A

• abuse case testing, 164–165
• access control, 34–36, 115, 188–189, 201–202
• access control list (ACL), 24, 88
• accountability, 96, 128
• Active Directory (AD), 127, 174, 175–176, 202
• administrative access control, 34, 35
• Adobe, 157
• Advanced Encryption Standard (AES), 55, 68
• advocate training and awareness, 140–144
• agent-based DLP, 76
• Agile Manifesto, 147
• Agile methodology/software development, 147, 221, 222
• AICPA service organization control (SOC) reports, 285
• AICPA SOC 2, 217
• Akamai, 171
• algorithm, 68
• Amazon API Gateway, 171
• Amazon Web Services (AWS)
  • Cloud Formation, 14
  • cloud orchestration with, 13
  • CloudShark, 130
  • CloudTrail, 124
  • CloudWatch, 124
  • as defining regions, 44
  • Identity and Access Management (IAM), 127, 175
  • Inspector, 124
  • Lambda, 47, 187
  • Management Console, 113, 190
  • in multi-cloud deployment, 21
  • as offering ability to use their infrastructure in an isolated VPC, 105
  • as offering GDPR-compliant services, 11
  • as providing quantum computing service, 31
  • Relational Database (RDS), 64
  • as running data centers all over the world, 113
  • Service Health Dashboard, 243
  • shared responsibility model for, 7
  • shared responsibility model of, 237
  • Simple Storage Service (S3), 65, 91
  • VPC Traffic Monitoring, 130
  • Well-Architected Framework of, 50
  • Xen hypervisor, 108

• American Institute of CPAs (AICPA), 217, 285
• analysis, 45, 81, 99–100, 120–122, 163–164, 245–247, 289
• Apache, 167
• API gateway, 169, 171
• Apple FileVault, 94
• application capability types, 16
• application programming interfaces (APIs), 21, 47, 62, 65, 165–166
• Application Security Verification Standard (ASVS) (OWASP), 157
• application testing, 161–162
• application virtualization and orchestration, 173
• application-level encryption, 69
• Architecture, Threats, Attack surfaces, Mitigations (ATASM), 155–156
• archive phase controls, 60
• artificial intelligence (AI), 28, 29, 79
• Asia-Pacific Economic Cooperation Privacy Framework (APEC), 260, 264
• assessment, 119–120, 131, 135, 211, 214–215, 280–281, 307–308, 309
• assurance, of cloud software, 158–165
• at-rest data monitoring, 76
• attributed-based access control (ABAC), 112
• AU-3, 129
• audit controls, internal and external, 282–283
• audit mechanisms, 128–130
• audit planning, 290–291
• audit process, 281–299
• audit reports, 285
• audit requirements, 283–284
• audit scope restrictions, 288
• audit scope statements, 288–289
• auditability, 26, 96
• Australian Privacy Act, 273
• authentication, 127, 177
• authorization, in cloud environments, 127
• authorization to operate (ATO), 290
• autoscaling, 187
• availability management, 226–227
• availability zones, 44
• AWS (Amazon Web Services). See Amazon Web Services (AWS)
• Azure. See Microsoft Azure

B

• backup and restoration functions, 207–208
• bare-metal hypervisor, 108
• baselines/baselining, 42, 195–196
• binary large object (blob) storage, 65
• black-box testing, 161
• blockchain, 29–30
• blocks, 29
• breach notification, 302
• bring-your-own-device (BYOD) environment, 174, 178
• building block technologies, 11–14
• Bundesdatenschutzgesetz, 263
• business continuity and disaster recovery (BCDR), 215
• business continuity (BC), 9, 131–138
• business continuity plan (BCP), 44, 131–132, 134–138
• business impact analysis (BIA), 45
• business impact assessment (BIA), 131, 135, 214–215, 280
• Business Operation Support Services (BOSS), 51

C

• cache poisoning, 193
• California Consumer Protection Act (CCPA), 274, 277
• capacity management, 227–228
• capital expenditures (CapEx), 3, 11
• CAPTCH authentication, 28
• cardholder data environment (CDE), 84
• Carnegie Mellon University Software Engineering Institute (SEI), Incident Management Capability Assessment, 253
• categorization, 83
• Center for Internet Security (CIS), 26, 185–186, 196, 264
• certificates, 77
• chain of custody, 100, 230
• change advisory board (CAB), 213
• change control board (CCB), 213
• change management, 213–214
• cheat sheets (OWASP), 97–98, 129, 157
• Cisco, 113
• CISO Mind Map, 240
• Citrix XenServer, 39
• Clarifying Lawful Overseas Use of Data Act (U.S. CLOUD Act), 233, 258, 274
• cloud access security broker (CASB), 31, 127, 175, 178–179
• cloud application architecture, 168–174
• cloud application security, 140–144
• cloud attacks, 122–123
• cloud auditor, 15
• cloud broker, 15
• cloud carrier, 15
• cloud computer, roles and responsibilities, 3–7
• cloud computing
  • activities of, 14–15
  • CSA's top threats to, 142
  • defined, 2–3
  • key characteristics of, 7–11
  • other threats to, 41
  • security concepts relevant to, 33–36
  • service and deployment models in, 3

