This glossary contains terms that are relevant to BMC Helix Cloud Security.

General terminology

The following terms apply to terms you find in the Cloud Security UI or as part of the typical business use cases for using the service.


The company that is registered to use Cloud Security.


An automatic policy evaluation performed by Cloud Security for a given tenant.

Compliance content

Pre-built compliance templates that BMC offers out-of-the-box to analyze regulatory compliance. Such templates can facilitate compliance analysis when you need to adhere to industry-defined compliance policies such as CIS, DISA, HIPAA, PCI, or SOX.


A ready-to-use collector that can be configured to collect data from various sources (such as AWS, Docker, and other custom data) and to send it to Cloud Security.


A pre-built regulatory policy, which is helpful for auditors. Policies contain rules that evaluate the servers, hosts, or other resources for compliance.


An object of interest to the customer that needs to be evaluated. For example, CFN template, server, receipt, temperature of refrigerator, and so on.


An expression that is used to evaluate whether a resource is compliant.


A transaction is one policy evaluated against one resource.


A condition that indicates non-compliance of a given rule or a group of rules.

Exception :

Exceptions can be applied for a rule in a policy. When a resource is marked for exception then the rule will be always compliant as long as the exception is in effect.

Remediation :

Remediation is an action through which compliance violation can be fixed. Remediation can be enabled or disabled under Actions on the Policy Details page

Connector :

Connector is the component that collects compliance data from the data source (for example, AWS) and evaluates the data against the compliance policies that you specify. Connectors can be set to evaluate data on-demand or on a user-defined schedule.

Terminology by technology

The following terms are relevant to the specific technology groups governed by the Center for Information Security (CIS) and used in Policy to evaluate corresponding resources and maintain compliance and governance in specific environments.


Client ID

The Azure Application ID used to generate an authentication key for the application. The Client ID must have access to all subscriptions (single or multiple) to be scanned.

Client Secret

The authentication key string for the Azure account to be scanned.

Network Security Groups

A policy that validates the configuration of Azure security groups, the main tool you use to enforce and control network traffic rules at the network level.


A policy that validates Azure subscriptions, the details that uniquely identify your subscription to use Azure services. For each tenant, there can be multiple subscriptions. Cloud Security checks for security settings and tracks costs based on the subscription level.

Subscription ID

The GUID that uniquely identifies your subscription to use Azure services. For each tenant, there can be multiple subscriptions in one Azure account.

Tenant ID

The ID specific to the tenant you obtained when you opened your Azure account.

Virtual Machine

A policy that validates the configuration of Azure Virtual Machines (VMs), primarily the availability of the VM.

Virtual Network

A policy that validates the configuration Azure Virtual Networks (VNet), a representation of your own network in the cloud. A VNet is a logical isolation of the Azure cloud dedicated to your subscription.



An open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.

Docker Container

Wrappers for a piece of software in a complete filesystem that contains everything needed to run: code, runtime, system tools, system libraries – anything that can be installed on a server. This guarantees that the software will always run the same, regardless of its environment.

Docker Image

Read-only template used to create containers.


Kubernetes Operations. Production Grade K8s Installation, Upgrades, and Management. Kops supports deploying Kubernetes on Amazon Web Services (AWS) and support for more platforms is planned.


Kubernetes-provided tool for spanning a Kubernetes base cluster.


A command line interface for running commands against Kubernetes clusters.


An open-source system for automating deployment, scaling, and management of containerized applications.

Kubernetes Kube config

The location of the Kubernetes kube configuration file path (the host from which the Kubernetes cluster can be accessed).


A Kubernetes abstraction that represents a group of one or more application containers (such as Docker or rkt), and some shared resources for those containers.


A worker machine in Kubernetes and may be either a virtual or a physical machine, depending on the cluster. Each Node is managed by the Master. A Pod always runs on a Node.

Was this page helpful? Yes No Submitting... Thank you