Security overview

BMC understands that the confidentiality, integrity and availability of your operational information are vital to your organization. BMC uses a multi-layered approach to protect your data, constantly monitoring and improving applications, systems, and processes. The BMC Security Operations Center (SOC) and Network Operations Center (NOC) teams work 24 hours a day, seven days a week, and 365 days a year to ensure the continuous and secure operation of your service.

The NOC makes extensive use of BMC’s world class monitoring and automation solutions. All customer environments are monitored 24 hours a day and seven days a week. The NOC frequently resolves potential incidents before they impact customers.

Should your service be impacted, automated root cause analysis data is provided via the BMC TrueSight Operations Management solution and extensive automations using BMC Atrium Orchestrator dramatically reduce the Mean Time to Repair (MTTR).

BMC’s security strategy includes the following layers:

  • Governance
  • Physical
  • Perimeter
  • Network
  • Endpoint
  • Application
  • Data


The Governance layer comprises all other controls and incorporates policies, procedures, and awareness-related activities. This layer emphasizes governance, organization information security awareness, and external validation of the effectiveness of related controls. 

Key features of this layer include:

  • Policies and procedures
  • Quality Management System
  • Architecture and design
  • Threat intelligence
  • Risk analysis and management
  • Penetration testing and vulnerability assessments
  • Security awareness training
  • Security technology
  • Assessment/evaluation


The BMC Helix physical platform is provided by top-tier data center providers globally. These data centers incorporate fully redundant power, cooling, and battery backup systems to provide continuous and safe physical and environmental operation of BMC Helix services and solutions. 

Key features of this layer include:

  • Prominent data center partners providing geographically-dispersed Tier III (as defined by the Uptime Institute) facilities
  • Secure, nondescript facilities
  • On-site security 24x7x365 with closed-circuit TV monitoring
  • Automated and manual inspections of access points
  • Secure access to all facilities requiring two-factor building access with key card, PIN in addition to biometrics

See Service locations for additional details.


The Perimeter layer focuses on ensuring data in motion is encrypted, as well as ensuring that access into the environment is restricted to the minimum access required. Key features of this layer include:

  • Tiered Internet-facing web applications
  • Strict HTTPS compliance for all ports and protocols
  • Industry-standard, fully redundant stateful firewalls
  • Intrusion prevention system (IPS) proactively monitors and blocks malicious network traffic activity
  • Security Assertion Markup Language (SAML) Single Sign-on support
  • 256-bit SSL HTTPS
  • Transport Layer Security (TLS) utilization ensures secure email and data file transmissions
  • SSL certificates (2048-bit)
  • Third-party perimeter, network, and application penetration tests conducted annually


The Network layer emphasizes segmenting and restricting internal communications. These controls elevate the security, confidentiality, integrity, and availability of customer data and eliminate the risks associated with multi-tenant environments. Key features of this layer include:

  • Internal network segmentation ensures customers’ information is private and secure
  • Web content filtering
  • Management layer with centralized administration coupled with advanced system monitoring capabilities
  • No routable public addresses are permitted on data center servers or systems


The Endpoint layer concentrates on securing sensitive customer data and information. Security controls at this layer are restricted to safeguarding a customer’s applications and systems. Key features of this layer include:

  • Enterprise anti-virus and anti-malware protection
  • Automated patch and vulnerability management provides rapid response to threats, attacks, and other unauthorized activity
  • Security posture is augmented with advanced compliance analysis and reporting
  • Adherence to least privilege compliance through privileged access assessments


The Application layer encompasses specialized security controls designed for the customer to provide role-based and secure application access.  BMC’s scalable cloud-based solutions secure our customers' solutions across the Software Development Lifecycle (SDLC) — from code development to pre-production testing and production. Key features of this layer include:

  •  Application security elements that protect data from unauthorized access
  • Role-based access provides fine-grained data permission controls
  • Credential information is encrypted end-to-end
  • A logical, multi-tiered access control construct
  • Static Application Security Testing including the use of Open Web Application Security Project (OWASP) and other leading tools to proactively detect security-related issues in the code and third-party libraries in our solutions for every release
  • Dynamic Application Security Testing including authentication tests, client-side attack tests, command execution tests, information disclosure tests, and logical attack tests for every release


BMC’s encryption solutions protect sensitive data as it is accessed and stored. This ensures that the data is unusable in the event it is removed from the environment. Key features of this layer include:

  • Enforced requirements for complex passwords
  • Full database encryption options for seamless data confidentiality and integrity. See Data encryption for additional detail.
  • Database keys are encrypted and stored separately, with access restricted to authorized individuals
  • Data is securely backed up for near and long-term storage utilizing AES 256-bit encryption
Was this page helpful? Yes No Submitting... Thank you


  1. Santhosh Justin

    is there any section describing the security on the AWS setup in case the customer chose to run Helix on their own AWS account?

    Jun 19, 2020 01:54
    1. Martha Mulvaney

      Santhosh, BMC does not deliver services under a customer-owned AWS account. The service must be purchased through BMC and security and operational policies are as defined by BMC as stated herein.

      Jun 24, 2020 04:56
  2. Foued Ben hadj ali

    I have a customer asking me for the number of servers that they will get per environment - is there a way to have this information?

    Sep 27, 2020 04:25
    1. Dhanya Menon

      Hello Foued Ben,

      Thank you for your query and I apologize for the late response.

      The number of servers provided by BMC is dependent on various factors such as subscription, usage, etc. The servers are hosted on BMC's side and supported or scaled accordingly as part of the customer's  SaaS subscription. 

      Please let us know if you need more information.



      Jun 06, 2022 01:19