• cloud consumer, activities related to role of, 15
• Cloud Controls Matrix (CCM) (CSA), 54, 143, 264, 281, 287, 293, 308
• cloud data concepts, 58–63
• cloud data lifecycle phases, 58–61
• cloud data storage architectures, 63–67
• cloud design patterns, 49–51
• cloud development, basics of, 140–141
• cloud gateways, 37
• cloud infrastructure, 104–113, 119–124
• cloud orchestration, 13, 173
• cloud platforms, analyzing risks associated with, 119–124
• cloud reference architecture, 14–18
• cloud secure data lifecycle, 43–44, 59–61
• Cloud Security Alliance (CSA), 14, 26, 41, 49, 54, 123, 140, 142, 149, 229, 264, 266, 267, 281, 287, 293. See also Cloud Controls Matrix (CCM) (CSA); CSA Enterprise Architecture (CSA EA); CSA Security, Trust, Assurance, and Risk (STAR) registry; CSA Top Threats Working Group; Egregious 11 (CSA)
• cloud security, common pitfalls of, 141–142
• cloud security operations
  • building and implementing physical and logical infrastructure for cloud environment, 182–188
  • digital forensics, 228–234
  • implementation of operational controls and standards, 212–228
  • management of, 239–253
  • management of communication with relevant parties, 234–239
  • management of physical and logical infrastructure for cloud environment, 200–212
  • operation of physical and logical infrastructure for cloud environment, 188–200

• cloud service broker, 4–5
• cloud service categories, 17–18
• cloud service customer (CSC), 4
• cloud service partner, 4
• cloud service provider (CSP), 4, 15, 51–56
• cloud shared responsibilities, 21–27
• cloud software, assurance and validation of, 158–165
• cloud threats, 122–123
• cloud vulnerabilities, 122–123, 142–144
• Cloudflare, 171
• cloud-native organizations, 14
• cloud-specific incident management, 252
• cluster management agent, 197
• clustered hosts, 197
• code peer reviews, 162
• code review, 162
• collision, use of term, 70
• command-line interface (CLI), 188, 190
• Common Criteria (CC), 54–55, 308
• Common Vulnerabilities and Exposures (CVEs), 218
• communications, 106–107, 125–126, 234–239
• community cloud, 3, 20, 105
• compliance, 122, 297–298
• computer-based training (CBT), 142
• confidential computing, 32
• Confidential Computing Consortium, 32
• confidentiality, integrity, and availability (CIA), 66, 143, 149, 216
• configuration item (CI), 224
• configuration management (CM), 224–225
• configuration management database (CMDB), 158, 202, 224
• conformance assessment body (CAB), 309
• Consensus Assessments Initiative Questionnaire (CAIQ), 54
• consumer-grade IRM (DRM), 87
• container orchestration, 173
• container security, 39–40
• containerized application, 12
• containers, 173, 223
• containers/containerization, 30–31, 39, 223
• content analysis, 81
• content and file storage, 65
• content delivery network (CDN), 65
• continual service improvement management, 217–218
• continuity management, 214–216
• continuity of operations plan (COOP), 131
• continuous audit trail, 88
• continuous deployment (CD), 222
• continuous integration/continuous deployment (CI/CD), 213, 222
• continuous monitoring, 244
• contract clauses, 312–313
• contract design, 309–316
• contract management, 312–313
• contracts, components of, 271–272
• contractual private data, 268–271
• contractual requirements, 264
• control frameworks, 292–293
• controls, use of term, 303
• correlation, 99, 129–130, 246
• cost-benefit analysis, 45
• countermeasures, 303
• create phase controls, 59
• Critical Security Controls (CSC), 264
• cross-site scripting (XSS), 143, 169, 170
• cryptographic coprocessor, 183
• cryptographic erase/cryptographic erasure, 37, 94
• cryptographic key establishment and management, 126
• cryptography, 33–34, 171–172
• cryptoshredding, 12, 37, 61, 94
• CSA Enterprise Architecture (CSA EA), 50–51
• CSA Security, Trust, Assurance, and Risk (STAR) registry, 54, 113, 287, 300, 308
• CSA Top Threats Working Group, 142
• cyber hygiene, 41
• cyber risk insurance, 313–314
• cyber-physical systems (CPS), 145
• Cybersecurity Framework (CSF) (NIST), 217, 289, 293

