Cloud Security Guidance by JCK
# Computing Acronyms / Cloud Computing Alphabit
# I also recommend that you have two monitors available if possible. One is for the exam itself and the other is for the Guidance and ENISA documents, as well as the latest copy of the Cloud Controls Matrix.
# Cloud Model / Deployment Models / Hybrid / Cloud Bursting = an application deployment model in which an application runs in a private cloud or data center and bursts into a public cloud using a load balancer when the demand for computing capacity spikes.
# MDM - Mobile Device Management
# CAMP - Cloud Application Management for Platforms
## Cloud Model / Essential Characteristics {5} / Broad Network Access / Rapid Elasticity / Measured Service / On-Demand Self-Service / Resource Pooling
## Cloud Model / Essential Characteristics / Multitenancy (listed separately only in ISO/IEC 17788)
## Cloud Model / 3 Service Models / SaaS / PaaS / IaaS / (aka SPI stack OR tiers) http://www.bigcommerce.com/blog/saas-vs-paas-vs-iaas/#the-three-types-of-cloud-computing-service-models-explained
## Cloud Model / 4 Deployment Models / Public / Private / Hybrid / Community
#buz 4 cloud customer considerations = Cross-border or multi-jurisdiction / Assignment of compliance responsibilities including the CSP's providers / CSP capability to show compliance / Relationship between all parties including customer, CSP, auditors and CSP's providers
#buz = Companies are expected to develop and operate their products and services in accordance with "privacy by design" and "privacy by default" principles.
#buz Big Data The 3 Vs of Big Data = Volume, Variety and Velocity
#buz Big Data exabytes = 1,024 petabytes
#buz Big Data petabytes = 1,024 terabytes
#buz Big Data zettabytes = 1,024 exabytes http://en.wikipedia.org/wiki/Zettabyte
#buz Big Data = Big data is a data set of large volume of data, which includes structured and unstructured data.
#buz Big Data = http://www.gartner.com/en/glossary?glossarykeyword=Big%20Data Gartner defines it as such: "Big data is high volume, high velocity, and/or high variety information assets that require new forms of processing to enable enhanced decision making, insight discovery and process optimization."
#buz CSA Cloud Jump Kit = These are the tools needed to investigate in a remote location.
#buz IoT IoT - Internet of Things
#buz IoT = This could be anything from fitness trackers, connected lightbulbs to medical devices and beyond. IoT will connect to the cloud for the back-end processing and storage of all the data collected.
#buz IoT = http://www.gartner.com/en/information-technology/glossary/internet-of-things Gartner defines IoT as: "The Internet of Things {IoT} is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment."
#buz roles Multi-Factor Authentication - (MFA): use of multiple factors in authentication
#buz roles CSA Access Control = restricting access to a resource. Access management is the process of managing access to the resources.
#buz roles CSA Attributes = facets of an identity. Attributes can be relatively static (like an organizational unit) or highly dynamic (IP address, device being used, if the user authenticated with MFA, location, etc.).
#buz roles CSA Authentication = the process of confirming an identity. When you log in to a system you present a username (the identifier) and password (an attribute we refer to as an authentication factor). Also known as Authn.
#buz roles CSA Authoritative Source = the "root" source of an identity, such as the directory server that manages employee identities.
#buz roles CSA Authorization = allowing an identity access to something (e.g. data or a function). Also known as Authz.
#buz roles CSA Entitlement = mapping an identity (including roles, personas, and attributes) to an authorization. The entitlement is what they are allowed to do, and for documentation purposes we keep these in an entitlement matrix.
#buz roles CSA Entity = the person or "thing" that will have an identity. It could be an individual, a system, a device, or application code.
#buz roles CSA Federated Identity Management = the process of asserting an identity across different systems or organizations. This is the key enabler of Single Sign On and also core to managing IAM in Security Guidance.
#buz roles CSA Identifier = the means by which an identity can be asserted. For digital identities this is often a cryptological token. In the real world it might be your passport.
#buz roles CSA Identity Provider = the source of the identity in federation. The identity provider isn't always the authoritative source, but can sometimes rely on the authoritative source, especially if it is a broker for the process.
#buz roles CSA Identity = the unique expression of an entity within a given namespace. An entity can have multiple digital identities, such as a single individual having a work identity (or even multiple identities, depending on the systems), a social media identity, and a personal identity. For example, if you are a single entry in a single directory server then that is your identity.
#buz roles CSA Multi-Factor Authentication = use of multiple factors in authentication. Common options include one-time passwords generated by a physical or virtual device/token (OTP), out-of-band validation through an OTP sent via text message, or confirmation from a mobile device, biometrics, or plug-in tokens.
#buz roles CSA Persona = the expression of an identity with attributes that indicates context. For example, a developer who logs into work and then connects to a cloud environment as a developer on a particular project. The identity is still the individual, and the persona is the individual in the context of that project.
#buz roles CSA Relying Party = the system that relies on an identity assertion from an identity provider.
#buz roles CSA Role = identities can have multiple roles which indicate context. "Role" is a confusing and abused term used in many different ways. For our purposes we will think of it as similar to a persona, or as a subset of a persona. For example, a given developer on a given project may have different roles, such as "super-admin" and "dev", which are then used to make access decisions.
#buz roles Attributes = for each identity, there are attributes that represent the facets of it.
#buz roles Authentication = the process of confirming an identity
#buz roles Authoritative source = the "root" source of an identity
#buz roles Entity = can be a user, a device or a piece of code that has an identity
#buz roles Identifier = the means by which an identity is asserted.
#buz roles Identity Federation = Identity Federation is the relationship between identities and attributes stored across multiple distinct identity management systems.
#buz roles Identity Provider = the source of the identity in federation
#buz roles Identity = this is used by an entity to consistently and comprehensively be identified as unique.
#buz roles Persona = is the expression for an identity with attributes that indicate context.
#buz roles Role = is similar to persona, or can be a subset of a persona. Identities can have multiple roles, which indicate context
#buz roles Federation = The connection of one Identity repository to another. It is the interconnection of disparate Directories Services. Federation, with the use of
#buz roles Relying Party = the system that relies on an identity assertion from an identity provider.
#buz roles SAML = offers portability to disparate and independent security domains with some organizations extending their DS environment via a gateway product that will handle SAML assertions.
#buz sec 4 D's of perimeter security = Deter, Detect, Delay, Deny
#buz sec EDR - Endpoint Detection and Response
#buz soft Sanity Checking = The act of checking that something does not contain elementary mistakes or impossibilities, or is not based on invalid assumptions.
#buz std authentication OASIS \ SAML - Security Assertion Markup Language / an XML-based open standard for exchanging authentication and authorization data between security domains.
#buz std authentication OASIS - Organization for the Advancement of Structured Information Standards
#buz std authentication OAuth - Open Authentication / reference architecture for authentication / is an open authorization, an open standard for authorization that allows users to share their private resources with tokens instead of credentials.
#buz std authentication OIDC - OpenID Connect / authentication layer built on top of OAuth 2.0
#buz std authentication OpenID - OpenID protocol / an open standard that allows users to be authenticated in a decentralized manner. / OpenID is an open standard and decentralized authentication protocol.
#buz std web URL - Uniform Resource Locator / pronounced 'Earl'
#buz std web HTML - HyperText Markup Language / pronounced 'Hit-Mel'
#buz std web XACML - (eXtensible Access Control Markup Language): is a standard for defining attribute-based access controls/authorizations. It is a policy language for defining access controls
#buz storage Nearline = not immediately available, but can be made online quickly without human intervention. Nearline storage dates back to the IBM 3850 Mass Storage System tape library, which was announced in 1974.
#buz storage Offline = not immediately available, and requires some human intervention to become online.
#buz storage Online = immediately available for I/O.
