Walkthrough: Discovery Integration


Introduction

The Cloud Security integration with BMC Discovery should allow users to see the security posture of a business service. Users should be able to report on, notify about, and set exceptions for a business service.

User capabilities:

  1. Report the compliance summary and new violations reported for a business service
  2. Set up an exception for a business service
  3. Find all the violations that are reported for a business service
  4. Find all the resources, and their corresponding violations, that belong to a business service

Understanding business service

A business service is an IT service that directly supports a business process: for example, financial services and online banking services delivered by banks to their customers, or Human Resource (HR) services delivered by an HR department. In IT organizations, business services are supported by different components, such as servers, applications, and databases.

A user selects all the resources of a business service, creates an application model and publishes it as a Business Application Instance in BMC Discovery.

BMC Discovery enables you to add manually selected nodes to a group. Groups and subgroups enable you to collect all items that make up an application and divide them into subgroups to help you understand the structure and operation of an application.

In Discovery, any business application instance, model or resource can be tagged using a Manual Group. BMC Helix Cloud Security uses this manual group to identify the business service. Its syntax is Service::<Business Service Name>

There are many synergies between Helix Discovery and the Helix CloudOps platform, and the two products complement each other well. While both scan cloud resources, CloudOps shows the security and cost posture of the resources, whereas Discovery lets customers understand the overall topology and business service grouping. The integration obtains this business service information from Discovery and shows the various CloudOps KPIs in the context of the already defined business services.

The following capabilities are provided as part of this integration:

  1. Discover business services from Discovery and show them as "Imported" resource pools in BMC Helix Cloud Security.
  2. Cross launch from the BMC Helix Cloud Security UI to the Discovery UI to show network topology/graph details for individual resources.


Steps to use Discovery integration with Cloud Security

Prerequisites:

  1. BMC Discovery 11.3
  2. Ensure that Remedy Single Sign On is enabled.

Steps:

  •  Onboard an AWS/GCP/Azure cloud connector for the target account. On-prem connectors for AWS, GCP and Azure are also supported.
  •  Scan data for the same target account in BMC Discovery.
  •  Create the business service under a manual group in Discovery. Refer to the Discovery documentation for details.
  •  Onboard and run the Discovery Cloud Connector. Refer to the section "Discovery connector".
  •  Resources present in both the Cloud Security scan and the Discovery scan (overlapping resources) are imported as resource pools for the business service defined in Discovery. These resource pools are marked as "Imported" in the Cloud Security UI.
  •  Refer to the section "BMC Helix Cloud Security integration with BMC Discovery" for the further steps in BMC Cloud Security.
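As an added illustration (not code from BMC or from either product), the following Python model shows the mechanics the steps above rely on: parsing the Service::<Business Service Name> manual-group syntax, computing the overlap between Discovery nodes and the resources Cloud Security has already scanned (the set that becomes an "Imported" resource pool), optionally restricting the import to one Service Tag, and then filtering violations and building a compliance summary per business service (user capabilities 1, 3 and 4). All data structures, function names, resource ids and violations are constructed assumptions; neither product exposes these functions.

```python
"""Added example: model of how Discovery manual-group tags map resources to
business services and how the overlap with Cloud Security's scanned inventory
becomes an "Imported" resource pool. Hypothetical data; not product code."""
import re
from collections import defaultdict

# Manual-group syntax from the page: Service::<Business Service Name>
SERVICE_TAG = re.compile(r"^Service::(?P<name>.+)$")


def business_service_from_group(group_name):
    """Return the business service name encoded in a manual group, or None
    when the group does not follow the Service::<name> convention."""
    m = SERVICE_TAG.match(group_name.strip())
    return m.group("name").strip() if m else None


# Constructed sample Discovery nodes: cloud resource id, Discovery kind and the
# manual groups the node was tagged with. Only Service:: groups matter here.
DISCOVERY_NODES = [
    {"id": "i-0a1b2c", "kind": "VirtualMachine", "groups": ["Service::Online Banking"]},
    {"id": "vol-9f8e7d", "kind": "StorageVolume", "groups": ["Service::Online Banking", "Tier::Web"]},
    {"id": "db-aurora-01", "kind": "SoftwareInstance", "groups": ["Service::Payroll"]},
    {"id": "i-deadbeef", "kind": "VirtualMachine", "groups": ["Tier::Batch"]},  # no Service:: tag
    {"id": "i-notscanned", "kind": "VirtualMachine", "groups": ["Service::Payroll"]},  # not in Cloud Security
]

# Constructed sample Cloud Security inventory scanned from the same target account.
CLOUD_SECURITY_RESOURCES = {"i-0a1b2c", "vol-9f8e7d", "db-aurora-01", "i-deadbeef", "sg-0000"}

# Constructed sample violations keyed by resource id.
VIOLATIONS = [
    {"resource": "i-0a1b2c", "rule": "EC2 instance has a public IP", "severity": "HIGH"},
    {"resource": "vol-9f8e7d", "rule": "EBS volume not encrypted", "severity": "MEDIUM"},
    {"resource": "sg-0000", "rule": "Security group open to 0.0.0.0/0", "severity": "HIGH"},
]


def build_imported_pools(nodes, scanned_ids, service_tag=None):
    """Group Discovery nodes by business service, keeping only resources that
    Cloud Security has also scanned (the overlap the page says is imported).
    service_tag mirrors the connector's "first option": when set, only that
    exact manual group is imported; when None, all Service:: groups are."""
    pools = defaultdict(set)
    for node in nodes:
        for group in node["groups"]:
            svc = business_service_from_group(group)
            if svc is None:
                continue
            if service_tag is not None and group != service_tag:
                continue
            if node["id"] in scanned_ids:
                pools[svc].add(node["id"])
    # Drop services whose resources were never scanned by Cloud Security.
    return {svc: sorted(ids) for svc, ids in pools.items() if ids}


def violations_for_service(pools, violations, service):
    """Filter violations down to the resources of one business service."""
    members = set(pools.get(service, []))
    return [v for v in violations if v["resource"] in members]


def compliance_summary(pools, violations):
    """Per business service: resource count and violation count by severity."""
    summary = {}
    for svc, ids in pools.items():
        by_sev = defaultdict(int)
        for v in violations_for_service(pools, violations, svc):
            by_sev[v["severity"]] += 1
        summary[svc] = {"resources": len(ids), "violations": dict(by_sev)}
    return summary


if __name__ == "__main__":
    pools = build_imported_pools(DISCOVERY_NODES, CLOUD_SECURITY_RESOURCES)
    for svc, ids in pools.items():
        print(f"[IMPORTED] {svc}: {ids}")
    print(compliance_summary(pools, VIOLATIONS))
```

Note that the violation on sg-0000 is reported by Cloud Security but attributed to no business service, because Discovery never tagged that resource; a resource must be present in both scans and carry a Service:: group to land in an imported pool.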

Enabling RSSO Integration

To use Discovery integration with BMC Helix Cloud Security, Remedy Single Sign On (RSSO) is a prerequisite. Refer to the RSSO documentation for more information.

Discovery connector

Discovery Cloud Connector

BMC Helix Cloud Security offers the Discovery Cloud Connector, which enables customers to scan BMC Helix Discovery data on the basis of business services. This page covers the principles and on-boarding of the Discovery Cloud Connector.

Completing prerequisites

Ensure that the following prerequisites are met before on-boarding the Discovery Cloud Connector:

  1. BMC Helix Discovery is set up.
  2. All required manual groups, business services and application instances are already created in BMC Helix Discovery. An application instance is a group of resources collected from a target account (AWS, Azure or GCP). Refer to the Discovery documentation for more details.
  3. BMC Helix Cloud Security has already scanned resource data from the same target account as Discovery. This can be done through the AWS, Azure or GCP cloud connector or the on-prem connector.

On-boarding the Discovery Cloud Connector

To on-board the Discovery Cloud Connector, perform the following steps:

  1. Log on to BMC Helix Cloud Security with your registered credentials.
  2. Select the Configure icon > Connectors.
  3. Click Add a Connector.
  4. Select Discovery Cloud Connector and then click Continue.
     image2019-10-16_16-32-13.png
  5. In the Add a Connector page, fill in the following details:
     a. In the Connector Name field, specify a name for the connector. This name must be unique and must not already have been created. If the name entered is not already displayed on the Manage Connectors page, a green check mark and an "available" label appear next to the field.
        image2019-10-16_16-33-38.png
     b. In the Endpoint field, type in the BMC Helix Discovery URL.
        image2019-10-16_16-35-31.png
     c. In the Token field, type in the token created for the Discovery user. Refer to the Discovery documentation to create a token. This token must belong to a Discovery user with api-access, read-only and never-expire permissions.
        image2019-10-16_16-37-21.png
     d. In Business Service Configuration, select the first option to scan data for a specific manual group, or the second option to scan data for all manual groups created in Discovery.
        image2019-10-16_16-38-24.png
     e. In the Service Tag field, type in the manual group name for which you want to scan data.
        image2019-10-16_16-40-6.png
        NOTE: The Service Tag option is available only if you select the first option in Business Service Configuration.
     f. In the At Scheduled Intervals field, set the interval at which Discovery resources should be collected periodically.
        image2019-10-16_16-40-59.png
        NOTE: If you disable the schedule mode, you can run the scan in On Demand collection mode.
     g. Click Continue.
        image2019-10-16_11-43-20.png

The connector is now available in Cloud Security, and Discovery data can be scanned and evaluated in scheduled or on-demand mode.

Supported AWS, Azure and GCP Resources

The Discovery Cloud Connector currently supports the following AWS, Azure and GCP resources during a scan.

| #  | Cloud Provider | Category                       | Resource Type                    | Discovery Kind   | Is Licensed in Discovery | Present in Cloud-Security | Present in Cloud Cost |
|----|----------------|--------------------------------|----------------------------------|------------------|--------------------------|---------------------------|-----------------------|
| 1  | AWS            | Compute                        | Amazon EC2                       | VirtualMachine   | Yes                      | Yes                       | Yes                   |
| 2  | AWS            | Compute                        | Amazon EC2 - Auto scaling group  | VirtualMachine   | Yes                      | Yes                       | Yes                   |
| 3  | AWS            | Compute                        | Amazon EC2 - Storage             | StorageVolume    | Yes                      | Yes                       | Yes                   |
| 4  | AWS            | Database                       | Amazon Aurora                    | SoftwareInstance | Yes                      | Yes                       | Yes                   |
| 5  | AWS            | Database                       | Amazon RDS                       | SoftwareInstance | Yes                      | Yes                       | Yes                   |
| 6  | AWS            | Database                       | Amazon DynamoDB                  | Database         | Yes                      | No                        | Yes                   |
| 7  | AWS            | Database                       | Amazon Neptune                   | SoftwareInstance | Yes                      | Yes                       | Yes                   |
| 8  | AWS            | Containers                     | Amazon EC2 Container Service     | VirtualMachine   | Yes                      | Yes                       | Yes                   |
| 9  | AWS            | Containers                     | Amazon EKS                       | Cluster          | Yes                      | No                        | Yes                   |
| 10 | AWS            | Containers                     | AWS Fargate                      | Deployment       | Yes                      | No                        | No                    |
| 11 | AWS            | Analytics                      | Amazon Athena                    | CloudResource    | Yes                      | No                        | No                    |
| 12 | AWS            | Analytics                      | Amazon EMR                       | CloudResource    | Yes                      | No                        | Yes                   |
| 13 | AWS            | Analytics                      | Amazon Kinesis                   | CloudResource    | Yes                      | No                        | Yes                   |
| 14 | AWS            | Analytics                      | Amazon Redshift                  | CloudResource    | Yes                      | No                        | Yes                   |
| 15 | AWS            | Application Hosting/Serverless | AWS Elastic Beanstalk            | CloudResource    | Yes                      | No                        | No                    |
| 16 | AWS            | Application Hosting/Serverless | AWS API Gateway                  | SoftwareInstance | Yes                      | No                        | Yes                   |
| 17 | AWS            | Application Hosting/Serverless | AWS Step Functions               | CloudResource    | Yes                      | No                        | Yes                   |
| 18 | AWS            | Caching                        | Amazon ElastiCache               | SoftwareInstance | Yes                      | No                        | Yes                   |
| 19 | AWS            | Storage                        | Amazon S3                        | CloudResource    | Yes                      | Yes                       | Yes                   |
| 20 | AWS            | Storage                        | AWS Glacier                      | CloudResource    | Yes                      | No                        | Yes                   |
| 21 | AWS            | Messaging Services             | Amazon MQ                        | CloudResource    | Yes                      | No                        | Yes                   |
| 22 | Azure          | Compute                        | Virtual Machine                  | VirtualMachine   | Yes                      | Yes                       | Yes                   |
| 23 | Azure          | Database                       | SQL                              | SoftwareInstance | Yes                      | Yes                       | Yes                   |
| 24 | Azure          | Database                       | Azure DB for MySQL               | SoftwareInstance | Yes                      | No                        | Yes                   |
| 25 | Azure          | Database                       | Azure for PostgreSQL             | SoftwareInstance | Yes                      | No                        | Yes                   |
| 26 | Azure          | Analytics                      | HDInsight                        | CloudResource    | Yes                      | No                        | Yes                   |
| 27 | Azure          | Analytics                      | Azure Databricks                 | CloudResource    | Yes                      | No                        | Yes                   |
| 28 | Azure          | Analytics                      | Data Lake                        | CloudResource    | Yes                      | No                        | Yes                   |
| 29 | Azure          | Analytics                      | Azure Stream Analytics           | CloudResource    | Yes                      | No                        | Yes                   |
| 30 | Azure          | Storage                        | Azure Backup                     | CloudResource    | Yes                      | No                        | Yes                   |
| 31 | Azure          | Auto Scaling                   | Virtual Scale Sets               | VirtualMachine   | Yes                      | No                        | Yes                   |
| 32 | GCP            | Compute                        | Compute Engine                   |                  | Yes                      | Yes                       |                       |
| 33 | GCP            | Database                       | Cloud SQL                        |                  | Yes                      | Yes                       |                       |


BMC Helix Cloud Security integration with BMC Discovery

After BMC Helix Cloud Security is integrated with BMC Discovery, business services from BMC Discovery are imported into BMC Helix Cloud Security as Resource Pools.

Here is how the business services imported as Resource Pools are shown in BMC Helix Cloud Security; note that they are marked as "BUSINESS SERVICE" and "IMPORTED".

Also note that these Resource Pools are not editable.

Resource_Pools_Showing_Imported_Business_Services.JPG

Resources and violations can be filtered by such resource pools to identify the resources and violations for a particular business service.

Here is how business services appear in the Resource Pools dropdown used for filtering on the Dashboard page:

Dashboard_Resource_Pools_Filter_Showing_Business_Services.JPG

In addition, cross launch links are available on the Resource details page and the Violation details page. They open BMC Discovery to show additional details such as the Application Model, Deployment Model and Resource Visualization.

Here is how the cross launch links are shown on the Resource details page:

Resources_L3_Page_with_Cross_Launch_Links.JPG

Here is how the cross launch links are shown on the Violation details page:

Violations_L3_Page_with_Cross_Launch_Links.JPG

Here is a sample BMC Discovery UI opened after clicking the cross launch link "View Resource Visualizations & Details":

Discovery_UI_for_View_Resource_Visualization_and_Details.JPG

Here is a sample BMC Discovery UI opened after clicking the cross launch link "Application Model":

Discovery_UI_for_Application_Model.JPG

Here is a sample BMC Discovery UI opened after clicking the cross launch link "Deployment Model":

Discovery_UI_for_Deployment_Model.JPG
