud Security Customers
NHS, Vodafone, Kansas City Life, SKY Italia, Cybera

Archived BMC Helix Cloud Security Reviews (more than two years old)

Governance Test and Compliance Officer at Thales
MSP
Top 20
Strong container security and vulnerability management tool but could benefit from an improved UI
Pros and Cons
  • "The features that I've found most valuable are its container security aspect. I also like its vulnerability management tools."
  • "The UI could be more user-friendly."

What is our primary use case?

With BMC Helix Cloud Security I'm looking for the application level security and application firewall level security. I'm also looking for its service, security and incident management tools. I'm thinking from the perspective of how many technology features can be fruitfully completed by a single tool.

What is most valuable?

The features that I've found most valuable are its container security aspect. I also like its vulnerability management tools.

What needs improvement?

I think its TOA interfaces are still not that comfortable. The UI could be more user-friendly, easier to use. Now, the technical guys don't have that much time. When I'm using it on the cloud it takes a lot of time to use it manually on all the tools and to keep track of everything that's going on in the infrastructure. So if the UI interface was much better configured, it would be easier for us to take care of our devices.

Also, all the vulnerabilities should be listed out in one code telling me that out of the 100 worker nodes that I have with my organization right now, 50 are impacted with this particular vulnerability. This is one implementation that they need to do.

Additionally, it could be made more visible which integrating and ticketing tools are available. It could be better integrated.

For how long have I used the solution?

I just started the POC three months ago.

What do I think about the stability of the solution?

It is a stable product. We did not find any bugs as of yet.

What do I think about the scalability of the solution?

In terms of scalability, it is easy to scale and expand this product.

We have around 35 worker nodes using it, which include mostly IT admins, team managers, and security admins mostly.

How are customer service and technical support?

I have never been in touch with their technical support.

How was the initial setup?

The initial setup was straightforward. It is a plug and play kind of a tool. You need to have prerequisites completed in your organization or network and then everything will be plug and play.

What about the implementation team?

We had integrators on call with us. But the technical team could be able to do it by themselves.

Which other solutions did I evaluate?

Yes, we did evaluate other options, and we're still in the process of doing it more. Because everything that I'm reporting to right now is based on our POC that was done with this product.

What other advice do I have?

It’s a good tool, I still need to work on it more to make it a priority. 

It is a good tool to make sure that your containers are safe and sound.

On a scale of 1 to 10, I give it a 7. I give it a 7 because of the product's UI interface. I'm not the language guy, so I will have to have the scripts made to get it to play for me. I like products that are stronger from the UI interface side.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
JaredDean - PeerSpot reviewer
VP Cloud Operations at VVL systems
Real User
Auto-remediate takes care of a vulnerability when it's scanned, allowing us to focus on other things
Pros and Cons
  • "The cool feature of Helix Cloud Security is that you can do all that — understand and remediate issues — in one dashboard, based on the different policies that are available for security, out-of-the-box."
  • "It's also multi-cloud. You can look at several cloud providers: AWS, Azure, or GCP."
  • "We've had some issues with connectors. The connectors have seemed to have caused a little bit of trouble, perhaps with the APIs trying to scan the environment. The only time I've had to reach out to tech support was for that. It seems it may not have been scanning correctly or I wasn't seeing data within a specific time. But we've set up a couple of connectors in the past couple of weeks and they actually scanned the AWS environment and we had data within about 10 minutes. It's working a lot faster and I think they're making improvements as they go."

What is our primary use case?

The biggest use case is for our customers who want to be proactive and not have any kind of vulnerabilities. Instead of being reactive, they want to understand where their vulnerabilities are, whether their cloud space is Azure, AWS, or Google. They want to understand and remediate those vulnerabilities before they get bigger than they really should be. 

For example, we are working with a client that is trying to be proactive. They said they don't want to be on the front page of a newspaper, and they're quite big in AWS. They wanted to check out the tool and they're doing a trial. It's meeting all their needs.

Essentially, all use cases, with regard to security, involve clients wanting to understand and get that 50,000-foot view of what their vulnerabilities are. They also want the ability to remediate inside the tool instead of having to understand what's going on and then have to go to each server and remediate the vulnerabilities.

How has it helped my organization?