#buz BIG-IP APM - Access Policy Manager
#buz BIG-IP APM - Visual Policy Editor
#buz GRC - Governance, Risk, and Compliance
#buz P2V - Physical to Virtual / is a term that refers to the migration of physical machines to virtual machines.
#buz Agent = also called softbot 'software robot', a computer program that performs various actions continuously and autonomously on behalf of an individual.
#buz Future-proofing - the process of anticipating the future and developing methods of minimizing the effects of shocks and stresses of future events.
#def Black Swan vulnerability = theory of black swan events is a metaphor that describes an event that comes as a surprise, has a major effect, and is often inappropriately rationalised after the fact with the benefit of hindsight
#def Scaling Out = adding more servers (for example, adding servers to a web farm to service requests)
#def Scaling Up = using more powerful servers (such as a four-CPU configuration as opposed to two)
#def adherents = someone who supports a particular party, person, or set of ideas.
#def canonical = conforming to well-established patterns or rules.
#def collude = cooperate in a secret or unlawful way in order to deceive or gain an advantage over others.
#def collusion = secret or illegal cooperation or conspiracy, especially in order to cheat or deceive others.
#def ephemeral = lasting for a very short time
#def immutable = unchanging over time or unable to be changed
#def RPC / RMI - Remote Method Invocation
#def RPC - Remote Procedure Call http://en.wikipedia.org/wiki/Remote_procedure_call
#def Governance = The ability of an organization to govern and measure enterprise risk introduced by cloud computing.
#def repudiation = denial of the truth or validity of something.
#def grid computing - use of widely distributed computer resources to reach a common goal
#def CIO - Chief Information Officer
#def CTO - Chief Technology Officer
#def DSP - Digital Service Providers
#def FAM - File Activity monitoring (DAB - DB Activity monitoring)
#def HDI - Human Development Index
#def OES - Operators of Essential Services
#def SME - Small and Mid-size Enterprises
#def CDIO - chief digital information officer or information technology (IT) director
#def CISO - Chief Information Security Officer
#def PACS - Physical Access Control Systems
#lnk http://cloudsecurityalliance.org/research/working-groups/software-defined-perimeter/#_overview
#lnk d/l: Security Guidance for Critical Areas of Focus in Cloud Computing
@ CDN - Content Delivery Network (or Content Distribution Network)
@ HPC - High-Performance Computing
aaS IaaS / Bare Metal Cloud = a public cloud service in which the customer rents hardware resources from a remote service http://searchstorage.techtarget.com/definition/bare-metal-cloud
aaS IaaS / Bare Metal = http://phoenixnap.com/blog/bare-metal-cloud-vs-iaas
aaS IaaS - Infrastructure As A Service - facilities (physical data center), hardware (proprietary or standard), abstraction (virtualization), and orchestration (APIs).
aaS IaaS = accessed via multiple methods-web, CLI, or API for customers to manage their virtual environment, hence the term cloud management plane (and is part of the metastructure logical model).
aaS IaaS = More mature cloud implementations by consumers are programmatically driven through accessing APIs. In fact, this programmatic-driven virtual infrastructure (referred to as a software defined infrastructure) is something that every cloud consumer should strive for.
aaS IaaS = Software-Defined Infrastructure / allows you to create an infrastructure template to configure all or some aspects of a cloud deployment. These templates are then translated natively by the cloud platform or into API calls that orchestrate the configuration.
aaS / buz / SaaS / MaaS - Monitoring As A Service
aaS / buz / SaaS / = BackBlaze - data storage provider (pilot light OR hot standby)
aaS / buz / XaaS / BaaS / BaaS - Backend As A Service - developers outsource all the behind-the-scenes aspects of a web or mobile application
aaS / buz / XaaS / CaaS / CaaS - Communication As A Service - VoIP or Internet telephony
aaS / buz / XaaS / DBaaS / DBaaS - DataBase As A Service
aaS / buz / XaaS / DRaaS / DRaaS - Disaster Recovery As A Service
aaS / buz / XaaS / XaaS - Anything As A Service
aaS / buz BYOC - Bring Your Own Cloud / http://www.elastichosts.com/blog/ultimate-list-of-cloud-computing-acronyms/
aaS / buz BYOD - Bring Your Own Device / http://www.cloudswitched.com/blog/10-cloud-application-acronyms-explained
aaS / buz BYOK - Bring Your Own Key (customers can use their own key management server)
aaS / buz DaaS - Desktop As A Service
aaS / buz FaaS - Function As A Service
aaS SecaaS - SECurity software As A Service
aaS SecaaS / MSS - Managed Security Services (offered by large cloud providers)
aaS SecaaS / EaaS - Encryption As A Service
aaS SecaaS / SIEMaaS - Security Information and Event Management As A Service
aaS Examples / SaaS = Examples include online word processing and spreadsheet tools, CRM services and web content delivery services (Salesforce CRM, Google Docs, etc).
aaS Examples / PaaS = Examples are Microsoft Azure, Force (Salesforce) and Google App Engine.
aaS Examples / IaaS = Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud.
aaS Shadow Cloud Gaming = service that gives you virtual access to a beefy PC rig for gaming (PaaS/SaaS)
aaS CSP - Cloud Service Provider - Infrastructure, Metastructure (Virtual environment with the cloud management plane), Infostructure (Data), Applistructure (Application and OS) http://www.rationalsurvivability.com/blog/2009/06/incomplete-thought-cloudanatomy-infrastructure-metastructure-infostructure/
aaS SaaS - Software As A Service - SaaS delivers software and its associated data hosted centrally typically in the cloud and are usually accessed by users via a web browser over the Internet.
aaS CSP / SPI - Software as a service, Platform as a service and Infrastructure as a service.
aaS PaaS - Platforms As A Service / http://www.cloudswitched.com/blog/10-cloud-application-acronyms-explained
aaS PaaS = adds a layer of integration with application development frameworks; middle-ware capabilities; and functions such as databases, messaging, and queuing.
aaS PaaS = In the PaaS service model, the provider builds the infrastructure (or leverages IaaS from another provider).
aaS PaaS = Customers in turn leverage this multitenant platform that is fully managed by the provider.
aaS PaaS = example: Database as a Service
aaS iPaaS - Integration Platform As A Service
aaS UCC - Unified Communications & Collaboration / the integration of various communications methods with collaboration tools such as virtual white boards, real-time audio and video conferencing, and enhanced call control capabilities.
aaS UCCaaS - Unified Communications & Collaboration As A Service
aC IaC CM / SaltStack = manages infrastructure as code, open source
aC IaC CM / Chef = manages infrastructure as code, open source - is a company and the name of a configuration management tool http://en.wikipedia.org/wiki/Chef_(software)
aC IaC CM / CloudFormation = manages infrastructure as code, open source http://blog.gruntwork.io/why-we-use-terraform-and-not-chef-puppet-ansible-saltstack-or-cloudformation-7989dad2865c?gi=2af3ec6a3c59
aC IaC CM / Puppet = manages infrastructure as code, open source
aC IaC CM / Ansible = manages infrastructure as code, open source
aC IaC CM - Configuration Management
aC IaC IaC - Infrastructure as Code http://en.wikipedia.org/wiki/Infrastructure_as_code
aC SDI - Software-Defined Infrastructure
arc Data Security / gap network = Data Security Architecture using cloud storage or a queue service that communicates on the provider's network, not within your virtual network. http://en.wikipedia.org/wiki/Air_gap_(networking)
arc Data Security / Dynamic masking = Dynamic masking rewrites data on the fly, typically using a proxy mechanism, to mask all or part of data delivered to a user.
arc Data Security / Test data generation = This is the creation of a database with non-sensitive test data based on a "real" database.
arc Data Security / An example would be using object storage for data transfers and batch processing, rather than SFTP-ing, to static instances.
arc Data Security / Another is message queue gapping: run application components on different virtual networks that are only bridged by passing data through the cloud provider's message queue service. This eliminates network attacks from one portion of the application to the other.
