AWS Marketplace Talks Secure Digital Transformation
Spurred on by the pandemic, digital transformation continues to accelerate. Chris Grusz, director of AWS Marketplace and Control Tower, discusses how security teams can leverage this transformation to securely innovate and drive better business outcomes.
The sudden acceleration of digital transformation has provided security teams with the opportunity to strengthen their security posture and culture to deliver stronger business outcomes. Chris Grusz, director of AWS Marketplace and Control Tower, explores how organizations can approach security from a technology and cultural perspective.
Day One Mentality
Speed and agility are critical for an organization to meet business objectives. But as development teams build and deploy quickly, security can often lag, causing compliance lapses and financial losses. To keep up with the development lifecycle, security must be established at the beginning of the process—also known as “shifting left.” Establishing security guard rails and procedures upfront provides direction and keeps teams on track. In turn, this enables all teams to work quickly; security teams can protect applications and data without causing delays, and developers can deploy at speed to deliver on business goals.
Shifting left requires a cultural change as well. Security is no longer the sole responsibility of one team—it must be distributed throughout the organization and designed into development and operational processes. The convergence of development, security, and operations teams, also known as DevSecOps, enables teams to apply security in concert.
Understanding and adopting the AWS Shared Responsibility Model is key for organizations that want to stay on target. While AWS is responsible for the operating system, the hypervisor, physical data centers, and additional security elements, organizations are tasked with securing the data that they store within the cloud service. Leveraging a third-party cybersecurity vendor with cloud-native integration allows you to enhance AWS security while protecting your valuable assets. By fulfilling your end of the AWS Shared Responsibility Model, security and development teams can maximize the benefits of operating and building in the cloud.
Procuring your ideal security solution
Choosing your cybersecurity vendor can be challenging. Security isn’t one-size-fits-all, so it’s important to evaluate whether the offering can address your specific industry and business needs. However, there are a few baseline questions you can use to assess vendors:
- Have they leaned into the cloud? Specifically, are they providing the right integrations and innovations that you can leverage with your cloud provider of choice?
- Do they tell a comprehensive story? Many vendors only secure one part of your environment, but ideally, you want a security partner that addresses your security needs across multiple aspects of the cloud—workloads, containers, storage, posture management, network, and more
- Are they constantly innovating and keeping pace with the speed of cloud providers like AWS? And does that innovation also include taking care of today’s threats as well as looking to tomorrow for emerging trends?
- Are they locking you into one platform? Your vendor of choice should be able to support your business needs, including multi-cloud and hybrid as a strategy
Yael Teryohin: Hi everyone. My name is Yael Teryohin, director of cloud growth here at Trend Micro. I've been very fortunate to have been with trend for almost six years, and I've got to work with many different organizations of all different sizes. We have seen a lot of these organizations go through rapid pace of digital transformation.
I think we can all agree that the global pandemic accelerated that digital transformation. Cloud, AI, big data, and automation are all key enablers of this transformation… and one commonality and where we, as Trend Micro, help organizations most in part of that digital transformation is helping them prioritize security and building it into the transformation from the beginning.
In this fireside chat, I'll be joined by Chris Grusz director, AWS Marketplace and Control Services. Chris and I will discuss how the cloud delivers acceleration to digital transformation and how security teams can leverage the transformation to more meaningfully engage with the business and drive better business outcomes. Welcome Chris.
Chris Grusz: Thanks. I'm looking forward to the conversation.
Yael: Wonderful. Well, why don't we start by having you just talk a little bit about your role and about yourself.
Chris: Sure. So, Chris Cruz, I'm director of business development for AWS Marketplace and Control Services, which is Service Catalog and Control Tower. We predominantly work with Trend Micro with the Marketplace front.
My Marketplace organization is really split up between three different pillars. So, I've got one part of my organization that works with the ISB community, like Trend Micro, and gets them into the Marketplace catalog. My second pillar is a team that focuses on the channel organization. Trend Micro, along with a lot of other ISBs, go to market with channel partners. We've adapted Marketplace that channel partners that can now leverage that as part of their go-to market motions.
