GLOSSARY

ABAC (attribute-based access control) An access control scenario that grants users access rights based on policies that combine attributes. It considers the attributes of an entity and the connection in making access control decisions. For example, a user who used multifactor authentication (MFA), which requires two or more authentication factors, may be granted additional access, while a user who did not use MFA would be granted less.

Amazon Simple Storage Service (S3) A form of storage for use on the Web that provides scalability, data availability, security, and performance and enables you to retrieve any amount of data at any time.

API (application programming interface) A protocol that exposes functionality through an interface to simplify the receipt of requests and delivery of responses. The two major types of APIs are Representational State Transfer (REST) and Simple Object Access Protocol (SOAP).

attestation A formal statement that is officially claimed to be true. Attestations are legally binding. Provider attestations are part of a Service Organization Control 2 (SOC 2) report, for example, indicating a third-party, independent assessment of the security of a cloud service provider.

auto-scaling A method used in the cloud, whereby the amount of computational resources in a server farm, typically measured in terms of the number of active servers, scales automatically based on current load.

automation The processes and tools an organization uses to reduce the manual efforts associated with provisioning and managing cloud computing workloads.

availability zone An isolated data center within a geographical region from which public cloud services originate and operate.

AWS (Amazon Web Services) A public cloud service created and maintained by Amazon that offers compute power, database storage, content delivery, and other functionality to help businesses scale and grow.

Azure A cloud service created by Microsoft for building, testing, deploying, and managing applications and services through a global network of Microsoft-managed data centers.

bastion virtual network An emerging architecture for hybrid cloud connectivity. It can also be used to manage connectivity across multiple accounts in the same cloud provider environment while maintaining a single network connection back to a data center.

broad network access Resources hosted in a cloud environment that are available for access from a wide range of locations and devices. It is an essential characteristic of cloud computing.

CAIQ (Consensus Assessments Initiative Questionnaire) A survey for cloud consumers and auditors provided by the Cloud Security Alliance to assess the security capabilities of a cloud provider.

CASB (cloud access security broker) A software service or appliance that is deployed between an organization’s on-premises infrastructure and a cloud provider’s infrastructure. A CASB acts as a control primarily for Software as a Service (SaaS) and enables the organization to extend the reach of its security policies beyond its own infrastructure.

CCM (Cloud Controls Matrix) A set of security controls created by the CSA that provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

CCSK (Certificate of Cloud Security Knowledge) A certification used to validate that a professional has a broad foundation of knowledge about cloud security, with topics such as architecture, governance, compliance, operations, encryption, virtualization, and much more.

CCSP (Certified Cloud Security Professional) A certification used to validate that cloud security professionals have the required knowledge, skills, and abilities in cloud security design, implementation, architecture, operations, controls, and compliance with regulatory frameworks.

chaos engineering A testing methodology by which the interrelationships between components in a system are tested by simulating failures in components and studying what knock-on effect occurs throughout the system. It is used to instill the requirement for resiliency in the development phase.

chargeback Also known as IT chargeback. An accounting strategy that applies the costs of IT services, hardware, or software to the business unit in which they are used.

CI/CD (continuous integration/continuous deployment) A set of tools often used with DevOps to establish a consistent and automated way to build, package, and test applications. Also referred to as continuous integration/continuous delivery, depending on the target environment (development or production).

cloud account Any type of account, personal or business, with a cloud service provider.

cloud broker An entity that manages the use, performance, and delivery of cloud services and that negotiates relationships between cloud providers and cloud consumers.

cloud bursting An application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud when the demand for computing capacity spikes.

cloud firewall Also known as a security group. Policy sets that define ingress and egress rules that can apply to single assets or groups of assets, regardless of network location. Additionally, a cloud firewall can apply to assets based on more flexible criteria than hardware-based firewalls, because they aren’t limited to physical topology.

community cloud A cloud service deployment model that provides a cloud computing solution to a limited number of individuals or organizations and that is governed, managed, and secured commonly by all the participating organizations or a third-party managed service provider. All members of a community cloud share similar security and compliance requirements.

configuration management tool A tool used to establish and maintain consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.

container A logical packaging mechanism in which applications can be abstracted from the environment in which they run. This decoupling enables container-based applications to be deployed easily and consistently, regardless of whether the target environment is a private data center, the public cloud, or even a developer’s personal laptop. Containers can help address portability in cloud environments.

continuous integration server A tool used to support the practice of integrating software very often, typically with any change to an artifact in the source repository. Any time a team member commits a change to the repository, continuous integration can be used to ensure that any change passes a series of tests and that the software can be successfully built, tested, and deployed.

controller Also known as cloud controller. A service that helps manage or orchestrate cloud operations. For instance, if a user were to make a request (for example, request an instance), the cloud controller processes the request and sends it to the appropriate destination, overseeing the process to completion.