We're aware of vulnerabilities far sooner than we were previously. The tool scans on-demand or at intervals and then notifies us of the issues and vulnerabilities that are present. That proactive feature of the tool has helped us be aware of any issues prior to their becoming a problem.

On a weekly basis the tool saves us about five or six hours. The fact that it does the automatic scanning and provides a report of what's been scanned and what's wrong, and the auto-remediating some of the vulnerabilities, are huge time savers for us.

Helix Cloud Security has made governance easier by centralizing it. The fact that it's multi-cloud, and you don't have to log into different cloud providers, is an advantage. We're at two providers right now, Azure and AWS, and it's easy to come to one place, instead of logging into both at the time, and get a holistic, 50,000-foot view. It enables us to cover both cloud providers and manage, understand, and govern all of our assets in the cloud.

In terms of productivity, the continuous scanning at the selected intervals and the reduction of false-positive vulnerabilities are helpful, based on the out-of-the-box policies. As a result, we're able to understand what vulnerabilities are really out there. And once something is remediated, it's remediated, unless a user makes a change to revert that vulnerability. That saves time because there isn't any repetitive work. That vulnerability is not going to come back the next day.

The automated remediation has decreased our mean time to repair by about 20 percent.
And the solution has also helped to eliminate or reduce the cost and complexity of writing, debugging, and maintaining remediation scripts. The remediation within the tool is there. You do have to configure it, but it gives you the means to get started.

What is most valuable?

The cool feature of Helix Cloud Security is that you can do all that — understand and remediate issues — in one dashboard, based on the different policies that are available for security, out-of-the-box. The dashboard is very user-friendly. Being able to remediate in-tool is valuable. There are a lot of cloud tools out there that can tell you what your vulnerabilities are, but don't necessarily have the ability to remediate with a click of a button.

It's also multi-cloud. You can look at several cloud providers: AWS, Azure, or GCP. That's one of the best features. 

In addition, the solution's automated remediation of cloud IaaS and PaaS resource misconfigurations is one of the biggest things that we need to focus on, as far as public cloud goes. There are a lot of misconceptions out there within companies that are going into the cloud. They think that the cloud provider is responsible for that security piece. There's a misunderstanding of where that line is drawn for security. A lot of companies only understand, once they're in the cloud, that it's their responsibility to ensure the security of their resources. That is where this tool fits in perfectly. You can set it to auto-remediate. As soon as it identifies an issue or a vulnerability within your environment, if you've configured it to auto-remediate, it takes care of that vulnerability and saves that time so you can focus on other things as an organization. And if you don't want to auto-remediate, if you're testing something out, for example, you don't have to.

There's also an archive of the history with a list of all the resources in the cloud environment and how they're connected. It tracks any actions that have been taken on those resources over time. You can go back several months and see how the resources were connected and what they were connected to and any vulnerabilities that were remediated within the tool.

And it gives us the ability to control who can remediate something and where. You have to be an admin. A user or viewer cannot go in and configure remediation. That allows us to see who's doing what because, as I mentioned, there can be vulnerabilities that you don't want automatically remediated. That can be true not only for testing but it's possible that a vulnerability is not a true vulnerability for that environment; or the remediation could affect other users and needs to be planned instead of remediating right then and there.

What needs improvement?

An area for improvement is that we get a lot of questions about creating customized policies in the tool. You get several out-of-the-box policies that you can delete and upload, but I would like to see them improve the understanding of how to write those policies; maybe a Help wizard. There should be a clearer understanding of how to write security policies to scan against.

Also, we've had some issues with connectors. The connectors have seemed to have caused a little bit of trouble, perhaps with the APIs trying to scan the environment. The only time I've had to reach out to tech support was for that. It seems it may not have been scanning correctly or I wasn't seeing data within a specific time.

But we've set up a couple of connectors in the past couple of weeks and they actually scanned the AWS environment and we had data within about 10 minutes. It's working a lot faster and I think they're making improvements as they go.

We've also helped identify bugs here and there, which only makes the tool better.

For how long have I used the solution?

We've been using Helix Cloud Security for just under a year.

What do I think about the stability of the solution?

The stability has been perfect. I haven't had one downtime issue yet.

How are customer service and technical support?

Tech support is top-notch. They were very responsive and eager to help get the problem resolved.