D

• data anonymization, 73
• data archiving, 89, 94–95
• data center, 113–119
• data classification, 82–87
• data controller, 261, 301
• data corruption, 67
• data custodian/processor, 301–302
• data de-identification, 73
• data deletion, 89, 93–94
• data destruction, 67
• data discovery, 78–82
• data dispersion, 61–62
• data disposal, 90
• data events, 96–101
• data flow diagram (DFD), 62
• data flows, 62–63
• data formats, 92–93
• data labels, 80–81, 86
• data lake, 78
• data leakage prevention (DLP), 74
• data location, 82
• data loss prevention (DLP), 60, 74–76
• data mapping, 85–86
• data mart, 79
• data masking, 72
• data mining, 79
• data model, 80
• data obfuscation, 71–72
• data owner/controller, 301–302
• data privacy, jurisdictional differences in, 277
• data processor, 261, 301
• data retention, 89–93, 95–96
• data sanitization, 36–37
• data science, 27–28
• data security, as distinct from privacy, 261
• Data Security Standard (PCI Council), 53
• data security strategy, 293–294
• data security technologies and strategies, 67–78
• data subject, 261, 301
• data type, 83
• data warehouse, 78
• data-at-rest encryption, 171
• database activity monitoring (DAM), 170
• database as a service (DBaaS), 17
• database management system (DBMS), 70
• database-level encryption, 69–70
• databases, 13, 64
• data-in-motion encryption, 171, 172
• Defense Information Systems Agency (DISA), 186
• defensible destruction, 93
• deletion, as obfuscation method, 71
• denial of service, 66
• denial-of-service protection, 126
• dependencies, 163
• deployment management, 222–223
• deployment models, 3, 18–21
• design principles (of secure cloud computing), 43–51
• destroy phase controls, 61
• DevOps, DevSecOps as evolution of, 32
• DevOps security, 51
• DevSecOps, 32–33
• Diffie-Hellman, 194
• digital evidence, collection, acquisition, and preservation of, 231–232
• digital forensics, 228–234, 267
• digital rights management (DRM), 87
• direct identifiers, 73
• disaster recovery (DR), 9, 131–138
• disaster recovery plan (DRP), 44–45, 132, 134–138
• discretionary access control (DAC), 89
• disk storage, 64
• disposal, improper, 67
• distributed information technology model, 298–299
• Distributed Resource Scheduling (DRS), 198–199
• DNS attacks, 193
• DNS security extensions (DNSSEC), 193
• DNS spoofing, 193
• Docker, 12, 39, 168
• domain name system (DNS), and DNS security extensions, 193
• downtime, 122
• DREAD mnemonic, 154
• Dropbox, 3, 9, 17, 75, 127, 295
• Dynamic Application Security Testing (DAST), 161–162
• Dynamic Host Configuration Protocol (DHCP), 192
• dynamic policy control, 88

E

• EA Working Group, 51
• edge computing, 31–32
• eDiscovery, 265–266
• Egregious 11 (CSA), 41, 123, 142, 149, 150, 156
• egress monitoring, 38–39
• elasticity, rapid, 9–10
• Electronic Communication Privacy Act, Title II, 276
• emojis, 163
• encryption, 55, 67–70, 72, 171, 172
• encryption-based transmission, 8
• endpoint, 76
• enterprise risk management, 299–309
• enterprise-grade IRM, 87
• environmental design (of data center), 117–118
• ephemeral computing, 40
• ephemeral storage, 63–64
• Equifax data breach (2017), 205
• erasure coding, 61
• EUCS, 309
• European Convention on Human Rights (ECHR), 273
• European Economic Area (EEA), 275
• European Network and Information Security Agency (ENISA), 305–306, 309
• European Union General Data Protection Regulation (EU GDRP). See General Data Protection Regulation (GDPR) (EU)
• event attribution, 97–98
• event sources, 97–98
• events, as distinct from incidents, 218
• everything as a service (XaaS), 17
• evidence collection, 232, 233
• evidence management, 230–234
• evidence preservation, 233–234
• extensible markup language firewalls, 170–171
• Extensible Markup Language (XML), 170
• Extensible Stylesheet Language Transformation (XSLT), 170
• extract, transform, load (ETL), 78

F

• Family Education Rights and Privacy Act (FERPA) (US), 263
• Federal Information Processing Standards (FIPS), 52, 55–56, 68, 71
• Federal Information Security Modernization Act (FISMA) (US), 264
• Federal Risk and Authorization Management Program (FedRAMP), 52, 54, 264, 290, 300
• Federal Trade Commission (FTC) (US), 274
• federated identity, 175
• federated identity management (FIM), 175
• Fibre Channel/Fibre Channel over Ethernet (FCoE), 184
• file integrity monitoring, 70
• File Transfer Protocol (FTP), 8
• file-level encryption, 69
• Financial Private Rule (US), 276
• firewalls, 209–210
• forensic data collection methodologies, 228–230
• forensic requirements, 267
• fully qualified domain name (FQDN), 193
• functional security requirements, 46–48
• functional testing, 159–160