CSA (Cloud Security Alliance) The world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

CSP (cloud service provider) A company that offers some component of cloud computing—typically Infrastructure as a Service (IaaS), Software as a Service (SaaS), or Platform as a Service (PaaS)—to other businesses or individuals.

custodian Also known as a data custodian. In IT, an entity that is responsible for the safe custody, transport, and storage of data and implementation of business rules. In other words, a custodian is in charge of the technical environment and database structure to protect end-user data.

customer managed key An encryption key that is managed by a cloud customer, while the cloud provider manages the encryption engine.

DAM (database activity monitor) A suite of tools that can be used to support the ability to identify and report on fraudulent, illegal, or other undesirable behavior, with minimal impact on user operations and productivity. It performs this activity via inspection of SQL code and can therefore be considered a layer 7 firewall for SQL.

DAST (dynamic application security testing) A process of testing an application or software product in an operating state. This kind of testing is helpful for industry-standard compliance and general security protections for evolving projects.

data Information processed or stored by a computing device, which may be in the form of text documents, images, audio clips, software programs, or other types of media.

data dispersion A process that permits data to be replicated throughout a distributed storage infrastructure. It enables a service provider to offer storage services based on the level of the user’s subscription or the popularity of the item. It can be thought of as a form of redundant array of independent disks (RAID), but with multiple servers involved.

dedicated hosting A type of Internet hosting in which the client leases an entire server that is not shared with anyone else. This is more flexible than shared hosting, as organizations have full control over the server(s), including the choice of operating system, hardware, and more.

deployment model A model that represents a specific type of cloud environment, primarily distinguished by ownership, size, and access. Four common cloud deployment models are public cloud, community cloud, private cloud, and hybrid cloud.

DevOps A software engineering culture and practice that aims at unifying software development (Dev) and software operation (Ops). The main characteristic of the DevOps movement is to advocate automation and monitoring at all steps of software construction, from integration, testing, and releasing, to deployment and infrastructure management.

DevSecOps A practice that strives to automate core security tasks by embedding security controls and processes into the DevOps workflow.

Direct Connect A service offered by AWS that enables private connectivity between AWS and your data center, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. Microsoft Azure ExpressRoute and Google Cloud Dedicated Interconnect products are similar.

DLP (data loss prevention) A strategy for ensuring that end users do not send sensitive or critical information outside the corporate network. Also used to describe software products that help a network administrator control what data end users can transfer.

EC2 (Elastic Compute Cloud) A web service offered by Amazon that provides secure and resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

e-discovery The electronic aspect of identifying, collecting, and producing electronically stored information (ESI) in response to a request for production in a lawsuit or investigation. ESI includes, but is not limited to, e-mails, documents, databases, voicemail, social media, and web sites.

elasticity The ability of a cloud service provider to provide on-demand offerings by nimbly switching resources when demand goes up or down. It is often an immediate reaction to clients’ dropping or adding services in real time.

ENISA (European Network and Information Security Agency) An organization that enhances the cybersecurity prevention work and capability of the European Union and its member states and, as a consequence, the entire business community, to prevent, address, and respond to network and information security challenges.

entitlement The mapping of an identity (such as roles, personas, and attributes) to an authorization. In other words, an entitlement indicates what a unique user identity is allowed (and not allowed) to do with specific resources or systems. For documentation purposes, we keep these in an entitlement matrix.

entitlement matrix A document that outlines the various resources and functions allowed to be used by specific users, groups, and roles.

ephemeral Describes something that will change rapidly or last for a very short amount of time. For instance, ephemeral storage is not written to disk for long-term storage.

essential characteristics The characteristics that make a cloud a cloud: the essential characteristics are resource pooling, on-demand self-service, broad network access, rapid elasticity, and measured service. If something has these characteristics, we consider it cloud computing, and if it lacks any of them, it is likely not a cloud.

event-driven security A type of security system that triggers actions automatically in response to a security event. This type of security can define events that will generate security actions and use the event-driven capabilities to trigger automated notification, assessment, remediation, or other security processes. Certain cloud providers support event-driven code execution. In these cases, the management plane detects various activities that can in turn trigger code execution through a notification message or via serverless hosted code.

federated identity Also known as federation. The practice of interconnecting the cloud computing environments of two or more service providers for the purpose of load balancing traffic and accommodating spikes in demand.

