- Shared responsibility model
- Security duties split between cloud provider and customer; the boundary shifts by service model, but data and access are always the customer's.
- Cloud computing (NIST definition)
- On-demand network access to a shared pool of configurable computing resources, rapidly provisioned and released with minimal management effort (NIST SP 800-145).
- Five essential characteristics of cloud
- On-demand self-service, broad network access, resource pooling, rapid elasticity, measured service.
- On-demand self-service
- A consumer can provision computing capabilities automatically, without human interaction with the provider.
- Broad network access
- Capabilities are available over the network and accessed through standard mechanisms across diverse client devices.
- Resource pooling
- Provider resources are pooled to serve multiple consumers in a multi-tenant model, dynamically assigned and reassigned.
- Rapid elasticity
- Capabilities scale out and in quickly, appearing unlimited to the consumer and matching demand.
- Measured service
- Resource usage is metered and reported, enabling pay-per-use billing and optimization.
- IaaS
- Infrastructure as a Service — provider supplies compute, storage, and networking; customer manages the OS, runtime, and applications.
- PaaS
- Platform as a Service — provider supplies a managed platform/runtime; customer manages only the deployed application and its data.
- SaaS
- Software as a Service — provider delivers a fully managed application; customer manages only data and limited settings.
- Who secures most in IaaS vs SaaS?
- The customer secures the most in IaaS and the least in SaaS; the provider's share grows from IaaS to SaaS.
- Always the customer's responsibility
- Data classification and access management (IAM) — in every service model, regardless of provider.
- Always the provider's responsibility
- The physical infrastructure and the virtualization/hypervisor layer — in every service model.
- Public cloud
- Cloud infrastructure provisioned for open use by the general public.
- Private cloud
- Cloud infrastructure provisioned for the exclusive use of a single organization.
- Community cloud
- Cloud infrastructure shared by several organizations with common concerns (mission, security, compliance).
- Hybrid cloud
- A composition of two or more distinct clouds bound by technology enabling data and application portability.
- Multi-cloud
- Using cloud services from more than one provider, often to avoid lock-in or improve resilience.
- Cloud service provider (CSP)
- The entity that offers and operates cloud services.
- Cloud service customer (CSC)
- The entity that consumes cloud services.
- Cloud broker
- An intermediary that manages the use, performance, and delivery of cloud services and negotiates relationships.
- Cloud reference architecture
- A conceptual model describing cloud roles, activities, and functions (NIST SP 500-292).
- Virtualization
- Abstracting physical resources into virtual instances so one host can run many isolated workloads.
- Container
- OS-level virtualization packaging an app with its dependencies; shares the host kernel — lighter than a VM.
- Microservices
- An architecture that decomposes an application into small, independently deployable services.
- Serverless / FaaS
- An execution model where the provider fully manages infrastructure and code runs in response to events.
- Microsegmentation
- Fine-grained network isolation policies down to individual workloads; a building block of zero trust.
- Confidential computing
- Protecting data in use by processing it inside a hardware-based trusted execution environment (TEE).
- Edge computing
- Processing data near where it is generated to reduce latency and bandwidth use.
- Zero trust
- A model granting no implicit trust by network location; every request is authenticated, authorized, and continuously validated.
- Cloud secure design principles
- Build on the data lifecycle, BCDR planning, cost-benefit analysis, functional security requirements, and zero trust.
- Common Criteria (ISO/IEC 15408)
- An international standard for evaluating the security assurance of a product or system.
- FIPS 140-3
- The current U.S. federal standard for validating cryptographic modules (succeeding FIPS 140-2).
- CSA STAR
- CSA's Security, Trust, Assurance and Risk registry — provider self-assessment (CAIQ) and third-party certification.
- CSA CCM
- Cloud Controls Matrix — a vendor-neutral cloud security control framework mapped to major standards.
- CAIQ
- Consensus Assessments Initiative Questionnaire — a CSP self-assessment aligned to the CSA CCM.
- Evaluating a cloud provider
- Verify against criteria such as ISO/IEC 27017, Common Criteria, and FIPS 140-3, plus SOC 2 and CSA STAR.
- Tenancy isolation
- Keeping one tenant's data and workloads separated from others in a multi-tenant cloud — a core security goal.
- Vendor (cloud) interoperability
- The ability of cloud systems to work together and exchange data, reducing lock-in.
- Portability (cloud)
- The ability to move data and applications between providers without major rework.
- Reversibility (cloud)
- A customer's ability to retrieve data and terminate a service so the provider can no longer access it.
- Cloud secure data lifecycle
- Six phases: Create, Store, Use, Share, Archive, Destroy.
