Simplify governance & third-party assessments using AWS Marketplace

Good afternoon and welcome to this session. We are excited to have you here. I'm Arun Sakana and I'm a Principal Business Development Specialist with AWS Marketplace. And today I'll be joined by Kartik Balakrishnan, who's the General Manager of AWS Marketplace School Engineering Services, as well as Chris Jak, the Chief Information Security Officer of Gilead Sciences.

The topic we will cover today is what organizations can do to improve governance and assessment of third party solutions using AWS Marketplace and native AWS services.

Companies are in various stages of migrating and modernizing their workloads on AWS. And as they are doing that, they should also focus on modernizing the software supply chain, which is the process of procurement provisioning and governance of third party solutions that include software as well as data services and other industry solutions.

So what you should take away from this session today is knowledge and insights on what you can do to improve those capabilities and streamline your own software supply chain.

Before we jump into the agenda, can I ask through a quick show of hands, how many of you are familiar with AWS Marketplace and or use Marketplace on a regular basis. Anyone? Excellent. And how many are in some sort of a decision making capacity where you have to select software vendors or software products for your own organizations? Anyone? Excellent. Very good. Well, there will be a lot of insights and learnings that you will get coming out of the session that you can take back to your organization.

So in terms of the agenda, we are going to begin by first setting the stage and we'll talk about key trends in the software industry, emergence of online marketplaces and AWS Marketplace and what all of that means for governance and assessments, we'll then take a deeper dive into specific capabilities that are provided by AWS Marketplace. And Kartik will be leading that discussion, then we'll invite Chris to talk through a case study on Gilead Sciences and we'll get some guidance from him on how he is guiding his organization to streamline the software supply chain and improve governance and assessment capabilities. And then we'll wrap up this session with some brief guidance on what you can do to get started on this journey.

The software industry is very dynamic, always evolving and innovative. Now, if you look at the US market alone, we have more than 10,000 software vendors in the US and spending on software continues to outpace spending on IT services overall. And then on top of that, prices of software are increasing anywhere from 10% to more than 20% in our experience.

So what this means for companies is that they are faced with a hyper-choice situation. How do you select the right product from the right vendor, given all of the thousands of choices that are out there? And how do you do that in an efficient, speedy and agile manner while, at the same time, managing the risk and the costs associated with making those decisions?

Now, companies have been procuring software for decades. The process for procuring software, however, has not changed much, and it is full of sources of friction and other challenges that tend to delay procurement.

So for example, when it comes to security assessments, this is typically done by a small group of highly skilled and experienced individuals using manual methods, emails, spreadsheets, et cetera, to collect all of this information about vendors and products and do the assessment. And the process can take weeks if not months.

Similarly, when it comes to contracting, you have a team of contract specialists who have experience in sourcing SaaS and other software products, and they take weeks if not months, often using email and other manual methods, going back and forth, redlining terms, et cetera, as they work with their vendors to converge upon a common set of terms.

So assessments and contracting introduce delays and make the supply chain inefficient. And then once the purchase is done, monitoring the use of that software, keeping track of what entitlements are used and what entitlements are idle, and also doing your periodic assessments from a security perspective, all of this takes time and effort, and it's typically done using manual methods and processes. And across the supply chain, you have many disparate systems.

So there's not one source of truth or there's not one system that's in place. And all of this introduces friction and delay in the procurement of software.

Now, one reason why companies are so deliberate when it comes to procurement of software is because the cost of quality, or the cost of making a poor decision, is so high. In fact, the Consortium for IT Software Quality estimates that poor software quality costs US businesses more than $2.4 trillion. That's an enormous number. And this is typically due to cybersecurity failures, data breaches, operational failures and other issues associated with poor software quality.

So what we've seen is that companies are looking to achieve a balance between speed and agility in the procurement of software and the right level of governance and controls. Speed and agility underpin innovation and digital transformation, and builders and engineers want speedy access to their preferred software tools so that they can do their work, develop products and so on. On the other hand, procurement, legal and finance executives want a certain set of guardrails in place to manage the risk and the cost associated with the sourcing of software.

Now, online marketplaces have emerged in the last 10 years and have begun to enable companies to achieve that balance.

So last year, with the help of Forrester Consulting, we conducted a survey of more than 700 executives across North America and Europe. And we asked them many questions related to risk mitigation, et cetera, and the software supply chain. One question we asked is: given that your organization is using an online marketplace to procure software and data, what are the benefits that you're seeing? And 48% of them said that it makes it easier for us to implement the right level of governance and controls that are appropriate for our business. And more than 40% said that, look, we really like the selection that these online marketplaces provide. They are providing access to more trusted vendors, higher quality vendors, and they are also enabling cost savings.

Now, AWS Marketplace was launched in 2012. So we've been around for about 11 years or so. And on this catalog, we have 15,000 transact listings from more than 4000 sellers, more than 300 data providers who list curated third party data sets on our catalog. And we have more than 2000 channel partners and these include resellers and systems integrators who work with marketplace to procure solutions and products for their customers.

We have millions of active subscriptions, thousands of active customers and to make discovery and selection easier we have organized all of these listings into 70 different categories.

AWS Marketplace is also a day one service. So we are available in all the 30 regions where AWS operates, and whenever AWS opens a new region, AWS Marketplace is available. But more than just being a catalog with a wide selection, AWS Marketplace is also a management and governance service, and it has a number of features and capabilities that address some of the challenges I spoke about earlier.

So for example, when it comes to contracting, there is a feature called Standardized License Terms or the Standard Contract for Marketplace using which buyers and sellers can accelerate the contracting process. And the anecdotal evidence that we've collected is that we are seeing that contracting cycle times shrink by more than 50% using Standardized License Terms.

Similarly, for onboarding new vendors and for doing the proper security assessment, there is a feature called Vendor Insights which provides a security profile on a product and a vendor on the basis of 125 different security controls. And this really streamlines the security assessment process that companies go through when they're looking to onboard a vendor or when they're doing periodic assessments of the security posture of a product on an ongoing basis.

And then for license management of software for server software products, as well as data products, we have something called Entitlements Management which allows administrators to grant and activate licenses in their own organization.

So like that there are many other features and capabilities using which companies can implement those well architected governance and assessment capabilities to allow them to streamline and modernize their software supply chain.

Now, I spoke about the more than 2000 channel partners who work with AWS Marketplace. And I also mentioned that skills and expertise when it comes to security assessments and contracting are often scarce and in short supply. And this is where channel partners can really help by bringing that level of expertise, that market knowledge and knowledge of regulatory requirements, providing expert guidance on the sourcing of software products, and helping with risk mitigation by doing the proper assessment and due diligence. And some of these channel partners provide all of these services as a managed service, so that you can leverage their skills on an ongoing basis in your software supply chain.

So before we transition to the next section and go deeper into specific capabilities, I want to leave you with a set of questions to think about as you think about building these capabilities in your own companies.

Number one is access: who in your organization will have access to AWS Marketplace, and what will they be authorized to do? All of this can be done on the basis of AWS Identity and Access Management, using which you can define roles, users, user groups, etc., and create those permissions based on your own business needs and requirements.

Similarly, many companies operate a complex multi-account structure when it comes to AWS. And the question is, what accounts should be used for subscriptions from Marketplace, and what accounts should be denied that ability? Again, using services like AWS Organizations, AWS Control Tower, as well as Service Control Policies, administrators can put in place guardrails as appropriate for your organization when it comes to centralization and improving visibility into subscriptions.

There is a feature called Private Marketplace which allows administrators to create a custom curated catalog of approved products, those products that have been approved for subscription for your own company, so that a user or an engineer when he or she logs into Marketplace, they are only allowed to subscribe to those products that have been specifically approved for subscription.

And then of course, we have other capabilities that make it easy for deployment of images of third party software as well as cost management.

So with that, I want to invite Kartik to come and talk about some of these capabilities in more detail.

Kartik: Thank you so much, Arun. It's a nice turnout considering it's the last session of the day. And I bet some of you have sore feet with all the walking. So I'm Kartik Balakrishnan. I'm the General Manager for AWS Marketplace. I'm responsible for the foundational systems and APIs that power AWS Marketplace. I'm really excited to be here and walk you through a few AWS Marketplace features that address some of the needs Arun highlighted earlier, as well as show how you, in a procurement, security and compliance capacity, can use AWS Marketplace to control and govern software, data, professional services and machine learning purchases across your company.

On AWS, security, compliance and governance are baked into AWS Marketplace along the entire procurement journey, from selection to assessments and subscriptions to post-purchase monitoring. As Arun mentioned earlier, AWS Marketplace provides a curated catalog of over 15,000 products across software, data, professional services and machine learning. We support a myriad of pricing models including contracts, subscriptions, bring your own license and free products. Some products even offer free trials that allow you to try the product before you purchase it. We support a multitude of flexible fulfillment methods including Amazon Machine Images, containers, Software as a Service and SageMaker.

You can head to aws.amazon.com/marketplace and filter across all of these facets and more. The example you see on the screen here shows how you can shortlist products that are SOC2 certified.

Now, a question we often get from our customers is: is there a way I can restrict the builders in my company to only select and view a list of pre-approved products? You can do so with Private Marketplaces. Private Marketplaces allow you to define your own custom catalog...

On top of the wide selection that AWS Marketplace offers, you can create multiple such catalogs across your company. To create a private marketplace, simply head to the Private Marketplace page and create a new experience with your own custom branding. Then select a list of products that you'd like to be approved by default. Your private marketplace will be available to your users within minutes. You can even create a list of products that are denied by default.

Your users may browse the broader selection on AWS Marketplace and request the addition of products to your private marketplace, which then you as the administrator get to approve or deny.

Now that we have shortlisted a bunch of products, let's head to the next step in the journey, which is performing a security assessment. AWS Marketplace Vendor Insights is a single pane of glass that correlates evidence across 125 controls from a myriad of data sources, including vendor self-assessments, certification data from SOC2 and ISO, and automated monitoring powered by AWS Config and AWS Audit Manager.

The control names are derived from existing industry standards for familiarity. To use Vendor Insights, simply head over to the product details page and click "View Assessment Data". Once your access request is approved by the vendor, you'll be able to see these 125 controls as well as download certification information for certifications such as SOC2, ISO 27001, FedRAMP, and more.

All of the information downloaded from Vendor Insights is watermarked by AWS Artifact for traceability purposes. Vendor Insights eliminates the need for periodic reassessments and makes security and compliance a part of your ongoing conversations across all of your vendors and products on AWS Marketplace. The best part is Vendor Insights is included with your Marketplace subscription at no additional cost to you.

Now that we have transacted a product, let's head to the next step which is monitoring your purchase. As I mentioned earlier, Vendor Insights constantly tracks the posture of products on AWS Marketplace and notifies the vendor as well as you as the buyer when a change in posture is detected.

You can use AWS CloudTrail logs to track all activities such as who subscribed or unsubscribed to a product or who called a certain set of APIs. If you use AWS Organizations, you can use Service Control Policies (SCPs) to define the maximum permissibility for the accounts managed by your organization. SCPs can be assigned at the organization root level, OU level, or individual account level.

Now that we have covered some key features, I'd like to welcome Chris on stage to walk us through Gilead's approach to vendor management and their use of AWS Marketplace. I'll be back shortly for some Q&A.
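As an added example (not from the session, and not AWS's own documentation), here is what the SCP guardrail Kartik describes, and the "who is authorized to subscribe" question Arun raised earlier, can look like in practice: a deny-only policy attached at the OU level that blocks Marketplace subscribe and unsubscribe calls from every principal except a procurement role. The role name `ProcurementAdmin` and the statement `Sid` are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMarketplaceSubscribeExceptProcurementRole",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ProcurementAdmin"
        }
      }
    }
  ]
}
```

An SCP only sets the ceiling, so the ProcurementAdmin role still needs an IAM identity policy that actually grants these actions; because the statement leaves aws-marketplace:ViewSubscriptions untouched, builders in the affected accounts can still see what has already been subscribed.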

So we can actually do follow-up questions as well. Once you are satisfied with all the responses, then we actually get into the reporting phase, where we produce a final report with all our observations and recommendations that we want our solution to implement. As an example, if you wanted to say, "notify me if there is a security incident within 72 hours in your organization," we will be able to put that recommendation in as a control as well.

What we do is, by putting those controls in a security and privacy rider, we actually legally bind the partner within the contract to fulfill and comply with them as well. So that's the last phase, where we partner closely with our legal and compliance team for them to actually complete and embed those riders into the contract.

This whole end-to-end process is definitely a very time-consuming process because, as you can see, there are a lot of different touch points, right? Once somebody fills out the pre-assessment questionnaire, if they don't give us the right level of detail or if they don't mark the sensitivity level of the data, we could actually do a light assessment as opposed to doing a focused assessment. So that could actually lead down a different path.

The next is actually the vendor providing responses, the quality of responses that we receive from the vendor. If they don't really provide all the level of detail, then we go back and forth, and it could take a lot of time as well. And then the final stage is actually the legal rider contract, once we have already completed the assessment process. Once our report is generated, when you go through the security terms and riders into the actual contract, there could be a lot of delays as well. So that's the overall end-to-end process, where we are trying to leverage a lot of the AWS Marketplace capabilities, which I'll talk about in the next slide, to see how we are planning to simplify that.

There are a lot of capabilities that Kartik and Arun talked about that are available in AWS Marketplace. But I'm going to be specifically touching on a couple of them that are more critical for us. Actually, everything that's listed on this slide is critical, but I'm going to touch on a few of them in lieu of time.

The first one I'll talk about is Vendor Insights. As you can see in the previous slide, when I talked about the detailed security assessment process, Vendor Insights actually helps us to simplify that process, because the partners and vendors are actually going through AWS Marketplace, and in Vendor Insights they are actually fulfilling their questionnaires already. My team can actually look at the responses already pre-populated there, and then they can actually curate the questions and turn a light assessment into a focused assessment, because they can ask very specific questions based on the type of data that we're putting in that particular solution.

So we don't need to really send a long questionnaire for them to fill out and complete and send it back to my team. Vendor Insights actually helps and simplifies that process. You can also imagine, from a vendor perspective or a partner perspective, companies like us, everybody has a similar questionnaire process. They all send them a similar one to fill out. They keep filling out the same questions for every customer that they work with. Vendor Insights actually simplifies not only our process, it also actually helps the vendor. It actually helps us to improve the quality of the response that they provide, because from a vendor perspective, they have to actually provide responses once, and those can be leveraged by all the AWS Marketplace customers.

The next one I'll touch on is Private Offers. Private Offers actually helps to streamline your negotiation process as well. The security terms and rider that I talked about, which is your pre-negotiated pricing and terms, can be embedded into Private Offers, and that can actually reduce the time it takes for renewals or even contract negotiation, for either an existing solution or a new solution that we put in place.

The last one I'll touch on is Private Marketplace. As Kartik mentioned, it's a curated, custom, approved catalog. For us, what's already been approved within Gilead is actually listed there, so we can train our users to go back and check if there are solutions that are already listed there. You can actually leverage them, and these are the ones that are already approved and have already gone through our security assessment process. In case they don't see a particular software, they can always reach out to my team, they can initiate that assessment process, and then we can actually make them appear on the approved list as well. So Private Marketplace actually helps us to simplify. And he also touched on identity and access management, where we can give very granular access for people, and we can make sure who can see the list of solutions that's available there as well.

And then the last one, I think, is about channel partners. While we're procuring solutions through our resellers, if they are already channel partners, they can also leverage their channel partner Private Offers as well when we're procuring solutions within Gilead.

As a key takeaway, I'll touch on a few best practices as well, right? As part of a security team, you know, when you really receive a security vulnerability or a software vulnerability, and if I had to go back and look through all my vendor partners that I actually use within my landscape or within my environment, I need to figure out which particular partner is actually impacted by this particular vulnerability. Today, what I have to do is I actually have to send everybody a question or a survey to figure out what their action plan is. Have they been impacted? And have they taken any action to remedy that particular vulnerability?

Now, with the use of the SBOM, which is the software bill of materials, once it's already listed as part of the solutions and what actual software they're using to build their solution, now I can really focus on the partners that are really using a particular capability or a particular component with that vulnerability. And then I can target my responses only to those partners. So I highly encourage people to look at the software bill of materials and try to build it into the third party risk assessment process and put them into your catalog.

The next one I'll touch on is open source software. Leveraging open source software is easy. A lot of things that we do these days can leverage open source software. But I also wanted to touch on a few things. We actually have a detailed software assessment process. Before we leverage an open source software within our environment, we take the software, we actually put it in a very specific dedicated server, and we actually scan for any vulnerabilities. And we also look for any licensing terms, because when you leverage an open source software, there are certain licensing terms that may be embedded within the open source software that we may be violating. So before we leverage them, we actually want them to go through that process. So utilizing the open source software is good, but understand what actually comes with it, so that you can build your processes, either to patch the solution or, if you have to, to build the terms that we actually work with them on. So you can actually modify that as well as you use the solution within your environment.

The next one I'll touch on is Vendor Insights. As I talked about, Vendor Insights can really simplify your life cycle for third party risk assessments. What we're also trying to do is some level of automation, by actually integrating some of the input from Vendor Insights into our GRC system, where we can maintain those solutions and then see the responses, and then we can really focus on the points that we really need to be worried about that are not already captured in the Vendor Insights dashboard.

We also use some level of due diligence tools as well, like SecurityScorecard as an example, that gives you an outside perspective about a particular provider and what their score is. It actually has a scoring mechanism, like A through F, and it actually breaks down every layer of software. Like, it talks about how they are doing patching, or how they are doing DNS security, or how they are doing email security. It gives us an insight into that. And with the Vendor Insights integration and the SecurityScorecard integration, I can really simplify the third party risk assessment process and reduce the time it takes for the organization.

I'll also talk about Private Offers. The terms and the conditions and the riders that you can actually use, including them for one partner is fine. But then if you can do that for all the partners, you are also standardizing the licensing terms as well, so that you can actually give the template to the partner already. The partner can see the terms that they need to comply with, and they are already kind of in a pre-negotiated phase as well. So that's another one. I highly recommend that we actually leverage Private Offers.

Finally, I'll talk about AWS Marketplace, which in our case is a Private Marketplace, where you can really create a dedicated team which can actually manage access to a Private Marketplace, where they can help the organization. And in our case, it helps us to identify, procure and deploy solutions at Gilead. With that, I'll ask Arun to come back on and then follow through on the next steps.

Thank you, Chris. So in terms of next steps and what you can do to get started on this journey, the first action item that I would recommend is: get familiar with AWS Marketplace, browse through our selection of software products, solutions, data products and so on. Understand how we've organized the catalog and the features that are available, et cetera. And then experiment by doing a few renewals using the Private Offer mechanism that both Kartik as well as Chris spoke about. These Private Offers really help drive purchasing efficiencies. And once you become familiar with the Private Offer mechanism, that can help you understand how to incorporate Marketplace in software procurement on an ongoing basis.

Pilot the use of Vendor Insights, especially for onboarding new vendors. Understand the information that's available on the basis of the 125 controls in the security profile and how you can get access to that information. Understand how Private Marketplace can provide an additional layer of governance within your organization, so that you can extend self-service capabilities to the builders and the engineers in your organization to subscribe to only those products that have been approved for subscription.

And then of course, as you become familiar with all of these capabilities, and there are many other capabilities related to cost management, entitlements management, et cetera, start thinking about how Marketplace can align with your overall software supply chain.

So with that, we are done and if there are any questions, we'll be happy to take them. Well, you all have been wonderful. Thank you for attending our session and we are going to be around for a few more minutes in case you have any other questions. Thank you. Thank you. Thank you so much.

Sure, I can help you with that. The Metropolis-Hastings algorithm is a Markov Chain Monte Carlo (MCMC) method used to generate samples from a target distribution that is difficult to sample from directly. In this case, we want to generate samples from the beta distribution using the uniform distribution as a candidate distribution. The beta distribution is given by:

$$p(x) \propto x^{\alpha-1}(1-x)^{\beta-1}$$

where $x \in [0, 1]$ and $\alpha, \beta > 0$ are the shape parameters. To apply the Metropolis-Hastings algorithm, we need to follow these steps:

1. Initialize $x_0$ to some value in $[0, 1]$.
2. For each iteration $t$:
   - Generate a candidate sample $y$ from the uniform distribution $U(x_t - \epsilon, x_t + \epsilon)$, where $\epsilon$ is a small positive constant.
   - Compute the acceptance ratio $r = \frac{p(y)}{p(x_t)}$.
   - Generate a random number $u$ from the uniform distribution $U(0, 1)$.
   - If $u < r$, set $x_{t+1} = y$, otherwise set $x_{t+1} = x_t$.
3. Repeat step 2 until enough samples have been generated.

Note that we can simplify the acceptance ratio by canceling constants:

$$r = \frac{p(y)}{p(x_t)} = \frac{y^{\alpha-1}(1-y)^{\beta-1}}{x_t^{\alpha-1}(1-x_t)^{\beta-1}}$$

Here's some Python code that implements the Metropolis-Hastings algorithm to generate samples from the beta distribution:

```python
import numpy as np


def beta_mh(alpha, beta, epsilon, n_samples):
    """Metropolis-Hastings sampler for Beta(alpha, beta) using a symmetric
    uniform random-walk proposal of half-width epsilon."""
    # Initialize the chain at a random point in (0, 1)
    x = np.random.rand()
    samples = np.zeros(n_samples)

    for i in range(n_samples):
        # Generate a candidate sample from U(x - epsilon, x + epsilon)
        y = np.random.uniform(x - epsilon, x + epsilon)

        # The target density is zero outside [0, 1], so such candidates are
        # always rejected; checking explicitly also avoids NaN from fractional
        # powers of a negative base and division by zero at the boundaries.
        if 0.0 < y < 1.0:
            # Compute the acceptance ratio (the normalizing constant cancels)
            r = (y**(alpha-1) * (1-y)**(beta-1)) / (x**(alpha-1) * (1-x)**(beta-1))
            # Accept the candidate with probability min(1, r)
            if np.random.rand() < r:
                x = y

        # Save the current state (unchanged if the candidate was rejected)
        samples[i] = x

    return samples
```

You can call this function with the desired shape parameters $\alpha$ and $\beta$, the step size $\epsilon$, and the number of samples to generate. For example:

```python
alpha = 2
beta = 5
epsilon = 0.1
n_samples = 1000
samples = beta_mh(alpha, beta, epsilon, n_samples)
```

This will generate 1000 samples from the beta distribution with shape parameters $\alpha=2$ and $\beta=5$, using the uniform distribution with step size 0.1 as the candidate distribution.