FedRAMP (Federal Risk and Authorization Management Program) An assessment and authorization process that US agencies have been directed to use by the Office of Management and Budget to ensure that security is in place when accessing cloud computing products and services.

GDPR (General Data Protection Regulation) A regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

HSM (hardware security module) A physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. An HSM traditionally comes in the form of a plug-in card or an external device that attaches directly to a computer or network server.

hybrid cloud A composition of two or more clouds (such as private and public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models. It can also be used to refer to a traditional data center and a public cloud.

hypervisor Computer software, firmware, or hardware that creates and runs virtual machines.

IaaS (Infrastructure as a Service) A cloud computing service model. An IaaS cloud provider will host the infrastructure components traditionally found in an on-premises data center, including servers, storage, and networking hardware, as well as the virtualization or hypervisor layer. In this service model, the customer assumes the most responsibility for security.

IAM (identity and access management) The security and business discipline that addresses the need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements.

IAST (interactive application security testing) A testing process that analyzes the behavior of an application in the testing phase, using a combination of RASP (runtime application self-protection) and DAST (dynamic application security testing), to aid in identifying vulnerabilities within an application, enabling developers to reduce risk during the development process.

IdEA (identity, entitlement, and access) management A solution that leverages directory services to provide access control, giving the right users access to the resources they are allowed to access at a particular time.

identity provider (IdP) A system entity that enables organizations to create and maintain identity information for individuals across a wide range of online services or applications that require user identification.

image A copy made available to a consumer supplied by a provider, or a previously created image used to build server instances.

immutable An object whose state cannot be changed after it is created. In the cloud, an immutable infrastructure means that servers are not altered after they are deployed. If anything needs to be changed, a new server instance will be made from a similar image and the changes will be applied accordingly and then redeployed.

infostructure Any structured or unstructured data that is stored in a cloud environment.

infrastructure The moving parts that serve as the foundation of a computing system, often consisting of compute, network, and storage; it is owned by the provider in a public cloud.

instance A server running an image of your server, for which you have complete responsibility with regard to maintenance and ensuring secure operation.

interoperability The ability for multiple instances to work at the same time without any restrictions.

ISO/IEC (International Standards Organization/International Electrotechnical Commission) A technical committee that develops, maintains, and promotes a series of IT standards, such as ISO/IEC 27001 and ISO/IEC 27017.

isolation A practice that ensures that processes in one virtual machine or container cannot be visible to another. It allows for multiple tenants to reside on the same infrastructure.

jump kit A set of software tools used for incident response in cloud environments.

jurisdiction Determines applicable laws based on geographic location.

KMS (key management system) A system that manages keys within a cryptosystem; it deals with the generation, exchange, storage, replacement, use, and destruction of cryptographic keys.

Lambda A platform offered by Amazon Web Services as an event-driven, serverless computing platform. Microsoft Azure and Google Cloud Functions are competing serverless computing products.

load balancing A process that distributes workloads across multiple computing resources. Often available as an application or network load balancer service.

management plane The element of a system that controls the management of infrastructure, platforms, applications, and resources through the use of API calls and web consoles.

measured service A process by which the cloud provider measures and monitors a system to ensure that users consume only what they are allowed to consume and, if required, are billed for it.

metadata Information about other data, typically used for discovery and identification.

metastructure Protocols and mechanisms that provide the interface between the infrastructure and other layers within the system.

MFA (multifactor authentication) A process whereby the user needs to confirm their identity through the use of two or more authentication factors, such as something you know (password), something you have (smart ID card), or something you are (biometrics).

microservices Also known as microservice architecture. A method of developing software applications as a suite of individual and independent services.

migration The process of moving from one system to another—for example, moving processes from a data center to the cloud.

multitenancy A mode of operation in which multiple individual tenants (such as companies in a public cloud) are operating in a shared environment. The tenants are logically isolated but physically integrated.

