Authorization
A method of determining whether a user should receive access to sensitive data or resources.
Authentication
The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station or originator.
Business Continuity and Disaster Recovery
The capability of an organization to continue delivery of products and services within acceptable time frames at predefined capacity relating to a disruption, along with the ability of the information and communication technology (ICT) elements of an organization to support its critical business functions to an acceptable level within a predetermined period of time following a disruption.
Cloud app (cloud application)
A software application that is never installed on a local computer. Instead, it is accessed via the internet.
Cloud computing
A type of computing that relies on sharing computing resources in the delivery of computing services, rather than having local servers or personal devices to handle applications.
Cloud computing role
A set of activities that serves a common purpose. Common roles include cloud service customer, cloud service provider, and related sub-roles.
Cloud database
A database accessible to clients from the cloud and delivered to users on demand via the internet. They can use cloud computing to achieve optimized scaling, high availability, multitenancy and effective resource allocation.
Cloud management
Software and technologies designed for operating and monitoring the applications, data and services residing in the cloud. These tools help ensure a company’s cloud computing–based resources are working optimally and properly interacting with users and other services.
Cloud migration
The process of transitioning all or part of a company’s data, applications and services from on-site premises behind the firewall to the cloud, where the information can be provided over the internet on an on-demand basis.
Cloud operating system (OS)
A software application responsible for orchestrating cloud computing services across multiple geographically separated data centers.
Cloud service customer (CSC)
A party that is in a business relationship for the purpose of using cloud services.
Cloud service provider (CSP)
A service provider who offers customers storage or software solutions available via a public network, usually the internet.
Cloud storage
The storage of data online in the cloud, wherein a company’s data is stored in and accessible from multiple distributed and connected resources that make up a cloud.
Cloud workload
The resources demanded by an application, service or capability running within the cloud environment.
Confidential computing
A system that protects data in use by performing computation in a hardware-based Trusted Execution Environment.
Cryptographic key
The input that controls the operation of the cryptographic algorithm. It determines the behavior of the algorithm and permits the reliable encryption and decryption of the message.
Cryptography
The study or applications of methods to secure or protect the meaning and content of messages, files, or other information, usually by disguise, obscuration, or other transformations of that content and meaning. Used to secure information in the presence of adversaries.
Disaster Recovery as a Service (DRaaS)
A service provided to on-premises data centers to recover to/from the cloud.
Ephemeral computing
An approach with virtual systems or containerized applications where the system is designed not to require information or state to be maintained between operations. Also called nonpersistent computing.
Function as a Service (FaaS)
A type of serverless technology that allows customers to develop, run, and manage application functionalities without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app. Typically used when building microservices applications.
Geofencing / geoblocking
A technology that can relate a digital user to their actual physical location, or a close approximation thereof, and may be configured to take action based on a specific geographic boundary in the physical world.
Hybrid cloud
A combination of public and private cloud storage where some critical data resides in the enterprise’s private cloud while other data is stored and accessible from a public cloud storage provider.
Identity and Access Management
Using multiple technologies and business processes to help the right people or machines to access the right assets at the right time for the right reasons, while preventing unauthorized access and fraud.
Infrastructure as a Service (IaaS)
Typically, delivery of computer, storage, and networking services by ongoing contract or subscription. One example is a data center where software and servers are purchased as a fully outsourced service and billed according to usage.
Interoperability
The ability of different information systems, devices, or applications to connect, in a coordinated manner, within and across organizational boundaries to access, exchange, and cooperatively use data.
Key management
All processes used to create, store, distribute, and provide expiration and revocation of encryption and decryption keys, for all users of a particular encryption system.
Multitenancy
Describes multiple customers using the same public cloud.
Network gateway
A device or node that connects disparate networks by translating communications from one protocol to another.
Open Virtualization Format (OVF)
A syntactic standard of sending and receiving data between different vendor virtualization systems.
Payment Card Industry Data Security Standard (PCI DSS)
A requirement for vendors accepting credit card payments to establish proper control of cardholder data and reduce potential fraud.
Peer cloud service provider
A cloud service provider who provides one or more cloud services for use by one or more other cloud service providers as part of their cloud services.
Platform as a Service (PaaS)
A cloud service through which the customer can deploy, manage and run customer-created or customer-acquired applications using one or more programming languages and one or more executing environments supported by the cloud service provider.
