Appendix A

Glossary

access control:
the sum of all the technologies, processes, and personnel that are responsible for controlling access to resources
account deprovisioning:
the process of removing access and disabling an account when a user no longer requires access to cloud resources
account hijacking:
an occurrence when an unauthorized party gains access to and takes over a privileged account
account provisioning:
the process of creating user accounts and enabling access to cloud resources
address allocation:
the process of assigning one or multiple IP addresses to a cloud resource; this can be done either statically or dynamically
adverse event:
an event that comes with negative consequences
aggregate risk:
the combined risk of multiple individual security flaws or vulnerabilities
agile:
an SDLC methodology in which development and testing activities occur simultaneously, cyclically, and iteratively
anonymization:
the process of removing information that can be used to identify a specific individual from a dataset
Application Programming Interface (API):
a software-to-software communication link that allows two applications, such as a client and a server, to interact with one another over the Internet
application virtualization:
the process of encapsulating (or bundling) an application into a self-contained package that is isolated from the underlying operating system on which it is executed
applistructure:
includes the applications that are deployed in the cloud and the underlying services used to build them
Artificial Intelligence (AI):
the field devoted to helping machines process things in a smart manner; AI involves giving machines the ability to imitate intelligent human behavior
asymmetric-key (public-key) encryption:
a form of encryption that operates by using two keys — one public and one private
audit planning:
conducted at the very beginning of the audit process and includes all the steps necessary to ensure the audit is conducted thoroughly, effectively, and in a timely fashion
audit report:
a set of documents and artifacts that describe the findings from an audit and explain the audit’s opinion of the system that was examined
audit scope:
a set of statements that identifies the focus, boundary, and extent of an audit
audit scope restrictions:
a set of restrictions on what an auditor may and may not audit
authentication:
the process of validating a user’s identity
authenticator:
things used to verify a user’s identity
authorization:
the process of granting access to a user based on their authenticated identity and the policies you’ve set for them
availability:
security principle focused on ensuring that authorized users can access required data when and where they need it
availability management:
the process of ensuring that the appropriate people, processes, and systems are in place in order to sustain sufficient service availability
bandwidth allocation:
the process of sharing network resources fairly between multiple users that share the cloud network
bastion host:
a system that runs outside your security zone that is generally designed to serve a single purpose (such as connecting to the management zone) and has been extremely hardened for enhanced security
black box testing:
a software testing method in which the internal design of the component being tested is not known by the tester
blockchain:
a string of digital information that is chained together by cryptography; each block of information contains a cryptographic hash of the previous block, transaction data, and a timestamp
breakout attack:
a hypervisor security flaw that can allow one guest to break out of their virtual machine and manipulate the hypervisor in order to gain access to other cloud tenants
broad network access:
the cloud characteristic that suggests that cloud computing should make resources and data ubiquitous and easily accessed when and where they’re required
broken authentication:
a vulnerability that allows an attacker to capture or bypass an application’s authentication mechanisms; broken authentication allows the attacker to assume the identity of the attacked user, thus granting the attacker the same privileges as that user
Building Management System (BMS):
a hardware and software control system that is used to control and monitor a building’s electrical, mechanical, and HVAC systems
business continuity (BC):
the policies, procedures, and tools you put in place to ensure critical business functions continue during and after a disaster or crisis
canadian digital privacy act:
a 2015 Canadian regulation that served as a major update to the long-standing Personal Information Protection and Electronic Documents Act (PIPEDA)
capacity management:
the process of ensuring that the required resource capacity exists, at all times, to meet or exceed business and customer needs, as defined in SLAs
cardholder data:
a specific subset of PII that is related to holders of credit or debit cards
chain of custody:
the process of maintaining and documenting the chronological sequence of possession and control of physical or electronic evidence, from creation until its final use (often presentation in court)
change management:
an IT discipline focused on ensuring that organizations employ standardized processes and procedures to make changes to their systems and services
checksum:
a value derived from a piece of data that uniquely identifies that data and is used to detect changes that might have been introduced during storage or transmission
cia triad:
the three primary security principles: confidentiality, integrity, and availability
client-side kms:
a key management service that is provided by the CSP, but the customer generates, holds, and manages the keys
cloud access security broker (CASB):
