AWS Unveils Cloud Security Competency Program for MSSPs

Amazon Web Services has unveiled a revamped competency for managed security service providers (MSSPs) that is intended to make it simpler for end customers to identify AWS partners that have the most security services expertise.

As IT organizations of all sizes continue to struggle with cloud security issues, many of them are looking to AWS to identify external security expertise they can tap, said Doug Yeum, channel chief for AWS. The Level 1 Managed Security Services competency provides a starting point for customers to identify which MSSPs have attained an AWS security certification.

In addition, MSSPs that are certified will also be able to offer their services via the AWS Marketplace. “It’s an industry first,” said Yeum.

Vulnerability Scanning, DDoS, Compliance Among Competencies

The Level 1 Managed Security Services competency spans 10 specific security capabilities that cover technical and operational requirements defined by AWS security experts when, for example, employing AWS Security Hub or Amazon GuardDuty services. Those attributes include AWS infrastructure vulnerability scanning; AWS resource inventory visibility; AWS best practices for security monitoring; AWS compliance monitoring; 24/7 incident alerting and response; distributed denial of service (DDoS) mitigation; managed detection and response (MDR), and managed web application firewall, among others.

MSSPs that have already been certified by AWS include 5 Pillars, Accenture, Alert Logic, Arctic Wolf, Armor, Atos, Capgemini, Claranet, CloudHesive, Deepwatch, Deloitte, Enimbos, eSentire, IBM, Infosys, Leidos, Mission Cloud, Observian, Proficio, PwC, RedBear IT, SecureWorks, Smartronix, Sophos, Tech Mahindra, Versent and Wipro.

Cloud Misconfiguration Fixes

Customers are struggling with cloud security not because the underlying platforms are insecure. Rather, the processes used to provision infrastructure and deploy applications are often deeply flawed. It’s not uncommon for developers using tools such as Terraform to provision infrastructure as code to misconfigure cloud services in ways that leave, for example, ports open through which data can be exfiltrated.

In the wake of a series of high-profile software supply chain breaches, there’s now more focus than ever on application security. In the absence of internal application security expertise, many of those same organizations are now turning to MSSPs to help them manage application security. With the launch of a Level 1 Managed Security Services competency, AWS is now employing a certification to direct customers to specific MSSP partners.

Other Cloud Services to Follow?

It’s not clear how many MSSPs will attain that competency, but MSSP partners that receive sales leads from AWS will need to achieve that competency to maintain their relationship with AWS. The internal sales teams within AWS will be directing end customers toward MSSPs that have been certified by AWS.

Of course, the challenge is that in the age of multiple clouds, end customers will be looking for MSSPs that have expertise that is applicable to any cloud environment. As such, MSSPs could soon find themselves being required to attain certifications for each cloud environment they support.

The time, effort and cost required to attain those certifications are considerable, so the only way MSSPs can justify that investment is if those certifications actually drive additional revenue opportunities at the expense of rivals that don’t bother to become certified.

One way or another, most MSSPs should expect more cloud service providers to take a carrot-and-stick approach to ultimately force the issue.

Michael Vizard
Michael Vizard is a seasoned IT journalist, with nearly 30 years of experience writing and editing about enterprise IT issues. He is a contributor to publications including Programmableweb, Channel Insider, IT Business Edge, CIOinsight and UBM Tech. He formerly was editorial director for Ziff-Davis Enterprise, where he launched the company’s custom content division, and has also served as editor in chief for CRN and InfoWorld. He also has held editorial positions at PC Week, Computerworld and Digital Review.