G

• gap analysis, 289
• Gartner, 115
• gateway-to-gateway VPNs, 194
• G-Cloud (UK), 54
• General Data Protection Regulation (GDPR) (EU), 11, 23, 26, 28, 52, 61–62, 73, 92, 170, 238, 256–257, 258, 261–262, 263, 264, 268, 272–273, 279–280, 302, 303
• Generally Accepted Privacy Principles (GAPP), 264, 278–279
• GitHub, 13
• global user ID (GUID), 80
• Google Cloud Cloud Console, 190
• Google Cloud Identity and Access Management, 175
• Google Cloud Platform, 7, 11, 13, 105, 171
• Google Cloud Status Dashboard, 243
• Google Docs, 17
• Google Drive, 75
• Google Workspace, 13, 88, 115, 127
• governance, as cloud shared consideration, 24
• governance, risk management, and compliance (GRC), 47
• government cloud standards, 53–54
• Gramm-Leach-Bliley Act (GLBA), 5, 26, 274, 276, 302
• gray-box testing, 161
• guest operating systems (OSs), 188, 199–200
• Guidance for Organisations Engaging Cloud Service Providers (Irish Data Protection Commission), 6
• Guidance on HIPAA & Cloud Computer (U.S. Department of Health and Human Services), 6
• Guidance on the use of cloud computer (UK Information Commissioner's Office), 5
• Guidelines for Media Sanitization (NIST), 61

H

• handling, use of term, 43, 60
• hardening, 182, 195–196
• hardware monitoring, 206–207
• hardware security modules (HSMs), 34, 68, 69, 183–184
• hardware-specific security configuration requirements, 182–185
• hash functions, 70
• hashing, 70–71, 81
• Health Information Technology for Economic and Clinical Health (HITECH) Act, 298, 302
• Health Insurance Portability and Accountability Act (HIPAA), 23–24, 26, 73, 92, 122, 170, 216, 262, 263, 264, 269, 274, 276, 298, 302
• heating, ventilation, and air conditioning (HVAC), 117
• high availability (HA), 198
• high-availability (HA), 9
• homomorphic encryption, 72
• honeynets/honeypots, 211
• host-based intrusion detection system/intrusion prevention system (HIDS/HIPS), 211
• hosted hypervisor, 108
• HTTP Secure (HTTPS), 8
• hybrid cloud, 3, 20
• Hypertext Transfer Protocol (HTTP), 8
• Hyper-V, 39, 108
• hypervisor, 12, 30, 108–109, 186
• hypervisor security, 39

I

• IBM
  • as providing quantum cloud computing, 31
  • as running data centers all over the world, 113

• IBM Cloud, 50
• IBM Cloud Computing Reference Architecture (CCRA), 14
• IBM Cloud Orchestrator, 14
• IBM Lotus Notes, 47
• identification, authentication, authorization, and accountability (IAAA), 127
• identification, in cloud environments, 127
• identity, 34
• identity and access management (IAM) system, 35, 114, 115, 121, 127, 128, 174–179
• identity as a service (IDaaS), 115, 127, 201–202
• identity provider (IdP), 175–176
• IEEE802.1Q, 191
• immutable architecture, 42, 223–224
• improper disposal, as threat to storage type, 67
• incident, 248, 249
• incident management, 218–219, 248–249, 252
• incident management plan, 248
• incident management standards, 252–253
• incident response phases, 249–251
• incident response plan (IRP), 248
• incident response team (IRT), 219, 248–249
• incidents, events as distinct from, 218
• indirect identifiers, 73
• industrial control system (ICS), 32, 145, 248
• information rights management (IRM), 60, 69, 87–89
• information security management, 216–217
• information security management system (ISMS), 52, 216, 291–292
• information storage and management, 65
• infrastructure, as code, 225
• infrastructure as a service (IaaS), 3, 15, 17, 18, 49, 63–65, 107, 108
• infrastructure as code (IAC), 42, 187
• infrastructure capability types, 16–17
• ingress monitoring, 38–39
• in-motion data monitoring, 75–76
• instant-message tools, 75
• instructor-led training (ILT), 142
• integration testing, 159
• Interactive Application Security Testing (IAST), 162, 168
• internal information security controls system, 292–293
• International Auditing and Assurance Standards Board, 287
• International Electrotechnical Commission (IEC), 52
• international legislation, as conflicting, 256–257, 258
• International Organization for Standardization (ISO)
  • ISO 15408-1:2009, 308
  • ISO 18788, 240
  • ISO 20000-1, 213
  • ISO 22301:2019, 216
  • ISO 27000, 215, 315
  • ISO 27000:2022, 300
  • ISO 27001, 26, 52, 54, 121, 166, 216, 278, 287, 288, 291, 293, 300, 304
  • ISO 27002, 52, 215, 289, 293
  • ISO 27017, 52, 122, 216
  • ISO 27018, 52–53, 122, 217, 278
  • ISO 27035, 219, 253
  • ISO 27036, 316
  • ISO 27036:2021, 315
  • ISO 27050, 228–229, 266
  • ISO 27701, 217
  • ISO 31000:2018, 300, 305, 306
  • as standards body, 26

