CCSP Vocabulary Flashcards
ALE : Annualized Loss Expectancy
ALE = SLE * ARO
Formula for estimation of the cost of an accepted risk in a given year – i.e. if the accepted vulnerability is exploited by an attacker, ALE is the dollar cost estimate for the loss.
The ALE equals the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO).
The SLE = asset value * exposure factor
Exposure factor describes the loss that will happen to the asset as a result of the attack (expressed as the percentage of value lost) – e.g. if an asset will be wholly lost in an attack, the exposure factor is 100%; if 30% will be lost, the exposure factor is 30%, etc.
API : Application Programming Interface
A set of functions, routines, tools, or protocols for building applications.
APIs are leveraged by developers to save time and increase availability, as the API offers a set of working programmatic methods to build connectivity without bespoke coding.
At issue for the Cloud Security Professional is that APIs are functional only and cannot be assumed to represent good security practices.
ARO : Annualized Rate of Occurrence
An estimated number of times a threat will be successfully exploited within a year – e.g. if two laptops are stolen each month then the ARO is 2 * 12 = 24 times per year.
ARO is an element of the ALE calculation:
ALE = SLE * ARO
auditability
The ability to properly capture, analyze, and report on any and all events that happen within a system or application, such as data access and modification, user actions and processes, controls and compliance, and regulatory and contractual compliance.
authentication
The process of comparing credentials presented by a user, application, or service to a set of known stored values that have been previously issued or verified by the authentication system.
e.g. A user is given an email address and password when provisioned to the system; later the user provides that verified and valid email address and password to the system for matching – if these credentials match and are still valid, the user is granted access to the system.
authorization
The process of granting or denying privileges to a system, network, or application after successful authentication has been performed; these privileges (such as read, write, execute) are based on an approved set of constrained features enforced by a policy / rule set.
backdoor
Backdoors can be created by developers or hackers: A backdoor is a method of accessing a system that bypasses the normal (“official”) authentication and authorization processes.
Backdoors can be unauthorized methods that are discovered by malicious actors to get into a system, or they can be methods that are purposefully employed by developers or support staff to access systems for maintenance or other support activities.
baseline
A baseline is a constrained configuration standard or a point-in-time “snapshot” of a known good system state.
Baselines are often employed in change management to establish a “gold image” as in the baseline configuration of a workstation, or as a fallback option as in “we will patch the system and fail back to the baseline if patching causes availability issues.”
big data
Refers to the collection, processing, and analysis of data sets that are so large that traditional data processing and analysis tools are inadequate to properly handle them.
The concept of ‘big data’ is often applied outside of this formal definition to reference predictive analysis and user analytics of data sets.
BYOD : Bring Your Own Device
The practice of allowing employees of an organization to use their personally owned computers, phones, tablets, or other electronic resources to access the computing resources of the firm, rather than using IT provided and supported devices.
business continuity
The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or disruption of service.
Business continuity encompasses the full range of possible service disruptions and how a company can minimize, mitigate, and respond to them and keep business operations running, available, and secure.
i.e. BC is a daily, operational discipline.
BIA : Business Impact Analysis
A structured methodology to identify and evaluate the possible risks and threats that operations or services could be impacted by, as well as the possible or likely extent of impact and disruption.
chain of custody
The formal documentation showing the chronological control and disposition of physical or electronic evidence.
This documentation includes creation, all changes of possession, and final disposition.
Note that any evidence with probative value may be offered to the court – i.e. chain of custody is not required for evidence to be admissible.
CAB : Change Advisory Board
A group that assists the change team and change management process by evaluating, prioritizing, and approving change requests.
change manager
An individual who ensures that the change management process is properly executed; this person also directly handles low-level tasks related to the change process.
cloud application
An application that is never installed on a local server or desktop but is instead accessed via a network or the Internet. A cloud application merges the functionality of a local application with the accessibility of a web-based application.
CAMP : Cloud Application Management for Platforms
Within PaaS implementation, CAMP serves as the framework and specification for managing platform services, encompassing a RESTful protocol for managing services, the model for describing and documenting the components that comprise that platform, and the language describing the overall platform, and its components and services, as well as metadata about it.
cloud auditor
An auditor that is specifically responsible for conducting audits of cloud systems and cloud applications.
The cloud auditor is responsible for assessing the effectiveness of the cloud service and identifying control deficiencies between the cloud customer and the cloud provider, as well as the cloud broker if one is used.
cloud backup
The process of using a cloud-based backup system, with files and data being sent over the network to a public or private cloud provider for backup, rather than running traditional backup systems within a data center.
cloud backup service provider
A public or private cloud service organization that offers backup services to either public or organizational clients, either free of charge or under various pricing models based on the amount of data or the number of systems.
cloud backup solutions
Services that run within a public or private cloud offering backup solutions – either through client-based software that does automatic or scheduled backups or through manual backups initiated by a user or system.
cloud computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Five (5) essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service
Three (3) service models: IaaS, PaaS, and SaaS
Four (4) deployment models: community cloud, hybrid cloud, private cloud, and public cloud
cloud computing reseller
An organization that sells and offers cloud services, and possibly cloud support services, to various organizations and works as a middleman between the cloud customer and cloud provider.
