CCSP

From Leo's Notes
Last edited on 18 May 2023, at 23:26.

Cloud Governance: Legal, risk, and compliance

Term Notes
Agent of the government A private citizen becomes an agent of the government when they perform an act that the government would need a warrant for, such as a search and seizure. Under those circumstances, the citizen must follow the same rules as the government.
Baseline Minimum requirements, especially regarding security as a minimum level.

To capture a baseline for a system, you should install a clean OS, disable and remove all non-essential services and software, apply all patches, configure the system as needed.

Cloud Controls Matrix (CCM) Lists and categorizes the domains and controls, along with which elements and components are relevant per the controls. This framework enables cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.

https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/

Architectural relevance group components are: Physical, Network, Compute, Storage, Application, Data

Organizational relevance components are: Cybersecurity, Internal Audit, Architecture Team, Software Development, Operations, Legal, GRC team, Supply Chain Management, and HR

Conflict of law The field of law that resolves the jurisdiction of states or nations with laws that are not in agreement with other states or nations, either domestically or internationally.
Criminal law The body of law that relates to crime. It proscribes conduct perceived as threatening, harmful or otherwise endangering to the property, health, safety and moral welfare of people. Most criminal law is established by statute, which is to say that the laws are enacted by a legislature.
Cross-border data transfers Multiple laws and regulations restrict or do not allow for information to be transferred across borders or to locations where the level of privacy or data protection is deemed to be weaker than their current requirements.
CSA Security, Trust Assurance and Risk (STAR) Registry The provider will have assessments and certifications that provide differing levels of assurance about the cloud controls they maintain. For instance, some providers have only completed a self-assessment, while others have completed a third-party certification based upon Information Security Management System ISO 27001. Still other organizations have completed a third-party attestation of their cloud controls based upon Service Organization’s System in a SOC 2 Report.

https://cloudsecurityalliance.org/star/registry/acquia/services/digital-experience-platform/

Data sovereignty Implied or explicit right to decide what treatment, care or disposition (embargo or movement) a nation or state can determine on data by means of its laws.
Doctrine of plain view In some U.S. states, a law enforcement officer may seize evidence without a search warrant if they can see it without making entry to where the evidence resides. This applies in digital forensic searches because it is necessary to perform various kinds of searches on digital evidence that may reveal evidence of a crime not noted in the warrant.
Due care “Due care” is a standard of behavior grounded in the concept of “reasonableness.” Did the actor exhibit a standard of behavior that is deemed by the law to be “reasonable,” i.e., would other individuals in the actor’s position act in a similar manner exhibiting an expected standard of due care?
Due diligence “Due diligence” is not a standard, but a code of conduct. Did the actor do what is appropriate, reasonable and expected in engaging in a certain activity?
E-discovery Electronic discovery (also called e-discovery) refers to any process in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case.
European Economic Area (EEA) The EEA includes EU countries and Iceland, Liechtenstein and Norway. It allows them to be part of the EU’s single market. Switzerland is neither an EU nor EEA member but is part of the single market – this means Swiss nationals have the same rights to live and work in the UK as other EEA nationals.
European Union (EU) An economic and political union of 28 countries. It operates an internal (or single) market that allows free movement of goods, capital, services and people between member states.
EU Data Protection Directive 95/46 EC Directive 95/46 EC focuses on the protection of individuals regarding the processing of personal data and on the free movement of such data.
EU General Data Protection Regulation 2016 Introduces many significant changes for data processors and controllers. The following may be considered some of the more significant changes: the concept of consent, transfers abroad, the right to be forgotten, establishment of the role of the “data protection officer,” access requests, home state regulation and increased sanctions.

As of March 2019, these countries included Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK, although the UK is in the process of leaving the EU.