• International Standard on Assurance Engagement (ISAE), 287
• Internet Key Exchange v2, 194
• Internet of Things (IoT), 30, 145
• Internet service provider (ISP), role of cloud carrier as often performed by, 15
• interoperability, 21, 47, 88
• interruption, use of term, 251
• intrusion detection system (IDS), 210, 244
• intrusion detection system/intrusion prevention system (IDS/IPS), 244
• intrusion prevention system (IPS), 210
• in-use data monitoring, 76
• IP security (IPSec), 123–124, 194
• Irish Data Protection Commission, 6
• iSCSI, 184
• ISO/IEC 11889, 183
• ISO/IEC 27001:2013, 292
• ISO/IEC 27036-1:3032, 315
• ISO/IEC 27036-2:2014, 315
• ISO/IEC 27036-3:2013, 315
• ISO/IEC 27036-4:2016, 315
• ISO/IEC 27037:2012, 267
• ISO/IEC 27041:2015, 267
• ISO/IEC 27042:2015, 267
• ISO/IEC 27043:2015, 267
• ISO/IEC 31000:2018, 120
• IT Operations & Support (ITOSS), as CSA EA domain, 51
• IT service management (ITSM), 212, 225, 227
• ITIL (formerly Information Technology Infrastructure Library), 213, 219, 221

J

• Java Virtual Machine, 31
• Jira ticket, 17

K

• Kayboard Video Mouse (KVM), 189–190
• Kerckhoffs, Auguste (cryptographer), 68
• Kerckhoffs' principle, 68
• key management, 33–34
• key management encryption, 171
• key management service (KMS), 34, 171
• key performance indicators (KPIs), 218
• Kubernetes (K8s), 14, 21, 168, 173

L

• laws and regulations, compliance requirements of, 263–265
• legal, risk, and compliance, 256–316
• legal constraints, 83
• legal frameworks and guidelines, 258–263
• legal hold, 95–96, 229
• legal requirements, 256–267
• lexical analysis, 81
• Lightweight Directory Access Protocol (LDAP), 174
• live migration, 197
• log capture and analysis, 245–247
• log centralizations, 130
• log collection, 129
• log management, 247–248
• logging, 97–100, 129
• logical design (of data center), 114–115
• logical unit number (LUN), 64
• long-term storage, 64
• loosely coupled storage, 199
• LXC, 39

M

• machine learning (ML), 27, 28, 79
• malware, 67
• management console, 212
• management plane, 111–113, 212
• management plane protection (MPP), 113
• mandatory access control (MAC), 89
• manual testing, 163
• masking, 72
• master services agreement (MSA), 25, 309, 310
• maximum tolerable downtime (MTD), 133
• mean time to contain (MTTC), 307
• mean time to detect (MTTD), 307
• media sanitization, 36–37
• metadata, 80
• microsegmentation, 210
• Microsoft
  • as running data centers all over the world, 113
  • as SAFECode partner, 157

• Microsoft Azure
  • Active Directory (Azure AD), 127, 175–176, 202
  • API management, 171
  • Blob Storage, 65, 91
  • as CSP, 4, 13
  • Databases, 64
  • as defining regions, 44
  • Functions, 47, 187
  • Hyper-V hypervisor, 108
  • in multi-cloud deployment, 21
  • Network Watcher, 130
  • as offering ability to use their infrastructure in an isolated VPC, 105
  • as offering GDPR-compliant services, 11
  • Portal, 190
  • as providing quantum computing service, 31
  • as publishing security reference architectures, 113
  • Sentinel, 241
  • shared responsibility model for, 7, 237
  • status, 243
  • Well-Architected Framework of, 50

• Microsoft BitLocker, 94
• Microsoft Corp. v. United States, 233
• Microsoft Exchange, 47
• Microsoft Hyper-V, 284
• Microsoft Office, 88
• Microsoft Operations Management Suite (OMS), 14
• Microsoft SQL Server, 64
• Microsoft Virtual Machine Manager (VMM), 199
• ML/AI training data, 79
• mobile device management (MDM), 174
• monitoring, 75–76, 205–206, 206–207
• multi-cloud deployment strategy, 3, 20–21
• multifactor authentication (MFA), 9, 15, 36, 127, 135, 176–177, 201
• multiregion plans, 44
• multitenancy, 9
• multivendor pathway connective, 118–119
• Mundie, Craig, 257