Which solution did I use previously and why did I switch?

We didn't have a previous cloud solution. We had the responsibility ourselves. When we would set up an account or a resource in the cloud, we would go through what needed to be done to secure it. Having Helix Cloud Security saves us time it would take us to do that. We still have to do some setup of proper protocols, but when you attach this tool and scan your resources, it catches things you may have never seen: an open S3 bucket, or that the routing security groups to AWS are wide open. We know what we need to do, but sometimes that doesn't get transferred to the keyboard to do it. This tool is like that double-checker in the back of the room saying, "Hey, by the way, you forgot to do this." It really catches those potentially big vulnerabilities that may be detrimental to our organization.

We realized we needed a tool like this as we moved more to the cloud. More companies are going to the cloud and using the cloud on a more frequent basis. We all know that there are vulnerabilities out there that people would want to access and use to do things that shouldn't be done. So we needed to have a tool in place to be that "big brother" to catch the things that we didn't catch, or that we didn't do during the creation of the resources.

How was the initial setup?

The initial setup was a little complex at first because of the different moving parts. In hindsight, it's security and the vulnerabilities. It's similar, as a tool, to what we've used previously, but now it's in the cloud. Once you get to know your way around the tool, things start becoming second-nature. But the initial view feels like there's a lot of information in terms of understanding what is what and where it's located.

It's a SaaS tool so there's no deployment required. Once you get set up with BMC, you get an account, you log in, and you can start working right away to set up your connectors to scan your environment. It only takes a few minutes. It only takes one person to deploy it across an organization.

What was our ROI?

I don't have a number for how much we've saved or for return on investment, but there has been a return because of the time we've saved. We're not using man-hours to fix the vulnerabilities or search for them. That's where our biggest ROI is.

What's my experience with pricing, setup cost, and licensing?

The pricing is based on an annual subscription, upfront, and it's based on cloud assets. Whether your assets are in Azure and AWS combined, the tool tells you how many assets are being scanned and that's the number used for pricing.

The subscription model is good. It makes sense that you are paying for cloud assets. There are so many different types of resource assets, specifically with AWS, so that number can really grow. But at the same time it's telling you how many assets you have. You understand what you're paying for. The license is very simple. There's no gray zone or muddy water in understanding how the pricing and licensing work.

Which other solutions did I evaluate?

BMC was the first one that we started evaluating. We liked it so much that we stuck with it.

They provided a 14-day free trial for us. We had 14 days to connect to our information, scan it, and get familiar with the tool. It was a nice little treat to take it for a test drive around the block for 14 days.

What other advice do I have?

Don't be surprised if you see some things that you thought were secure that were not secure. You think you're 100 percent, or you think you're close, but when you get in there and scan...

Also, take it piece by piece and understand. It might be good to scan your resources using just one security policy to start. Don't jump in too deep. If you jump in too deep you get overwhelmed with all the different policies that are scanned and all the vulnerabilities. It's just easier to take it day-by-day. Learn one section of the tool and then promote yourself as you get better and better versed in the application.

It can be deployed on AWS, Azure, and BMC has its own cloud as well. We've done integrations with dev environments, production environments, and test environments. Customers can have several environments within AWS. If those environments are within one main account — as long as that account from the high level has been integrated with the tool — that account is scanned and monitored by Helix Cloud Security. We can scan and remediate any vulnerabilities within any environment within a cloud account.

We have just under 10 people using it. They are systems engineers, security engineers, an analyst, and management. They're all using it in different ways. There are the admins, the users, and the viewers — people who are just viewing the data. Management is able to see a 50,000-foot view of the vulnerabilities. We can notify them and send email reports of vulnerabilities on a daily basis, which helps them understand from a management perspective.

It's being used on a daily basis in our organization. It's integral to our operations. The tool scans to make sure our environments are secure. And if they're not, it's going to let us know what's not secure so that we can resolve it, or if it's set to auto remediate, then we'll understand what the vulnerability was and that it has been fixed. 

There's no maintenance, per se, as a SaaS product, but it does require making sure the connectors are running and that your scans are working and scanning on whatever basis you set them up to do, whether ad hoc or interval. There's also the need to create users. But if something is not working within the tool itself, that's really on the BMC side to handle. BMC owns that piece and would be responsible for any maintenance, upgrades, etc.