arc CSA / compute abstraction type 1 = Virtual machines / the most-well known form of compute abstraction, and are offered by all IaaS providers. They are commonly called instances in cloud computing since they are created (or cloned) off a base image.
arc CSA / compute abstraction type 2 = Containers / code execution environments that run within an operating system (for now), sharing and leveraging resources of that operating system.
arc CSA / compute abstraction type 3 = Platform-based workloads / logic/procedures running on a shared database platform.
arc CSA / compute abstraction type 4 = Serverless computing broad category that refers to any situation where the cloud user doesn't manage any of the underlying hardware or virtual machines, and just accesses exposed functions.
arc Jericho Cloud Cube Model = dimension 1: Internal/External (Physical Location) http://ccskguide.org/jericho-cloud-cube-model
arc Jericho Cloud Cube Model = dimension 2: Proprietary/Open (State of Ownership)
arc Jericho Cloud Cube Model = dimension 3: Perimeterised/De-perimeterised Architectures (Architectural mindset)
arc Jericho Cloud Cube Model = dimension 4: Insourced/Outsourced (Who provides the cloud service)
arc MSA - MicroService Architecture
arc SOA - Service-Oriented Architecture
arc 1/2 infrastructure macro layers = The raw, physical and logical compute (processors, memory, etc.), networks, and storage used to build the cloud's resource pools.
arc 2/2 infrastructure macro layers = The virtual/abstracted infrastructure managed by a cloud user. That's the compute, network, and storage assets that they use from the resource pools.
buz Discovery by Design = eDiscovery http://techcrunch.com/2011/11/06/discovery-by-design/
buz Blue-Green = deployment application release model that gradually transfers user traffic from a previous version of an app or microservice to a nearly identical new release
buz Encryption Components = 1. where is the data, 2. where is the encryption engine, 3. where are the keys
buz Upgrade / Forklifting = A forklift upgrade is the complete overhaul of an IT infrastructure
buz Upgrade / Lift & Shift = The lift and shift migration approach is about migrating your application and associated data to the cloud with minimal or no changes
buz object storage = Dropbox
buz Cloud = impacts app design & architecture 4 ways: 1. segregation by default, 2. immutable infrastructure, 3. increase use of microservices, 4. PaaS/serverless
buz Access Controls/Encryption
cert CNAP - Cybersecurity National Action Plan
cert CISSP - Certified Information Systems Security Professional
cert CNCI - Comprehensive National Cybersecurity Initiative
cont Docker = set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers http://www.docker.com/products/kubernetes
cont Docker Swarm = a group of either physical or virtual machines that are running the Docker application.
cont Kubernetes = Kubernetes is an open source orchestration system for automating the management, placement, scaling and routing of containers http://labs.play-with-k8s.com
cont Kubernetes \ CNI - Container Network Interface http://dzone.com/articles/understanding-kubernetes-interfaces-cri-cni-amp-cs
cont Kubernetes \ CRI - Container Runtime Interface
cont Kubernetes \ CSI - Container Storage Interface
cont LXC - LinuX Container
cont component / Container = this is the execution environment itself.
cont component / Engine = aka container runtime / this is the environment on top of which a container is run. A very popular example of a container runtime is Docker Engine.
cont component / Image Repository = where all of the images and code that can be deployed as containers are stored. Docker Hub is a popular example.
cont component / Orchestration = orchestration & scheduling controller deals with managing the lifecycle of containers. / Orchestration deals with items such as provisioning and deployment of containers, scaling, movement of containers, and container health monitoring. Example: Kubernetes, Docker Swarm
cp net ULA - Unique Local Address
cp DRS - Distributed Resource Scheduling
cp QOS - Quality Of Service
cp SLA - Service Level Agreement
cp ToS - Terms of Service
cp ULA - User Licensing Agreement
csp MS / Azure
csp MS / Azure / BLOB - Binary Large OBject
csp AWS / Boto3 = Boto is the Amazon Web Services (AWS) SDK for Python.
csp AWS / EC2 - Elastic Compute Cloud IaaS
csp AWS / Elastic Beanstalk = http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html
csp AWS / KMS - Key Management Service
csp AWS / Lambda = lets you run code without provisioning or managing servers (NOT serverless) http://docs.aws.amazon.com/general/latest/gr/glos-chap.html
csp AWS / S3 - Simple Storage Service
csp AWS / VPC - Virtual Private Cloud http://en.wikipedia.org/wiki/Amazon_Virtual_Private_Cloud
csp GCP / GCE = Google Cloud Platform / Google Compute Engine - Infrastructure as a Service component of Google Cloud Platform which is built on the global infrastructure that runs Google's search engine
csp GCP = Google Cloud Platform
csp Data Dispersion = This process takes data (say, an object), breaks it up into smaller fragments, makes multiple copies of these fragments, and stores them across multiple servers and multiple drives to provide high durability (resiliency)
csp Data Fragmentation or Bit Splitting = This process takes data (say, an object), breaks it up into smaller fragments, makes multiple copies of these fragments, and stores them across multiple servers and multiple drives to provide high durability (resiliency)
csp OPEX vs CAPEX = OPerating Expense vs CAPital Expense
data Data Security Lifecycle 6 phases = Create / Store / Use / Share / Archive / Destroy http://www.securosis.com/blog/data-security-lifecycle-2.0
data example Pharmacist = The Data Controller
data example Accountants = The Data Processor
data example DBA = The Data Custodian
data Crypto-shredding = the practice of 'deleting' data by deliberately deleting or overwriting the encryption keys. This requires that the data have been encrypted. Data comes in these three states: data at rest, data in transit and data in use. In the CIA triad of confidentiality, integrity, and availability all three states must be adequately protected.
database \ The Data C************** = In the majority of data protection laws, when the data is transferred to a third party custodian, responsible for the security of the data.
database \ The Data Controller (UK) = The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria
database \ The Data Custodian (US) = The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria
database \ The Data Processor = A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
database \ The Data Subject = Identified or identifiable natural person (see EU Directive 95/46/EC) from whom data is collected and/or about whom that data is processed
database \ Data Sovereignty = the idea that data are subject to the laws and governance structures within the nation it is collected http://en.wikipedia.org/wiki/Data_sovereignty
database HDFS / MapReduce = Mapping input data is divided into input splits for analysis. Reducer processes the data that comes from the mapper.
database HDFS / YARN - Yet Another Resource Negotiator
database HDFS - Hadoop Distributed File System (Apache Hadoop) http://www.tutorialspoint.com/hadoop/hadoop_mapreduce.htm
database DAB - DB Activity monitoring (FAM - File Activity monitoring)
database DAM - Database Activity Monitoring / captures and records all Structured Query (duplicate acronym: Digital Asset Management)
database TDE - Transparent Data Encryption http://en.wikipedia.org/wiki/Transparent_data_encryption
database Homomorphic Encryption = form of encryption allowing one to perform calculations on encrypted data without decrypting it first / http://en.wikipedia.org/wiki/Homomorphic_encryption
data Data-centric security = an approach to security that emphasizes the security of the data itself rather than the security of networks, servers, or applications. http://en.wikipedia.org/wiki/Data-centric_security
db SQL - Structured Query Language
dr BCP - Business Continuity Planning
dr BP - Business Process
dr BPM - Business Process Management
dr BIA \ RPO - Recovery Point Objective (disaster recovery)
dr BIA \ RTO - Recovery Time Objective (disaster recovery)
dr BIA - Business Impact Analysis
hard HDD - Hard Disk Drive
hard UPS - Uninterruptible Power Supply
hard SSD - Solid-State Drive
HDD RAID - Redundant Array of Independent Disks (originally Redundant Array of Inexpensive Disks)
legal court terminology / integrity = Integrity can be defined as assurance of the accuracy and reliability of information and systems from its original state (called a "reference version").
