AWS Marketplace
Spacelift utilizes AWS Marketplace Vendor Insights to facilitate customer transactions
In this blog post, we explore the challenge facing software buyers and sellers when gathering security and compliance information and how AWS Marketplace helps to address that challenge with its Vendor Insights feature. We also explain how software vendor Spacelift has benefited from creating a Vendor Insights profile for its SaaS product listed in AWS Marketplace.
The software purchasing risk management problem
The process of buying software requires increasing levels of due diligence and risk management. Customer procurement teams are asking prospective vendors to complete rigorous assessment exercises as part of the software product evaluation and selection process. This increased rigor has put pressure on procurement teams as they work to satisfy business-line demand for software products. Additionally, it has increased pressure on vendors who seek to meet sales goals by completing transactions as quickly as possible. For the procurement teams, this has created a process burden in which they must expend time and energy gathering and analyzing risk assessment information from potential vendors.
For software vendors, meeting buyer requests for risk assessment information is costly. They must maintain governance, risk, and compliance (GRC) staff in order to fulfill buyer requests. Those staff spend significant time responding to requests, typically via a manual approach that includes receiving questionnaires from procurement teams, populating them, and emailing them back. It is estimated that this process can add 8–10 weeks to procurement processes and carries a significant human resource cost for vendors.
AWS Marketplace understands the significance of this dynamic and has heard from both independent software vendor (ISV) partners and buyers that it is a burden they would like help with. In response, AWS Marketplace Vendor Insights was created to streamline the exchange of security and compliance information, accelerating transactions and creating a better transactional experience. The result is customers acquiring and gaining value from software more quickly and vendors experiencing shorter sales and fulfillment cycles, leading to growth opportunities.
In this blog post, we explore how Spacelift used AWS Marketplace Vendor Insights to expedite transactions with their customers and streamline their sales process. We will learn about the experiences they and their customers have enjoyed and how they’ve benefited from using this feature.
Background on Vendor Insights
To begin, let’s look at how Vendor Insights works.
Every AWS Marketplace product listing has what is known as a product detail page (PDP). That page includes details such as what the product does, pricing, product reviews, and support information.
When an ISV creates a Vendor Insights profile for their products (currently, only SaaS products are supported), a new section appears on their PDP. That Vendor Insights section provides a brief overview of the security profile and includes a link for more details. By having this content on a PDP, the Vendor Insights profile becomes an active mechanism that prospective customers can use when conducting research and due diligence on products they’re considering procuring.
The information in the publicly facing Vendor Insights security profile gives an overview but does not provide the level of detail needed to satisfy a risk assessment process. This is by design: that detail is confidential and is shared only with entities the ISV intentionally shares it with.
To that end, Vendor Insights provides a mechanism by which prospective buyers request, and ISVs grant, access to the information behind the profile. This lets the ISV evaluate each request, verify that the requester is legitimate, and, if the ISV requires one and none is already in place, execute a nondisclosure agreement with the requester before granting access.
Once access to the security profile is granted, prospective buyers retain it for a minimum of 60 days, allowing them to use the information for their risk assessment process. Access continues if a purchase is made through AWS Marketplace and will be in place until the purchase agreement expires.
When a customer is close to making a purchase decision, they typically reach out to prospective vendors as part of the risk assessment process mentioned previously. The manual effort we described then takes place. However, when an ISV has a Vendor Insights profile, and the buyer is an AWS customer, that process can take place within AWS Marketplace, eliminating the need for manual processes.
Creating a Vendor Insights security profile
A Vendor Insights profile consists of three potential components. One of these is required, two are optional.
First, the foundation of the profile (and the required element) is a self-assessment completed by the ISV, composed of 125 questions covering common security and compliance controls. These questions were selected based on their commonality and frequency among the buyers and vendors that AWS studied. This self-assessment is a one-time exercise, only needing to be updated when a control in the vendor’s production environment changes.
Second, the ISV can attach product certifications and compliance attestations to the listed SaaS product. Currently, Vendor Insights supports:
- System and Organization Controls 2 (SOC 2)
- ISO/IEC 27001
- Federal Risk and Authorization Management Program (FedRAMP)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
This step is optional, since not all SaaS products have attained these, but it is strongly encouraged: displaying them on a PDP makes the product more discoverable. This is particularly true for customers in regulated industries such as healthcare (HIPAA), federal agencies (FedRAMP), and financial services (PCI DSS), who require them of the software they purchase. Strictly speaking, HIPAA and GDPR are regulations rather than certification schemes, so what the profile shows for them is evidence of compliance rather than a certificate.
Third, and also optional at this time, is the use of AWS Config to run automated, periodic checks of 125 controls within the SaaS production environment. This option provides ISVs with the ability to demonstrate continuous compliance, creating a higher level of customer confidence in their adherence to required controls.
Background on Spacelift
Spacelift serves highly regulated global organizations and takes on the undifferentiated heavy lifting of shipping and managing complex infrastructure. When powering critical infrastructure for capital markets, exchanges, financial services, and fintechs, passing security review easily and early in the procurement process is a requirement. Vendor Insights helps Spacelift do this seamlessly.
Examples of how Vendor Insights worked for Spacelift
Let’s look at three real-life scenarios that Spacelift has experienced in using Vendor Insights to meet customer and partner needs and modernize their sales process.
First, an organization that Spacelift is creating a partnership with had asked them to complete a Vendor Risk Assessment (VRA) questionnaire. When Spacelift shared their Vendor Insights profile with this organization, the request for the VRA was rescinded and Spacelift was immediately placed on that organization’s Tier 1 vendor list. The Vendor Insights profile eliminated the need for a time-consuming VRA process and provided high credibility from the partner organization’s viewpoint.
Second, the ability to streamline the procurement process using Vendor Insights was a key element of an important customer win for Spacelift. In this scenario, the customer was in urgent need of a solution but still needed to execute a risk management process as part of procurement. By having the information the customer needed ready and available for immediate viewing in AWS Marketplace, Spacelift met both the risk assessment and speed of procurement requirements.
Third, Spacelift’s sales team has experienced greater efficiency and accelerated deal closures by adapting their sales processes to include Vendor Insights when possible. In scenarios in which customers are purchasing through AWS Marketplace, Spacelift’s sales team has been trained to route requests for security and compliance information through Vendor Insights. In these cases, they advise buyer procurement teams to use the request access feature on the Vendor Insights profile, saving several weeks when compared to the legacy approach. Spacelift’s sales team has been very happy with the ability to close deals faster by proactively sharing required data with customers via Vendor Insights.
Conclusion
In this post, we described the challenges faced by software buyers and sellers as they seek to complete security and compliance risk assessments as part of the procurement process. We discovered how AWS Marketplace Vendor Insights addresses those challenges. We also learned from software vendor Spacelift about how they have used Vendor Insights to demonstrate a strong security posture and complete transactions more quickly.