Hi, Simon. The reason I ask is that in my 3rd party assessments, some organizations consider a cloud service provider (CSP) to be large providers like Microsoft (Azure), Amazon (AWS), and Google (Google Cloud Platform). For those CSPs, most all organizations understand the various platforms (SaaS, PaaS, and IaaS) and most have a good understanding of where the security control responsibilities lay between the CSP and the customer. However, when a 3rd party vendor whose been serving customers from their on-prem data centers suddenly decide to move some or all those services to a large CSP (like Azure), even though the transition should appear transparent, the vendor's customers need to be informed. I think those customers need to have a discussion with the vendor regarding who is now responsible for data protection, notifications, monitoring and reporting, etc., which may change when the vendor has moved to the CSP. This scenario also makes the vendor appear as a "CSP", since now they've moved their services from on-prem into a cloud environment. With my understanding, such a move may require a contract review between the vendor and customer, with the need to address those security control responsibilities for the customer's protection. Your thoughts are appreciated. Thank you.
------------------------------
Gary Cohen
Info Sec Analyst IV
DISYS LLC
------------------------------
Original Message:
Sent: Dec 05, 2020 03:29:14 PM
From: Simon Waters
Subject: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?
I think the answer is just "Yes", and they don't have to be that "mini", for example NetFlix was "just" an AWS customer last time I looked.
What is the purpose you want to make a distinction for?
Whilst a cloud usually has elements of virtualisation and dynamic scalability they aren't required, and if they were doing it without those before and they've done the migration right, they may have reduced the risks.
https://cloudsecurityalliance.org/blog/2020/04/30/what-is-a-cloud-service-provider/
------------------------------
Simon Waters
Founder
Insufficient Entropy
Original Message:
Sent: Dec 04, 2020 10:24:34 AM
From: GARY COHEN
Subject: Can 3rd party vendors be considered Cloud Service Providers (CSPs) if they offer SaaS services on Azure, AWS, or another large CSP?
I know what the definition of a CSP is, but an example where a business moves some or all of its data center apps to Azure, AWS, or some other larger CSP, could that vendor be considered a CSP who offers a SaaS service? Their service may remain intact to their customers, but once they move it from on-prem to a CSP, doesn't that make them a "mini" CSP?
------------------------------
GARY COHEN
INFO SEC ANALYST IV
SELF
------------------------------