Using this solution is an eye-opener. It really is. We thought we had a pretty good handle on security. Colleagues I've talked to at other organizations have that same mentality: "Yeah, we're good. We do this, this and this and this." But when you connect it and take that free trial, it's like, "Wow, I didn't know that S3 bucket was open. I thought we were good there." Having that holistic view is the biggest eye-opener. You understand, from any of your connected cloud accounts, what your vulnerabilities are with it. We saw data within 10 minutes of connecting to our AWS account. When I say data, I mean that we saw our resources popping in there and showing if there were vulnerabilities. We were immediately seeing data regarding our cloud infrastructure.

I'd give it a nine out of 10. It provides a multi-cloud experience, it's easy to use, the dashboard is user-friendly, and you really can see what your environment looks like.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
VinnieLima - PeerSpot reviewer
Managing Director at VVL Systems
Real User
Gives you a cohesive view into your security posture on cloud accounts
Pros and Cons
  • "The best feature is time to value. With very minimal effort, you are able to have a cohesive view into your security posture on one or multiple cloud accounts, particularly if you are dealing with multicloud. If you have Azure and AWS deployments, you might have multiple subscriptions in Azure and usually multiple accounts in AWS. You may even be doing some GCP work (around Google Cloud Platform). It's very difficult to manage a common set of policies, even less reporting, across multiple subscriptions, accounts, and cloud environments. What BMC Helix Cloud Security does is provide a unified view or single pane of glass as to your baseline. Then, it also facilitates the ability for Level 1 or 2 operations support to take action and report on security vulnerabilities."
  • "Every organization out there doesn't rely on just one control body. They use FISMA control. They may use HIPAA, CIS, PCI, or SOX, then blend them. One of the things that is now in big demand for BMC Helix Cloud Security is content. That's the next journey in its lifespan, making it easier for the community to share and collaborate on content for security controls that can be measured and remediated."

What is our primary use case?

Primarily, it is to understand the cloud baseline against regulatory controls. The primary use case is to identify unknown or unmitigated risks when it comes to security controls in a cloud workload or environment. Within that use case, it takes things, like CIS Compliance Controls, and determines if your workloads are compliant to those best practices. Therefore, the primary use cases are detection and identification. The secondary use case, which goes sort of hand in hand, is to enable operational controls in the form of remediation and actions.

It not only can identify if a cloud resource is noncompliant, but also provide operations an easy and distinct way to take action to remediate, address, and enclose the security gaps.

The fringe use case is to integrate it with your IT operations management and IT service management. This is to not only be notified about deviations from acceptable baseline, but also tying into service management for change detection and change tracking.

It is a SaaS subscription model where you can leverage it to analyze and have insight into your cloud services. We use it in a sort of a bimodal way. We use it for both our Microsoft Azure and AWS workloads that we have both internally and customer-facing. We also use it as part of our managed service for our customers and their customer accounts. Thirdly, we use it as part of advising for clients who are interested in their capabilities.

Every account that we have, either Azure or AWS, is owned by us or managed as a managed service and overseen by BMC Helix Cloud Security. We don't deploy cloud accounts without having it managed by Cloud Security.

How has it helped my organization?

One of the pieces that is very difficult to track is elasticity and dynamics, especially when you are doing DevSecOps with multiple build pipelines in the cloud environment, or against the cloud environment, since you have a development, test/QA, and production environment. What BMC Helix has allowed us to do, especially with cloud security and cloud costs, is to unify the visibility into a single source of truth. What it has facilitated is also the skills gap and being entrenched in the native cloud providers portal and having to understand how to navigate it, how to deal with those resources, and having to understand the idiosyncrasies between each of them because they have similar capabilities but with different terminologies, architecture, methodologies, and best practices.

What BMC Helix allows you to do is very easily bring that information back to be analyzed and make informed decisions on it. That simplification of IT governance is one that gives a huge value out of BMC Helix. Now, we're talking specifically about our cloud security. This is a very challenging aspect because you're always bumping between agility, control, and rigidity. So, cloud security allows you to understand, measure, and take proactive actions for critical vulnerabilities without getting in the way of the day-to-day cloud operations.