- Create phase
- Data is generated or modified; classify and label it as early as possible.
- Store phase
- Data committed to storage; apply encryption at rest and access controls.
- Use phase
- Data viewed or processed; enforce least privilege and information rights management.
- Share phase
- Data made available to others; control egress with DLP and protect transit with TLS.
- Archive phase
- Data moved to long-term retention; apply retention policy, encryption, and integrity checks.
- Destroy phase (cloud)
- Permanent removal; in the cloud this means crypto-shredding (destroying the keys).
- Volume storage
- Block storage attached to a VM like a virtual hard disk (IaaS).
- Object storage
- Storage of data as objects with metadata, accessed via API (e.g., buckets).
- Ephemeral storage
- Temporary storage tied to a running instance; lost when the instance stops.
- Structured vs unstructured data
- Structured fits a defined schema (databases); unstructured does not (documents, media).
- Encryption
- Transforming plaintext into ciphertext with an algorithm and key; reversible only with the key.
- Encryption at rest
- Protecting stored data so it is unreadable without the key.
- Encryption in transit
- Protecting data moving across networks, typically with TLS.
- Encryption in use
- Protecting data while processed, via confidential computing / trusted execution environments.
- Key management system (KMS)
- A system that generates, stores, rotates, and retires cryptographic keys.
- BYOK
- Bring Your Own Key — the customer generates or imports keys into the provider's KMS.
- HYOK
- Hold Your Own Key — the customer keeps and controls keys entirely outside the provider's environment.
- Key escrow
- Storing a copy of keys with a trusted third party for recovery or lawful access.
- Tokenization
- Replacing sensitive data with a non-sensitive token mapped to the real value in a separate secure vault.
- Tokenization vs encryption
- Tokenization swaps data for a vault-mapped token (no key on the data); encryption transforms data with a key.
- Data masking
- Substituting or scrambling data while preserving its format, typically for test/dev use.
- Anonymization
- Irreversibly removing identifiers so data can never be re-linked to an individual.
- Pseudonymization
- Replacing identifiers with pseudonyms that can be re-linked only with separate, protected information.
- Data obfuscation
- Umbrella term for hiding sensitive data (masking, anonymization, tokenization).
- Data dispersion
- Splitting data into fragments stored across locations (RAID-like, in the cloud) for resilience.
- Bit splitting
- Dividing encrypted data into segments distributed across storage so no node holds usable data.
- Crypto-shredding
- Cryptographic erasure — making data unrecoverable by destroying its encryption keys.
- Data remanence (cloud problem)
- Residual data that may persist on shared media you cannot physically wipe — solved by crypto-shredding.
- DLP
- Data Loss Prevention — discover, monitor, and block unauthorized exfiltration of sensitive data.
- DLP three stages
- Discovery, monitoring, and enforcement.
- Data discovery
- Finding and locating sensitive data across structured, unstructured, and semi-structured stores.
- Data classification
- Categorizing data by sensitivity so the right protection, retention, and destruction rules apply.
- Data labeling
- Tagging data with classification and handling metadata.
- IRM
- Information Rights Management — persistent access and usage controls bound to a data object wherever it travels.
- Data retention policy
- Rules for how long data must be kept before deletion or archiving.
- Legal hold
- Suspending normal deletion to preserve data relevant to litigation or investigation.
- Auditability of data events
- Logging data events to provide traceability, accountability, and nonrepudiation.
- Chain of custody
- Documented handling of evidence that preserves its integrity and legal admissibility.
- Nonrepudiation
- Assurance that an actor cannot deny having performed an action.
- Hashing
- A one-way function producing a fixed-length digest used to verify integrity.
- Data sovereignty
- The principle that data is subject to the laws of the country where it is stored.
- Data residency
- The physical or geographic location where data is stored.
- Symmetric encryption
- Uses one shared secret key for both encryption and decryption (e.g., AES); fast.
- Asymmetric encryption
- Uses a public/private key pair (e.g., RSA, ECC); solves key exchange and enables signatures.
- Cloud infrastructure components
- Physical environment, network and communications, compute, virtualization, storage, and the management plane.
- Management plane
- The centralized console/API to provision and control cloud resources — the highest-value target.
- Why protect the management plane
- Compromising it can give an attacker control of the entire cloud environment at once.
- Hypervisor
- Software that creates and runs virtual machines, allocating host resources to guests.
- Type 1 hypervisor
- Bare-metal — runs directly on hardware, no host OS; smaller attack surface; used in production cloud.
- Type 2 hypervisor
- Hosted — runs atop a host OS; larger attack surface; used for desktop labs.
