Top New AWS Services Unveiled At re:Inforce 2019 Security Conference

New Amazon Web Services rolled out at the debut re:Inforce conference allow enterprises to integrate AWS Marketplace with their procurement systems for greater control of software spending, and capture and inspect network traffic at scale through virtual private cloud traffic mirroring. The cloud provider also announced the general availability of AWS Control Tower, which makes it easier for customers to set up and continuously govern compliant multi-account AWS environments, and AWS Security Hub, which provides customers a central place to manage security and compliance across an AWS environment.

Read on to find out more about the new services highlighted at re:Inforce, a conference on security, identity and compliance held in Boston this week.

AWS Marketplace Procurement System Integration

AWS Marketplace Procurement System Integration is a new feature that allows enterprises to integrate AWS Marketplace with their procurement systems to give chief information officers (CIOs) more control over their information technology (IT) spending and centralized governance of purchase orders.

IT teams can use the new feature to search, purchase, deploy, pay and manage thousands of software products in AWS Marketplace and get instant budget visibility.

“We want to make it super easy for builders to find, buy and deploy software that they need from over 4,800 listings across the Marketplace,” said Stephen Schmidt, AWS’ chief information security officer.

The first integration is with San Mateo, Calif.-based Coupa and its cloud platform for business spend management. Support for additional vendors will be coming out soon, according to Schmidt. Builders also can develop their own integrations for any procurement system supporting cXML (commerce eXtensible Markup Language), a protocol for the communication of business documents between procurement applications, e-commerce hubs and suppliers.

“CIOs often struggle to get control of IT spending that is happening in different departments and systems across the company because of siloed purchases and processes,” Coupa chief executive officer Rob Bernshteyn said in a statement. “By running the entire AWS Marketplace purchase process – from search through payment and beyond – on the Coupa platform, IT leaders can now bring order to this spend.”

The new feature should be a boon for large AWS software reseller partners because it will fast-forward the procurement approval process, according to Dave McCann, vice president of AWS Marketplace, Service Catalog and migration services.

“The way it's going to help the big resellers is in speed of winning a contract,” McCann said. “Resellers…are typically negotiating the price with the buyer for very large contracts, and then waiting for that contract to get approved. We think it's going to compress the timeline.”

While AWS Marketplace Procurement System Integration seems like an odd thing to call out at a security event, it addresses a key concern of major organizations and partners, according to Mark Nunnikhoven, vice president of cloud research at Trend Micro, an enterprise data security and cybersecurity company whose U.S. headquarters is in Irving, Texas.

“Extending AWS Marketplace into existing procurement systems is a win for organizations and AWS partners,” he said. “It removes a big roadblock for customers by allowing them to use their existing procurement systems and process, and that will make it easier to test and acquire new technologies.”

VPC Traffic Mirroring

The easier it is to see what happens to a network, the easier it is to secure it, Schmidt said. But many customers have thousands of virtual private clouds (VPCs) and use 20 to 40 security tools that require some form of collection process.

“Deploying an agent or a collector for each tool is a recipe not only for inefficiency, but also for an outage or a vulnerability in your infrastructure, so we decided to solve that,” Schmidt said.

AWS likens VPC Traffic Mirroring to a “virtual fiber tap” that gives direct access to network packets flowing through VPCs. VPC Traffic Mirroring allows customers to capture and inspect network traffic at scale to detect network and security anomalies, gain operational insights, implement compliance and security controls, and troubleshoot issues. It forwards traffic natively from VPCs to a user’s tools of choice without an agent or a bump in the wire and without performance impact to infrastructure, according to Schmidt. Traffic can be mirrored from any EC2 instance powered by the AWS Nitro system.
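The provisioning sequence behind a mirror session, as an added example that is not part of the article or of any AWS sample code: a target (the sensor's network interface), a filter with one accept rule per direction, and the session that binds a source interface to them. The `ec2` argument is meant to be a boto3 EC2 client; `FakeEC2`, the ENI values and the "IDS sensor" wording are constructed stand-ins so the block runs offline.

```python
"""Provision a VPC Traffic Mirroring session (added example, not the article's own code)."""
import itertools


def setup_mirror(ec2, source_eni, target_eni, session_number=1):
    """Create target, filter, accept-all TCP rules and the session; return their ids.

    source_eni: ENI of the Nitro-based EC2 instance to tap (assumed placeholder).
    target_eni: ENI of the appliance that receives the mirrored packets (assumed).
    """
    target = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni, Description="IDS sensor ENI")
    target_id = target["TrafficMirrorTarget"]["TrafficMirrorTargetId"]

    filt = ec2.create_traffic_mirror_filter(Description="mirror all TCP")
    filter_id = filt["TrafficMirrorFilter"]["TrafficMirrorFilterId"]

    # One accept rule per direction; Protocol 6 is TCP, rules are evaluated by RuleNumber
    for direction in ("ingress", "egress"):
        ec2.create_traffic_mirror_filter_rule(
            TrafficMirrorFilterId=filter_id, TrafficDirection=direction,
            RuleNumber=100, RuleAction="accept", Protocol=6,
            SourceCidrBlock="0.0.0.0/0", DestinationCidrBlock="0.0.0.0/0")

    session = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=source_eni, TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id, SessionNumber=session_number,
        VirtualNetworkId=100)  # VXLAN VNI the sensor can demultiplex sessions on
    return {"target": target_id, "filter": filter_id,
            "session": session["TrafficMirrorSession"]["TrafficMirrorSessionId"]}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: records calls, returns fake ids."""

    def __init__(self):
        self.calls = []
        self._ids = itertools.count(1)

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            key = name[len("create_"):]  # e.g. traffic_mirror_target
            pascal = "".join(part.title() for part in key.split("_"))
            return {pascal: {pascal + "Id": f"tm-{next(self._ids):04d}"}}
        return call


if __name__ == "__main__":
    # Real use: ec2 = boto3.client("ec2"); the fake client keeps this runnable offline
    print(setup_mirror(FakeEC2(), "eni-SOURCE-PLACEHOLDER", "eni-TARGET-PLACEHOLDER"))
```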

The feature launched with 19 security leader partners who have integrated it into solutions available in AWS Marketplace, including IronNet Cybersecurity, a Fulton, Md., network traffic analysis solutions provider.

“The new Amazon VPC traffic mirroring capability provides the IronDefense platform with native access to critical virtual network data that allows it to seamlessly monitor network anomalies across AWS and enterprise networks to identify advanced threat actors,” Michael Ehrlich, IronNet’s chief technology officer, said in a statement. “The ability to monitor hybrid environments and automatically share IronDefense threat insights across cloud and non-cloud environments to industry peers through our unique IronDome collective defense capability enhances our ability to protect companies, industries and nations at scale.”

With VPC Traffic Mirroring, AWS is catching up to other cloud providers such as Microsoft Azure and Google Cloud, which do a better job of providing the capability, according to Ameesh Divatia, co-founder and CEO of Baffle, a Santa Clara, Calif.-based advanced data protection vendor and AWS Technology Partner.

“This is actually very useful for third parties, because now you have access to traffic from the VPC, and you are able to detect abnormal behavior using machine learning and artificial intelligence,” he said. “Overall, this is an enhancement of AWS’ commitment of providing security off the cloud.”

AWS Control Tower

AWS Control Tower, designed to help customers set up and govern multi-account AWS environments, is now generally available in AWS’ US East (N. Virginia), US East (Ohio), US West (Oregon) and Europe (Ireland) Regions.

Control Tower provides prescriptive guidance for customers on how to establish a landing zone and create workflows to provision compliant accounts, according to Schmidt.

“It integrates with IAM, our identity and access management platform, and offers pre-configured architectures for network design, cross-account logging and audit console,” he said. “Most importantly, workloads which are deployed in landing zones are continuously governed by guardrails, which are pre-packaged governance rules that you can select and apply enterprise-wide or just to a few accounts. This has been a feature request that a lot of customers have been asking for for a long time.”

Control Tower will allow managed service providers to more quickly bring customers onto the cloud and switch on their environments, according to McCann.

“Whereas in the past, you might have said, ‘I’ll get back to you in two days,’ now you can say ‘I’ll have you up and running in two hours,’” he said.

Most people may question the reach of a service like this, Nunnikhoven said, “but remember that multiple AWS accounts is a common deployment and security strategy in order to separate concerns within the organization.”

AWS Security Hub

Schmidt announced the general availability of AWS Security Hub, which gives customers a single place to manage security and compliance. It aggregates, organizes and prioritizes security alerts from multiple AWS services such as GuardDuty, Inspector and Amazon Macie, along with AWS partner solutions, and conducts continuous compliance checks.

“Your findings are visually summarized for you on an integrated dashboard with actionable graphs and tables that help you focus your investigative efforts in the right place at the right time,” Schmidt said.

Twenty-five partner integrations with Security Hub currently are available.

“You get not only alerting, but the actionable movement towards a secure environment after the alert occurs if you use a partner integration,” Schmidt said.

Security Hub will be helpful to AWS partners, according to Amit Gupta, vice president of product management for San Francisco’s Tigera, an enterprise software company providing security and compliance solutions for Kubernetes platforms.

“It works great for partners because now, at least from a customer's perspective, there's one central place where you have access to all the security telemetry data, so that is good,” he said.

But AWS’ top two competitors already have similar products – Microsoft Azure Security Center and Google Cloud Command Center, said Amith Nair, vice president of product marketing at HashiCorp, a San Francisco provider of multi-cloud infrastructure automation software and an AWS Advanced Technology Partner.

“Many customers use lots of vendors to solve different security needs, and so visibility and monitoring across all these different metrics is a constant challenge,” Nair said. “Having something like the Security Hub really helps them consolidate a lot of these challenges into one location – a single point of management and a single point of monitoring.”