a software application that sits between cloud users and cloud services and applications, while actively monitoring all cloud usage and implementing centralized controls to enforce security
cloud application:
an application that is accessed via the Internet rather than installed and accessed locally
cloud auditor:
a cloud service partner who is responsible for conducting an audit of the use of cloud services; the audit may be for general security hygiene, but is often for legal or compliance purposes
cloud service:
capabilities made available to a cloud user by a cloud provider through a published interface (a management console or command line, for example)
Cloud Controls Matrix (CCM):
a meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations; published by the Cloud Security Alliance
cloud data portability:
the ability to easily move data from one cloud provider to another
cloud deployment model:
the way in which cloud services are made available through specific configurations that control the sharing of cloud resources with cloud users; the cloud deployment models are public, private, community, and hybrid
cloud resources:
compute, storage, and networking capabilities that a cloud provider shares with a cloud user
cloud service broker:
a cloud service partner who negotiates relationships between cloud service providers and cloud service customers
cloud service category:
a collection of cloud services that share a common set of features or qualities; cloud service categories are labelled XaaS (where “X” can be anything, and “aaS” stands for “as a Service”); the most common cloud service categories are IaaS, PaaS, and SaaS
cloud service customer:
a person or group that is in a business relationship to provision and use cloud services from a cloud service provider
cloud service customer data:
any data objects under the control of the cloud service customer that were input to the cloud service by the cloud customer or generated by the cloud service on behalf of the cloud customer
cloud service derived data:
any data objects under the control of the cloud service provider that were derived by interaction of the cloud customer with the cloud service; may include access logs, utilization information, and other forms of metadata (or, data about data)
cloud service partner:
a person or group that supports the provision, use, or other activities of the cloud service provider, the cloud service customer, or both
cloud service provider (CSP):
an entity making cloud services available for use
cloud service provider data:
any data objects related to the operation of the cloud service that are fully under the control of the cloud service provider; may include cloud service operational data, information generated by the cloud service provider to provide services, and similar data not owned or related to any specific cloud customer
cloud service user:
a person or entity (which may be a device, for example) that uses cloud services on behalf of the cloud service customer
colocation datacenter:
a shared datacenter that leases out equipment and bandwidth to companies
common criteria:
a set of guidelines that establishes processes for products to be evaluated by independent laboratories to determine their level of security
community cloud:
a cloud deployment model where cloud services are provided to a group of cloud service customers with similar requirements; it is common for at least one member of the community to control the cloud resources for the group
confidentiality:
security principle that entails limiting access to data to authorized users and systems; in other words, confidentiality prevents exposure of information to anyone who is not an intended party
configuration management:
the process of tracking and controlling configuration changes to systems and software
containers:
a cloud technology that involves logically decoupling an application from its environment so that the containerized application can be developed, deployed, and run consistently in different environments (public cloud, private cloud, or even a personal laptop)
continual service improvement management:
a lifecycle of constantly improving the performance and effectiveness of IT services by collecting data and learning from the past
continuity management:
the process of ensuring that a CSP is able to recover and continue providing service to its customers, even amidst security incidents or during times of crisis
contract management:
the process of managing contract negotiation, creation, and execution to reduce risk and maximize performance
control plane:
the part of the cloud environment that carries information necessary to establish and control the flow of data through the cloud; enables management of the cloud’s infrastructure and data security
cross-site scripting (XSS):
a specific variant of an injection attack that targets web applications by injecting malicious code
crypto-shredding:
the process of encrypting data and then destroying the keys so that the data cannot be recovered
cryptographic module:
any hardware, software, and/or firmware combination that performs encryption, decryption, or other cryptographic functions
cryptography:
the science of encrypting and decrypting information to protect its confidentiality and/or integrity
cryptojacking:
a form of malware that steals computing resources and uses them to mine for Bitcoin or other cryptocurrencies
cryptoprocessor:
a dedicated chip that carries out cryptographic operations
dashboard:
a single graphical view of multiple alerts and datapoints
data archiving:
the process of removing information from production systems and transferring it to other, longer term storage systems
data-at-rest:
data that is stored on a system or device and not actively being read, written to, transmitted, or processed
data breach:
an incident that occurs when an unauthorized party gains access to confidential or protected data; this access can include any type of data, with the key factor being the fact that it is viewed, retrieved, or otherwise accessed by someone who shouldn’t have access
data classification:
the process of categorizing and organizing data based on level of sensitivity or other characteristics
data custodian (data processor):
an individual that processes the data on behalf of the data owner; the data custodian is responsible for adhering to the data owner’s established requirements for using and securing the data and must process the data in accordance with the data owner’s established purposes
data de-identification:
the process of removing information that can be used to identify a specific individual from a dataset
data discovery:
the process of finding and identifying sensitive information in your environment
data dispersion:
the process of replicating data throughout a distributed storage infrastructure that can span several regions, cities, or even countries around the world
data-in-transit (data-in-motion):
data that is actively being transmitted across a network or between multiple networks
data-in-use:
information that is actively being processed by an application
data localization law 526-fz:
a Russian law established in 2015 that mandates that all personal data of Russian citizens be stored and processed on systems that are located within Russia
data loss prevention (DLP):
a set of technologies and practices used to identify and classify sensitive data, while ensuring that sensitive data is not lost or accessed by unauthorized parties
data owner (data controller):
the individual who holds the responsibility for dictating how and why data is used, as well as determining how the data must be secured
data portability:
the ability to easily move data from one system to another, without needing to re-enter the data
data retention policy:
an organization’s established set of rules around holding on to information
data subject:
the person whose data is being used
data tampering:
an attack on the integrity of data by intentionally and maliciously manipulating data
decryption:
the process of using an algorithm (or cipher) to convert ciphertext into plaintext (or the original information)
defense-in-depth:
applying multiple, distinct layers of security technologies and strategies for greater overall protection
degaussing:
a data erasure method that involves using strong magnets to destroy data on magnetic media, like hard drives
deserialization:
reconstructing a series of bytes into its original format (like a file)
digital forensics:
a branch of forensic science that deals with the recovery, preservation, and analysis of digital evidence associated with cybercrimes and computer incidents
digital rights management (DRM):
processes focused on protecting intellectual property throughout its distribution lifecycle
digital signature:
a piece of information that asserts or proves the identity of a user using public-key encryption
direct identifiers:
pieces of information that can be used on their own to identify an individual; SSN is a perfect example of this, because there is a 1:1 assignment of Social Security Number to human being
directory service:
a relational hierarchy of cloud identities that manages the storage and processing of information, and acts as the single point through which cloud users can locate and access cloud resources
disaster recovery (DR):
a subset of business continuity focusing on recovering your IT systems that are lost or damaged during a disaster
distributed denial of service (DDoS):
a coordinated attack by multiple compromised machines causing disruption to a system’s availability
distributed IT model:
a computing model in which components of your information systems are shared among multiple computers and locations to improve performance and efficiency
distributed resource scheduling (DRS):
a feature that enables clustered environments to automatically distribute workloads across physical hosts in the cluster
domain name system (DNS):
a decentralized naming system that translates domain names (like websites) to their IP addresses, and back
domain name system security extensions (DNSSEC):
a set of security extensions to standard DNS that support the validation of the integrity of DNS data; DNSSEC can help prevent DNS hijacking, DNS spoofing, and man-in-the-middle attacks
durability:
the concept of using data redundancy to ensure that data is not lost, compromised, or corrupted
Dynamic Application Security Testing (DAST):
also known as dynamic code analysis, this form of testing involves assessing the security of code during its execution
Dynamic Host Configuration Protocol (DHCP):
a protocol that assigns and manages IP addresses, subnet masks, and other network parameters to each device on a network
dynamic masking:
the process of masking sensitive data as it is used in real-time, rather than creating a separate masked copy of the data
dynamic optimization (DO):
the automated process of constantly reallocating cloud resources to ensure that no physical host or its resources become overutilized while other resources are available or underutilized
e-discovery (electronic discovery):
the process of electronic data being collected, secured, and analyzed as part of civil or criminal legal cases
Electronic Discovery Reference Model (EDRM):
a model that provides an overall look at the e-Discovery process
encryption:
the process of using an algorithm (or cipher) to convert plaintext (or the original information) into ciphertext
ephemeral storage:
temporary storage that accompanies more permanent storage
Evaluation Assurance Levels (EAL):
a numeric score that is assigned to a product to describe how thoroughly it was tested during the Common Criteria process