Portability
When applied to cloud services, it defines the ease with which applications or components are moved and reused elsewhere regardless of the provider, platform, OS, infrastructure, location, storage, format of data, or APIs.
Private cloud
The phrase used to describe a cloud computing platform that is implemented within the corporate firewall, under the control of the IT department.
Privileged Account Management (PAM)
Refers to mechanisms that provide automated dynamic provisioning and deprovisioning of access on systems or services only when those permissions are required.
Privileged user management
The process and ongoing requirements to manage the life cycle of user accounts with the highest privileges in a system.
Product catalog
A listing of all the cloud service products that cloud service providers make available to cloud service customers.
Provisioning
When applied to cloud services, the processes associated with delivering and orchestrating cloud computing services. It also includes facilities for interfacing with the cloud’s applications and services as well as auditing and monitoring who accesses and utilizes the resources.
Routing tables
A set of rules, often viewed in table format, that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed. Used by all IP-enabled devices, including routers and switches.
Software as a Service (SaaS)
A software delivery method that provides access to software and its functions remotely as a web-based service. This allows organizations to access business functionality at a cost typically less than paying for licensed applications, since pricing is based on a monthly fee.
STAR Registry (Cloud Security Alliance’s Security, Trust Assurance and Risk registry)
A mechanism to assist consumers in comparing and evaluating cloud service providers.
Sub-role
A subset of the activities of a given role.
Virtual machine
A system that allows multiple virtual systems to share a common physical implementation.
Virtual private cloud
A logically isolated section of a cloud where resources can be launched in a virtual network that is customer defined. The customer has complete control over their virtual networking environment, including selection of private IP address range, creation of subnets, and configuration of route tables and network gateways.
Anonymization
Removing the linkage between an individual and any direct or indirect identifiers to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify an individual or sensitive information.
Asymmetric algorithm (asymmetric encryption)
An encryption system based on the concept of a key pair consisting of a public and private key. If you encrypt with one key in the key pair, you can only decrypt using the other key.
Authenticity
Assurance that a message does indeed come from the person who claims to have sent it.
Bit splitting
Splitting up and storing encrypted information across different cloud storage services. This results in distributed data requiring multiple keys held by different entities to decrypt the data.
Certificate authority (CA)
A trusted third party that attests that a specific certificate owner owns a particular public key.
Certificate Revocation List (CRL)
A list that is downloaded from a certificate authority (CA) and is used to check if a certificate is valid and can be trusted.
Compute
Cloud service that provides CPU and ephemeral storage with a specified operating system.
Data discovery tools
Tools that provide visibility into an organization’s information assets by scanning for unprotected information.
Data dispersion
A general term that refers to any technology, algorithm or architecture that stores data in multiple locations.
Data flow
Any case where data moves from one location to another (whether a physical or logical location).
Data masking or data obfuscation
The process of hiding, replacing or omitting sensitive information from a specific data set.
Data rights management (DRM)
A technology that is also commonly referred to as information rights management (IRM).
Data sink
The location where the data will be received.
Digital certificates
Issued by a certificate authority (CA) to certify that the certificate content accurately represents the certificate owner, including their public key.
Digital signature
An electronic, encrypted stamp of authentication on digital information that confirms message authenticity, integrity and non-repudiation of the sender.
Dual control (or separation of duties)
Requiring two or more individuals to perform a task to reduce the possibility of wrongdoing.
Encryption
The process of converting information or data into a code to prevent unauthorized access.
Governance
The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.
Hardware security module (HSM)
A physical computing device that provides cryptographic processing and manages cryptographic keys. This can be used in servers, data transmission, protecting log files, etc.
Hashing
One-way encryption that uses a mathematical function to create a fixed-length binary output from a variable-length binary input.
In-band distribution
A system in which the key is distributed across the same channel or communication media that the data it protects will be sent across.
Key escrow
The process of ensuring a third party maintains a copy of a private key or the symmetric key needed to decrypt information.
Key management
Control over the creation, issuance, revocation, recovery, distribution and destruction of cryptographic keys.
Key Management Interoperability Protocol
An open-source communication protocol from OASIS (Organization for the Advancement of Structured Information Standards) that defines message formats for the manipulation of cryptographic keys on a key management server and operations involving key management.
Key pair
Consists of a public key and a private key; one key can be used to encrypt a message that can only be decrypted using the other key.