In the third and final pillar, I have as a team of Marketplace, customer advisors, and this is a team that sits out in our geographies, and they work with AWS customers as they look to use Marketplace to buy the third-party subscriptions. But collectively our goal is to help our customers transform their business. Looking forward to the conversation today.
Yael: Wow. Sounds like you're really busy. So, I really appreciate you joining our fireside chat and sharing your experiences and thoughts with our customers. You know, AWS has been built on helping customers leverage the cloud to achieve rapid digital transformation.
Our conference is focused on how security is fundamental to digital transformation. I'd love to hear a little bit about your experience with AWS customers and what some of those commonalities amongst those customers that get it right.
Chris: Yeah, that's a good question. I would say the first commonality I see is that the companies that do this well, they take a day one mentality as it pertains to security. And what I mean by that is that they recognize that security is not an afterthought. It needs to be part of your overall cloud strategy. They set the right procedures and guard rails in place upfront so they can innovate, but do it in the right way. A lot of times people think that guard rails actually slow things down, but what we found is that it actually speeds things up because it gives you direction. It effectively keeps you on the road. And there's a lot of studies that actually prove that out. Where if you find something upfront and you can address security early in the process, it's much easier to remediate then something that makes it all the way out to production. And then you're trying to remediate something that's out in [production]. We see that companies that do well, they recognize that security needs to be upfront in the process.
The second thing that we see for companies that do it well is they do a very good job of adopting the AWS shared security model. Under that model, AWS is responsible for the operating system, the hypervisor, and everything below that, including all the physical data centers and security elements. We do all the separation of security and networking, and we do all the certification for our platform as well.
The customers that really recognize that and build on top of it… Effectively, it allows them to take advantage of all of our certifications for things like ISO 27017 for cloud security or ISO 27018 for cloud privacy. We do all that certification for our customers, and then when they build on top of it, they inherit that by default and then we provide a lot of best practices on top of that.
We also look at leveraging third-party ISBs, like Trend Micro, to provide additional security for our customers on top of the AWS platform. And so, the customers that do it well, they take advantage of the shared security model that we provide, and then they complement that with strong solutions out of the market, like Trend Micro.
Yael: Chris, you mentioned guard rails and a metaphor we frequently use with customers is: when you're moving to the cloud, you want to go fast with the car. We love driving fast, but without the brakes you're unsafe. So, security is definitely a part of that.
We're always talking about technology being a transformation, but there's much more to it. There's also cultural transformation. What do you think security teams need to be mindful when it comes to this cultural shift?
Chris: Well, I think they just need to acknowledge that there's a convergence going on as it pertains to security. When you take a look at what's happening between the development teams and security teams and the operations teams, you're really seeing that convergence across those three separate, but very important organizations. The industry term is obviously DevSecOps, and we're seeing that as really being a very important shift from a cultural perspective.
Security is no longer just the CISOs responsibility. It's a shared responsibility across an entire organization. We see that happening with a lot of our big customers, where security is getting distributed throughout the organization and they're embedding that security expertise throughout a company and they're designing to their development and their operational processes.
As part of that, we're also seeing is that you have to have a strong procurement system in place so you can actually manage that software coming in and then effectively manage and track that as well. That's really where the Marketplace value proposition also starts to play into the security aspect for our larger customers.
Yael: The speed, agility, and changing team dynamics that you just spoke of have also presented great opportunities for innovation when it comes to how security and software are procured. Can you tell me a little bit more about that innovation and share some of the business outcomes that it has helped customers achieve?
Chris: From the AWS Marketplace perspective, our charter is to work with a third-party ISB ecosystem and get their software available in that same consumable format that AWS customers are used to buying other AWS services. From an innovation perspective, one of the big things that we innovate on is really providing the functionality so that the ISB community can provide their software in a consumption format. That means providing APIs that you can do a pay-as-you-go model if you're an ISB. Effectively that allows our customers to scale up or down as needed and take advantage of the flexibility of the cloud.