event:
an observable occurrence in a system or network
factor:
an individual method that can be used to authenticate an identity
federated identity:
the act of linking a user’s (or system’s) identity on one system with their identity on one or more other systems
federation:
the process of linking an entity’s identity across multiple separate identity management systems, like on-prem and cloud systems
filtering:
the process of selectively allowing or denying traffic or access to cloud resources
FIPS 140-2:
a US government standard and program that assesses and validates the security of cryptographic modules
firewall:
a hardware or software system that monitors and controls inbound and outbound network traffic
full-scale test:
a business continuity/disaster recovery test that involves shutting down all operations at the primary location and shifting them to the BCDR site; the only type of test that provides a complete view of what would happen during a disaster
functional policies:
policies that set guiding principles for individual business functions or activities
functional testing:
a type of software testing that evaluates individual functions, features, or components of an application rather than the complete application as a whole
gap:
any deviation between what was discovered during the audit and the requirements in the applicable standards, regulations, or laws
gap analysis:
a comparison of actual results with desired results
general data protection law (LGPD):
a Brazilian law that was published in 2018 and modeled after GDPR; it establishes standards for managing the privacy of Brazilian citizen personal data
General Data Protection Regulation (GDPR):
considered by most to be the world’s strongest data privacy law; replaced the EU’s 1995 Data Protection Directive with hundreds of pages of regulations that require organizations around the world to protect the privacy of EU citizens
Generally Accepted Privacy Principles (GAPP):
a privacy framework that was published in 2009 by a Privacy Task Force created by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)
governance:
the policies, procedures, roles, and responsibilities in place to ensure security, privacy, resiliency, and performance
Gramm-Leach-Bliley Act (GLBA):
also known as the Financial Modernization Act of 1999, a US federal law that requires financial institutions to safeguard their customers’ PII
Hardware Security Module (HSM):
a physical device that safeguards encryption keys
hashing:
the process of taking an arbitrary piece of data and generating a unique string or number of fixed-length from it
health insurance portability and accountability act (HIPAA):
a law passed in 1996 that establishes minimum standards for protecting a patient’s privacy, and regulates the use and disclosure of individuals’ health information, referred to as Protected Health Information (PHI)
honeypot:
a decoy system that mimics a sensitive system in order to lure attackers away from the legitimate target
host cluster:
a group of hosts that are physically or logically connected in such a way that they work together and function as a single host
host-based DLP:
data loss prevention that involves installation of a DLP application on a workstation or other endpoint device
hybrid cloud:
a cloud deployment model that uses a combination of at least two different cloud deployment models (public, private, or community)
hypertext transfer protocol secure (HTTPS):
TLS over HTTP — the gold standard for protecting web communications
hypervisor:
a computing layer that allows multiple operating systems to run simultaneously on the same piece of hardware, with each operating system seeing the machine’s resources as its own dedicated resources
identification:
the process by which you associate a system or user with a unique identity or name, such as a username or email address
identity and access management (IAM):
the sum of all the technologies, processes, and personnel that are responsible for controlling access to resources
identity provider:
a trusted third-party organization that stores user identities and authenticates your credentials to prove your identity to other services and applications
IEC:
International Electrotechnical Commission
impact:
a metric that defines how disastrous something would be if it were to happen
incident:
a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
incident handling:
the process of preparing for, addressing, and recovering from security incidents
incident management:
the process of monitoring for, responding to, and minimizing the impact of incidents
incident response plan:
a set of policies and procedures that identifies steps to follow when an incident occurs, as well as roles and responsibilities of all stakeholders
indirect identifiers:
information that can help narrow down a set of individuals, but cannot be used to identify a single individual on its own; examples of indirect identifiers include birthdates, race, gender, and other identifiers that apply to multiple people
Information Rights Management (IRM):
a data security technology that protects data (typically files, but also emails, webpages, and other information) from unauthorized access by limiting who can view, copy, forward, delete, or otherwise modify information
information security:
the practice of protecting information by maintaining its confidentiality, integrity, and availability
information security management:
codifies the protection of your environment’s confidentiality, integrity, and availability as part of your overall IT management objectives
information security management system:
a set of people, processes, and technologies that manages the overall security of a company’s systems and data
infrastructure as a service (IaaS):