One of the big things is being able to measure the effectiveness of your corporate policy against the reality of day-to-day changes. Take a very simple thing that we see all the time when we deal with customers. They have policy on paper, which is defined. They may be very well-matured from a cloud expertise perspective, but they're dealing with hundreds, if not thousands, of accounts sometimes within just one cloud provider. When we connect BMC Helix to their environment, it's always surprising to them how there's always an Esri bucket that has the wrong information. There might be an IAM role or credential that hasn't been enrolled within a certain period of time, which is hard to detect. It's the scenario of the needle in the haystack, especially at scale.

Even organizations, who are very rigid and mature in their deployment methodologies, there are so many resources and configurations within each cloud environment that is impossible for humans to track. That is where automation comes into play. BMC Helix helps to bring that into AI with very intelligent mechanisms, predictably telling you what's wrong or how to be better.

With the Discovery portion of Helix, it is so incredible to be able to highlight the relationships being services that are very hard to detect. Anybody who has worked with AWS, Microsoft Azure, or GCP knows how intricate the relationships between services can be. A VPC has many relationships to subnets or round tables. You may have relationships to VPN gateways or IGWs with so many integrate dependencies that it is hard for one document and understand those dependencies. Also, from a risk perspective, I find a lot of financial institutions who use the BMC Discovery capability out of Helix for security baselining to determine when a baseline has changed outside of a change control mechanism and detect an insider threat as well as a deviation from policy.

In theory and practice, compliance and security vulnerability management is typically a human labor intensive activity. It's also a repetitive activity. So, the solution has increased productivity by reducing repetitive or tedious tasks related to security. Measuring those metrics is very customer dependent based on the maturity of how they audit, measure compliance, and their vulnerability controls. I have seen environments where vulnerability and compliance security audits are done orderly in massive spreadsheets, and they never get out of that cycle. There is continuous InfoSec to operations going back and forth because there is detection, then there is remediation.

I have also seen scenarios where certain vulnerabilities or configuration controls violate a certain regulatory control. These may take weeks, if not months, to remediate at scale. With automation, leveraging BMC Helix to remediate or do cloud security, once a detection of a vulnerability security is performed and identified as something that should not exist (meaning there are no waivers nor an exception process), the remediation is done in minutes. That is the benefit of this platform. 

It doesn't remediate everything. There are a lot of vulnerability controls that are manual controls. There is a large portion (80:20) between what can be remediated through automation versus manual controls, such as, physical security. Those now can be addressed by automation using BMC Helix Cloud Security and BMC Helix Remediate, which is another module capability within the helix platform. These allow you to use automation to remediate within minutes. 

For example, a customer of ours that is highly regulated in the healthcare space has quarterly audits. If they find vulnerabilities or controls that are not mitigated, which are open findings, they can define starting at million dollars, then going up, compiling the number of controls and vulnerability findings. They leverage Helix remediation for the reporting and remediation as well as the detection of regulatory controls. Before, there was a never-ending process of identification and remediation. Now, the identification has been shrunken down to below a couple of weeks for their multiple control environments. The remediation is now a fraction of what it was before. Remediation was a month-long effort with multiple bodies. Whereas now, they're able to do it within a couple of weeks with a limited amount of staff. So, that's the power of it.

Vulnerability management is one of the other big areas. Another customer of ours was doing patching parties, where they were trying to deal with vulnerabilities, and doing patching for 100 to 200 systems at a time. Moving to the automated mechanism that BMC provides, they were able to do thousands of systems for every patching exercise that they were doing. Thus, shrinking the vulnerability left for how long they have been open inside their environment.

What is most valuable?

The best feature is time to value. With very minimal effort, you are able to have a cohesive view into your security posture on one or multiple cloud accounts, particularly if you are dealing with multicloud. If you have Azure and AWS deployments, you might have multiple subscriptions in Azure and usually multiple accounts in AWS. You may even be doing some GCP work (around Google Cloud Platform). It's very difficult to manage a common set of policies, even less reporting, across multiple subscriptions, accounts, and cloud environments. What BMC Helix Cloud Security does is provide a unified view or single pane of glass as to your baseline. Then, it also facilitates the ability for Level 1 or 2 operations support to take action and report on security vulnerabilities.