CCM : Cloud Control Matrix
A formally published guide by the Cloud Security Alliance (CSA) that enables cloud customers to evaluate a prospective cloud provider in regard to its security posture. The CCM can also be used by cloud providers to structure their security programs and services.
cloud customer
An organization or individual that utilizes and consumes resources and services from a cloud provider. This can be in the form of free public services and systems or private and fee-based applications or solutions.
cloud data portability
The ability to move data between cloud providers.
cloud database
A database that is installed in a cloud environment and accessed via the network or the Internet by a user or application.
Because the database is being installed in a cloud environment instead of a typical server environment, elasticity, scalability, and high availability can be achieved and maximized.
cloud deployment model
The cloud deployment models are public, private, hybrid, and community; these describe how the cloud service is delivered through a set of particular configurations and virtual resources.
cloud enablement
The creation of a public cloud environment through the offering of services or infrastructure.
cloud management
The oversight and operations management of a cloud environment by the cloud service provider, whether it is a public or private cloud environment.
cloud migration
The process of moving services, systems, applications, or data from a traditional data-center hosting model into a cloud environment.
cloud OS
Typically used to denote an operating system (OS) in a Platform as a Service (PaaS) implementation and to signify that the implementation is within a cloud environment.
cloud provider
A service provider that makes storage or software applications available via the Internet or private networks to customers. Since they are offered as a service, the platform and underlying software, as well as operations and security systems, are maintained by the provider and abstracted from the customer.
cloud provisioning
The process of allocating cloud resources from the cloud provider to the cloud customers based on the specific requests and requirements of the customers, such as the number of virtual machines and their specific computing resources.
CSA : Cloud Security Alliance
The most prominent and well-known organization to raise awareness of best practices for security within a cloud environment.
cloud server hosting
The hosting and location of servers within a virtualized cloud environment, rather than the virtual or physical hosting that’s done in a traditional data center.
cloud service
Capabilities offered via a cloud provider and accessible via a client.
cloud service broker
A partner that serves as an intermediary between a cloud service customer and a cloud service provider.
cloud service category
A group of cloud services that have a common set of features or qualities.
cloud service partner
One that holds a relationship with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery.
cloud service user
One that interacts with and consumes services offered by a cloud service provider.
cloud testing
The testing of systems, services, or applications by leveraging cloud platforms and resources to simulate the size and scale of real-world traffic and users.
Common Criteria
A set of international guidelines and specifications for the evaluation of IT security resources to ensure those resources meet an agreed-upon set of security standards. The Common Criteria for Information Technology Security Evaluation is formalized as an international standard in ISO/IEC 15408.
community cloud
A cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (for example, mission, security requirements, policy, or compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of these, and it may exist on or off premises.
configuration management
Establishing a controlled means of consistency throughout a system’s lifecycle, based on its requirements and technical specifications to properly ensure configuration controls, performance standards, and design requirements.
container
A software package that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside a single unit.
XSS : cross-site scripting
A web application vulnerability that allows an attacker to inject client-side scripts into web pages that are then viewed and executed by other users. The goal of XSS from an attacker’s perspective is to bypass the security controls of an application, such as the browser’s same-origin policy.
DAR : Data at Rest
Data that resides on a system in persistent storage, such as disks, tapes, databases, or any other type of storage device.
data dispersion
The feature of cloud storage where data is spread across data centers or wide geographic areas for redundancy and speed.
The degree of dispersion is typically based on the needs of the application and the level of service procured by the cloud customer.
DIT : Data in Transit
Data that flows over a networked connection – either through public unsecured networks or internal protected corporate networks.
DIU : Data in Use
Data within a system or application that is currently being processed or is in use – either through the computing resources or residing in memory.
DLP : Data Loss Prevention
An overall strategy and process for ensuring that users cannot send sensitive or protected information outside of networks or systems that are secured and protected.
This can be related to the intentional attempt by users to transfer such information, but it also applies to preventing the accidental sending or leaking of data.
data portability
The ability to easily move data from one system to another without having to re-enter it.
DoS : Denial-of-Service attack
An attempt to make computing resources or a network unavailable to its intended users by denying legitimate traffic access totally or by degrading performance to unacceptable levels.
direct identifiers
Information that specifically applies to a unique individual, such as name, address, phone number, e-mail address, or unique identifying numbers or codes.
DRS : Distributed Resource Scheduler
A utility from VMware that balances computing demands and available resources within the virtualized environment.
DAST : Dynamic Application Security Testing
The testing of an application while it is in an operational state with currently running systems, applications, and networks.
DO : Dynamic Optimization
The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization.
eDiscovery
The process of discovering and securing electronic data for use in criminal or civil legal cases.
encryption
The process of encoding and securing data so that only authorized parties in possession of the correct information, credentials, or keys can access it.
enterprise application
An application that runs on a large and distributed scale and is deemed mission critical to a company or an organization.