the cloud service category that provides infrastructure capabilities to the cloud service customer
infrastructure as code (IaC):
a tool that allows developers to view and manipulate their IT environments directly from lines of code using a programming or configuration language
injection attack:
a broad class of attacks in which a malicious actor sends untrusted commands or input to an application
input validation:
the process of ensuring that all input fields are properly checked and approved by the application prior to processing the input; requires locking down your application code to only allow expected input types and values, and filtering any suspicious or untrusted inputs
insecure deserialization:
an occurrence when an application or API takes an untrusted stream of bytes and reconstructs it into a potentially malicious file
insider threat:
the potential for someone who has or has had legitimate system or data access to intentionally or unintentionally compromise a system, data, or organization
interaction identifier:
a mechanism used to link all relevant events for a single user interaction
integrity:
the security principle that involves maintaining the accuracy, validity, and completeness of information and systems; ensures that data is not tampered with by anyone other than an authorized party for an authorized purpose
International Information System Security Certification Consortium (ISC)2:
the nonprofit organization behind the CCSP, CISSP, and other information security certifications
International Standard on Assurance Engagements 3402 (ISAE 3402):
an international assurance standard that closely mirrors SSAE 18 (and its predecessor SSAE 16)
Internet of things (IoT):
a term used to describe everyday devices, such as smart home devices, that are connected to the Internet
Internet Small Computer Systems Interface (iSCSI):
an IP-based storage standard that enables the use of SCSI over TCP/IP networks
interoperability:
the ability for two or more systems to seamlessly work together by sharing information and using that information as necessary
intrusion detection system (IDS):
a hardware appliance or software application that monitors networks and systems, and alerts designated personnel of any malicious or unauthorized activity
intrusion prevention system (IPS):
a hardware appliance or software application that is designed to actually block suspected attacks, in addition to alerting on them
ISO:
International Standards Organization
kubernetes:
an open-source platform for managing containerized workloads
kvm switch (KVM):
an input/output device that allows a user to access and control multiple computers from a single keyboard, video display, and mouse
layered security:
see defense-in-depth
least privilege:
the security practice that asserts that access to information should only be granted on a need to know basis
legal hold:
the process of preserving any data that is, will, or might be relevant during a legal investigation
lift-and-shift:
the process of taking applications and workloads from one environment and seamlessly placing them in another, usually cloud-based, environment
likelihood:
a metric that describes the probability that an event will actually occur
limit:
acts as the opposite of a reservation and sets a maximum amount of cloud compute resources that can be used
log injection attack:
an occurrence when an attacker creates false log entries or injects malicious content into logs through unvalidated input
log management infrastructure:
the hardware, software, networks, and media used to generate, transmit, store, analyze, and dispose of log data
logical unit number (LUN):
a unique identifier that’s used to label each individual chunk of storage; can represent a single disk, a partition of a disk, or an array of disks, depending on how much storage space a cloud tenant provisions
machine learning (ML):
a subset of AI that focuses on allowing machines to alter themselves as they are exposed to additional data
maintenance mode:
allows a provider to gracefully move a tenant’s workloads to another physical host while maintenance is being performed
management plane:
the interface and set of functions that supports and enables control of a cloud environment and the hosts within it
masking:
the process of partially or completely replacing sensitive data with random characters or other nonsensitive data
measured service:
delivery of cloud services in such a way that its usage can be monitored, accurately reported, and precisely billed
metadata:
filenames, file headers, or other information that provides valuable insight about the data and its contents; often referred to as data about data
metastructure:
the set of mechanisms that connects the infrastructure layer to the applications and data being used
multifactor authentication (MFA):
a control that requires more than one form of authentication be used for user authentication in order to reduce the risk of granting access to someone impersonating someone else
multitenancy:
allocation of cloud resources such that multiple tenants and their data reside on the same physical hardware and share the same physical resources
network controller:
a centralized point of control used to configure, manage, and monitor a physical and virtual network infrastructure
network-based DLP:
data loss prevention that involves monitoring outbound traffic near the network perimeter
network security group:
a feature popularized by Microsoft that effectively combines the concepts of security groups with network ACLs; network security groups allow you to control traffic to and from either an OS or an entire network
nonrepudiation:
the ability to ensure that the origin or author of data cannot be disputed
North American Electric Reliability Corporation (NERC):
