All-or-Nothing-Transform with Reed-Solomon (AONT-RS)
Integrates the AONT and erasure coding. This method first encrypts and transforms the information and the encryption key into blocks in a way that the information cannot be recovered without using all the blocks. Then it uses the information dispersal algorithm (IDA) to split the blocks into m shares that are distributed to different cloud storage services (the same as in Secret Sharing Made Short [SSMS]).
The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.
Anything as a Service (XaaS)
XaaS refers to the growing diversity of services available over the Internet via cloud computing as opposed to being provided locally, or on-premises.
An open source cloud computing and infrastructure as a service (IaaS) platform developed to make creating, deploying, and managing cloud services easier by providing a complete stack of features and components for cloud environments.
Application Normative Framework (ANF)
A subset of the organizational normative framework (ONF) that contains only the information required for a specific business application to reach the targeted level of trust.
Application Programming Interfaces (APIs)
A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.
Software technology that encapsulates application software from the underlying operating system (OS) on which it is executed.
The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station, or originator.
The granting of right of access to a user, program, or process.
Usually involves splitting up and storing encrypted information across different cloud storage services.
Business Impact Analysis (BIA)
An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.
Chain of Custody
It is the responsibility of each transferee to ensure that the items are accounted for during the time they are in his possession, that they are properly protected, and that there is a record of the names of the persons from whom he received the items and to whom he delivered those items, together with the time and date of such receipt and delivery.
This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).
Cloud App (Cloud Application)
Short for cloud application, cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the Internet.
Cloud Application Architect
Typically responsible for adapting, porting, or deploying an application to a target cloud environment.
Cloud Application Management for Platforms (CAMP)
A specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms.
Someone who determines, from a technical perspective, when and how a private cloud meets the policies and needs of an organization's strategic goals and contractual requirements. Also responsible for designing the private cloud, being involved in hybrid cloud deployments and instances, and having a key role in understanding and evaluating the technologies, vendors, services, and other skill sets needed to deploy the private cloud or to establish and operate the hybrid cloud components.
Cloud Backup Service Provider
A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center.
Cloud Backup Solutions
Enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup.
A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices to handle applications.
Cloud Computing Accounting Software
Accounting software that is hosted on remote servers.
Cloud Computing Reseller
A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.
Cloud Data Architect
Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant service-level agreements (SLAs) and that the storage components are functioning according to their specified requirements.
A database accessible to clients from the cloud and delivered to users on demand via the Internet.
Focuses on development for the cloud infrastructure. This role can vary from client tools or solutions engagements through systems components. Although developers can operate independently or as part of a team, regular interactions with cloud administrators and security practitioners are required for debugging, code reviews, and relevant security assessment remediation requirements.
The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: cloud provider, client, and application.
Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help to ensure a company's cloud computing-based resources are working optimally and properly interacting with users and other services.
The process of transitioning all or part of a company's data, applications, and services from onsite premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis.
Cloud Operating System (OS)
A phrase frequently used in place of platform as a service (PaaS) to denote an association to cloud computing.
The ability to move applications and their associated data between one cloud provider and another or between public and private cloud environments.
A service provider who offers customers storage or software solutions available via a public network, usually the Internet.
The deployment of a company's cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite behind the firewall or in the private cloud.
Cloud Server Hosting
A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud.
Cloud Services Brokerage (CSB)
Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers (CSPs). It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services.
The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.
Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions.
The compute parameters of a cloud server are the number of central processing units (CPUs) and the amount of random access memory (RAM).
Content Delivery Network (CDN)
A service where data is replicated across the global Internet.
Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions.
The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.
The process of deliberately destroying the encryption keys that were used to encrypt the data originally.
Database Activity Monitoring (DAM)
A database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs.
Database as a Service (DBaaS)
In essence, a managed database service.
Data Loss Prevention (DLP)
Auditing and preventing unauthorized data exfiltration.
A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.
Using strong magnets for scrambling data on magnetic media such as hard drive and tapes.
Demilitarized Zone (DMZ)
Isolates network elements such as email servers that, because they can be accessed from untrusted networks, are exposed to external attacks.
Desktop as a Service (DaaS)
A form of virtual desktop infrastructure (VDI) that a third party outsources and handles.
Digital Rights Management (DRM)
Focuses on security and encryption to prevent unauthorized copying, thus limiting distribution to only those who pay.
Dynamic Application Security Testing (DAST)
The process of testing an application or software product in an operating state.
e-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence.
An overt secret writing technique that uses a bidirectional algorithm in which humanly readable information (referred to as plaintext) is converted into humanly unintelligible information (referred to as ciphertext).
A special mathematical code that allows encryption hardware and software to encode and then decipher an encrypted message.
Software that a business uses to assist in solving problems.
Enterprise Risk Management
The set of processes and structures to systematically manage all risks to the enterprise.
An open source cloud computing and infrastructure as a service (IaaS) platform for enabling AWS-compatible private and hybrid clouds.
Federal Information Processing Standard (FIPS) 140-2
A National Institute of Standards and Technology (NIST) publication written to accredit and distinguish secure and well-architected cryptographic modules produced by private-sector vendors. These vendors seek to have, or are in the process of having, their solutions and services certified for use in U.S. government departments and regulated industries that collect, store, transfer, or share data deemed sensitive but not classified as top secret.
Federated Identity Management (FIM)
An arrangement that can be made among multiple enterprises allowing subscribers to use the same identification data to obtain access to the networks of all enterprises in the group.
Federated Single Sign-On (SSO)
A system that allows a single user authentication process across multiple information technology (IT) systems or even organizations. SSO is a subset of federated identity management (FIM), as it relates only to authentication and technical interoperability.
