Assess vendor risk in AWS Marketplace for SaaS-based solutions

Well, good afternoon, everybody. Thanks for coming by. Hope everybody's having a great week at re:Invent. It's been a great week.

Alright, for the next 20 minutes or so, we're going to talk about vendor risk assessment for SaaS products in Marketplace. Looking forward to sharing some information with you, and hopefully we can have a dialogue afterward and stay connected.

By way of introduction, my name is Tim Honeychurch. I'm a Principal in Marketplace doing technical business development. And really what that means is that I help our Marketplace buyers and sellers utilize the features that we build in Marketplace for good outcomes in your business.

So a little bit of background on me: I come from a background as a customer. This is my seventh re:Invent. The first six were as a customer and a partner. And I have spent time at a security SaaS ISV that went through the process of listing on Marketplace. I've also had experience in my career doing the buying part of enterprise software through marketplaces and directly from vendors. So I'm really thrilled to bring all of those experiences together in Vendor Insights and in Marketplace.

How many here would define themselves as a software buyer? Like you go through the process of buying enterprise software. How many are sellers, more from the vendor side? Any ISV sellers? Ok.

Ok. Quick look at the agenda. What we're gonna be talking about: we're gonna define a challenge that we've seen out in the marketplace that our customers and our ISVs have shared with us. We're gonna look at a solution; we like to build solutions here at AWS. We're gonna do a little walkthrough demo of what the experience looks like for a buyer in Marketplace, and then leave you with some getting started information. Ok?

Alright. With that, let's think about the challenge, right? What our customers and our ISVs have told us, and what we've witnessed and experienced, and what you're probably all familiar with in the market, is that the rigor of vendor risk assessments has increased in the recent past. Right. This is largely due to what we've seen in an increase in security incidents, breaches, bad guys accessing information that they shouldn't. So, appropriately, our software buyers have become much more prudent, much more careful about who they're buying software from, whose software their data is going through. And that's led to a very rigorous risk assessment process that companies of all types and sizes and shapes and verticals are employing.

Well, that rigor has brought some problems, right? It has created some challenges that we are hearing from our customers and from our partners. The first is that in that rigorous process, most organizations have established that they have certain compliance requirements that they need that software to meet, right? So we'll get into that a little bit more deeply later, but think HIPAA or FedRAMP. These are compliance frameworks that they need that software to be able to comply with, and finding software that meets those requirements is often a challenge. How do I discover, in a holistic way, which software that meets my functional requirements also has the compliance certifications that I need? So that's a challenge.

The overall process of gathering the information to do a vendor risk assessment is very labor intensive and time consuming. Typically that involves a manual exchange between a procurement person and a governance, risk and compliance person on the seller side to exchange the information that they need to have in order to do the risk assessment. That leads to a number of days and weeks added to the procurement process, really delaying buyers from getting access to the information that they need, and delaying our sellers from closing transactions and completing a good buying experience for customers.

And the last piece is really important as well: all of those processes that we just talked about are typically point in time, right? So you go through a process to gather information, assess it, look at it. Ok, this vendor is good and worthy of our trust. But that could change in a week or a month or six weeks from now. Right now, we have information that was point in time. So that becomes a little bit of a challenge as well: how do we refresh that or stay current if something changes?

Alright. So that's a summary of the challenge that we're seeing in the vendor risk assessment process for SaaS.

So again, because we're AWS, we listen to our customers, we listen to our partners, and we like to work backwards from their problems. We did design a solution. It's an opportunity for a solution right in Marketplace. That solution is called AWS Marketplace Vendor Insights, and really simply put, it's designed to accelerate and streamline the process of doing vendor risk assessments in Marketplace and make the overall buying and selling experience better in Marketplace.

Has anybody heard of Vendor Insights before? It's been mentioned a little bit today. There have been a few sessions, but it is something that we launched about a year ago. And we've had a great year of making improvements and listening to our customers and making changes.

So there are four key things I want to call out in terms of the way the solution addresses the challenge that we just mentioned earlier, right?

The first is that Vendor Insights provides a methodology right in Marketplace to search for software that meets your compliance standards, right? So think of an example: you're in health care and you require that your SaaS vendor has a HIPAA certification, right? You're able to look, using the Vendor Insights filtering mechanism in Marketplace, to discover which solutions in Marketplace have HIPAA. There is no other way in Marketplace to discover that sort of compliance certification on products; only through Vendor Insights can you do that.

The second is, we talked about the exchange of information, right? So buyers are asking sellers to provide all kinds of details about the controls in their SaaS production environments. That's typically done in a manual way, exchanged via email. There are some other platforms that do it as well that are evolving. But what we've created is an ability to do that exchange directly in Marketplace, directly in the product listing for that SaaS product, right? So the buyer doesn't need to leave the Marketplace experience. They can access it right there directly in Marketplace.

Those things together can cut significant time off of the procurement process, right? It makes it a much more streamlined process, allows buyers to get the software that they have identified that they need and that meets their requirements much quicker, and creates a better buying experience.

And the last piece, certainly not the least, is that we have a capability within Vendor Insights to do automated checks of the controls that are behind the security profile, using AWS integration into those SaaS production environments. That's a really important factor because instead of wondering whether or not this data is point in time, expired, stale, not up to date, buyers can have confidence that at any point they can check to see if that software is still compliant with those standards.

So these are really important features that we rolled out, and we're excited to have them available for our customers.

So what we want to do now is take a quick look through what this looks like from a UI perspective, right? And we're gonna present this from the buyer's perspective, right? You're a software buyer, you're coming into Marketplace, and you're completing all the things that are involved in a transaction process. And we're gonna look at what Vendor Insights looks like from that perspective.

So of course, you start right at the beginning, right? The natural place to start: the home page of Marketplace. And there's so much information behind this. There's a massive catalog of all types of listings, from professional services to SaaS and all the way in between. And it's a huge catalog to sort through.

And what we wanna walk through and look at is how we use Vendor Insights to cut through all of that to get to the information that you want. Ok.

So once we drill in and we start looking at some listings, what you'll notice is that there is a set of filters on the left side. Those who have used Marketplace, I'm sure, are familiar with that. And the first thing that I want to call your attention to is the Vendor Insights section. And you'll see that that is the way that we determine: show me which vendors have security profiles in Marketplace, so that I can use that information to do my risk assessment. When we took this picture, there were 120 different products that had those Vendor Insights profiles. I think we're over 130, close to 140, now. We're adding more every day and having a broader catalog of solutions that have that.

So let's drill in a little bit deeper to the filters. And what you'll see is we have two other categories here. So we mentioned earlier compliance certifications and how important those frameworks are to many of our customers. Again, I mentioned the only way to determine which AWS Marketplace solutions have these certifications is with these filters, right? So you can use those to select the one or more that you require for your purchase, right?

The other is something that we're really excited about and actually just launched this week: the ability to identify which of those sellers also have specializations, right? So there were a couple of sessions just before this here, a couple of talks that talked about specializations. And for those who are familiar, these are granted to our ISV partners that have met really rigorous standards to achieve competency specialization in certain areas, right? We started this new feature in filtering in Marketplace with Vendor Insights with Security Specialization and Managed Security Services Specialization, and we'll be expanding that going forward. But what this allows you as a buyer to do is to show you those sellers that have that really elevated level of competency in those particular areas. It helps those stand out and identify those that are the strongest and have a great track record of customer success and great customer outcomes with their software. So that's really important in helping to filter and curate the experience.

Ok. So we're gonna look into one of these products that has a Vendor Insights profile and kind of walk through, you know, how you use it, right? If I'm a buyer and I wanna do a risk assessment, how does that work?

So this is your typical, what we would call, product detail page in Marketplace that has all the good things that you need to know about the product: the overview, the pricing, the usage, support, all of the things that you want to know about it. But what you'll notice there in the upper right corner is a button that says View Assessment Data. That button is only there for those solutions that have a Vendor Insights profile, and that's the place you start the journey of accessing that information and using it in your risk assessment process.

Ok. So when you click into that, you start to see a little bit more detail. It's a separate section right off of the product detail page. And the first thing you'll see is which certifications this product has, right? And a little bit of detail about it. Now for our demo, this particular vendor has them all, right, which is great. That's what we want. But that's the first thing you're gonna see: what certifications do they have. And again, you'll have found that doing your searching. Above that, on the same part of the page, is really the header, right? This is the place that says, hey, this is the home page of the security profile. But there's not a lot of information there, right? It's pretty basic, right? It just says, hey, this ISV does have a profile. And the reason for that is you'll notice there's a Request Access button up on the right hand side.

And this is really, really important in that a lot of that information, whether it be the details behind the SOC 2 report or the controls that an ISV provided for us, is very sensitive. There's a lot of sensitive information there. It's not something that's going to be open to the public without permission from the ISV.

So the first thing you'll do is request access from the ISV to view and have access to that information. The ISV will receive that request, confirm that you're a valid requester or a potential customer, and grant you access under NDA to that information.

So now that you have access, the view changes a little bit, right? We start to get a little bit more detailed information, right? And a few things that you'll see in the overview section include: how current is this information? Right? Do I subscribe to the product that goes with it? We'll talk a little bit more about that later. What are the sources for the data that populate this profile? Right? Those are the things that you see in that overview. But really more importantly, and what we'll drill into more, is the second tab, the Security and Compliance tab.

Alright, because this is the dashboard, if you will, of detail behind the controls and the actual data that you wanna know, that you need to use in order to complete your risk assessment.

Ok. A couple of things we want to point out. First, we base the profile on 125 unique controls. There are a couple of different sources that we can use to get that information. I mentioned earlier automated integration with the SaaS production environment to draw data down; that's the controls with validated evidence. There are some that are only accessible or available through self-reporting by an ISV; that's your 60 controls self-reported. And really importantly, your eye immediately goes to the font in red which says, hey, there are 12 non-compliant controls here, right?

So if you as a customer are seeing this, you're like, all right, I'm really interested in this. I want to do my risk assessment and drill into that really quickly.

We're going to look at the format and the way it looks for a security category or a control category that is in compliance, right? And once you click into that, you'll see these are the questions that the vendor will have been asked, or the controls that we're assessing and including in the profile, and you'll see the sources where that information might come from.

Now, these particular questions here are only things that would have been discovered through what we call a vendor self-assessment, and not something we can pull down from their SOC 2 report or their ISO report or even from their workload in AWS. So these are all self-attested. All of these happen to be compliant, right? That's the way we want it to look.

But let's take a little deeper look at the more interesting part, which is, hey, what if they're not compliant? Let's drill in: why are they not compliant? What's happening there? Right.

We're gonna drill into Security Policy in particular, and there are two categories here that are non-compliant to some degree, right? And we want to find out why.

So let's look into policies for security configuration. And what you'll see is the question about two-factor authentication failed as non-compliant, right? Even better, we're able to drill into that question and find out more detail around that. And this is really the process that we use in doing a risk assessment: to find out why and what's happening in the detail, right?

So we drill in. It says, yes, not compliant. But when you read the annotation that the ISV provided, what they told us is, well, we don't natively or distinctly provide or use two-factor. However, we effectively provide two-factor through the use of SSO, right?

So if you're doing a risk assessment, you have that information, and you say, actually that's good. Even though it technically didn't meet that two-factor requirement, they do meet it in a different way, right? So this is a way that you can dig through the information to get what you need to do the risk assessment.

So that's a real quick look at what it looks like to use that.

Before we wrap up, I want to hit a couple of other points. One is I mentioned earlier that access is provided by the ISV on purpose. Ok. And the initial access is for 60 days. That provides the buyer the opportunity to do their vendor risk assessment. If the buyer buys that solution, the access is continuous through the subscription term in Marketplace. And this is really important because if there are any changes that take place to those controls during the subscription term, you as a customer will have access to that and be able to see what changed and when it changed. Really, really important. And that includes perhaps expiration of a compliance certification. You will see that, have access to that, and be able to be aware, right? So that's the access period.
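As an added example, not part of the talk and not code from the Vendor Insights product, here is how a buyer's security team might triage a profile of the shape described above: controls that are either validated from the production environment or self-reported by the ISV, each compliant or not, some carrying an ISV annotation (like the SSO-instead-of-native-2FA note), plus certifications that can expire, and a second snapshot to show what changed and when. The data model, field names, control identifiers and dates are all constructed assumptions for illustration, not the real profile schema.

```python
"""Triage of a SaaS vendor security profile (constructed example, not the
Vendor Insights schema or API).

What it shows: summary counts (validated vs. self-reported, non-compliant),
a review queue that puts the riskiest failures first (self-reported and
unexplained before validated or annotated), certification expiry checks for
the "point in time" problem, and a diff between two snapshots of the same
profile so a subscriber can see what changed and when.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    control_id: str       # constructed identifier, e.g. "SP-03"
    category: str         # e.g. "Security Policy"
    source: str           # "validated" (pulled from the environment) or "self-reported"
    compliant: bool
    annotation: str = ""  # ISV's explanation, e.g. a compensating control


@dataclass(frozen=True)
class Certification:
    name: str
    expires: date


@dataclass(frozen=True)
class Profile:
    controls: tuple
    certifications: tuple
    collected: date       # when this snapshot of the profile was taken


def summarize(profile):
    """Headline numbers a buyer sees first on the Security and Compliance view."""
    return {
        "total": len(profile.controls),
        "validated": sum(c.source == "validated" for c in profile.controls),
        "self_reported": sum(c.source == "self-reported" for c in profile.controls),
        "non_compliant": sum(not c.compliant for c in profile.controls),
    }


def review_queue(profile):
    """Non-compliant controls, riskiest first.

    Self-reported failures rank above validated ones (no independent evidence),
    and failures with no ISV annotation rank above annotated ones (nothing yet
    explains the gap). Ties are broken by control id for a stable order.
    """
    failing = [c for c in profile.controls if not c.compliant]
    return sorted(failing, key=lambda c: (c.source != "self-reported", bool(c.annotation), c.control_id))


def certification_status(profile, as_of, warn_days=90):
    """Classify each certification as expired, expiring (within warn_days) or current."""
    status = {}
    for cert in profile.certifications:
        if cert.expires < as_of:
            status[cert.name] = "expired"
        elif cert.expires - as_of <= timedelta(days=warn_days):
            status[cert.name] = "expiring"
        else:
            status[cert.name] = "current"
    return status


def diff_profiles(old, new):
    """Controls whose compliance status changed between snapshots: (id, was, now, when)."""
    old_by_id = {c.control_id: c for c in old.controls}
    return [
        (c.control_id, old_by_id[c.control_id].compliant, c.compliant, new.collected)
        for c in new.controls
        if c.control_id in old_by_id and old_by_id[c.control_id].compliant != c.compliant
    ]


# Constructed sample data: an initial snapshot and a later one for the same product.
SSO_NOTE = "No native 2FA; two-factor is enforced through the customer's SSO provider."
SNAPSHOT_OLD = Profile(
    controls=(
        Control("AC-01", "Access Control", "validated", True),
        Control("AC-02", "Access Control", "validated", True),
        Control("SP-03", "Security Policy", "self-reported", False, SSO_NOTE),
        Control("SP-04", "Security Policy", "self-reported", True),
        Control("DP-05", "Data Protection", "validated", True),
        Control("LG-06", "Logging", "self-reported", True),
    ),
    certifications=(
        Certification("SOC 2 Type II", date(2025, 1, 15)),
        Certification("ISO 27001", date(2024, 11, 1)),
        Certification("FedRAMP", date(2024, 9, 30)),
    ),
    collected=date(2024, 8, 1),
)
SNAPSHOT_NEW = Profile(
    controls=(
        Control("AC-01", "Access Control", "validated", True),
        Control("AC-02", "Access Control", "validated", False),        # regressed
        Control("SP-03", "Security Policy", "self-reported", False, SSO_NOTE),
        Control("SP-04", "Security Policy", "self-reported", False),   # regressed, unexplained
        Control("DP-05", "Data Protection", "validated", True),
        Control("LG-06", "Logging", "self-reported", True),
    ),
    certifications=SNAPSHOT_OLD.certifications,
    collected=date(2024, 10, 15),
)

if __name__ == "__main__":
    print(summarize(SNAPSHOT_NEW))
    for c in review_queue(SNAPSHOT_NEW):
        print(f"REVIEW {c.control_id} [{c.category}, {c.source}] {c.annotation or '(no annotation)'}")
    print(certification_status(SNAPSHOT_NEW, as_of=SNAPSHOT_NEW.collected))
    for cid, was, now, when in diff_profiles(SNAPSHOT_OLD, SNAPSHOT_NEW):
        print(f"CHANGED {cid}: compliant {was} -> {now} as of {when}")
```

The ordering in `review_queue` encodes the judgement the talk walks through: a self-reported failure with an ISV note (the SSO case) is something an assessor can read and accept or reject quickly, while a self-reported failure with no explanation needs a question back to the vendor, so it goes to the top. `diff_profiles` is the piece that only matters once access is continuous through the subscription term, since a single point-in-time snapshot has nothing to compare against.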

And then let's quickly kind of get started, right? For those who aren't familiar, what I would encourage you to do is go into Marketplace, do the filtering as we walked through, and request access to some products that you may be interested in. And walk through that information from the ISVs that have provided it. That's a great way to get familiar.

And secondly, if you have active Marketplace subscriptions or you're looking to purchase Marketplace subscriptions, SaaS subscriptions, ask if those vendors are onboarded or have a security profile with Vendor Insights. If not, ask them to. It's a really simple process for them, and it will really streamline your buying experience.

Ok? I'm gonna leave you with a little bit of information: a link to a much more detailed explanation of Vendor Insights than I could give here in 20 minutes. So take a look at that at your leisure. And of course, contact information.

One of my favorite things about events like this is connecting with people and getting questions. I'll take questions now, but you can always reach out to me and connect with me. I would love to talk to you about it.

A couple of really quick things. First, if you're not a Marketplace user and you don't have a lot of experience with Marketplace, I'd encourage you just to start by looking through some of our exhibitor and sponsor solutions that are in Marketplace. It's a great way to get familiar. And even though we're a little bit close on time here, it might give you an opportunity to go talk to them here in the expo today. So that's a great way to get started.

And then last, but certainly not least, we always love to hear your feedback. Take a look at the survey in the app and give us your thoughts and feedback.

So again, I'll be here, happy to take questions and meet some of you. But thanks for being here. Really appreciate it. Thank you.