legal court terminology / authenticity = Authenticity is defined as assurance that the "reference version" data has not been altered from what it was when another party was in control of it.
legal International Safe Harbor Privacy = This treaty basically allowed companies to commit voluntarily to protecting EU citizens' data stored in the United States the same way that it would protect the data if it were held in the European Union.
legal International Safe Harbor Privacy = otherwise known as the Safe Harbor agreement, between the United States and the European Union.
legal APEC / Privacy Framework = Asia Pacific Economic Cooperation / Privacy Framework
legal Data Sovereignty = the idea that data are subject to the laws and governance structures within the nation it is collected http://en.wikipedia.org/wiki/Data_sovereignty
legal EU-US Privacy Shield = operates in much the same way as the old Safe Harbor under the EU GDPR
legal sectoral = covers specific categories of personal data
legal right-to-audit clause = (aka 'first-party audit') should be obtained whenever possible. This clause should state requirements for third-party audits and/or certifications and that any reports related to such certification processes or other vulnerability assessments or penetration tests be provided to your institution.
legal adjudicated = a legal term for making an official decision
legal E-Discovery = Electronic Discovery
legal NDA - Non-Disclosure Agreement
legal SLA - Service Level Agreement
legal ToU - Terms of Use
legal BCR - Binding Corporate Rules
legal SCC - Standard Contractual Clauses
legal omnibus = covers all categories of personal data
legal FISMA / FIPS 199 - Federal Information Processing Standards / FIPS 199 and FIPS 200 are mandatory security standards as required by FISMA. http://en.wikipedia.org/wiki/FIPS_199
legal FISMA - Federal Information Security Management Act of 2002 http://en.wikipedia.org/wiki/FISMA
legal AUS / ACL - Australian Consumer Law
legal CAN / PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
legal click-wrap agreement = A non-negotiated contract
legal EU / CSIRT = Computer Security Incident Response Team - Each member state must create a CSIRT. These CSIRTs will work in cooperation with CSIRTs across all EU/EEA members as part of a cohesive EU-wide network.
legal EU / EEA / GER = Germany also requires that a Data Protection Officer be appointed if the company has more than nine employees.
legal EU / EEA NIS - Network Information Security Directive
legal EU / EEA GDPR = Breaches of security - The GDPR requires that data controllers report security breaches within 72 hours of detection.
legal EU / EEA - European Economic Area - The EEA consists of the EU countries plus Iceland, Liechtenstein, and Norway.
legal EU / EEA = the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive as amended in 2009.
legal EU / GDPR - General Data Protection Regulation (EU GDPR)
legal INT / OECD - Organization for Economic Cooperation and Development / Privacy and Security Guidelines
legal JAP / APPI - Act on the Protection of Personal Information
legal RUS / = Russian Data Protection regulator
legal US / CLOUD Act - Clarifying Lawful Overseas Use of Data Act - introduced in the United States in 2018
legal US / AICPA SOC / CUEC - Complementary User Entity Controls / all controls within a service organization's systematic processes that rely on the user entity for implementation and function. In other words, user entities are accountable for the performance of CUECs. And if a user entity does not consistently perform CUECs as stipulated, its affiliated service organizations may ultimately be unable to deliver contracted control objectives.
legal US / AICPA SOC 1 = reports are traditionally used to prove controls over financial reporting.
legal US / AICPA SOC 2 / Type 1 = A point-in-time look at the design of the controls.
legal US / AICPA SOC 2 / Type 2 = An inspection of the operating effectiveness of the controls over a period of time.
legal US / AICPA SOC 2 = incorporates Trust Services Criteria (TSC) for general IT controls.
legal US / AICPA SOC - System and Organizational Controls
legal US / AICPA - American Institute of Certified Public Accountants
legal US / Gov ATO - Authority to Operate - to offer their services to the US government.
legal US / Gov FedRAMP - Federal Risk and Authorization Management Program / Providers must be FedRAMP authorized
legal US / Law / FRCP Rule 26 = Duty to Disclose; General Provisions Governing Discovery. http://www.law.cornell.edu/rules/frcp/rule_26
legal US / Law / FRCP Rule 26 = Duty to Disclose; The rule requires that a party make disclosures based on information reasonably available and must also disclose any witnesses who will present evidence at trial.
legal US / Law / FRCP ESI - Electronically Stored Information http://thesedonaconference.org
legal US / Law / FRCP - Federal Rules of Civil Procedure - govern civil procedure in United States district courts.
legal US / Law SOX - Sarbanes-Oxley - An auditing law passed by the US Congress that is used for publicly traded companies in the United States.
legal US / FTC - Federal Trade Commission (over cloud companies)
legal US / GSA - General Services Administration
legal US / PHI - Patient Health Information
legal US / PII / SPI - Sensitive Personal Information
legal US / PII - Personally Identifiable Information (GSA - General Services Administration) / Name, email, home address and phone number, last four of SSN
legal US / NYS DFS 500 - New York State Department of Financial Services http://www.mdsny.com/how-to-meet-dfs-23nycrr-500-in-five-steps/
legal US / GLBA - Gramm-Leach-Bliley Act - financial regulations
legal US / HIPAA / PHI - Protected Health Information
legal US / HIPAA - Health Insurance Portability and Accountability Act http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
legal US / COPPA - Children's Online Privacy Protection Act
net- SAN / FCoE - Fibre Channel over Ethernet http://en.wikipedia.org/wiki/Fibre_Channel_over_Ethernet
net- SAN / Fibre Channel / CNA - Converged Network Adapter
net- SAN / Fibre Channel / HBA - Host Bus Adapter
net- SAN / iSCSI - Internet Small Computer Systems Interface
net- SAN / LUN - Logical Unit Number (from SCSI)
net- SAN - Storage Area Network
net- RDP - Remote Desktop Protocol - Microsoft proprietary protocol
net- HTTP - HyperText Transfer Protocol
net- Microsoft IIS - MS Internet Information Services
net- IP - Internet Protocol
net arc Microsegmentation = a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually. It's aimed at making network security more granular. The purpose behind implementing microsegmentation is to limit the blast radius if an attacker compromises a resource.
net arc Flat Network = a computer network design approach that aims to reduce cost, maintenance and administration. Flat networks are designed to reduce the number of routers and switches on a computer network by connecting the devices to a single switch instead of separate switches. http://en.wikipedia.org/wiki/Flat_network
net arc Zero Trust = a security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. http://www.cloudflare.com/learning/security/glossary/what-is-zero-trust
net attack ARP Poisoning = (ARP spoofing, ARP cache poisoning, or ARP poison routing) a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. http://en.wikipedia.org/wiki/ARP_spoofing
net attack MAC Spoofing = a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. http://en.wikipedia.org/wiki/MAC_spoofing
net buz inbound = ingress
net buz outbound = egress
net cp ONF / OpenFlow = a communications protocol that gives access to the forwarding plane of a network switch or router over the network.
net cp ONF / SDN / NFV - Network Function Virtualization http://en.wikipedia.org/wiki/Network_function_virtualization
net cp ONF / SDN - Software-Defined Networking (architecture that offers isolation) / ex: VMware NSX, OpenFlow / SDN is centralized by taking the "brains" out of the underlying networking appliance and placing this functionality in the SDN controller. http://en.wikipedia.org/wiki/Software-defined_networking
net cp ONF - Open Networking Foundation / standard bearer for Software Defined Networking (SDN)
net sec TLS - Transport Layer Security - protocol that provides authentication, privacy, and data integrity between two communicating computer applications.
net Bastion (Transit) = a special-purpose computer on a network specifically designed and configured to withstand attacks.