N

• National Institute of Standards and Technology (NIST)
  • configuration checklists, 196
  • Cybersecurity Framework (CSF), 217, 289, 293
  • incident response lifecycle phases, 220
  • NISTIR 8006, 266
  • Risk Management Framework (RMF), 215, 217, 244, 306
  • Secure Software Development Framework (SSDF), 144, 145
  • SP 500-292, 14, 50
  • SP 500-299, 50
  • SP 800-37, 120, 217, 244, 305, 306
  • SP 800-53, 125–126, 129, 217, 293
  • SP 800-61, 219, 253
  • SP 800-88, 61, 93, 94
  • SP 800-92, 245, 247
  • SP 800-122, 268
  • SP 800-125A Rev 1, 39
  • SP 800-145, 2, 7, 17, 18
  • SP 800-146, 305, 306
  • SP 800-207, 38
  • as standards body, 26

• national vulnerability database (NVD), 144
• network, in cloud infrastructure, 106–107
• network configuration, 184–185
• network interface card (NIC), 37–38, 184
• network security, 37–39
• network security controls, 208–211
• network security groups (NSGs), 37–38, 209–210
• network-attached storage (NAS), 12
• network-based intrusion detection system/intrusion prevention system (NIDS/NIPS), 210–211
• networking, as building block technology, 13
• New York Department of Financial Services (NY DFS), 264
• next-generation firewalls (NGFW), 210
• nondisclosure agreement (NDA), 26, 117–118
• non-functional testing, 160
• nonrepudiation, 100–101
• normalization, 78
• North American Electric Reliability Corporation Critical Infrastructure Protection (NERC/CIP), 298
• nullification, 71

O

• OAuth2, 174
• object storage, 64
• object-level encryption, 69
• Okta, 127
• OMB Cloud Working Group, 312
• OneDrive, 9
• one-way encryption, 70
• online analytic processing (OLAP), 79
• Open Systems Interconnection (OSI), 14
• Open Web Application Security Project® (OWASP), 97, 129, 142, 144, 145, 153, 156, 157. See also OWASP Top 10
• open-source software (OSS), 163, 167–168, 315
• OpenSSL, 167
• operating expenditures (OpEx), 3, 11
• operating system baseline compliance monitoring and remediation, 202–203
• operational controls and standards, implementation of, 212–218
• operations and maintenance (O&M), 144
• Oracle databases, 64
• Oracle VM, 108
• Oracle VM VirtualBox, 108
• orchestration, as building block technology, 13
• Organisation for Economic Co-operation and Development (OECD), 259
• outsourcing, 27, 309–316
• overwriting, 37
• OWASP Top 10, 143, 150, 156, 163, 170
• ownership, as way to drive data classification levels and schemes, 83

P

• P score, 221
• packet capture (pcap), 130
• Parallels Desktop, 108
• PASTA (Process for Attack Simulation and Threat Analysis), 154–155
• patch management, 203–205
• patching, 42, 186
• pattern matching, as method of content analysis, 81
• Payment Card Industry Data Security Standard (PCI DSS), 23–24, 26, 52, 53, 74, 84, 170, 216, 262–263, 269, 298
• penetration testing as a service (PTaaS), 17
• penetration tests, 26
• performance, as cloud shared consideration, 24
• performance and capacity monitoring, 205–206
• persistence, as ideal attribute of IRM system, 88
• Personal Information Protection Act (PIPA) (British Columbia), 263
• Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), 5, 52, 263, 302
• personally identifiable information (PII), 52, 84, 217, 268–269, 272, 274
• physical access control, 34, 35
• physical and logical infrastructure for cloud environment, 182–212
• physical design (of data center), 116–117
• physical environment, 104–105
• platform as a service (PaaS), 3, 15, 16, 17–18, 49, 64–65, 107, 108
• platform capability types, 16
• platform components, 104–113
• point of presence (POP), 184
• policies, 125, 293–296
• portability, 22, 46–47
• precedent, defined, 258
• primary account number (PAN), 73–74
• privacy, 23, 261, 268
• privacy impact assessment (PIA), 280–281
• privacy information management system (PIMS), 217
• privacy issues, 267–281
• privacy laws, 5, 23, 34, 83, 94, 219, 242, 250, 256, 257, 259, 263, 268, 269, 272, 273, 274, 275, 277, 280, 302. See also Australian Privacy Act; Clarifying Lawful Overseas Use of Data Act (U.S. CLOUD Act); General Data Protection Regulation (GDPR) (EU); Gramm-Leach-Bliley Act (GLBA); Privacy Shield; Stop Hacks and Improve Electronic Data Security (SHIELD) Act (New York); Stored Communication Act (SCA) of 1986
• privacy requirements, 278
• Privacy Shield, 263, 275
• private cloud, 3, 19, 105
• private data, 269–276
• privilege access control, 35–36
• privileged access management (PAM), 35, 179
• problem management, 221
• product certifications, system/subsystem, 54–56
• protected health information (PHI), 84, 269, 274, 276, 277
• Protection Profiles (PP), 308
• proxies, 37
• pseudo-anonymization/pseudonymization, 73
• public cloud, 3, 18–19, 105
• public key infrastructure (PKI), 77