NIST 800-53 A guideline created by the National Institute of Standards and Technology (NIST) regarding the security and privacy controls for federal information systems and organizations.

NIST 800-61 A guideline created by the National Institute of Standards and Technology (NIST) regarding computer security incident handling (incident response).

NIST 800-145 A document in which the National Institute of Standards and Technology (NIST) defines cloud computing.

OAuth protocol An industry standard for authorization, which handles authorization for web, desktop, mobile, and Internet of Things (IoT) devices.

on-demand The ability to provision computing capabilities automatically and unilaterally without any human interaction.

OpenFlow A software defined networking (SDN) communications protocol that enables network controllers to determine the path of network packets across a network of switches.

OpenID An open source standard that enables users to sign into multiple web sites using a single existing account, without requiring new passwords. It can provide authentication on top of OAuth authorization capabilities. The latest version is OpenID Connect (OIDC).

orchestration The ability to automatically arrange, coordinate, and manage computer systems.

PaaS (Platform as a Service) A cloud computing service model. This complete development and deployment environment in the cloud is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating. It enables you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications.

packet encapsulation A method for designing modular communication protocols in which logically separate functions in a network are abstracted from their underlying structures by inclusion or hiding information within higher-level objects.

pools A set of resources ready to be used at any time. In cloud computing, resource pools usually focus on compute, network, storage, and container pools.

portability The ability to reuse or move applications and/or systems from one environment to another.

private cloud A cloud infrastructure operated solely for one organization that is managed either by the organization or by a third party and is either on or off premises.

public cloud A cloud infrastructure owned by an organization selling cloud services to a large number of users.

RASP (runtime application self-protection) A security technology that works to detect and protect against application attacks in real time.

raw storage Storage directly connected to a virtual machine that is generally not available in the public cloud.

RBAC (role-based access control) A method of access security that determines the access an individual is granted based on their role in the organization.

region The jurisdiction in which the workload will operate, which is typically user-defined within your cloud provider’s settings.

relying party The system that relies on an identity assertion from an identity provider.

resiliency The ability for a cloud provider to maintain operations while facing challenges. This is done through the use of another redundant set of IT resources in the same cloud.

RESTful (Representational State Transfer) API An application programming interface that uses HTTP requests to GET, PUT, POST, and DELETE data.

SaaS (Software as a Service) A cloud-based software solution and service model in which the provider assumes the most responsibility for security.

SAML (Security Assertion Markup Language) An OASIS open standard that defines an XML framework supported by both enterprise tools and cloud providers to federate identity management. It supports both authentication and authorization and creates assertions between an identity provider and a relying party.

SAST (static application security testing) A white-box testing tool that determines security vulnerabilities from the inside-out by examining the source code of an application. SAST can be used at all points of the software development lifecycle (SDLC).

SCIM (System for Cross-domain Identity Management) A standard that allows for the automation of user provisioning, communicating user identity data between identity providers and service providers, and requesting user identity information. Note that SCIM is used for provisioning, not for federation.

SDI (software defined infrastructure) Also known as infrastructure as code (IaC). A process for automating deployment of a virtual infrastructure using templates.

SDLC (software development lifecycle) A framework that outlines the tasks and responsibilities that must take place during software development.

SDN (software defined networking) The process of disassociating network packets from the control plane, improving network performance and monitoring. Serves as the foundation of an automated network environment.

SDN firewall Also known as a security group in an IaaS environment. A software defined networking (SDN)–based firewall that works as a packet filter and a policy checker. Firewall rules can be applied to a single asset or a group of assets—for example, firewall rules may apply to any asset with a particular tag.

SDP (Software Defined Perimeter) An approach that combines a device and user authentication to dynamically enable network access to resources and to enhance security.