net Cloud load balancing = a type of load balancing that is performed in cloud computing. http://en.wikipedia.org/wiki/Cloud_load_balancing
net CSA / SDP model - Software Defined Perimeter / aka 'Black Cloud' http://en.wikipedia.org/wiki/Software_Defined_Perimeter
net DOD / DISA - Defense Information Systems Agency http://en.wikipedia.org/wiki/Defense_Information_Systems_Agency
net DOD / GIG - Global Information Grid - an all-encompassing communications project of the United States Department of Defense. http://en.wikipedia.org/wiki/Global_Information_Grid
net Overlay Network = a virtualized network formed on top of the underlay network.
net Underlay Network = the physical infrastructure on which the overlay network is built. It is the underlying network responsible for delivery of packets across networks.
net NFV / VNF - Virtual Network Functions
net NFV - Network Functions Virtualization
net OSI model - Open Systems Interconnection model - People Don't Need Those Stupid Packets Anyway / Physical, Data link, Network, Transport, Session, Presentation, Application
net IETF / RFC - Request for Comments
net IETF - Internet Engineering Task Force http://www.ietf.org/
net IDS = Intrusion Detection System / a device, or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
net Edge Network = The network edge, also known as the WAN edge, is where an enterprise network connects to third-party network services.
net VLAN / PVLAN - Private VLAN
net VLAN - Virtual Local Area Network / 4096 addresses / Most cloud computing today uses SDN for virtualizing networks. (VLANs are often not suitable for cloud deployments since they lack important isolation capabilities for multitenancy.) http://en.wikipedia.org/wiki/Virtual_LAN
net IGP / OSPF - Open Shortest Path First
net IGP / RIP - Routing Information Protocol
net IGP - Interior Gateway Protocol
net ARP - Address Resolution Protocol
net DNS - Domain Name Server
net FTP - File Transfer Protocol
net MAC - Media Access Control
net SSL - Secure Sockets Layer
net SSL - Secure Sockets Layer (used for encrypting traffic between web servers and browsers)
net TCP - Transmission Control Protocol
net TLS - Transport Layer Security (used for encrypting traffic between web servers and browsers)
net XML - eXtensible Mark-up Language
net CIDR - Classless Inter-Domain Routing {10.0.0.0/16} http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
net IP - Internet Protocol
net VLAN = Virtual Local Area Network
net VXLAN - Virtual eXtensible Local Area Network / 16.7 million addresses
net VXLAN / VNI - VXLAN Network Identifier
net VXLAN / VTEP - VXLAN Tunnel End Point
net Router / Fair Queuing = a family of scheduling algorithms used in some process and network schedulers.
net Router / CBQ - Class-Based Queuing / queuing discipline for the network scheduler that allows traffic to share bandwidth equally, after being grouped by classes.
net Router / HTB - Hierarchical Token Bucket / a faster replacement for the class-based queuing discipline in Linux. It is useful to limit a client's download/upload rate so that the limited client cannot saturate the total bandwidth.
sec Identity-as-a-service / PAP-as-a-service - Policy Administration Points
sec Identity-as-a-service / PDP-as-a-service - Policy Decision Points
sec Identity-as-a-service / PEP-as-a-service - Policy Enforcement Points
sec Identity-as-a-service - a generic term that covers one or many of the services that may comprise an identity ecosystem.
sec AAA Vulnerabilities = Authentication, Authorization, and Accounting
sec AAA - Authenticate, Authorize, and Audit
sec CVE - Common Vulnerabilities and Exposures http://cve.mitre.org
sec DLP - Data Loss Prevention
sec HSM - Hardware Security Module - a physical computing device that safeguards and manages digital keys
sec Threat Modeling = a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.
sec aaS IDaaS - IDentity As A Service http://www.webopedia.com/TERM/I/iam-identity-and-access-management.html
sec keys Virtual appliance/software = Deploy a virtual appliance or software-based key manager in the cloud.
sec keys Cloud provider service = This is a key management service offered by the cloud provider.
sec keys HSM - Hardware Security Module (appliance-based key manager) / typically need to be on-premises, and deliver the keys to the cloud over a dedicated connection.
sec keys = Standards exist to help establish good security and the proper use of encryption and key management techniques and processes.
sec keys = Specifically, NIST SP-800-57 and ANSI X9.69 and X9.73.
sec keys Hybrid = HSM as the root of trust for keys but then delivering application-specific keys to a virtual appliance that's located in the cloud.
sec login Federated Identity - the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
sec login Federated Identity / SSO - Single Sign-On (Federation) / a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations.
sec login Federated Identity / FIdM - Federated identity management amounts to having a common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations.
sec login Federated Identity / SOA - Service-Oriented Architecture
sec login FIDO / U2F - Universal 2nd Factor (uses specialized USB or near-field communication [NFC]) http://en.wikipedia.org/wiki/Universal_2nd_Factor
sec login FIDO - Fast IDentity Online http://en.wikipedia.org/wiki/FIDO_Alliance
sec login OTP / TOTP - Time-based One-Time Password http://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
sec login OTP - One-Time Password
sec login RP/SP / IdP - Identity Provider
sec login RP/SP / IP - Identity Provider
sec login RP/SP - Relying Party / Service Provider
sec login OpenID / OIDC - OpenID Connect
sec login OpenID - Open standard and decentralized authentication protocol for Federated Authentication http://en.wikipedia.org/wiki/OpenID
sec login IETF / SCIM - System for Cross-domain Identity Management aka 'Simple Cloud Identity Management' / is a standard for automating the exchange of user identity information between identity domains, or IT systems.
sec login AD - Active Directory
sec login PII - Personally Identifiable Information http://www.vcsolutions.com/blog/what-is-pii/
sec login ADFS - Active Directory Federation Service
sec login IAM - Identity and Access Management (aka IdM - Identity Management)
sec login IdEA - Identity, Entitlement, and Access (aka IAM)
sec login LDAP - Lightweight Directory Access Protocol
sec login SAML - Security Assertion Markup Language (Federation) http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
sec login MFA - Multi-Factor Authentication
sec login MFA / Biometrics - For cloud services, the biometric is a local protection that doesn't send biometric information to the cloud provider and is instead an attribute that can be sent to the provider. As such the security and ownership of the local device needs to be considered.
sec login MFA / Hard tokens - are physical devices that generate one time passwords for human entry or need to be plugged into a reader. These are the best option when the highest level of security is required.
sec login MFA / Out-of-band Passwords - are text or other messages sent to a user's phone (usually) and are then entered like any other one time password generated by a token. Although also a good option, any threat model must consider message interception, especially with SMS.
sec login MFA / Soft tokens - work similarly to hard tokens but are software applications that run on a phone or computer. Soft tokens are also an excellent option but could be compromised if the user's device is compromised, and this risk needs to be considered in any threat model.
sec saas WAF - Web Application Firewall (layer 7, does NOT offer DDoS, can be cloud or on premise)
sec saas WSG - Web Security Gateway
sec saas CASB - Cloud Access Security Brokers (aka Cloud Security Gateways) http://en.wikipedia.org/wiki/Cloud_access_security_broker
sec saas DDoS / EDOS - Economic Denial of Service - The destruction of economic resources; the worst case scenario would be bankruptcy of the customer or a serious economic impact.
sec saas DDoS - Distributed Denial of Service protection service
sec test DAST - Dynamic Application Security Testing (aka "black box" testing)
sec test IAST - Interactive Application Security Testing (designed to address the shortcomings of SAST and DAST)
sec test RASP - Run-time Application Security Protection http://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers
sec test SAST - Static Application Security Testing
sec vm hypervisor - 'guest-hopping attacks', SQL injection attacks exposing multiple customers' data stored in the same table, and side channel attacks.
sec vm hypervisor - 'guest to host escape', an example of which is 'Cloudburst', a VMware vulnerability recently discovered
sec Incident Response Lifecycle
sec Defense in Depth = a concept used in Information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system.
