What is a Cloud Service Provider?

By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance

Defining what is a Cloud Service Provider is not as easy as one might think, especially if you are an enterprise organization wondering if your vendors are servicing you from the cloud or not.

A cloud service provider, or CSP, is a company that offers some component of cloud computing; typically when you search the internet a cloud service is defined as, infrastructure as a service (IaaS), software as a service (SaaS) or platform as a service (PaaS) to other businesses or individuals. We know the usual suspects; Microsoft Azure, AWS and Google Cloud, but it is not always that simple.

A refined more adequate definition would be “A Cloud Service is any system that provides on-demand availability of computer system resources, e.g; data storage and computing power, without direct active management by the user”. While this may seem a bit broad that is because it should be. Cloud services come in many forms and sizes even to the point where it may not be exactly clear to the average user, if their vendor or supplier should technically be classified as a cloud service provider or not.

What are the benefits of using a Cloud Service Provider? What does it look like to leverage one for cloud services?

One benefit of using cloud computing services is that firms can avoid the upfront cost and complexity of owning and maintaining their own IT infrastructure, and instead simply pay for what they use, when they use it.

Today, rather than owning their own computing infrastructure or data centers, companies can rent access to anything from applications to storage. What that means is that if you have a supplier that handles and processes your companies healthcare data for instance, they may in fact be storing and processing your information in the cloud, either by outsourcing services or in some cases using an internal cloud or “private cloud” that they developed themselves by implementing it within the organization's dedicated resources, and infrastructure using “on-prem” services.

To add another twist, in other cases organizations may be using a diversified approach or “Hybrid Cloud” where they utilize both a private and public approach.

Let’s look at a simple use case example:

A large global bank has built their own private cloud. They wanted to take advantage of benefits of cloud computing like

• Rapid and simple deployment
• Less time to market for services
• Cost efficiency
• More utilization of server resources
• Less capital and operational costs
• This is managed by ABC bank Cloud datacenter services
• Better perceived security by managing and controlling it internally

However, one question they had was what if due to some natural disaster or a fire accident they lose their datacenter? They can’t afford to lose their data. They wanted a Disaster recovery solution, which would simply replicate all their data and services somewhere else. So, they outsourced services in a public cloud using AWS infrastructure so now they have the best of both worlds.

How do you define your supplier as a cloud service or not?

So, having said all that, we come to the question, how do you define your supplier as a cloud service or not? Well, think of it this way: the basic concept behind the cloud is that the location of the service, and associated processes and assets such as the hardware and operating system(s) and/or applications on which it is running, are largely immaterial to the user. They may have a separate business unit that is a private cloud that is dedicated to serving the entire internal organization, they may use a 3rd party service like AWS or Azure and in some cases may use both. In any event they are servicing you from the cloud and you should expect that they have cloud specific controls like the CSA Cloud Control Matrix (CCM) to address the applicable scope of service and to mitigate the associated risks.

How do you ensure your CSP is secure?

It would be prudent to require that your CSP submit a self-assessment against the CCM’s extended question set, the Consensus Assessment Initiative Questionnaire (CAIQ) or what is better known as CSA Security Trust Assurance and Risk (STAR) STAR Level 1 and is the first of three levels of transparency and Assurance provided by the STAR Program.

The CAIQ offers an industry-accepted way to document what security controls exist in cloud services, providing security control transparency and to some extent assurance. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix (CCM). Therefore, it helps cloud customers to gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure. CSA took into account the combined comprehensive feedback that was collected over the years from its partners, industry experts and the CCM working group. It allows the cloud user to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experience and because it is posted on the STAR public registry and updated on a regular basis, you can easily monitor the provider’s ongoing compliance posture providing a higher level of peace of mind for the user. Because the CCM aligns itself with over 40 of the leading standards and regulations, it basically eliminates the need for any other questioner.

If you would like discuss this subject in more detail with one of our experts or find out more about the STAR Program, contact us at [email protected] and visit the dedication website at https://cloudsecurityalliance.org/star/