- More secure hypervisor type
- Type 1 (bare-metal), because there is no host OS to compromise.
- VM escape
- An attack where a guest VM breaks isolation to reach the hypervisor or host, threatening other tenants.
- VM sprawl
- Uncontrolled growth of virtual machines, increasing attack surface and management burden.
- Container security risk
- Containers share the host kernel, so a kernel compromise can affect all containers on the host.
- Compute security
- Securing the processing resources (CPU/memory) allocated to workloads.
- Storage security (infrastructure)
- Protecting the storage layer with encryption, access control, and isolation.
- Network security (cloud)
- Securing communications with segmentation, firewalls, and encryption in transit.
- Data center tiers
- Uptime Institute Tiers I–IV rate data-center redundancy and availability (IV = highest).
- HVAC in data center design
- Heating, ventilation, and air conditioning maintain environmental conditions for reliability.
- Logical vs physical design
- Logical design defines structure/relationships; physical design defines actual hardware and layout.
- Risk assessment (infrastructure)
- Identify, analyze, and mitigate cloud-specific threats, vulnerabilities, and attacks.
- Security controls (cloud platform)
- Physical/environmental, system/communication, virtualization protection, IAM, and audit mechanisms.
- Audit mechanisms (infrastructure)
- Log collection, log correlation, and packet capture for monitoring and investigation.
- BCDR
- Business Continuity and Disaster Recovery — plans to maintain and restore operations after a disruption.
- RTO
- Recovery Time Objective — the maximum acceptable time to restore a process after a disruption.
- RPO
- Recovery Point Objective — the maximum acceptable data loss measured backward in time; drives backup frequency.
- RSL
- Recovery Service Level — the percentage of full compute capacity a process needs during a disaster.
- RTO vs RPO
- RTO = time to recover; RPO = how much data you can afford to lose.
- BCDR strategy steps
- Define business requirements, create the strategy, implement it, and test it.
- High availability (HA)
- Designing systems to remain operational despite component failures.
- Clustering
- Linking servers so they act as one system for availability and load distribution.
- Redundancy
- Duplicating components so a failure does not cause an outage.
- Failover
- Automatically switching to a standby system when the primary fails.
- Cloud bursting
- Using public cloud capacity to handle demand spikes beyond a private cloud's capacity.
- Secure SDLC
- Building security into every phase of software development rather than testing for it at the end.
- Secure SDLC phases
- Requirements/training, design, develop, test, deploy, operate/maintain.
- Threat modeling
- Systematically identifying and prioritizing threats to a system during design.
- STRIDE
- Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- DREAD
- A risk-rating model: Damage, Reproducibility, Exploitability, Affected users, Discoverability.
- PASTA
- Process for Attack Simulation and Threat Analysis — a risk-centric threat-modeling methodology.
- SAST
- Static Application Security Testing — analyzing source or binary code without executing it.
- DAST
- Dynamic Application Security Testing — testing a running application from the outside.
- IAST
- Interactive AST — instrumenting a running app to combine static and dynamic analysis.
- SCA
- Software Composition Analysis — identifying open-source components and their known vulnerabilities.
- SAST vs DAST
- SAST inspects code early; DAST tests the running app for runtime/config flaws.
- OWASP Top 10
- A community list of the most critical web application security risks.
- SANS Top 25
- A list of the most dangerous software errors (CWE).
- Input validation
- Checking and sanitizing all input to prevent injection and other attacks — never trust user input.
- SQL injection
- Inserting malicious SQL via unvalidated input to read or alter a database.
- OWASP ASVS
- Application Security Verification Standard — a framework of security requirements for testing apps.
- Software supply-chain security
- Securing third-party, open-source, and vendor components and their provenance.
- Verified secure software
- Using approved, validated APIs and components from trusted sources.
- Sandboxing
- Isolating execution so untrusted code cannot affect the wider system.
- Application virtualization
- Running an application in an isolated environment abstracted from the OS.
- Orchestration
- Automating the deployment, scaling, and management of containers/workloads (e.g., Kubernetes).
- WAF
- Web Application Firewall — filters and monitors HTTP traffic to protect web applications.
- API gateway
- A managed entry point enforcing authentication, rate limiting, and routing for APIs.
- DAM
- Database Activity Monitoring — real-time monitoring of database transactions.
- XML firewall
- A device/service that inspects and filters XML traffic to protect web services.
- IAM
- Identity and Access Management — the framework for managing digital identities and access rights.
- Federated identity
- Linking a user's identity across multiple systems or organizations.
- Identity provider (IdP)
- A service that authenticates users and issues identity assertions to relying parties.