sec CIA Triad - Confidentiality, Integrity, and Availability of information security (infosec)
sec EPP - EndPoint Protection / Examines files as they enter the network. ex: VMware Carbon Black Cloud http://en.wikipedia.org/wiki/Endpoint_security
sec IDS / IPS - Intrusion Detection System / Intrusion Prevention System
sec WAF - Web Application Firewall
sec RND / RNG - Random Number Generator
sec RND / HRNG - Hardware Random Number Generator
sec RND / tRNG - True Random Number Generator
sec SIEM / SEM - Security Event Management
sec SIEM / SIM - Security Information Management http://en.wikipedia.org/wiki/Security_information_and_event_management
sec SIEM \ IDS = Intrusion Detection System / a device, or software application that monitors a network or systems for malicious activity (Anomaly Detection) or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
sec SIEM - Security Information and Event Management / I also don't think it's a secret to say that SIEM experts are very expensive, and there is a very limited pool of talent available.
sec Vulnerability = Any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service
sec VA - Vulnerability Assessment
sec ACL - Access Control List
sec CIA - Confidentiality, Integrity, and Availability (guide policies)
sec DAM - Digital Asset Management system (duplicate acronym: Database Activity Monitoring)
sec DLP - Data Loss Prevention
sec ERM - Enterprise Risk Management
sec FPE - Format Preserving Encryption
sec IRM - Integrated Risk Management
sec PDP - Policy Decision Point http://www.identropy.com/blog/iam-blog/bid/77844/commonly-used-acronyms-in-identity-and-access-management
sec PEP - Policy Enforcement Point
sec ABAC - Attribute-Based Access Control (better in cloud than RBAC)
sec CASB - Cloud Access Security Broker - software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure
sec CBAC - Microsoft's standard, the idea is still Attributes informing the Access http://dzone.com/articles/acl-rbac-abac-pbac-radac-and-a-dash-of-cbac
sec RBAC - Role-Based Access Control (ABAC is better in cloud)
sec SCIM - System for Cross-domain Identity Management
sec RAdAC - Risk Adaptive-Based Access Control
sec STRIDE - Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
sec IETF / OAuth - OAuth is a service that is complementary to and distinct from OpenID http://en.wikipedia.org/wiki/OAuth
sec XACML / PAP - Policy Administration Point - Point which manages access authorization policies
sec XACML / PDP - Policy Decision Point - Point which evaluates access requests against authorization policies before issuing access decisions
sec XACML / PEP - Policy Enforcement Point - Point which intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision
sec XACML / PIP - Policy Information Point - The system entity that acts as a source of attribute values (i.e. a resource, subject, environment)
sec XACML / PRP - Policy Retrieval Point - Point where the XACML access authorization policies are stored, typically a database or the filesystem.
sec XACML - eXtensible Access Control Markup Language (rarely provided by CSP) http://en.wikipedia.org/wiki/XACML
sec SANS Institute / ISC - Internet Storm Center / monitors the level of malicious activity on the Internet, particularly with regard to large-scale infrastructure events. http://isc.sans.edu
sec SANS Institute / SANS Checklist = security checklist
sec SANS Institute = (officially the Escal Institute of Advanced Technologies) a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates.
soft SAFECode = Software Assurance Forum for Excellence in Code / std
soft SANS Checklist = security checklist
soft management IRP - Incident Response Plan / should be performed annually or when significant changes are made.
soft management TOGAF - The Open Group Architecture Framework (Enterprise Architecture) http://www.opengroup.org/togaf
soft management DevOps - Development and Operations / Remember that DevOps is a culture, not a tool or technology (although a continuous integration service is a key component of the CI/CD pipeline that will be leveraged by DevOps).
soft management DevOps = Rugged DevOps OR SecDevOps (also known as DevSecOps and DevOpsSec) is the process of integrating secure development best practices and methodologies into development and deployment processes which DevOps makes possible
soft management DevOps = Rugged DevOps = an approach to software development that places a priority on ensuring that code is secure at all stages of the software development lifecycle. http://whatis.techtarget.com/definition/rugged-DevOps
soft management ITIL / CI - Configuration Item
soft management ITIL / Event = a "change of state" that has significance for the management of an IT service or other configuration item (CI)
soft management ITIL / Incident = an unplanned interruption to an IT service, or a reduction in the quality of service.
soft management ITIL - Information Technology Infrastructure Library (Service Management)
soft management Application Stack Map = can be implemented to understand where data is going to reside.
soft management CSIRTs - Computer Security Incident Response Teams
soft management IR / lifecycle 4 phases = preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
soft management IR - Incident Response / SLAs and setting expectations around what the customer does versus what the provider does are the most important aspects of incident response for cloud-based resources.
soft Chaos Engineering = Chaos engineering is a technique to make software resilient. http://en.wikipedia.org/wiki/Chaos_engineering
soft API / REST / GET = gets the file.
soft API / REST / PATCH = update, but not replace, a file.
soft API / REST / POST = similar to PATCH, but a POST will update and delete the file.
soft API / REST / PUT = new file.
soft API / REST - REpresentational State Transfer (stateless, architectural pattern, JSON) http://www.guru99.com/comparison-between-web-services.html
soft API - Application Programming Interface - specification of interface published by software supplier
soft API / SOAP - Simple Object Access Protocol (protocol)
soft IDE - Integrated Development Environment
soft SDK - Software Development Kit / a collection of software development tools in one installable package. They ease creation of applications by having a compiler, debugger and perhaps a software framework.
soft CMCA - Continuous Monitoring, Continuous Auditing
soft COTS - Commercial Off-The-Shelf
soft FOSS - Free Open Source Software
soft BSIMM - Building Security In Maturity Model http://www.bsimm.com/about/faq.html
soft CI/CD - Continuous Integration (Jenkins server) and Continuous Delivery (or Continuous Deployment)
soft OWASP - Open Web Application Security Project
soft PDCA = Plan-Do-Check-Act / std (or Plan-Do-Check-Adjust, OPDCA - Observe PDCA) the Deming circle/cycle/wheel http://en.wikipedia.org/wiki/PDCA
soft SDLC - Software Development LifeCycle
soft SSDLC - Secure Software Development LifeCycle / ex: Microsoft's Security Development Lifecycle
std ENISA \ Asset = The target of protection in a security analysis
std ENISA \ Availability = The proportion of time for which a system can perform its function
std ENISA \ BS - British Standard
std ENISA \ CA - Certification Authority
std ENISA \ CC - Common Criteria
std ENISA \ Co-residence = Sharing of hardware or software resources by cloud customers
std ENISA \ Confidentiality = Ensuring that information is accessible only to those authorized to have access (ISO 17799)
std ENISA \ CP - Cloud Provider
std ENISA \ CRL - Certificate Revocation List
std ENISA \ CRM - Customer Relationship Management
std ENISA \ Data Controller = The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria
std ENISA \ Data Processor = A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
std ENISA \ Data Subject = Identified or identifiable natural person (see EU Directive 95/46/EC) from whom data is collected and/or about whom that data is processed
std ENISA \ De-provision = The process of enforcing the removal of a resource from use, or disallowing its use by a set of users
std ENISA \ Edge network = In this context, a network of computers which is able to process and store data for delivery close to the final destination
std ENISA \ EDoS - Economic denial of service
std ENISA \ Escrow = The storage of a resource by a third party which has access to that resource when certain well-defined conditions are satisfied
std ENISA \ FIM - Federated Identity Management
std ENISA \ Guest OS = An OS under the control of the cloud customer, running in a virtualised environment
std ENISA \ Host OS = The operating system of the cloud provider which runs multiple guest OSs
std ENISA \ https - Http connection using TLS or SSL
std ENISA \ Hypervisor = Computer software or hardware platform virtualization software that allows multiple operating systems to run on a host computer concurrently
std ENISA \ IDS - Intrusion Detection System
std ENISA \ Integrity = The property that data has not been maliciously or accidentally altered during storage or transmission
std ENISA \ ISO - International Organization for Standardization
std ENISA \ LDAP - Lightweight Directory Access Protocol
std ENISA \ MAC - Media access control (address of a network node in IP protocol)
std ENISA \ MITM - Man In The Middle (a form of attack)
std ENISA \ MSS - Managed Security Services
std ENISA \ NIS - Network and Information Security
std ENISA \ NIST - National Institute of Standards and Technology (US)
std ENISA \ Non-repudiation = The property whereby a party in a dispute cannot repudiate or refute the validity of a statement or contract
std ENISA \ OCSP - Online Certificate Status Protocol
std ENISA \ OS - Operating system
std ENISA \ OTP - One-Time Password (type of authentication token)
std ENISA \ OVF - Open Virtualisation Format
std ENISA \ Perimeterisation = The control of access to an asset or group of assets
std ENISA \ Port Scan = Probing a network host to determine which ports are open and what services they offer
std ENISA \ Protection Profile = A document specifying security evaluation criteria to substantiate vendors' claims of a given family of information system products (a term used in Common Criteria)
std ENISA \ Provision = The issuing of a resource
std ENISA \ PVLAN - Private VLAN
std ENISA \ Resilience = The ability of a system to provide and maintain an acceptable level of service in the face of faults (unintentional, intentional, or naturally caused)
std ENISA \ ROI - Return On Investment
std ENISA \ ROSI - Return On Security Investment
std ENISA \ RPO - Recovery Point Objective
std ENISA \ RTO - Recovery Time Objective
std ENISA \ RTSM - Real-Time Security Monitoring
std ENISA \ Security Target = A document specifying security evaluation criteria to substantiate the vendor's claims for the product's security properties (a term used in Common Criteria)
std ENISA \ Service Engine = The system responsible for delivering cloud services
std ENISA \ Side channel attack = Any attack based on information gained from the physical implementation of a system; e.g., timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system.