Q

• quality assurance (QA), 164
• quantum computing, 31

R

• random access memory (RAM), 63–64
• ransomware, 67
• raw device mapping (RDM), 64
• real world scenarios, $16 USD: The Price of Cracking SMS MFA, 111–112
• records retention, 90
• recovery point objective (RPO), 133–134, 135
• recovery service level (RSL), 133, 134
• recovery time objective (RTO), 133, 135
• RedRAMP packages, 26
• redundant arrays of independent disks (RAIDs), 61
• reference architecture (RA), 14
• regression testing, 160
• regulated private data, 268–271
• regulators, 5–6, 238–239
• regulatory, as cloud shared consideration, 26
• regulatory noncompliance, 66
• regulatory requirements, 264, 302–303
• Rehman, Rafeeq (author), 240
• related technologies, impact of, 27–33
• release management, 221–222
• Remote Desktop Protocol (RDP), 189, 201
• REpresentational State Transfer (REST), 169
• reservations, use of term, 197
• resiliency, 23–24, 44
• resilient designs (of data center), 118–119
• resolving, 193
• resource pooling, 10
• return on investment (ROI), 46
• reversibility, 22
• RFC 7348, 191
• Rijndael, 68
• risk appetite, 301
• risk assessment, 119–120, 307–308
• risk frameworks, 304–305
• risk management, 300, 307
• risk management frameworks (RMFs), 215, 217, 244, 253, 304, 306
• risk mitigation strategies, 123–124
• risk profile, defined, 300–301
• risk treatment, 303–304
• risks, 120, 122, 149–153, 256–267, 258
• role-based access control (RBAC), 112
• Runtime Application Self-Protection (RASP), 162

S

• SaaS IAM/SaaS-provided IAM, 115, 121, 127
• Safe Harbor, 263
• SAFECode, 140, 157
• safeguards, 303
• Safeguards Rule (US), 276
• Salesforce, 13, 127
• sandboxing, 172–173
• SANS CWE Top 25, 143–144
• SANS Institute, 142
• SANS security principles, 50
• Sarbanes-Oxley Act (SOX), 26, 263, 274, 302–303
• schema, 80
• scoping, 293
• secrets, 77, 77–78
• secure by design principle, 43
• secure coding, 156–157
• Secure Coding Practices, 157
• Secure Control Framework (SCF), 281, 293
• secure data lifecycle, 59
• Secure FTP (SFTP), 8
• secure network configuration, 190–199
• secure SDLC (SSDLC), 144, 145–147, 149–158
• Secure Shell (SSH), 59, 188–189, 201
• Secure Sockets Layer (SSL), 191
• security, 23, 48–49
• Security and Risk Management, 51
• Security Assertion Markup Language (SAML), 174
• Security Associate (SA), 194
• security controls, 124–130, 244–245
• security development lifecycle (SDL), 144, 145–148
• security function isolation, 125
• security groups, 187
• security hygiene, 41–42
• security information and event management (SIEM), 80, 99, 130, 219–221, 245–246
• security operations, 239–253
• security operations center (SOC), 240–245
• Security Technical Implementation Guides (STIGs), 186, 196
• security testing, 160–161
• semantics, 80
• semi-structured data, 81–82
• sensitive data, 84–85
• serverless computing/ technology, 40–41, 187
• service access, 36
• service catalog, 213
• service level management, 225–226
• service level requirements (SLRs), 310
• service models, 3, 15
• Service Organization Controls (SOC), 264
• Service Organization Controls (SOC) 2 framework, 217
• Service Organization Controls (SOC) 2, Type II report, 166
• service-level agreement (SLA), 19, 22, 25, 26, 122, 226, 229, 310–311
• shadow IT, 9
• share, as step/phase of cloud secure data lifecycle, 43, 59, 60
• share phase controls, 60
• shared responsibility model, 6, 48, 49, 236–237
• shared security model, 126
• SharePoint, 9, 75, 295
• shuffling, 71
• single point of failure (SPOF), 31, 118, 185, 186
• single sign-on (SSO), 135, 175, 176, 202
• site-to-site VPNs, 194
• Slack, 75
• SMS MFA code, price of cracking, 111–112
• SOC 1, 285, 286
• SOC 2, 52, 278, 285, 286, 287, 288, 300
• SOC 2 Type I report/audit, 286
• SOC 2 Type II report/audit, 52, 113, 117, 121, 283, 286, 290
• SOC 3, 285, 286, 287
• SOC reports, 26
• software as a service (SaaS), 3, 15, 17, 48–49, 65, 107, 108
• Software Assurance Maturity Model (SAMM), 144, 145
• software bill of materials (SBOM), 164, 168
• Software Composition Analysis (SCA), 163–164
• software configuration management (SCM), 157–158
• software development lifecycle (SDLC), 144–148
• Software Engineering Institute (SEI) (Carnegie Mellon University), Incident Management Capability Assessment, 253
• software-defined network (SDN), 184
• software-defined perimeter (SDP), 194–195, 209
• Solar Winds, attack against (2020), 315
• solid-state drive (SSD), 59, 63
• Spanning Tree Protocol (STP), 191
• SSL VPN, 194
• stakeholders, 239, 296–297
• stand-alone hosts, 196
• statement of work (SOW), 310
• Statement on Standards for Attestation Engagements (SSAE), 287
• Static Application Security Testing (SAST), 161, 168
• statutory requirements, 263
• Stop Hacks and Improve Electronic Data Security (SHIELD) Act (New York), 263, 277
• storage, 12, 110–111
• storage area network (SAN), 12, 75, 184
• storage as a service (STaaS), 17
• storage clusters, 199
• storage controllers, 184
• storage types, 63–67
• storage-level encryption, 69
• store phase controls, 59–60
• Stored Communication Act (SCA) of 1986, 276
• STRIDE mnemonic, 153–154
• substitution, as obfuscation method, 71
• supplemental security components, 169–171
• supply chain management, 314–315
• supply chain risk management (SCRM), 121, 166, 300
• switched port analyzer (SPAN), 185
• system inventory tool, 47
• systems development lifecycle (SDLC), 58
• system/subsystem product certifications, 54–56

