New Amazon Web Services (AWS) offerings rolled out at the debut re:Inforce conference allow enterprises to integrate AWS Marketplace with their procurement systems for greater control of software spending, and to capture and inspect network traffic at scale through virtual private cloud traffic mirroring.
The cloud provider also announced the general availability of AWS Control Tower, which makes it easier for customers to set up and continuously govern compliant multi-account AWS environments, and AWS Security Hub, which provides customers a central place to manage security and compliance across an AWS environment.
Read on to find out more about the new services highlighted at re:Inforce, a conference on security, identity and compliance held in Boston this week.
AWS Marketplace Procurement System Integration
AWS Marketplace Procurement System Integration is a new feature that allows enterprises to integrate AWS Marketplace with their procurement systems to give chief information officers (CIOs) more control over their information technology (IT) spending and centralised governance of purchase orders.
IT teams can use the new feature to search, purchase, deploy, pay and manage thousands of software products in AWS Marketplace and get instant budget visibility.
“We want to make it super easy for builders to find, buy and deploy software that they need from over 4800 listings across the Marketplace,” said Stephen Schmidt, AWS’ chief information security officer.
The first integration is with Coupa and its cloud platform for business spend management. Support for additional vendors will be coming out soon, according to Schmidt. Builders also can develop their own integrations for any procurement system supporting cXML (commerce eXtensible Markup Language), a protocol for the communication of business documents between procurement applications, e-commerce hubs and suppliers.
“CIOs often struggle to get control of IT spending that is happening in different departments and systems across the company because of siloed purchases and processes,” Coupa chief executive officer Rob Bernshteyn said in a statement. “By running the entire AWS Marketplace purchase process -- from search through payment and beyond -- on the Coupa platform, IT leaders can now bring order to this spend.”
The new feature should be a boon for large AWS software reseller partners because it will fast-forward the procurement approval process, according to Dave McCann, vice president of AWS Marketplace, Service Catalog and migration services.
“The way it's going to help the big resellers is in speed of winning a contract,” McCann said. “Resellers…are typically negotiating the price with the buyer for very large contracts, and then waiting for that contract to get approved. We think it's going to compress the timeline.”
While AWS Marketplace Procurement System Integration seems like an odd thing to call out at a security event, it addresses a key concern of major organizations and partners, according to Mark Nunnikhoven, vice president of cloud research at Trend Micro, an enterprise data security and cybersecurity company whose U.S. headquarters is in Irving, Texas.
“Extending AWS Marketplace into existing procurement systems is a win for organizations and AWS partners,” he said. “It removes a big roadblock for customers by allowing them to use their existing procurement systems and process, and that will make it easier to test and acquire new technologies.”
VPC Traffic Mirroring
The easier it is to see what happens to a network, the easier it is to secure it, Schmidt said. But many customers have thousands of virtual private clouds (VPCs) and use 20 to 40 security tools that require some form of collection process.
“Deploying an agent or a collector for each tool is a recipe not only for inefficiency, but also for an outage or a vulnerability in your infrastructure, so we decided to solve that,” Schmidt said.
AWS likens VPC Traffic Mirroring to a “virtual fiber tap” that gives direct access to network packets flowing through VPCs. VPC Traffic Mirroring allows customers to capture and inspect network traffic at scale to detect network and security anomalies, gain operational insights, implement compliance and security controls, and troubleshoot issues. It forwards traffic natively from VPCs to a user’s tools of choice without an agent or a bump in the wire and without performance impact to infrastructure, according to Schmidt. Traffic can be mirrored from any EC2 instance powered by the AWS Nitro system.
AWS Control Tower
AWS Control Tower is designed to help customers set up and govern multi-account AWS environments.
Control Tower provides prescriptive guidance for customers on how to establish a landing zone and create workflows to provision compliant accounts, according to Schmidt.
“It integrates with IAM, our identity and access management platform, and offers pre-configured architectures for network design, cross-account logging and audit console,” he said. “Most importantly, workloads which are deployed in landing zones are continuously governed by guardrails, which are pre-packaged governance rules that you can select and apply enterprise-wide or just to a few accounts. This has been a feature request that a lot of customers have been asking for for a long time.”
Control Tower will allow managed service providers to more quickly bring customers onto the cloud and switch on their environments, according to McCann.
“Whereas in the past, you might have said, ‘I'll get back to you in two days,’ now you can say ‘I'll have you up and running in two hours,’” he said.
Most people may question the reach of a service like this, Nunnikhoven said, “but remember that multiple AWS accounts is a common deployment and security strategy in order to separate concerns within the organisation.”
AWS Security Hub
Schmidt announced the general availability of AWS Security Hub, which gives customers a single place to manage security and compliance. It aggregates, organises and prioritises security alerts from multiple AWS services such as GuardDuty, Inspector and Amazon Macie, along with AWS partner solutions, and conducts continuous compliance checks.
“Your findings are visually summarized for you on an integrated dashboard with actionable graphs and tables that help you focus your investigative efforts in the right place at the right time,” Schmidt said.
Twenty-five partner integrations with Security Hub currently are available.
“You get not only alerting, but the actionable movement towards a secure environment after the alert occurs if you use a partner integration,” Schmidt said.
Security Hub will be helpful to AWS partners, according to Amit Gupta, vice president of product management for San Francisco’s Tigera, an enterprise software company providing security and compliance solutions for Kubernetes platforms.
“It works great for partners because now, at least from a customer's perspective, there's one central place where you have access to all the security telemetry data, so that is good,” he said.