std ENISA \ Subpoena = In this context, a legal authority to confiscate evidence
std ENISA - European Union Agency for Cybersecurity
std ETSI - European Telecommunications Standards Institute
std SAFECode - Software Assurance Forum for Excellence in Code
std CIS - Center for Internet Security
std ISO / IEC - International Organization for Standardization / International Electrotechnical Commission
std PCI / DSS - Payment Card Industry / Data Security Standard
std PCI - Payment Card Industry http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
std CSA / - Cloud Security Alliance / inaugural Security Guidance for Critical Areas of Focus in Cloud Computing v4
std CSA / CCM - Cloud Controls Matrix (Cloud Entitlement Matrix - who can access what resources)
std CSA / SDP - Software-Defined Perimeter
std CSA / CAIQ - Consensus Assessment Initiative Questionnaire
std CSA / STAR - Security Trust Assurance and Risk
std AICPA / SAS 70
std AICPA / SOC - System and Organization Controls
std AICPA - American Institute of Certified Public Accountants http://en.wikipedia.org/wiki/American_Institute_of_Certified_Public_Accountants
std NIST / AES - Advanced Encryption Standard (AES-256)
std NIST / ITL - Information Technology Laboratory
std NIST / RMF - Risk Management Framework
std NIST - National Institute of Standards and Technology
std ISMS = Information Security Management System
std ISO/IEC 15408 / CC - Common Criteria / an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1 revision 5. http://en.wikipedia.org/wiki/Common_Criteria
std ISO/IEC 27001 = Part of the vendor management process under ISO 27001 is ensuring that you establish an appropriate service level agreement (SLA) protecting all data within your ecosystem.
std ISO/IEC 27001 = requires the creation of an ISMS
std ISO/IEC 27001 / PDCA - Plan-Do-Check-Act - cycle aligning it with quality standards such as ISO 9000.
std DMTF - Distributed Management Task Force http://en.wikipedia.org/wiki/Distributed_Management_Task_Force
std COBIT - Control OBjectives for Information and related Technology
std e-GIF - e-Government Interoperability Framework http://en.wikipedia.org/wiki/E-GIF
std FedRAMP - FEDeral Risk and Authorization Management Program
std IETF / HSTS - HTTP Strict-Transport-Security http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
std IETF / IAB - Internet Architecture Board http://en.wikipedia.org/wiki/Internet_Architecture_Board
std IETF - Internet Engineering Task Force http://en.wikipedia.org/wiki/Internet_Engineering_Task_Force
std OASIS / OData - Open Data Protocol / Simplifying data sharing across disparate applications in enterprise, Cloud, and mobile devices.
std OASIS - Organization for the Advancement of Structured Information Standards http://en.wikipedia.org/wiki/OASIS_(organization)
std ISACA / Systrust
std ISACA - Information Systems Audit and Control Association http://www.isaca.org
vm hypervisor / Type 1 = installed directly onto the physical server (such as VMware ESXi, Xen, or KVM).
vm hypervisor / Type 2 = installed on top of the operating system already running on a server (such as VMware Workstation, VMware Workstation Player, or Oracle VM VirtualBox).
vm hypervisor = virtual machine - an abstraction layer that decouples the physical hardware from the guest operating system.
vm VM test = iofuzz, crashme
vm VM - Virtual Machine
vm VMM - Virtual Machine Monitor (hypervisor)
vm cp XEN = Open Source Hypervisor http://en.wikipedia.org/wiki/Xen
vm HPC - Hosted Private Cloud
vm KVM - Kernel-based Virtual Machine
vm OVA - Open Virtual Appliance (tar)
vm OVF - Open Virtualization Format (portability) http://en.wikipedia.org/wiki/Open_Virtualization_Format
vm VDI - Virtual Desktop Infrastructure
vm VPC - Virtual Private Cloud
vm VPD - Virtual Private Desktop
vm VPN - Virtual Private Network
vm VPS - Virtual Private Server
X LXC - Linux Containers
X SSH - Secure Shell
X http://solutionsreview.com/cloud-platforms/glossary/
X http://whatis.techtarget.com/
X http://www.allacronyms.com/SOC/computing
X http://www.cram.com/flashcards/ccsk-3657367 (CCSK v3)
X http://www.cram.com/search?query=CCSK&submit=Search (CCSK v4 was made available 2017/12/01)
X http://www.rationalsurvivability.com/blog/2009/06/incomplete-thought-cloudanatomy-infrastructure-metastructure-infostructure/
X http://www.secureworldexpo.com/industry-news/67-top-cybersecurity-acronyms
X http://www.whizlabs.com/certificate-of-cloud-security-knowledge/
x Jim Reavis Co-founder and Chief Executive Officer, CSA says in Grand Rapids CloudCom 2020-08 video that 10,000 people have the CCSK http://cloudsecurityalliance.org/education/ccak/
X LAMP - Linux-Apache-MySQL-PHP
X TLDR - Too Long; Didn't Read
X TMI - Too Much Information
X Building Trust in a Cloudy Sky http://www.mcafee.com/enterprise/en-us/assets/executive-summaries/es-building-trust-cloudy-sky.pdf
X CCSK flashcards torrent
Z_EXAM TIP: Anything that you will be tested on as part of your CCSK exam regarding CASB has been covered in this section, but there is much more to know about this technology, which is covered in the backgrounder.
Z_EXAM TIP: Don't get lost in applistructure thoughts when you're considering the cloud bursting example. How your web application handles things like state transfer and other application-level issues is out of scope for this discussion. For the exam, just recall the example of having a load balancer that will send incoming traffic to a web server that can be in your data center or a cloud-hosted system, depending on current load.
Z_EXAM TIP: Don't waste your time memorizing all of the controls checked by the CSA tools. Download the most recent version of the CCM and the CAIQ, understand the format of each document and its purpose, and have it open when you take your CCSK exam.