The great thing about Helix Cloud Security is that you can operate it in multiple modes. You can have it as a passive, e.g., I just want to baseline and understand what is happening. This might be Shadow IT or well-versed IT in how you're deploying your cloud services. It provides you with metrics and artifacts to prove that your baseline reflects your policy. 

Developers can still continue to do what developers do, right or wrong. However, you can also progress to be more forward-leaning and defining policies in Helix Cloud Security which are more forceful. E.g., there is an unapproved deployment or somebody makes a change to an Esri bucket that doesn't comply to your policy regulations that you're able to detect and report. Then, going further, you are being more proactive by taking action to snap back to compliance. So, it doesn't change your DevOps model. It enriches it for better visibility, giving you a second set of eyes to ensure that you're not introducing human error where it's against corporate policy.

If you identify a vulnerability, e.g., identify a cloud security vulnerability for which you can automatically raise an incident and a change ticket on the service management platform of your choice, this could be with BMC or a third-party. Then, you can force these remediations to go through your change management process that allows you to document, review, schedule, and effectively approve them for execution. Now, you're not limiting operations from taking action, but you're introducing governance as part of the automation process.

What needs improvement?

The biggest challenge now, which is a good problem to have, with BMC Helix is content. There are some foundational regulatory bodies and controls that are well known in the industry. There is this defense information systems agency with big content, which is very popular out there with the regulator and government environment. You have PCI controls. You also have CIS which provides a great community and paid service for controls and operating systems applications. There is a big need that we're feeling in the industry from VVL systems to help customers take their organizational policy and marry it with a lot of their regulatory controls in the industry to come up with their own set of policies that are important for them.

Every organization out there doesn't rely on just one control body. They use FISMA control. They may use HIPAA, CIS, PCI, or SOX, then blend them. One of the things that is now in big demand for BMC Helix Cloud Security is content. That's the next journey in its lifespan, making it easier for the community to share and collaborate on content for security controls that can be measured and remediated.

BMC Helix Cloud Security has a variety of connectors, not only connecting to public cloud providers, but also connecting to other types of resources, such as Docker and Kubernetes, for applying security assessment at scale to other technologies. I would like to see BMC release additional connectors for industry technologies that keep popping up as technology evolves at a rapid pace. That's the part that I would like to see them keep with their momentum going forward.

For how long have I used the solution?

Before it was part of the Helix platform, BMC Helix Cloud Security was its own incidence. Then, BMC rolled it into the BMC Helix platform. So, it's been about a year and a half to two years that I've been involved in it from the initial releases into what it is now.

What do I think about the stability of the solution?

The stability has been really good. In the earlier days, as they were growing their platform and moving it to be 100 percent cloud native microservices based, they ran into some challenges around stability for the data collection.

Now, it's a pretty well-oiled machine. It's well-mature in the sense that we have never had any data loss. Their user experience portal has performed at 100 percent. I don't have any examples to point to for issues of availability or stability.

What do I think about the scalability of the solution?

It improves our organization with the facilitation to scale at the size that we are. We are a small business and efficient in what we do. However, the business model that throws bodies at solving automatable challenges is not cost-effective. If our organization has the ability to deliver leading edge services at scale for large Fortune 500 companies without having to scale monumentally or exponentially, it decreases the number of resources needed on my side. Now, I can have senior engineers or junior engineers drive some very complex use cases for customers without having to scale at a monumental cost.

Theoretically, there's no limits to its scalability. It's all based on cloud resources. So, BMC Helix runs on the cloud, either the BMC cloud, AWS, or Azure. Effectively, because of the architecture which is microservice-based, the scale is something that we have not run across. We have not run across a limitation. We've had BMC Helix interacting with thousands of assets and hundreds of accounts in the cloud. We haven't run into a scale issue yet, as the architecture is built for scale based on microservices.

Our small business is between 10 to 15 people. Right now, we have about 80 percent of our staff who are technical and the other 20 percent are management or customer success engagement. Our staff uses it for reporting and management of our cloud accounts that we continually manage as a part of our own infrastructure, or if it's a part of a managed service for a client or consulting engagement. Then, they may use it when involved with a client, but not everybody is using it day-to-day. It's not for daily operation. Based on our business model, it's either for managing the effectiveness of our own services that we run and maintain as well as delivering services for clients.