a nonprofit regulatory body that oversees the bulk power system in North America; NERC enforces a set of reliability standards known as the NERC Critical Infrastructure Protection standards
OAuth:
an open standard that applications can use to provide clients with secure access delegation
object:
file storage that can be accessed directly through an API or web interface, without being attached to an operating system
on-demand self-service:
a characteristic of cloud that allows a cloud service customer to provision cloud resources and capabilities with little or no interaction with the cloud service provider
Open Web Application Security Project (OWASP):
an online community that is dedicated to providing organizations around the world with free, practical resources to support application security
OpenID:
an open standard and a decentralized authentication protocol that allows users to authenticate to participating applications (known as relying parties)
orchestration (application or service):
the process of bundling and integrating two or more applications or services to automate a process
organizational policies:
policies that govern how an organization is structured and guide the organization in running systematically and efficiently; higher-level policies that don’t govern specific functions within an organization
parallel test:
a type of business continuity/disaster recovery test that involves bringing the secondary site up to full operational capacity, while maintaining all operations in the primary site
patch management:
the part of configuration management that includes all processes for finding, testing, and applying software patches (or code changes) to your systems
PCI DSS:
Payment Card Industry Data Security Standard (PCI DSS) is a proprietary security standard established by Visa, MasterCard, American Express, Discover, and JCB International in 2004
penetration testing:
the process of conducting a simulated attack on a system or application in order to discover exploitable vulnerabilities
performance monitoring:
routine collection and analysis of performance metrics for key components of the cloud environment; key components that should be monitored include network, compute, disk, and memory
Personal Information Protection And Electronic Documents Act (PIPEDA):
a Canadian regulation that applies to the collection, use, and disclosure of personal information throughout the course of all commercial activities in Canada; this was replaced by the Canadian Digital Privacy Act in 2015
personally identifiable information (PII):
personal information, such as birthdates, addresses, and Social Security numbers, that can be used to identify an individual
platform as a service (PaaS):
the cloud service category that provides platform capabilities so that the cloud customer can run code and develop applications using programming libraries that are managed and controlled by the cloud service provider
policy:
formal documentation of a desired or required standard for a system or an organization
portability:
the ease with which a party can move or reuse application or service components
privacy:
entails limiting access to personal information to authorized parties for authorized uses; in essence, privacy is maintaining the confidentiality of personal information, specifically (rather than just any kind of sensitive data)
private cloud:
a cloud deployment model where cloud services are provided to a single cloud service customer who controls their own cloud resources
private key:
the key in public-key encryption that remains a secret of the owner and is required to decrypt messages that come in from anyone else
privilege escalation:
an occurrence when an unprivileged (or regular) application user is able to upgrade their privileges to those of a privileged user (like an administrator)
privileged access management:
all technologies and processes involved in managing the entire lifecycle of accounts with the highest privileges
problem management:
the process of managing any and all problems that happen or could happen to your IT service
procedure:
a series of steps that should be followed to accomplish a particular result
Process for Attack Simulation and Threat Analysis (PASTA):
a risk-based threat model, developed in 2012, that supports dynamic threat analysis
protected health information (PHI):
information related to the past, present, or future health status of an individual that was created, used, or obtained in the course of providing healthcare services, including payment for such services
protection profiles:
establish a set of security standards unique to a specific type of product, such as operating systems, firewalls, antivirus, and so on
public cloud:
the cloud deployment model where cloud resources are controlled by the cloud service provider, and cloud services are made available to any cloud service customer
public key:
the key in public-key encryption that is made publicly available for anyone to encrypt messages
quality assurance (QA):
the process of ensuring software quality through validation and verification activities
rapid elasticity:
the cloud characteristic that allows a cloud customer to quickly obtain additional cloud resources as the user’s needs require
rate limiting:
the process of controlling the amount of traffic into or out of the cloud network
raw-disk storage:
storage that allows data to be accessed directly at the byte level, rather than through a filesystem
recovery point objective (RPO):
the maximum amount of data loss that’s tolerable to your organization
recovery service level (RSL):
the percentage of total computing power, performance, or functionality needed during business continuity
recovery time objective (RTO):
the amount of time within which business processes must be restored in order to avoid significant consequences associated with the disaster
