The Inner Circle

Expand all | Collapse all

Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

  • 1.  Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 04, 2020 10:25:00 AM
    I know what the definition of a CSP is, but an example where a business moves some or all of its data center apps to Azure, AWS, or some other larger CSP, could that vendor be considered a CSP who offers a SaaS service?  Their service may remain intact to their customers, but once they move it from on-prem to a CSP, doesn't that make them a "mini" CSP?

    ------------------------------
    GARY COHEN
    INFO SEC ANALYST IV
    SELF
    ------------------------------


  • 2.  RE: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 05, 2020 03:29:00 PM

    I think the answer is just "Yes", and they don't have to be that "mini", for example NetFlix was "just" an AWS customer last time I looked.

    What is the purpose you want to make a distinction for?

    Whilst a cloud usually has elements of virtualisation and dynamic scalability they aren't required, and if they were doing it without those before and they've done the migration right, they may have reduced the risks.

    https://cloudsecurityalliance.org/blog/2020/04/30/what-is-a-cloud-service-provider/



    ------------------------------
    Simon Waters
    Founder
    Insufficient Entropy
    ------------------------------



  • 3.  RE: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 07, 2020 06:43:00 AM
    Hi, Simon.  The reason I ask is that in my 3rd party assessments, some organizations consider a cloud service provider (CSP) to be large providers like Microsoft (Azure), Amazon (AWS), and Google (Google Cloud Platform).  For those CSPs, most all organizations understand the various platforms (SaaS, PaaS, and IaaS) and most have a good understanding of where the security control responsibilities lay between the CSP and the customer.  However, when a 3rd party vendor whose been serving customers from their on-prem data centers suddenly decide to move some or all those services to a large CSP (like Azure), even though the transition should appear transparent, the vendor's customers need to be informed.  I think those customers need to have a discussion with the vendor regarding who is now responsible for data protection, notifications, monitoring and reporting, etc., which may change when the vendor has moved to the CSP.  This scenario also makes the vendor appear as a "CSP", since now they've moved their services from on-prem into a cloud environment.  With my understanding, such a move may require a contract review between the vendor and customer, with the need to address those security control responsibilities for the customer's protection.  Your thoughts are appreciated.  Thank you.

    ------------------------------
    Gary Cohen
    Info Sec Analyst IV
    DISYS LLC
    ------------------------------



  • 4.  RE: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 07, 2020 09:40:00 AM
    Hi Gary,
    Yes, I believe it should be necessary to have such discussion and for those service contracts to be reviewed for transparency purposes. Such a review may prompt a reconsideration by the customers whether or not they want to "accept" the risks associated with the new service "model". And for those accepting the risks, what they need to do on their part to manage those risks.

    ------------------------------
    Michael Bayere
    Principal Officer
    CAS Assurance, LLC (CPA)
    Miramar FL
    ------------------------------



  • 5.  RE: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 08, 2020 07:50:00 AM
    The short answer is yes. CSPs include all IaaS, PaaS and SaaS providers regardless of size of the vendor.

    ------------------------------
    Jane Odero Greene
    Application Security Analyst
    Facebook
    ------------------------------



  • 6.  RE: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 08, 2020 08:36:00 AM
    Thank you Jane for your response.  Please provide your supporting statements to my argument and the more detailed reply I gave to Simon, if you please.

    ------------------------------
    Gary Cohen
    Info Sec Analyst IV
    DISYS LLC
    ------------------------------



  • 7.  RE: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 08, 2020 10:59:00 AM
    Being a CSP is irrespective to where the infrastructure services are being consumed be it the big 3 (AWS, Azure, GCP), the vendor's own data center, or another 3rd party. From a security perspective your strategy and focus should consider baseline controls based on the service model and the associated tenant responsibility for security. Whether you are considering a SaaS CSP whose service runs in AWS or another platform, you should always have a baseline for assessing the security of the service and the infra on which it is hosted and weight the outcome against your organization's risk tolerance.

    ------------------------------
    Jane Odero Greene
    Application Security Analyst
    ------------------------------



  • 8.  RE: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 08, 2020 01:40:00 PM
    Thank you Jane.  What I'm attempting to do is determine whether there's a need to clarify/define the use of the term CSP when we refer to something like Azure/AWS/GP versus a vendor who provides a service in the cloud.  Because 'CSP' seems to be an acronym that can be used to reference both examples, the security control responsibilities vary depending on who's involved in providing the cloud services.

    ------------------------------
    Gary Cohen
    Info Sec Analyst IV
    DISYS LLC
    ------------------------------



  • 9.  RE: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?

    Posted Dec 08, 2020 01:58:00 PM
    Gary, the simple answer is there is no need to make any distinction for a cloud service provider based on the criteria you're presenting. A cloud service provider is any provider who offers a service based on the cloud service models. I recommend you further read this NIST publication to get more insight nist sp 500 291

    ------------------------------
    Jane Odero Greene
    Application Security Analyst
    ------------------------------