Great question!
AFAIK this refers to a situation such as the following.
Consumer procures SaaS services. The SaaS provider is running their workloads on an infrastructure provider, or has their hardware in a colo.
The Consumer is accountable for all controls, including software security as well as e.g. datacenter controls. It does not implement all of them, but 'inherits' most from a provider. In the example that could be the SaaS provider or the colo.
The compliance paperwork should show that trail; elsewhere it is called 'compliance inheritance'.
Physical building access control is an example.
BTW, it seems that even hyperscalers use colo here and there.
Does this answer your question?
------------------------------
Peter HJ van Eijk
CCSK & CCAK trainer
https://www.clubcloudcomputing.com/
------------------------------
Original Message:
Sent: Aug 27, 2024 02:18:26 AM
From: Masahiro Morozumi
Subject: Question of Study Guide, Chapter 2
I have a question about Chapter 2 of the CCAK Study Guide.
In 2.3.2 "Geographic and Organization Structure Considerations (Page 108)", it said "The cloud customer inherits certain controls from the CSP directly or through a third-party organization, such as a colocation vendor or IT services provider."
Could you tell me who the "colocation vendor and IT services provider" are?
My understanding of a "colocation vendor" is that it provides space in a data center to customers. I do not know why a "colocation vendor" relates to compliance for the CSC.
Regards,
- Morozumi
------------------------------
Masahiro Morozumi
Director
CSA Japan Chapter
------------------------------