regulatory compliance:
the requirement for an organization to meet or satisfy regulations, guidelines, policies, and laws relevant to its business
release and deployment management:
planning, scheduling, and managing software releases through different phases, including testing in development environments and deployment to a production environment, while maintaining the integrity and security of the production environment
remote KMS:
a key management service that is owned, operated, and maintained on premises by the customer
repudiation:
the ability of a party to deny that they are responsible for performing some action
requesting party:
the person, group, or organization who does not own the digital evidence and initiates the request for such evidence from the responding party in an e-Discovery request
reservation:
a feature that guarantees that a cloud customer has access to a minimum amount of cloud compute resources, either CPU or RAM
resiliency:
a metric that measures the ability of a cloud provider to continue providing fully functioning services in the event of disruption
resource contention:
an occurrence in which there are too many requests and not enough resources available to satisfy all of those requests
resource pooling:
aggregation of a cloud service provider’s resources to provide cloud service to one or more cloud service customers
responding party:
the person, group, or organization who has received an e-Discovery order, and is responsible for providing the digital evidence to the requesting party
reversibility:
the capability for a cloud service customer to retrieve their cloud service customer data and for the cloud service provider to delete this data after a specified period or upon request
risk:
the intersection of threat and vulnerability that defines the likelihood of a vulnerability being exploited and the impact should that exploit occur
risk acceptance:
accepting a particular risk if it is completely within an organization’s risk tolerance
risk appetite (risk tolerance):
the level of risk that an organization is willing to accept in its course of business
risk avoidance:
elimination of an identified risk by removing the activity or technology that causes the risk in the first place
risk management:
the field that deals with identifying threats and vulnerabilities, and quantifying and addressing the risk associated with them
risk mitigation (risk reduction or modification):
a strategy that involves lessening the potential impact that a threat can have on the organization
risk profile:
an analysis of the existing threats posed to an organization and its assets (including its data)
risk transfer (risk sharing):
involves shifting or sharing the entire responsibility for risk to another organization
sampling:
the process of randomly selecting and auditing a subset of all systems
sandboxing:
the process of isolating an application from other applications and resources by placing it in a separate environment (the sandbox)
scheduling:
the process of taking customer resource requests and prioritizing those requests (or tasks) in such a way that available resources are assigned and utilized most efficiently
scrambling:
an obfuscation technique that mimics the look of real data, but simply jumbles the characters into a random order
Secure Sockets Layer (SSL):
a deprecated network traffic encryption protocol that was replaced by TLS
security information and event management (SIEM):
a software product or service that collects, aggregates, and indexes logs from multiple sources, and makes those logs easily searched and analyzed
Security Assertion Markup Language (SAML):
an XML-based open standard used to share authentication and authorization information between identity providers and service providers
security event management (SEM):
refers to real-time monitoring and correlation of events
security group:
a network ACL that operates at the VM level rather than the network level
security information management (SIM):
products and services that provide long-term storage, analysis, and reporting of log information
security operations center (SOC):
a centralized location where designated information security personnel continuously monitor and analyze an organization’s security posture
security risk assessment:
a set of activities that seek to understand the information system and its environment, and identify security risks by collecting and analyzing information, such as security policies, system configurations, and network policies
serialization:
the process of breaking down an object (like a file) into a stream of bytes (0s and 1s) for storage or transmission
service-level agreement (SLA):
an agreement between a cloud service provider and cloud customer that identifies the minimum level of service that must be maintained
service-level management:
the process of negotiating, developing, and managing all CSP SLAs
share:
a technical feature that is used to mediate resource allocation contentions
simulation exercise:
an enhanced version of a tabletop exercise that leverages a predefined incident scenario
single sign-on (SSO):
an access control property that allows a single user authentication to be used to sign on to multiple separate, but related, applications
snapshot:
a copy of a Virtual Machine, its virtual disks, and any settings and configurations associated with the VM; saved to disk as a simple file
software as a service (SaaS):
the cloud service category that provides software/application capabilities to the cloud service customer
software development lifecycle (SDLC):
the series of steps that is followed to build, modify, and maintain computing software
software-defined networking (SDN):