- SSO
- Single Sign-On — one authentication grants access to multiple systems.
- MFA
- Multi-Factor Authentication — verifying identity with two or more independent factors.
- SAML
- An XML-based standard for federated authentication and web single sign-on.
- OAuth 2.0
- An authorization framework granting an app delegated access to resources without sharing credentials.
- OpenID Connect (OIDC)
- An authentication layer built on OAuth 2.0 that adds identity (who the user is).
- SAML vs OAuth vs OIDC
- SAML and OIDC handle authentication; OAuth 2.0 alone handles authorization (delegated access).
- CASB
- Cloud Access Security Broker — a policy enforcement point giving visibility, compliance, data security, and threat protection.
- CASB four pillars
- Visibility, compliance, data security, and threat protection.
- Secrets management
- Securely storing and controlling access to credentials, keys, and tokens used by applications.
- Cryptographic agility
- Designing systems so cryptographic algorithms can be swapped without major rework.
- BIOS/UEFI hardening
- Securing firmware settings to reduce the attack surface of a host before the OS loads.
- TPM
- Trusted Platform Module — a hardware chip that stores keys and supports host attestation.
- Host attestation
- Verifying the integrity and trust state of a host before extending trust to it.
- OS hardening (baselines)
- Configuring an OS to a secure baseline by removing unneeded services and applying secure settings.
- Patch management
- Identifying, testing, and applying updates to fix vulnerabilities promptly.
- Infrastructure as code (IaC)
- Defining and provisioning infrastructure through machine-readable config files for consistency.
- Jumpbox (bastion host)
- A hardened intermediary host used to access systems in a protected network.
- Secure shell (SSH)
- An encrypted protocol for secure remote administration.
- RDP
- Remote Desktop Protocol — remote GUI access that must be secured (MFA, restricted exposure).
- Scalability (operations)
- The ability to grow or shrink capacity to meet demand while remaining available.
- ITIL
- A framework of IT service management best practices used to run cloud operations.
- ISO/IEC 20000-1
- The international standard for an IT service management system.
- Change management
- Evaluating, approving, and documenting changes, which prevents most cloud incidents.
- Configuration management
- Tracking the state and relationships of assets across the environment.
- Release & deployment management
- Controlling repeatable, low-risk rollouts of changes.
- Problem management
- Identifying and eliminating the root causes of recurring incidents.
- Incident management
- Detecting, responding to, and recovering from security/operational events.
- Service-level management
- Defining, meeting, and reporting on service-level agreements (SLAs).
- Availability management
- Ensuring services meet agreed availability targets.
- Capacity management
- Ensuring sufficient resources to meet current and future demand.
- SOC (Security Operations Center)
- The team and function that monitors and responds to security events.
- SIEM
- Security Information and Event Management — aggregates and correlates logs for detection and investigation.
- Log management
- Collecting, retaining, and protecting logs to support detection and forensics.
- Digital forensics (cloud)
- Collecting and analyzing evidence in the cloud, where you don't control the physical media.
- ISO/IEC 27037
- Guidelines for identification, collection, acquisition, and preservation of digital evidence.
- ISO/IEC 27050
- Standard for electronic discovery (eDiscovery).
- Evidence management
- Handling evidence to preserve integrity and an unbroken chain of custody.
- Vulnerability assessment
- Scanning systems to identify and prioritize known weaknesses.
- Communication with relevant parties
- Coordinating with vendors, customers, partners, regulators, and stakeholders during operations and incidents.
- Cloud forensics challenge
- Multi-tenancy, data location, and provider dependence make evidence collection complex.
- Baseline (security)
- A documented minimum secure configuration applied consistently across systems.
- Conflicting international legislation
- Different countries' laws can impose contradictory obligations on cloud data — a key legal risk.
- GDPR
- The EU General Data Protection Regulation governing the processing of personal data.
- Data controller
- Under GDPR, the entity that decides why and how personal data is processed.
- Data processor
- Under GDPR, a party that processes personal data on the controller's instructions (often the CSP).
- PII
- Personally Identifiable Information — data that can identify an individual.
- Regulated PII
- Personal data protected by law (e.g., HIPAA, GDPR) with statutory penalties for breach.
- Contractual PII
- Personal data protected because a contract requires it (e.g., PCI DSS), with contractual consequences.
- Regulated vs contractual PII
- Regulated PII is mandated by law; contractual PII is mandated by agreement.
- ISO/IEC 27018
- A code of practice for protecting PII in public clouds acting as PII processors.
- GAPP
- Generally Accepted Privacy Principles — a privacy management framework.