Legal hold
Instructions not to delete electronically stored information or discard paper documents that may be pertinent to a new or existing case.
Message digest
The output of a hashing algorithm.
Non-repudiation
The assurance that a person sending a message or conducting an action cannot later claim that they did not do it.
Object storage
Objects (files) are stored with additional metadata (content type, redundancy required, creation date, etc.). These objects are accessible through APIs and potentially through a web user interface.
Online Certificate Status Protocol (OCSP)
A protocol used for checking revocation of a single certificate interactively rather than having to download and parse an entire list.
Out-of-band distribution
A system in which the key is distributed using a different form of transmission channel or media than the one that the data it protects will be sent across.
Private key
A secret key that is used with an algorithm to encrypt and decrypt data.
Public key
A cryptographic key that can be used by anyone to encrypt data.
Public-key infrastructure (PKI)
A set of systems, software and communication protocols required to use, manage and control public-key cryptography.
Redundant Array of Independent Disks (RAID)
A method that is used to provide data redundancy.
Role-based access control (RBAC)
An access control policy that restricts information system access to authorized users.
Session key
A shared symmetric key that is used to encrypt communications traffic only for a single communication session.
Split knowledge
Dividing information required to perform an operation into multiple pieces such that all pieces must be brought back together to perform a function.
Symmetric algorithm (symmetric encryption)
An encryption system that operates with a single cryptographic key that is used for both encryption and decryption of the data.
Tokenization
The process of replacing a sensitive data element with a nonsensitive equivalent. This may be constructed to look like the data it is replacing in format, or simply look like a random set of characters.
Trusted Platform Module (TPM)
A special case of an HSM that is designed to be integrated into other products and follows a particular standard from the Trusted Computing Group.
XML Key Management Specification
A specification that allows systems to be designed with a degree of cryptographic interoperability, essentially to understand the “language” of cryptographic exchanges.
Availability class
Protection specified in the ISO/IEC 22237 series that specifies redundant and resilient designs to prevent or mitigate outages in a data center.
Business continuity and disaster recovery (BCDR)
The capability of an organization to continue delivery of products and services within acceptable time frames at predefined capacity relating to a disruption, along with the ability of the information and communication technology (ICT) elements of an organization to support its critical business functions to an acceptable level within a predetermined time following a disruption.
Business continuity management system (BCMS)
The combination of activities, roles and processes involving leadership, recovery teams, legal and regulatory requirements, risk analysis and other elements that programmatically support BCDR.
Control plane
Network functionality and programmability are controlled directly at the device level in this layer. OpenFlow was the original framework/protocol specified to interface with devices through southbound interfaces.
Data plane
The network switches and routers located at this plane are associated with the infrastructure. The process of forwarding data is accomplished at this plane, so it can also be referred to as a forwarding plane.
Deep packet inspection
DPI, also known as information extraction (IX) or complete packet inspection, is a type of network packet filtering that evaluates both the data part and the header of a packet as it passes through an inspection point. It weeds out protocol non-compliance, spam, viruses, intrusions, and any other defined criteria, blocking the packet from passing through the inspection point.
Disaster recovery as a service (DRaaS)
A service provided to on-premises data centers to recover to/from the cloud.
East-west traffic
Network traffic that traverses systems within a data center.
Hyperconverged infrastructure
The cross-sectional control of major services consumed in a data center that includes compute, storage and network systems.
Hypervisor (Type 1)
Commonly known as a bare metal, embedded, or native hypervisor. It works directly on the hardware of the host and can monitor operating systems that run above the hypervisor. The hypervisor is small, as its main task is sharing and managing hardware resources between different guest operating systems.
Hypervisor (Type 2)
Installed after a traditional operating system and supports other guest operating systems running above it as VMs. Completely dependent on the host operating system for its operations. Unlikely to be seen in a cloud context.
IP Flow Information Export (IPFIX) protocol
A standard protocol (RFC 7011) used to determine the nature of network traffic. Traffic on a data network can be seen as consisting of flows passing through network elements. For administrative or other purposes, it is often interesting, useful or even necessary to have access to information about the flows that pass through these network elements.
Limit
A maximum resource allocation per VM. This ceiling may be fixed or expandable, allowing for the acquisition of more compute resources through a borrowing scheme from the CSP.
Management plane
Controls the entire infrastructure; parts of it will be exposed to customers independent of network location. It is a prime resource to protect.