Z_EXAM TIP: Earning a CCSK is a great way for auditors to demonstrate their knowledge of cloud services. Remember that customers should work with auditors who have knowledge of the differences between traditional IT and the cloud.
Z_EXAM TIP: For image repository, I'm using the naming used in the CSA Guidance, but you should know about two related concepts: image registries and image repositories. An image registry is used to host and distribute images. An image repository is technically different, because it is defined as a collection of related images. Long story short, this means that an image registry can contain multiple repositories. You'll often see these terms used interchangeably. Your CCSK exam will use the term "image repository."
Z_EXAM TIP: For the exam, remember that compute virtualization abstracts the running of code (including operating systems) from the underlying hardware.
Z_EXAM TIP: For the exam, remember that contracts define the relationship between providers and customers, and they are the primary tool for customers to extend governance to their suppliers.
Z_EXAM TIP: For the exam, remember that the CCM states the control and the responsible party, whereas the CAIQ provides questions you can ask in plain language.
Z_EXAM TIP: For the exam, remember that using an immutable approach enables you to perform the bulk of security tests on the images before they go into production.
Z_EXAM TIP: For your CCSK exam, remember that all components and workloads required of any technology must have secure AAA in place. This remains true when underlying cloud services are consumed to deliver big data analytics for your organization. An example of a cloud-based big data system could consist of processing nodes running in instances that collect data in volume storage.
Z_EXAM TIP: Here's a reminder about the essential characteristics, and it's a big one for your exam. The five characteristics are from NIST (SP800-145). ISO/IEC 17788 calls out multitenancy as an additional essential characteristic. NIST includes multitenancy as part of resource pooling, and CSA states that clouds are multitenant by nature. Just remember that all three organizations see the cloud as a multitenant environment, but only ISO/IEC lists multitenancy separately.
Z_EXAM TIP: Here's the good news for your CCSK exam: you won't be asked about how this is done at the applistructure layer. You will be asked only about the metastructure (or virtual infrastructure) implementation.
Z_EXAM TIP: If you're asked about the difference between software-defined security and event-driven security, remember that software-defined security is a concept, whereas event-driven security puts that concept into action.
Z_EXAM TIP: If you're presented with any questions on OVF on the CCSK exam, remember that portability is the most important element of OVF.
Z_EXAM TIP: If you are asked a question about governance in a private cloud, pay attention to who owns and manages the infrastructure. An outsourced private cloud can incur much more change than insourced.
Z_EXAM TIP: It's important to remember that an IaaS system can be summarized as consisting of facilities (physical data center), hardware (proprietary or standard), abstraction (virtualization), and orchestration (APIs).
Z_EXAM TIP: It's important to remember that whether you are procuring a dedicated "encryption as a service" provider or using customer-managed keys from an IaaS provider, you are procuring a SecaaS.
Z_EXAM TIP: Keep in mind that malicious insiders aren't limited to administrators. A similar risk is posed by auditors, because they may have intimate knowledge of the inside architecture, processes, and weaknesses of a provider.
Z_EXAM TIP: Of the three models, you should get your head around the role of the controller/custodian and remember that jurisdiction is very important to determine applicable laws.
Z_EXAM TIP: Remember for your exam that encryption will often dramatically increase the length of a text, while tokenization and data masking techniques can keep the same length and format of data while rendering it unusable to anyone who may access it.
Z_EXAM TIP: Remember that a major benefit of SecaaS is the ability to enforce your policy using someone else's infrastructure.
Z_EXAM TIP: Remember that audits are a key tool to prove or disprove compliance.
Z_EXAM TIP: Remember that encryption breaks SaaS. This may help you answer multiple questions in your CCSK exam.
Z_EXAM TIP: Remember that immutable deployments and IaC can greatly improve security. You will likely be tested on this.
Z_EXAM TIP: Remember that many states have laws and regulations that require organizations to ensure that service providers provide adequate privacy protections and security measures for personal data.
Z_EXAM TIP: Remember that the CCM is an excellent starting point to build a cloud assessment program based on your existing compliance requirements, but it will need to be tailored to meet your needs.
Z_EXAM TIP: Remember that the FTC has taken the charge from a federal perspective on consumer privacy rights. State attorneys general deal with consumer privacy rights at a state level.
Z_EXAM TIP: Remember that the management plane is part of the metastructure.
Z_EXAM TIP: Remember that the NIS Directive applies to companies outside of the EU/EEA whose services are available in the European Union and that an EU-based representative must be established to ensure NIS Directive compliance.
Z_EXAM TIP: Remember that the STAR Registry contains CAIQ entries that are filled out by vendors and uploaded to the Cloud Security Alliance without any third-party review or assessment.
Z_EXAM TIP: Remember that volatile memory contains all kinds of potentially sensitive information (think unencrypted data, credentials, and so on) and must be protected from unapproved access. Volatile memory must also have strong isolation implemented and maintained by the provider.
Z_EXAM TIP: Remember that you're procuring security software that meets the essential characteristics of the cloud, and you'll be fine.
Z_EXAM TIP: Remember the three components listed here: data gets collected, stored, and processed.
Z_EXAM TIP: Remember these terms for your exam. IAM STANDARDS: There are numerous standards in the IAM world that you need to know about. For your CCSK exam, you may be tested on Security Assertion Markup Language (SAML)
Z_EXAM TIP: Seriously, implement least privilege. If you are asked about appropriate permissions, the answer will always be related to the principle of least privilege.
Z_EXAM TIP: The 2018 update to this law is not covered as part of the CSA Guidance and therefore not likely to be part of the CCSK exam. However, from a real-life perspective, if you operate outside of the Chinese market but want to do business in China, it is highly advisable that you discuss both localization and governmental access to data stored in China with your legal counsel.
Z_EXAM TIP: The CCSK exam will likely test you on the shared responsibility between providers and customers. Take note of the following high-level recommendations for providers and customers: First, providers should properly design and implement controls. They should clearly document internal security controls and customer security features so the cloud user can make an informed decision. Second, customers should build a responsibilities matrix to document who is implementing which controls and how. This should be done on a per-workload basis. Selected controls should align with any necessary compliance standards.
Z_EXAM TIP: The concept of periodic monitoring, testing, and evaluation of your requirements and the vendor relationship is applicable for basically every subject in the CSA Guidance.
Z_EXAM TIP: The identity service offered by the provider may be referred to as the "internal" identity system on the exam.
Z_EXAM TIP: The main goal of the data security lifecycle as far as the CCSK exam goes is not to know every possible control to limit every possible action by any possible actor on every possible data set (or the validity of doing so). The goal for the exam is to understand that you have basic functions that map to phases of the data lifecycle. Based on the location of the data or the access device (that's the key for the exam), you may have different data security lifecycles.
Z_EXAM TIP: These additional services and how they can be leveraged are provider-specific, so you won't be tested on them as part of your CCSK exam.
Z_EXAM TIP: Understand these layers of the logical model. These layers are key to understanding cloud security responsibility shifts and passing your CCSK exam.
Z_EXAM TIP: You'll be seeing quite a few references to standards by NIST and other organizations in this book. Don't jump away from this book and start studying these documents. The CCSK exam is about cloud security according to the CSA; it's not about NIST standards.
Z_EXAM TIP: You don't need to do a deep dive into the various EU standards, the differences between them, and release dates for the CCSK exam. They're highlighted in this introduction because GDPR is a huge deal these days.
Z_EXAM TIP: You should be aware of a couple of things about the whole STAR program. The CAIQ entries are considered "self assessments." Each self assessment is referred to as a "Level 1" STAR entry.
Z_EXAM TIP: You will likely be tested on your understanding that credentials and encryption in an application are the primary differences between applications that run in a cloud versus those that run in a traditional data center.
Z_EXAM TIP: You won't see any general questions in the CCSK exam on either compliance or auditing basics, but do expect to see questions on cloud-specific changes to compliance and audits.