T

• tailoring, 293
• Target, attack against (2015), 314
• Target of Evaluation (ToE), 308
• technical access control, 34
• Technology Solution Services (TSS), 51
• tenant partitioning, 114–115
• tenants, use of term, 11
• theft, as threat to storage type, 67
• third-party software management, 166–167
• threat modeling, 153
• threats, 41, 66–67, 122–123, 142
• tightly coupled cluster, 199
• Title II of the Electronic Communication Private Act, 276
• tokenization, 73–74
• traceability (of data events), 96
• training, 79, 140–144, 215
• transformative technologies, 27–33
• transparency requirements, 302–303
• Transport Layer Security (TLS), 59, 114, 191–192
• Treacherous 12, 142
• Trust Service Criteria (TSC), 217
• Trusted Computing Group, 183
• trusted execution environment (TEE), 32, 36
• Trusted Platform Module (TPM), 182–183
• two-factor authentication (2FA), 176
• Type 1 (authentication factor), 177
• type 1 hypervisor, 39, 108
• Type 2 (authentication factor), 177
• type 2 hypervisor, 108
• Type 3 (authentication factor), 177

U

• UK Information Commissioner's Office, 5
• unit testing, 159
• United States, data privacy law in, 273–277. See also Clarifying Lawful Overseas Use of Data Act (U.S. Cloud Act); Gramm-Leach-Bliley Act (GLBA); Health Insurance Portability and Accountability Act (HIPAA)
• unstructured data, 80–81
• Uptime Institute, 198
• U.S. Defense Information Systems Agency (DISA), 196
• U.S. Department of Commerce, 239
• U.S. Department of Health and Human Services, 6
• U.S. Privacy Shield framework, 239
• usability testing, 159
• use phase controls, 60
• user access, 35
• user interface (UI), 190

V

• validated open-source software, 167–168
• validation, of cloud software, 158–165
• value variance, 71
• vendor lock-in, 47–48
• vendor management, 311–312
• vendor management office (VMO), 165–166
• Veracode, 157
• verification against criteria, 52–54
• verified secure software, 165–168
• versioning, 24–25
• virtual extensible LAN (VXLAN), 191
• virtual hardware-specific security configuration requirements, 186–187
• virtual local area network (VLAN), 110, 185, 191
• virtual machines (VMs), 11, 30, 39, 204
• virtual network computing (VNC), 189
• virtual private cloud (VPC), 105, 173, 182, 187
• virtual private networks (VPNs), 9, 37, 59, 193–194
• VirtualBox, 39
• virtualization, 11–12, 30, 64, 108–110, 284
• virtualization management tools, installation and configuration of, 185–186
• virtualization security, 39–41
• VM escape, 39, 109
• VMare, 157, 196, 284
• VMware ESXi, 39, 198
• VMware vSphere, 39, 108, 185
• VMware Workstation Pro/VMware Fusion, 108
• VMware's DRS, 199
• volume storage, 64
• volume-level encryption, 69
• vulnerability assessments, 211
• vulnerability scans, 26, 156

W

• waterfall methodology, 147
• web application firewall (WAP), 162, 169, 171, 209, 244
• Well-Architected Framework, 50
• white-box testing, 161
• Windows Server, 16
• Windows Server Update Services (WSUS), 203
• Windows Virtual PC, 108
• workaround, 221
• write once, read many (WORM) media, 95

X

• Xen hypervisor, 108

Y

• YAML, 21

Z

• zero trust architecture (ZTA), 37
• zero trust network, 38
• zero trust network architecture (ZTNA), 112
• zone transfers, 193
• Zoom, 277