Now purchasing is kind of one aspect of it, but another aspect is how you manage those subscriptions once you've purchased them. One of the innovations that we just launched at our most recent [AWS] re:Invent is Managed Entitlements. That allows customers now subscribed to Trend Micro at their overall account level, but now they can grant blocks of Trend Micro down to all their sub-accounts.
A lot of times our enterprise customers don't just have one cloud account—they have dozens or even hundreds. They need an easy way to distribute those subscriptions once they've actually purchased them at that top-level administrator account. The other thing that we've seen that we've innovated on is just cost tagging and providing visibility to what's actually going on within an organization.
Not only for something that they're buying, like Trend Micro, but for all their software. They can see if there's maybe a security incident, what products are out there, which ones are using certain operating systems and then they can remediate effectively. A lot of the cost tagging functionality that we've built in our platform is [really helping our customers innovate and move quickly, but also move fast when there is a problem and they need to figure out what's going.
Another recent innovation that we've had is Private Marketplace, where it effectively allows our customers to take the 10,000 listings in the Marketplace catalog and curated down to only those enterprise standards. Then they can actually provide a subset of the Marketplace catalog out to the developer teams, and that allows them to deploy products on demand, but also make sure that people adhere to those corporate standards.
We've seen a lot of customer interest in that feature and it's allowed them to move even quicker using Private Marketplace. We've also opened that up to actually have an API so that you can actually update that approved vendor list from a different environment. If you might have a CMDB environment or an ITOM tool that has your approved vendor list, you can now pull all those listings over via API, into Private Marketplace.
Another big one, the final one that I'll mention, is their integration with procurement systems. A lot of our customers use large enterprise systems like Ariba or Coupa, and they might want to have that for their overall purchasing process, but they still want to provide that on demand, purchasing experience out of Marketplace. We’ve done all the integration to integrate the systems like Coupa or Ariba, so you have a really good on-demand experience that compliments your overall procurement department.
Yael: It's pretty incredible to see the AWS Marketplace really innovating and all these new services that have come out, so congratulations on that. Many of our customers that are listening in today, procure Trend Micro through the AWS Marketplace and that's some of the greatest feedback we've gotten is that they really only pay for what they use. I'm sure the procurement teams love that.
So, one final question I wanted to ask you… You personally deal with a lot of AWS customers, you see successes and of course, challenges that they have with the various security solutions they choose. Do you have any advice that you can share on what customers should be looking for when selecting a security part?
Chris: Yeah, there's a couple of things that I always steer people to take a look at. So first of all, is the security part that they're looking at—are they truly leaned into the cloud?
It's not enough just to maybe have an agent that runs on the cloud, but have they done the right integrations and the right innovation to actually leverage what's going on with that cloud provider? And by truly integrated, I mean, taking advantage of features like Marketplace and our APIs for billing, but can also be features that are part of our underlying compute platform.
Are they taking advantage of auto-scaling so that when a customer scales up or down their compute platform… is the software that they're getting also able to take advantage of auto-scaling.
Another thing that I'd take a look at and really encourage is to look at security ISBs that have a complete story. It's great if you've got a security vendor that might only be able to secure a part of your environment, but the ones that are really going to add you the most value are the ones that have a complete story that can secure what you're doing today on prem, or maybe within just a private cloud. Then also leveraging what's going on in the public cloud environment and having a complete story across your entire ecosystem.
The third piece that I always look at is that ISP or that security provider, are they constantly innovating? Technology changes by the day. So are they innovating? Not just for what you might be using today or maybe where you're going with cloud, but also for what's on the horizon.
Containers is a really good example. Are you providing solutions that are only going to secure a small subset or are they also innovating for other technology trends on the horizon? So if you do choose to go use those different compute platforms, you're not cornered into one ISB and need to make a jump to another.
Yael: Thank you Chris, for your time and insight today. I think you really provided some great information and it's been incredible, like I said, to watch AWS and the Marketplace grow. Thank you for your time. Back to the hosts.