an approach to network management that enables a network to be centrally controlled (or programmed), providing consistent and holistic management across various applications and technologies
spoofing:
an attack during which a malicious actor assumes the identity of another user (or system) by falsifying information
static application security testing (SAST):
a security testing technique that involves assessing the security of application code without executing it; SAST is a white box test that involves examining source code or application binaries to detect structural vulnerabilities within the application
static masking:
the process of duplicating the original data with sensitive components masked in the new copy
Statements on Standards for Attestation Engagements (SSAE):
a standard published by the AICPA in 2017 that is focused on audit methods
storage clusters:
the logical or physical connection of multiple storage systems in a way that allows them to operate as a single storage unit
storage controller (disk array controller):
a device that manages and controls storage arrays
structured data:
information that is highly organized, categorized, and normalized
substitution:
an obfuscation technique that mimics the look of real data, but replaces (or appends) it with some unrelated value
supply chain:
the list of hardware and software dependencies that a system or application is built with
symmetric-key (secret key) encryption:
a form of encryption that uses the same key (called a secret key) for both encryption and decryption
tabletop exercise:
a formal walkthrough of the BCDR Plan by representatives of each business unit involved in BCDR activities
tenant:
one or more cloud service users sharing access to a set of cloud resources
threat:
anything capable of intentionally or accidentally compromising an asset’s security
threat actor:
the entity that poses a threat to a system, application, or data
threat modeling:
a technique by which you can identify potential threats to your application, and identify suitable countermeasures for defense
token:
a reference to sensitive data that has no meaning or sensitivity on its own
tokenization:
the process of substituting a sensitive piece of data with a non-sensitive replacement, called a token
Transport Layer Security (TLS):
the standard technology used to encrypt traffic over a network, and it creates an encrypted link ensuring all traffic between two points remains private
trust zone:
a network segment that includes systems and assets that share the same level of trust
trusted platform module:
a microcontroller (computer chip) that is designed to provide hardware-based security functions to a system
Unified Extensible Firmware Interface (UEFI):
a backwards-compatible specification that improves upon legacy BIOS functionality and security
unstructured data:
information that cannot be easily organized and formatted for use in a rigid data structure, such as a database
vendor lock-in:
occurs when something prevents a customer from moving from one cloud provider to another
vendor management:
the process by which an organization manages risks related to vendors and ensures effective service delivery by that vendor
versioning:
the process of creating and managing multiple releases of an application, each with the same general function but incrementally improved or otherwise updated
virtual local area network (VLAN):
a set of servers and other devices within a LAN that are logically segmented to communicate with each other as if they were physically isolated on a separate LAN
virtual machine (VM):
technology that emulates the functionality of physical hardware and allows cloud customers to run operating systems (OS) in a virtualized environment
virtual private network (VPN):
technology that allows a private network to be securely extended over a public network (like the Internet) by creating a point-to-point connection between the private network and a device that sits outside that network
virtual TPM (vTPM):
provided by the hypervisor; extends the hardware-based security functions of a physical TPM to virtual machines and guest operating systems
virtualization:
the act of creating virtual (that is, not physical) resources like servers, desktops, operating systems, and so on
virtualization management tools:
interface with virtualized components as well as the underlying physical hardware to oversee and manage the operations of the virtualized environment
VM sprawl:
the uncontrolled growth of VMs to the point where the cloud administrator can no longer effectively manage and secure them
volume:
a virtual hard drive that can be attached to a virtual machine (VM) and utilized similar to a physical hard drive
vulnerability:
a weakness or gap existing within a system
vulnerability management:
the process of identifying, classifying, and fixing vulnerabilities that exist within your system
vulnerability scanning:
the process of assessing an application or system for known weaknesses
waterfall:
an SDLC methodology in which you complete each phase in sequential order, flowing through each step of the cycle from beginning to end
web application firewall (WAF):
a security appliance or application that monitors and filters HTTP traffic to and from a web application
white box testing:
the opposite of black box testing; involves granting the tester complete knowledge of the tested component's inner workings
XML external entity (XXE) attack:
an attack that occurs when XML input containing a reference to an external entity is processed by an application without thorough parsing
zero trust architecture (ZTA):
a security model that’s built on the idea that no entity inside or outside of an organization’s security perimeter should be trusted
zero day vulnerability:
a security flaw that is so new that the software developer has yet to create a patch to fix it