{"id":5013,"date":"2019-03-18T14:11:57","date_gmt":"2019-03-18T14:11:57","guid":{"rendered":"http:\/\/dev1.replior.mobi\/?p=5013"},"modified":"2019-03-18T14:11:57","modified_gmt":"2019-03-18T14:11:57","slug":"the-dichotomy-of-a-service-provider","status":"publish","type":"post","link":"https:\/\/complior.se\/en\/the-dichotomy-of-a-service-provider\/","title":{"rendered":"The Dichotomy of a Service Provider"},"content":{"rendered":"

Dichotomy: Stemming from the 17<\/em>th<\/sup><\/em> Century Greek word Dicho- (Duality) -Tomia (incision, cutting) means: A division into two parts or classifications, esp. when they are sharply distinguishable or opposed. (wordreference.com)<\/em><\/p>\n\n\n\n

An Introduction of Cloud Service Provider Actors, Approach, and Gray Areas<\/strong><\/h2>\n\n\n\n

This is the first of a series of posts about the mutual relationship between a Cloud Service Provider (SP) and its customers, within the realm of PCI-DSS.<\/p>\n\n\n<\/p>\n\n\n

As a QSA and a former PCI DSS compliance manager at one of the biggest PCI DSS certified level 1 SPs in Sweden, I have often experienced the challenges that the mutual responsibilities of a SP and a customer present, from both perspectives.<\/p>\n\n\n\n

As a PCI DSS compliance manager, I had to deal with:<\/h3>\n\n\n\n
    \n
  1. My company System engineers<\/li>\n\n\n\n
  2. My company management<\/li>\n\n\n\n
  3. My company QSA<\/li>\n<\/ol>\n\n\n

     <\/p>\n

     <\/p>\n\n\n

    For my company audit:<\/h4>\n\n\n\n
      \n
    1. Customer System engineers<\/li>\n\n\n\n
    2. Customer management<\/li>\n\n\n\n
    3. Customer QSA<\/li>\n<\/ol>\n\n\n<\/p>\n\n\n

      There are at least six different actors working toward one goal for a normal customer\u2019s audit: the compliance of the customer.<\/p>\n\n\n\n

      In the next posts I will dig into the technical and governance nuances involved, detailing who is who and who does what. For now, let\u2019s just assume that a common approach is to establish a mutual responsibilities Matrix between a customer and service provider similar to the one depicted in the PCI SSC council supplement for cloud guidelines<\/a>, based on the kind of service(s) that the SP provides to the customer. Such a matrix is a crucial part of the audit since it depicts which requirements are applicable.<\/p>\n\n\n\n

      The Matrix is often very technical and detailed. The more detailed it is, the clearer the role of the actors involved becomes and the easier the audit. Yes, it is a large task that requires periodic tweaking and tuning according to the agreement between the SP and the customer.<\/p>\n\n\n\n

      Depending on the agreement, there might be five different scenarios for each sub requirement of PCI DSS compliance:<\/p>\n\n\n\n