Security overview
BMC understands that the confidentiality, integrity, and availability of your operational information are vital to your organization. BMC uses a multi-layered approach to protect your data, constantly monitoring and improving applications, systems, and processes. The BMC Security Operations Center (SOC) and Network Operations Center (NOC) teams work 24 hours a day, seven days a week, and 365 days a year to ensure the continuous and secure operation of your service.
The NOC makes extensive use of world-class monitoring and automation solutions. All customer environments are monitored 24 hours a day and seven days a week. The NOC frequently resolves potential incidents before they impact customers.
If your service is impacted, root cause analysis data is provided to customers upon request.
BMC’s security strategy includes the following layers:
- Governance
- Physical
- Perimeter
- Network
- Endpoint
- Application
- Data
Governance
The Governance layer spans all other controls and incorporates policies, procedures, and awareness-related activities. This layer emphasizes governance, organizational information security awareness, and external validation of the effectiveness of related controls.
Key features of this layer include:
- Policies and procedures
- Quality Management System
- Architecture and design
- Threat intelligence
- Risk analysis and management
- Penetration testing and vulnerability assessments
- Security awareness training
- Security technology
- Assessment/evaluation
Physical
The Helix Control-M physical platform is provided by Amazon Web Services. These data centers incorporate fully redundant power, cooling, and battery backup systems to provide continuous and safe physical and environmental operation of Helix Control-M services.
Key features of this layer include:
- Prominent data center partners providing geographically dispersed Tier III (as defined by the Uptime Institute) facilities
- Secure, nondescript facilities
- On-site security 24x7x365 with closed circuit TV monitoring
- Automated and manual inspections of access points
- Secure access to all facilities, requiring two-factor building access with key card and PIN in addition to biometrics
Perimeter
The Perimeter layer focuses on ensuring data in motion is encrypted, as well as ensuring that access into the environment is restricted to the minimum access required. Key features of this layer include:
- Tiered Internet-facing web applications
- Strict HTTPS compliance for all ports and protocols
- Industry-standard, fully redundant stateful firewalls
- An intrusion prevention system (IPS) proactively monitors and blocks malicious network traffic
- Security Assertion Markup Language (SAML 2.0) single sign-on support
- 256-bit SSL HTTPS
- Transport Layer Security (TLS) utilization ensures secure email and data file transmissions
- SSL certificates (2048-bit)
- Third-party perimeter, network and application penetration tests conducted annually
Network
The Network layer emphasizes segmenting and restricting internal communications. These controls elevate the security, confidentiality, integrity and availability of customer data and eliminate the risks associated with multi-tenant environments. Key features of this layer include:
- Internal network segmentation ensures customers’ information is private and secure
- Web content filtering
- Management layer with centralized administration coupled with advanced system monitoring capabilities
- No routable public addresses permitted on data center servers or systems
Endpoint
The Endpoint layer concentrates on securing sensitive customer data. Security controls at this layer are dedicated to safeguarding a customer’s applications and systems. Key features of this layer include:
- Enterprise anti-virus and anti-malware protection
- Automated patch and vulnerability management provides rapid response to threats, attacks and other unauthorized activity
- Security posture is augmented with advanced compliance analysis and reporting
- Adherence to least privilege compliance through privileged access assessments
Application
The Application layer encompasses specialized security controls designed to provide customers with role-based, secure application access. BMC’s scalable, cloud-based solutions secure our customers’ solutions across the Software Development Lifecycle (SDLC), from code development and automated testing to pre-production automated testing and production. Key features of this layer include:
- Application security elements that protect data from unauthorized access
- Role-based access provides fine-grained data permission controls
- Credential information is encrypted end-to-end
- A logical, multi-tiered access control construct
- Static Application Security Testing including the use of Open Web Application Security Project (OWASP) and other leading tools to proactively detect security-related issues in the code and third-party libraries in our solutions for every release
- Dynamic Application Security Testing including authentication tests, client-side attack tests, command execution tests, information disclosure tests and logical attack tests for every release
Data
Generally, Helix Control-M does not store sensitive information. BMC’s encryption solutions protect sensitive data as it is accessed and stored, ensuring that the data is unusable in the event it is removed from the environment. Key features of this layer include:
- Enforced requirements for complex passwords
- Sensitive information is encrypted within the database using AES-256
- Database keys are encrypted and stored separately, with access restricted to authorized individuals
- Data is securely backed up for near- and long-term storage utilizing AES 256-bit encryption