Amazon Previews AWS Marketplace Vendor Insights for Risk Management

By | Managed Services News

Jul 26

The new tool will standardize and automate how ISVs provide security information to GRC professionals.

AWS RE:INFORCE — Amazon has introduced a new tool called AWS Marketplace Vendor Insights. It aims to simplify risk assessment of partners’ SaaS applications. The cloud provider previewed the marketplace feature on Tuesday as it kicked off its AWS re:Inforce security conference in Boston.

Vendor Insights provides a web dashboard that lets governance, risk and compliance (GRC) professionals assess software in the AWS Marketplace. The dashboard provides security and compliance information, which includes data privacy, application security and access control. AWS developed Vendor Insights to give sellers a standard approach for rendering compliance information via the AWS Marketplace.

AWS chief information security officer C.J. Moses (pictured above) introduced the preview release of Vendor Insights during the re:Inforce opening keynote.

“What we’ve done is collected common security controls, including third-party audits like SOC 2 and ISO 27001, along with vendor attestations,” Moses said. “Our goal is to cut eight to 10 weeks out of the procurement life cycle, decreasing the time used for capability, for actually being able to use the capabilities that are there.”

Continuous Updates

Mona Chadha, AWS director of category management, added that Vendor Insights will make it easier for ISV partners to provide more transparency when customers perform risk assessments.

AWS' Mona Chadha

“Today they have that ability, but they don’t have it continuously,” Chadha told Channel Futures. “What we’re providing is our dashboard views for customers to see their third-party software security posture.”

ISVs can self-report controls in their solutions based on 140 security and compliance features, according to Chadha. Vendor Insights is integrated with, and runs atop, AWS Audit Manager and AWS Config.

“The key thing is that customers have everything now in one spot where they’re actually transacting, which is all through the marketplace,” she said. “This is the first time that you have a cloud marketplace that’s providing all of that documentation, all of those controls in one spot for the customer.”

AWS Vendor Insights Preview Dashboard

Customers must sign a non-disclosure agreement before they can view the full security profile of an ISV’s offering. After signing the NDA, a customer can access the profiles on demand.

Laura Roantree, global head of marketplaces go-to-market at security platform provider Trend Micro, agreed with that claim. Roantree anticipates other cloud providers will follow AWS’ lead.

“AWS has truly been the leader in evolving and modernizing procurement, and other marketplaces tend to follow suit,” Roantree said. “We know not all customers can buy through the AWS Marketplace. For those who need to do it elsewhere, we’d love them to have that functionality.”

Vendor Insights and ISVs

Trend Micro is one of roughly 20 ISVs that have participated in a private preview of Vendor Insights, according to Chadha. Other ISVs testing Vendor Insights include JFrog, Palo Alto Networks and Teradata. Ultimately, AWS anticipates that thousands of ISVs that distribute their offerings via the AWS Marketplace will use the tool. While officials didn’t give an exact general availability date, they indicated that they hope to release it later this year.

Speaking for Trend Micro, Roantree believes that by automating the risk assessment process, Vendor Insights will meet its aim of expediting procurement. By continuously providing updates to Trend Micro’s attestations, it validates them in real time, she said.

“If a customer or a prospect gets our kind of report or view into our compliance insights today, and that evolves in the next week, they’ll automatically get that. Or if the requirements change, we’ll be able to provide more information to attest to that, again, simpler, automated, not back and forth emailing five guys in the cybersecurity architecture, to validate something.”

 