How are customer service and technical support?

The technical support has been really good. The BMC Helix platform overall has tightened up its responsiveness. The support organization has been pretty phenomenal. The integration of their support into their account team for escalation has led to prioritization being phenomenal.

A lot of times, we've interacted directly with product engineering to give them some insight or feedback for features or UX design ideas. Their UX design engineers have actually been very forward-leaning in soliciting feedback. From our experience, this has been really good.

Which solution did I use previously and why did I switch?

Prior to using Helix, we were using all of the cloud native solutions available at a time from AWS and Microsoft Azure. Even then, they were fairly immature, as it was a new space before they started releasing some capabilities. This was before their cloud security model to manage cloud native resources, like serverless computing and others. It was the traditional methodology of managing virtual machines like you would do on-premises.

We used some of the BMC automation solutions dating back to BMC BladeLogic to manage those workloads. But those solutions were not meant for cloud native resources, dealing with things like serverless computing, Lambda Functions, and so forth in a cloud construct. Before, there was really nothing that we were using except for good old best practices and human intervention.

We were using the solution before it was BMC Helix and TrueSight Cloud Security. It was always cloud native. However, BMC unified their branding messaging, releasing new products on the BMC Helix platform. They brought cloud security into it. About a year and a half ago, it was made available and we've been using it from the early days. We have been providing feedback from the beta phase to where it is today.

Scale helped us come to the realization that we needed something like Helix Cloud Security. With manual labor and referenceable cloud architecture best practices, you can deploy it once and it's hard to track over time, especially when there is a DevOps methodology involved. So, it was scale and agility of the cloud. The rate that new services are released by cloud vendors made it almost impossible to do anything else.

How was the initial setup?

The initial setup has always been fairly standard. What's changed over the year and a half is the support for additional cloud environments. They started with AWS and Azure, then added GCP. They started adding additional connectors and cloud environments. So, they added features and capabilities. They added additional content and more policies that can be evaluated. 

The setup has always been easy because it's always been cloud native. There are very minimal requirements for on-premise. However, it got easier as they do more in the cloud.

The first deployment probably took a couple of minutes. It's always been a couple of minutes. It's a matter of prerequisites.

At this point, we have a standard implementation strategy.

A lot of times the challenge comes in granting the right permissions for BMC Helix to get data out of your cloud environment. There are always some fundamental things that it requires. Usually, it is read-only. If you want to be able to remediate security risks, then it needs a read-write type of permission. 

Initially, maybe some of the documentation wasn't as clear as I would have liked it to be. It might have taken a bit of time to set up on the cloud environment to give BMC Helix access. Now, BMC has done a great job in maturing the documentation and making it easier to configure multiple accounts under the same connector. I believe we did an evaluation for a recent client, and it took about five minutes to set up the connector to their AWS environment that had hundreds of resources.

What about the implementation team?

We worked directly with BMC and their product team, especially as they valued a lot of feedback and insight into what was working or not. So, we worked directly with them and didn't use a third-party.

The setup is pretty straightforward. There is no operational care that you have to do because this is a SaaS offering. All of the maintenance, upgrades, and break/fix is done by BMC. 

From our side, we just use the service. Now, depending on the size of the environment and cloud specific expertise, you might need more than just one person for the deployment. On our side, we have one expert who manages all of our customer and accounts with BMC Helix. They do all the administration of BMC Helix Cloud Security.

What was our ROI?

For our own environment, it has reduced a lot of the unknown unpredictable costs around cloud security and vulnerability. 

Because we started with cloud security very early on, I don't have a traditional model to compare to. What I do have is that the number of resources and effort that it takes to detect and comply is a fairly high ratio to cloud assets. 

What's my experience with pricing, setup cost, and licensing?

It is a subscription model with term licensing that is usually yearly. This includes, not only the product, but support and maintenance. It is based on cloud assets. Therefore, if you have 100 cloud assets, those cloud assets are measured based on evaluation or transactions.

For example, if I'm evaluating that cloud asset for CIS compliance, PCI compliance, and AWS best practices, that asset gets evaluated three times, as those are three transactions. However, the license model is based on peak asset usage. So, over a year, if you deploy 100, 1000, 500, and then 2000 assets, you will be charged for the 2000 peak of assets managed by Helix Cloud Security.

