The new tool will standardize and automate the way ISVs provide security information to GRC professionals.
AWS RE:INFORCE — Amazon has introduced a new tool called AWS Marketplace Vendor Insights. It aims to simplify the risk assessment of partners’ SaaS applications. The cloud provider previewed the Marketplace feature on Tuesday at the launch of its AWS re:Inforce security conference in Boston.
Vendor Insights provides a web-based dashboard that enables governance, risk, and compliance (GRC) professionals to evaluate software on AWS Marketplace. The dashboard provides security and compliance information, including data privacy, application security, and access control. AWS developed Vendor Insights to give vendors a standard approach to reporting compliance information through AWS Marketplace.
AWS Chief Information Security Officer CJ Moses introduced the preview version of Vendor Insights during the re:Inforce keynote.
“What we’ve done is collect common security controls, including third-party audits such as SOC 2 and ISO 27001, and vendor attestations,” Moses said. “Our goal is to reduce the supply life cycle by eight to 10 weeks, decreasing the time used for capacity, so that we can actually use the capacities that exist.”
Mona Chadha, Director of Category Management at AWS, added that Vendor Insights will make it easier for ISV partners to provide more transparency when customers perform risk assessments.
“Today they have that ability, but they don’t have it permanently,” Chadha told Channel Futures. “What we provide are our dashboard views for customers to see their third-party software security status.”
According to Chadha, ISVs can self-declare controls in their solutions based on 140 security and compliance features. Vendor Insights is integrated and runs on AWS Audit Manager and AWS Config.
“The bottom line is that customers now have everything in one place where they actually transact, which is across the entire marketplace,” she said. “This is the first time you’ve had a cloud marketplace that provides all of this documentation, all of these controls in one place for the customer.”
Customers must sign a nondisclosure agreement before they can view the full security profile of an ISV’s offering. After signing the NDA, a customer can access the profiles on demand.
Laura Roantree, global head of marketplace go-to-market at security platform provider Trend Micro, agrees with that assertion. Roantree expects other cloud providers to follow AWS’ lead.
“AWS has really been the leader in evolving and modernizing procurement, and other markets tend to follow suit,” Roantree said. “We know that not all customers can buy through AWS Marketplace. For those who need to do this elsewhere, we wish they had this functionality.”
Information about independent software vendors and publishers
Trend Micro is one of about 20 ISVs that participated in a private Vendor Insights preview, according to Chadha. Other ISVs testing Vendor Insights include JFrog, Palo Alto Networks, and Teradata. Ultimately, AWS expects that thousands of ISVs that distribute their offerings through AWS Marketplace will use the tool. While officials didn’t give an exact general availability date, they did say they hope to release it later this year.
For Trend Micro, Roantree believes that by automating the risk assessment process, Vendor Insights will achieve its goal of accelerating procurement. By continuously providing updates to Trend Micro’s attestations, it validates them in real time, she said.
“If a customer or prospect receives our type of report or overview of our compliance information today, and it changes next week, they will automatically get it. Or if the requirements change, we’ll be able to provide more information to attest to that, again, simpler, automated, no emails to five cybersecurity architecture guys, to validate something.”