- Privacy Impact Assessment (PIA)
- A structured assessment of the privacy risks of a system or process.
- eDiscovery
- Identification, collection, and production of electronically stored information for legal matters.
- SOC 1
- An attestation report on controls relevant to financial reporting.
- SOC 2
- A report on controls for security, availability, processing integrity, confidentiality, and privacy.
- SOC 3
- A public, summary version of a SOC 2 report with no sensitive detail.
- SOC 2 Type I vs Type II
- Type I tests control design at a point in time; Type II tests operating effectiveness over a period.
- Which SOC report for a CSP?
- SOC 2 — customers request it to assess a provider's security and privacy controls.
- SSAE 18 / ISAE 3402
- Attestation standards under which SOC 1 reports are produced.
- Gap analysis
- Comparing current controls against a required standard to find shortfalls.
- Internal vs external audit
- Internal audit is performed by the organization; external audit by an independent third party.
- ISMS
- Information Security Management System — a governed framework of policies and controls (ISO/IEC 27001).
- ISO/IEC 27001
- The international standard for an Information Security Management System.
- Right to audit
- A contract clause letting the customer assess a provider's controls (often satisfied by SOC 2 / ISO certs).
- SLA
- Service Level Agreement — a contractual commitment on service performance and availability metrics.
- Vendor lock-in
- Difficulty migrating away from a provider due to proprietary dependencies.
- Cloud contract key clauses
- Right to audit, SLAs/metrics, data access/location, termination, litigation, insurance, and assurance.
- Risk treatment options
- Avoid, mitigate, transfer/share, or accept the risk.
- Risk appetite
- The amount of risk an organization is willing to accept in pursuit of its objectives.
- Risk profile
- An organization's overall exposure to risk across its assets and activities.
- ISO 31000
- An international standard providing principles and guidelines for risk management.
- NIST RMF
- The NIST Risk Management Framework for selecting, implementing, and monitoring controls.
- ENISA
- The European Union Agency for Cybersecurity, which publishes cloud risk guidance.
- Distributed IT model impact
- Spreading control across a provider changes accountability and complicates risk management.
- Supply-chain management (ISO/IEC 27036)
- Managing information security risk in supplier and outsourcing relationships.
- Cyber risk insurance
- Insurance that transfers some financial impact of a cyber incident to an insurer.
- Customer remains accountable
- Even when a provider holds the data, the customer stays accountable for protecting it.
- Provider risk-program assessment
- Evaluating a provider's controls, methodologies, policies, risk profile, and risk appetite.
- FedRAMP
- A U.S. government program standardizing the security assessment and authorization of cloud services.
- Forensic requirements (legal)
- Contractual and legal obligations for collecting and preserving cloud evidence.
- AES
- Advanced Encryption Standard — the dominant symmetric block cipher used for cloud data at rest.
- TLS
- Transport Layer Security — the protocol that protects data in transit (HTTPS).
- PKI
- Public Key Infrastructure — the framework of certificate authorities and certificates that manages public keys.
- Digital signature
- A hash encrypted with the signer's private key, providing integrity, authenticity, and nonrepudiation.
- Least privilege
- Granting only the minimum access needed to perform a task, and nothing more.
- Separation of duties
- Splitting a sensitive task so no single person can complete it alone.
- Defense in depth
- Layering multiple, overlapping controls so one failure doesn't expose the asset.
- Multi-tenancy
- Many customers sharing the same physical resources with logical isolation between them.
- Data flow mapping
- Documenting how data moves through systems to find where to apply controls.
- Honeypot
- A decoy system used to detect, deflect, or study attackers.
- Logging time synchronization
- Synchronizing clocks (e.g., NTP) so correlated logs have consistent, comparable timestamps.
- Tenant isolation failure
- A breakdown in separation that lets one tenant access another's data or workloads.
- Continuous monitoring
- Ongoing assessment of security controls and posture to detect drift and threats.
- Cloud audit scope restriction
- Providers often limit what a customer audit can cover, hence reliance on third-party reports.
- Termination clause (contract)
- Defines how a relationship ends and how data is returned or destroyed, reducing lock-in.
- Service model and responsibility
- More control (IaaS) means more security responsibility; more convenience (SaaS) means less.
- Tokenization use case
- Common for payment card (PAN) data because the token carries no exploitable value if stolen.
- Encryption key rotation
- Periodically replacing keys to limit exposure if a key is compromised.
- Geofencing data
- Restricting where data may be stored or accessed to meet residency/sovereignty rules.
- Abuse-case testing
- Testing how an application behaves under intentional misuse, not just normal use.