I have operational costs for my staff, but it's not part of the BMC licensing.

Which other solutions did I evaluate?

I don't know if there are other solutions similar to what BMC Helix Cloud Security does today. We are not evaluating others because we haven't found a gap for not using BMC Helix. 

We do some consulting engagements for clients who are evaluating other third-parties that come from their vulnerability management space, but they are not cloud security or cloud construct security native. We sometimes do feature by feature bake-offs, but they are not really equivalent.

The remediation of vulnerabilities can be a tedious process because you have identification. There are a lot of companies that use standards to identify vulnerabilities, i.e., Nessus, Qualys, and Rapid7, who are great at identifying, but not great at helping operations to fix vulnerabilities. This is because it takes a three-legged stool: 

  1. You have to know what is the asset that is actually impacted by the vulnerability. Sometimes, you only have an IP address and don't even have the name of the asset. So, you have to track down where does it reside. Especially in a large enterprise that has multiple sites or data centers that might be in the cloud, where does it reside? 
  2. You have to identify how to remediate the vulnerability. Some vulnerabilities are maybe a patch bought from a vendor, a combination of patches from a vendor (e.g., Microsoft or Red Hat plus an application patch), or a configuration change. You might have to toggle a registry key in addition to applying a patch. Can I actually apply that remediation to the system? Do I have a mechanism to apply at scale? This is where BMC Helix helps. It is able to integrate with a detection system, such as a vulnerability scanner, then understand and get the vulnerability identifiers (the metadata) from those scanners. It is able to associate it with known patches from multiple vendors. They might be Microsoft, Red Hat, IBM, or HPE. BMC can identify and relate the vulnerability to specific actions that vendors have identified from the patches. 
  3. The ability to apply at scale with thousands of endpoints. That remediation to affect the actual vulnerability. In the old days, InfoSec would detect the vulnerability and send a spreadsheet to operations. Now, there is no manual process in-between. It's all automated to the extent that they feel comfortable either fully automated or having a human in the loop for approvals and change management.

What other advice do I have?

Start early with this type of capability. Make it part of your cloud governance baseline if you want to leverage a product like BMC Helix Cloud Security from the get go. Make it part of your governance methodology, not after the fact. That's the biggest takeaway I could suggest. 

Don't implement a cloud governance and migrate to the cloud first, then later try to implement a governance method like BMC Helix Cloud Security provides, because it's a little too late. Otherwise, you will be detecting things that you could have addressed beforehand. Furthermore, my recommendation would be to include BMC Helix cloud costs in that governance for right-sizing cloud resources before you deploy them into the cloud.

We're just getting started with BMC Helix Capacity Optimization, which is part of their optimized feature set. We're just starting to use that in its initial stage.

Developers are interested in only a few things:

  1. Do they have the agility to deploy their capabilities of developing?
  2. Does it match the performance and intended state and operational capability that they designed it for?
  3. When something goes wrong and bump in the night, why is it not working?

When operations is coming back to them and saying, "Something is wrong with their application," there is a need to understand that old issue around traditional data centers: Who is at fault and what has changed? Discovery allows you to do that exact thing. Also, from a security perspective, is your deployment secure based on regulatory standards? Take PCI or CIS compliance standards, leveraging those as a baseline. That's a great start in understanding if you're designing your product correctly.

I would suggest that you don't position cloud security as a deterrent to agility in your cloud journey. Use it as a validation capability to validate your best practices and policies. That is very important instead of positioning it as a deterrent to agility because that will really hinder your ability to get acceptance and adoption from your team.

Overall, I would give it a nine (out of 10). The only reason I am not giving it a 10 is because it's still a fairly new offering in the market. It's mature but new in the market. The industry itself is shifting very quickly around how to measure security in the cloud. BMC is also still adapting to what that model is, and that is not their fault. It's just the industry shifting to "What is a secure cloud?" and "How do you help customers understand and take ownership of the shared responsibility?" Because the cloud has a shared responsibility model. The vendor is responsible and you're responsible. 

I would rate it a nine (out of 10) because the industry's not quite there yet to make this product perfect. It is still adapting to what is the right way to report cloud security.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner