AWS Sets MSSP Beachhead With New Security Competency
The new competency—which AWS channel chief Doug Yeum called an ‘industry first’—is designed to help partners differentiate themselves in a crowded security market and make it easier for customers to procure their services.
Amazon Web Services is launching a new partner competency for managed security service providers (MSSPs) and will make their cloud software solutions and services available in the AWS Marketplace.
The AWS Level 1 MSSP Competency, which AWS has been piloting for a year, creates a new baseline standard for managed security services that protect, monitor and respond to security events of essential AWS resources and are delivered to customers as a fully managed service.
AWS will validate AWS Partner Network members in 10 security service areas defined by AWS security experts, who will work with partners to develop offerings that leverage native AWS security services such as Amazon GuardDuty and AWS Security Hub and third-party solutions from AWS Security Competency ISV Partners.
“We have laid out 10 areas that are important for our customers, and we’ve come up with ... a baseline standard for quality around these 10 areas,” said Yeum, AWS’ head of worldwide channels and alliances. “For us to go and define these areas, come up with the right criteria and work with the partners to get them validated against these criteria—these are all industry firsts.”
The new competency launches Tuesday in conjunction with AWS re:Inforce 2021, the cloud provider’s security, identity and compliance conference, and with 27 partners/sellers that already have been vetted and earned the new designation.
“Security has always been the most important thing for AWS, but it’s also the most important thing for our customers when they make that transition from on-prem to the cloud,” Yeum told CRN. “They’ve had relationships with managed security service providers for the on-prem world, but when they make that transition to the cloud, now they’re looking for MSSPs who have that cloud security expertise. What we want to do is help the customers make that decision and do it in an informed way and do it with some support from AWS. We believe the competency is an important way to do that.”
The new competency is open to AWS Advanced or Premier Tier APN Consulting Partners and AWS ISV Partner Path members. Qualifying partners must meet the specific technical and operational requirements of the 10 security service areas: AWS infrastructure vulnerability scanning, AWS resource inventory visibility, AWS security best practices monitoring, AWS compliance monitoring, monitoring and triaging of security events, 24x7 incident alerting and response, distributed denial of service (DDoS) mitigation, managed intrusion prevention systems, managed detection and response (MDR) for AWS-based endpoints and managed web application firewall (WAF) service.
Partners have to be validated every year, according to Ryan Orsi, AWS’ worldwide security/MSSP practice lead.
“They’re going to be kept to a very high bar, and that bar—the technical requirements—they’ll be evolving as well,” Orsi said. “Security experts all over the company are helping contribute to what the requirements should be for MSSPs for 2023, 2024 and so on.”
The new AWS competency comes on the heels of a report last week from Huntress, an Ellicott City, Md.-based MDR provider, that attackers are actively scanning for and abusing on-premises Microsoft Exchange Server vulnerabilities that were patched earlier this year.
AWS’ decision to launch its new MSSP competency is “purely based on the requirements that were coming from our customers and some of the observations that we had around demand signals from customers and also just with our discussions with the partners,” according to Yeum.
“This is not a response to anything our competitors are doing,” he said. “This is just purely us saying this is an important competency that we need to add into the portfolio competency that we have for our partners.”
AWS operates under a shared responsibility model for security and compliance. AWS is responsible for the “security of the cloud” and protection of the infrastructure—the hardware, software, networking and facilities that run AWS cloud services. Customers are responsible for “security in the cloud,” with the required configuration work determined by the AWS cloud services that they use.
In developing the new initiative, AWS listened to customers about the security challenges they’re facing, according to Yeum.
“Broadly speaking, they have big challenges around the fact that they’re using multiple-point solutions, and they’re looking for partners who understand those point solutions and are able to bring all that together and … manage those solutions on behalf of the customer,” Yeum said. “The other [challenge] is making that transition and having the right security controls in the cloud. It’s not easy, and operationalizing these things aren’t easy. You’re talking about deploying the cloud security solutions, configuring them and then responding to alerts that are generated by these solutions. Some companies have that in-house expertise, but many don’t, and that’s why they rely on third-party partners to help them.”
Deloitte, an AWS Premier Consulting Partner, earned the new competency during the pilot. The company expects overall managed services growth to be 2.5 times faster than its traditional core offerings and even stronger for the cloud, according to Aaron Brown, a partner in the company’s cyber risk service.
“We spend most of our time supporting clients in an advise-and-implement scenario, helping them adopt the security pillar of the well-architected framework,” Brown said. “Oftentimes, our direct clients, the CISO organizations, are ‘behind the eight ball.’ It could be that they were late to the party, or they just don’t have the capability or capacity to catch up or keep up, and large migrations or environment build-outs are held up due to security requirements not being met. Providing clients with an option for a fully managed security solution can allow them to skip past the AWS security learning curve, skip past the time and effort to integrate and configure new or existing tools, skip past the time required to develop security automation required to scale.”
Companies recognize the need to accelerate their cloud transformation journey, but often at the expense of cyberdefense functions, according to Sean Joyce, global and U.S. cybersecurity leader at London-based PwC, an AWS Advanced Consulting Partner that also earned the new competency.
“There’s tremendous opportunity for organizations to quickly and efficiently evolve their cyber operating models leveraging AWS-native technology coupled with a services partner with the requisite expertise and experience,” Joyce said. “The AWS Level 1 MSSP competency program provides a taxonomy and baseline that will help enterprises select a qualified services partner, filling gaps they often face in skilled cloud and cyber resources, while taking advantage of established processes, automations and technology accelerators.”
Atos sees AWS’ new MSSP competency program as instrumental to the success of its clients’ cybersecurity objectives, according to Wim Los, senior vice president of cloud enterprise solutions for the French solution provider, an AWS Advanced Consulting Partner.
“With its multiple security domains, customers will have secure, enhanced operations from end to end of the business,” Los said via email. “The initiative’s objective is to deliver cybersecurity supervision services for public, private and hybrid cloud environments in order to operate and respond to cloud-native security controls and anticipate threats in a prescriptive versus predictive mode.”
AWS Marketplace Listings
AWS Level 1 MSSP Competency partners’ solutions and fully managed services are available directly from the partners or under the MSSP category in the AWS Marketplace, the online store where customers can buy or sell software that runs on AWS.
Competency partners will be showcased on a solution page that highlights specific use cases for MSSPs, and customers can filter listings by MSSP category type.
“It provides customers more of a guided buying experience,” said Mona Chadha, director of category management for AWS Marketplace. “While the Marketplace has over 10,000 solutions, and a lot of them are solutions within security—for example, a web application firewall or threat management detection solution—now they’re able to find a holistic solution in the Marketplace to actually procure. They’re able to find that in a consumption-based model that they like, and that’s very similar to how they procure AWS services.”
Sophos, an Abingdon, England-based cybersecurity company, has earned the competency and is offering a threat protection, monitoring and response package in AWS Marketplace.
“The AWS Level 1 MSSP Competency is something that is absolutely needed out there in the industry, and AWS is certainly first to market with a program like this,” said Scott Barlow, vice president of global MSP and cloud alliances for the AWS Advanced Technology Partner. “The fact that it recognizes that we’ve met all of the AWS requirements for a baseline of managed security services to protect and monitor AWS resources 24 x 7 is fantastic and a great validation of our technology and the company.”
Sophos’ threat protection, monitoring and response package combines cloud security, posture management and compliance through its Cloud Optix product with Sophos Firewall and its service security for cloud workload protection, as well as endpoint protection.
“You’re able to leverage our Cloud Optix product to reach in and pull the telemetry from Amazon GuardDuty, AWS Security Hub, as well as AWS CloudTrail, so that now we have that telemetry that we can actively respond to and remove any of the manual work that’s required to analyze and triage security events,” Barlow said.
Sophos will leverage its global channel of about 60,000 channel partners and 15,000 managed service and cloud service providers to deliver and implement the security service to small and midsize businesses.
“Partners have responded to the offering very enthusiastically,” Barlow said. “One partner that I was in a conversation with last week said that the offering is exactly what they’ve been looking for through a next-generation security provider.”
IBM, an AWS Premier Consulting Partner, has earned the new competency. IBM Security Services is offering IBM Security X-Force Incident Response Retainer Services, an annual subscription for planning, preparation and responding to security incidents, through the AWS Marketplace.
A cybersecurity skills shortage is impacting everyone, and when it’s compounded with the growing complexity of security systems, managed security services are only growing in importance with clients, according to Michael Sanders, director of cloud security strategy for IBM Security Services.
“Certifications like the AWS Level 1 MSSP Competency program help CISOs justify the need for help from third parties, accelerating access to the skills and expertise,” Sanders said. “IBM Security has been securing AWS and other cloud workloads for years. The AWS competency is an important affirmation of our investment and will open the door for IBM Security to fulfill customers’ critical requirement for advisory consulting, threat management consulting and managed security services.”
Alert Logic Launchpad For AWS MSSPs
Houston-based MDR provider Alert Logic has earned the competency and is offering MDR Essentials—a package that includes vulnerability, asset visibility and endpoint protection—through the AWS Marketplace.
Dan Webb, vice president of partner sales and alliances at Alert Logic, sees the competency as a milestone for the cybersecurity industry.
“It’s the first time that there’s been a competency that’s directly recognizing the fact that, while there’s a number of companies that do have the resources and means to manage their own security responsibilities and build in-house security operations, the vast majority of companies don’t have that and really need help with security and their shared security responsibility to enable them to be successful with their cloud programs,” Webb said.
And AWS’ prescriptive requirements for the competency “vets out a lot of the kind of pretenders,” according to Webb.
“You’re very unlikely to kiss a frog and have a bad experience if you follow the competency model,” he said.
An AWS Advanced Technology Partner, Alert Logic also is launching a program on Wednesday—the Alert Logic Launchpad for AWS MSSPs—to help other MSP partners earn the AWS Level 1 MSSP Competency through an accelerated 15-day path.
“We recognize a number of MSPs out there are seeing security is no longer nice to have or an add-on as a line item on the bill of materials for their managed service offerings,” Webb said. “They’re now seeing it as fundamental, especially when they’re providing managed services for AWS customers. If you have the ability to go and get yourself badged as an MSSP, as well as being an AWS MSP, then you’re really in a very rare group, and it’s a strong differentiator in the market.”