Hardware Security Module (HSM)
A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protection of log files, and more.
Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider (CSP) for processing without the requirement to decipher the data first.
Hybrid Cloud Storage
A combination of public cloud storage and private cloud storage in which some critical data resides in the enterprise's private cloud whereas other data is stored and accessible from a public cloud storage provider.
Identity and Access Management (IAM)
The security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Responsible for (a) providing identifiers for users looking to interact with a system, (b) asserting to such a system that such an identifier presented by a user is known to the provider, and (c) possibly providing other information about the user that is known to the provider. This can be achieved via an authentication module that verifies a security token that can be accepted as an alternative to repeatedly and explicitly authenticating a user within a security realm.
Infrastructure as a Service (IaaS)
A model that provides a complete infrastructure (servers and internetworking devices) and allows companies to install software on provisioned servers and control the configurations of all devices.
Represents an overview of application security. It introduces definitions, concepts, principles, and processes involved in application security.
The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.
The plane that controls the entire infrastructure. Because parts of it are exposed to customers independent of the network location, it is a prime resource to protect.
A weak form of confidentiality assurance that replaces the original information with asterisks or Xs.
Mean time between failure (MTBF)
The measure of the average time between failures of a specific component or part of a system.
Mean time to repair (MTTR)
The measure of the average time it should take to repair a failed component or part of a system.
Mobile Cloud Storage
A form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere.
A method of computer access control that a user can pass by successfully presenting authentication factors from two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification).
Multiple customers using the same public cloud.
National Institute of Standards and Technology (NIST) SP 800-53
A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
The assurance that a specific author actually did create and send a specific item to a specific recipient and that it was successfully received. With assurance of nonrepudiation, the sender of the message cannot later credibly deny having sent the message, nor can the recipient credibly claim not to have received it.
Making code convoluted to such a degree that, even if the source code is obtained, it is not easily decipherable.
Additional metadata, such as content type, redundancy required, and creation date, that is stored for a file. These objects are accessible through application programming interfaces (APIs) and potentially through a web user interface (UI).
Leverages the Internet and cloud computing to create an attractive offsite storage solution with little hardware requirements for any business of any size.
Organizational Normative Framework (ONF)
A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization.
Personal Cloud Storage
A form of cloud storage that applies to storing an individual's data in the cloud and providing the individual with access to the data from anywhere.
Any information relating to an identified or identifiable data subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
Personally Identifiable Information (PII)
Information that can be traced back to an individual user, such as name, postal address, or email address. Personal user preferences tracked by a website via a cookie are also considered personally identifiable when linked to other PII you provide online.
Platform as a Service (PaaS)
A category of cloud computing services that provides a computing platform and a solution stack as a service. It provides a way for customers to rent hardware, operating systems (OSs), storage, and network capacity over the Internet from a cloud service provider (CSP).
Private Cloud Project
Used by organizations to enable their information technology (IT) infrastructures to become more capable of quickly adapting to continually evolving business needs and requirements.
Private Cloud Storage
A form of cloud storage in which the enterprise data and cloud storage resources reside within the enterprise's data center and behind the firewall.
Public Cloud Storage
A form of cloud storage in which the enterprise and storage service provider are separate and the data is stored outside the enterprise's data center.
Quality of Service (QoS)
The capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, synchronous optical networking (SONET), and Internet protocol (IP)-routed networks that may use any or all of these underlying technologies.
A data structure or collection of information that must be retained by an organization for legal, regulatory, or business reasons.
Redundant Array of Independent Disks (RAID)
An approach to using many low-cost drives as a group to improve performance. Also provides a degree of redundancy that makes the chance of data loss remote.
Request for Proposal
A solicitation, often made through a bidding process by a company, looking to secure goods or services from an external vendor.
In software development, including web development and revision control, a testing environment that isolates untested code changes and outright experimentation from the production environment or repository.
Cloud Security Alliance's Cloud Controls Matrix
A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.
Security Assertion Markup Language (SAML)
A standard for exchanging authentication and authorization data between security domains.
Security Information and Event Management (SIEM)
A method for analyzing risk in software systems.
Service-Level Agreement (SLA)
A formal agreement between two or more organizations: one that provides a service and the other that is the recipient of the service. It may be a legal contract with incentives and penalties.
Software as a Service (SaaS)
A distributed model in which software applications are hosted remotely by a vendor or cloud service provider (CSP) and made available to customers over network resources.
Software-Defined Networking (SDN)
A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components.
Static Application Security Testing (SAST)
A set of technologies designed to analyze application source code, byte code, and binaries for coding and design conditions that are indicative of security vulnerabilities.
The collection of multiple distributed and connected resources responsible for storing and managing data online in the cloud.
STRIDE Threat Model
Derived from an acronym for the following six threat categories: spoofing identity, tampering with data, repudiation, information disclosure, denial of service (DoS), and elevation of privilege.
TCI Reference Architecture
A methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities. Allows them to plan a roadmap to meet the security needs of their business.
The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
Highlights where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or nontechnical constraints.
Vertical Cloud Computing
The optimization of cloud computing and cloud services for a particular vertical (such as a specific industry) or specific-use application.
Virtual Machine Introspection (VMI)
A VMI helps to mitigate risk and ensure that a virtual machine's (VM's) security baseline is not modified over time. It provides an agentless method to examine all aspects of a VM from its physical location and its network settings to the installed operating systems (OSs), patches, applications, and services being used.
Enable cloud computing to become a real and scalable service offering due to the savings, sharing, and allocation of resources across multiple tenants and environments.
Web Application Firewall (WAF)
An appliance, server plug-in, or filter that applies a set of rules to a hypertext transfer protocol (HTTP) conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.