SecaaS (Security as a Service) A security-focused SaaS product that can be used to protect cloud and traditional IT assets. It enables you to enforce your policy on all desired systems, regardless of their physical locations.

security group Defines network rules regarding how an instance handles incoming and outgoing traffic, with rules applied similarly to an SDN firewall.

segmentation The division of a server’s memory into different parts to separate systems and applications from one another.

segregation A process by which a cloud provider divides up resources among different groups.

self-service A process that enables access to physical or virtual resources as needed without having to interact with a human.

serverless computing A model in which the cloud provider runs and manages the server, enabling users to run all or some of an application stack within a cloud provider’s environment without the users having to manage any operating systems or containers.

service model The different fundamental categories of cloud services: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

SIEM (security information and event management) An approach to system log and event data management from virtual and real networks as well as applications and systems, which analyzes the system or network to provide real-time reporting and alerting on information or events that require action.

SOAP (Simple Object Access Protocol) A web-based API based on a lightweight XML-based protocol for exchanging information.

SOC (Service Organizational Control) An attestation engagement standard by the American Institute of CPAs (AICPA) that is used by many providers to demonstrate controls in place. Multiple SOC reports include SOC 1 (Internal Controls over Financial Reporting), SOC 2 (Trust Services Criteria), and SOC 3 (redacted SOC 2). Note that SOC is undergoing a name change to System and Organizational Controls.

software defined security A security model in which security processes run in an automated fashion.

SOX (Sarbanes-Oxley) An auditing law passed by the US Congress that is used for publicly traded companies in the United States. Its main focus is to protect investors from fraudulent financial reporting by maintaining internal control over financial reporting from a cloud perspective. Many of the SOX compliance activities relate to application security controls (applistructure).

SSAE 16/18 An audit standard by the American Institute of CPAs that is used to perform SOC attestation engagements.

SSO (single sign-on) An access control system that allows for the use of a single ID and password to gain access to a service. Examples of SSO technologies include Kerberos and Security Assertion Markup Language (SAML), the latter used to perform federation with cloud service providers.

STAR (Security Trust Assurance and Risk) A Cloud Security Alliance (CSA) repository that can be used to perform due diligence of potential cloud service providers (CSPs). Entries include self-assessments, which are vendor-supplied responses to the CSA’s Consensus Assessment Initiative Questionnaire (CAIQ). CSPs may also list third-party assessment–based certifications based on ISO standards and attestations based on AICPA SOC reports.

storage gateway Also known as hybrid storage gateway. An on-premises storage appliance (virtual or physical) that can interconnect local and cloud storage. A gateway can perform actions such as de-duplication, compression, encryption, and so on.

tag Also known as resource tag. Consists of a name/value pair and is used in cloud services to identify and perform actions on individual resources or a collection of resources.

TDE (Transparent Database Encryption) A database encryption system that encrypts a whole database at the file level as a means to support encryption-at-rest compliance for database files.

treaties A formally concluded and ratified agreement between countries. Applicable treaties for cloud discussion include US/EU Safe Harbor and its replacement, EU/US Privacy Shield, which provides companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

version control repository A storage location for software projects that supports multiple versions of software to facilitate easy rollback and other functionality. Often available in both public and private deployment models. Public repositories have been used to uncover corporate credential files (such as access keys).

virtualization A system that abstracts hardware from guest operating systems. Virtualization allows for multiple virtual machines (aka guest operating systems) to run in an isolated fashion on the same physical server.

VLAN (virtual local area network) A group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire (such as the same broadcast domain), when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.

VM (virtual machine) A software program or an operating system that not only exhibits the behavior of a separate computer but is also capable of performing tasks such as running applications and programs like a separate computer. A VM, usually known as a guest, is created within another computing environment, referred to as a host. Multiple VMs can exist within a single host at one time. In a cloud environment such as AWS, these VMs are referred to as instances.

volatile memory Computer storage that maintains its data only while the device is powered on. Of most significance from a security perspective, volatile memory can hold cryptographic keys and unencrypted data.

VPC (virtual private cloud) A pool of shared resources in the cloud that lets you provision a logically isolated section, where you can launch resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

WAF (web application firewall) A firewall that filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter based on the content of HTTP traffic, while regular firewalls restrict traffic based on IP address and port. A WAF can be traditional or cloud based.

workload In computing, the amount of processing that the computer has been given to do at a given time. The workload consists of some amount of application programming running in the computer and usually some number of users connected to and interacting with the computer’s applications.

XACML (eXtensible Access Control Markup Language) A standard that defines a declarative fine-grained, attribute-based access control policy language; an architecture; and a processing model describing how to evaluate access requests according to the rules defined in policies.