Extradition Many countries support a formal process whereby one country transfers a suspected or convicted criminal to another country.
FedRAMP Federal Risk and Authorization Management Program. A US federal program that mandates a standardized approach to security assessment, authorization, and continuous monitoring of cloud services.
Generally Accepted Privacy Principles (GAPP) The AICPA describes 74 privacy principles in detail. These serve as a framework for organizations to use to manage privacy risk.
Gramm–Leach–Bliley Act (GLBA) Also known as the Financial Modernization Act of 1999, GLBA is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
Guidelines Statements that are not designed for enforcement, but principles that can assist in accomplishing objectives.
Harmonization of law Specifically, in relation to the European Union, harmonization of law (or simply “harmonization”) is the process of creating common standards across the internal market.
Health Insurance Portability and Account-ability Act of 1996 (HIPAA) Adopts national standards in the United States for electronic health care transactions and national identifiers for providers, health plans and employers. Protected health information can be stored via cloud computing under HIPAA.
International law The term given to the rules that govern relations between countries.
ISO/IEC 27017:2015 This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002:2013 and other ISO27k standards. The “code of practice” provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002:2013, in the cloud computing context.
ISO/IEC 27018:2019 The first international “code of practice” that focuses on protection of personal data in the cloud. It is based on ISO/IEC information security standard 27002:2013 and provides implementation guidance on ISO/IEC 27002:2013 controls applicable to public cloud personally identifiable information (PII).
ISO/IEC 27050 ISO/IEC 27050 consists of six major components across the discovery phase of a lawsuit, with an emphasis on the discovery of electronically stored information (ESI).
ISO/IEC 31000:2018 A guidance standard not intended for certification purposes, as implementing it does not address specific or legal requirements related to risk assessments, risk reviews and overall risk management.
Jurisdiction The practical authority granted to a legal body to administer justice within a defined area of responsibility.
Legal hold Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a legal hold to ensure the preservation of relevant documents.
MITRE Privacy Maturity Model A privacy evaluation tool created by the nonprofit MITRE Corp.
NIST SP 800-37r2 This publication details the NIST Risk Management Framework, a process for managing security and privacy risk. Integrates the Risk Management Framework (RMF) into the system development lifecycle (SDLC). Provides processes (tasks) for each of the six steps in the RMF at the system level.
NIST SP 800-53r4 A standard to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
Policies Guide the overall governance of an organization and require both penalties as well as senior management sponsorship to be effective. A policy is a general high-level statement that prescribes actions and consequences for organizational members.
Privacy Act of 1988 The Australian National Privacy Act of 1988 regulates the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information and access to and correction of that information.
Privacy impact assessment (PIA) An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing and disposing of information in identifiable form in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns.
Privacy Level Agreement (PLA) Similar in concept to a Service Level Agreement (SLA) in that it defines roles and responsibilities as well as clearly defining service commitments for the protection of privacy information between a service provider and consumer.
Privacy maturity model A recognized means by which organizations can measure their progress against established benchmarks.
Procedure The methods and instructions on how to maintain or accomplish the directives of the policy.
Sarbanes-Oxley Act (SOX) U.S. legislation enacted to protect shareholders and the public from accounting errors and fraudulent practices in the enterprise.
Service Level Agreement (SLA) A legal agreement that fully defines roles and responsibilities between a service provider and consumer, including details of the service offered, the cost of the service, how it will be measured, how to determine whether the service is properly delivered and any consequences attached to nonperformance.
System and Organization Controls 1 (SOC 1) Reports on controls at a service organization relevant to user entities’ internal control over financial reporting. Used to provide information to the auditor to enable risk assessment.

Type 1 - financial control design

Type 2 - financial control effectiveness

System and Organization Controls 2 (SOC 2) Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality and privacy.

Used to provide management and specified entities with information. Typically under NDA.

Type 1 - technical control design

Type 2 - technical control effectiveness

System and Organization Controls 3 (SOC 3) Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality and privacy.

Used to provide information for general use by any interested party. Typically public and can be accessed by anyone.

Standards Specific mandates explicitly stating expectations of performance or conformance. Standards can be defined by one entity and adopted by others or can be internal mandates exclusive to an organization.
Subpoena The subpoena is deemed issued by an officer of the court and must be obeyed in much the same manner as a warrant.
Tort law A body of rights, obligations and remedies that sets out reliefs for persons suffering harm because of the wrongful acts of others.
Trust Services Principles Also known as Trust Services Criteria. An auditing system whereby various criterion areas are evaluated along with controls within an organization.
Warrant Authorization issued by a magistrate or other official allowing a constable or other officer to search or seize property, arrest a person or perform some other specified act.

Cloud Data Security

Term Notes
Anonymization Removing the linkage between an individual and any direct or indirect identifiers to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify an individual or sensitive information.
Asymmetric algorithm (asymmetric encryption) An encryption system based on the concept of a key pair consisting of a public and private key. If you encrypt with one key in the key pair, you can only decrypt using the other key.
Authentication The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station or originator
Authenticity Assurance that a message does indeed come from the person who claims to have sent it.
Authorization The granting of right of access to a user, program or process.
Bit splitting Splitting up and storing encrypted information across different cloud storage services. Typically involves encrypting data at the full data set level, breaking larger data into smaller pieces, distributing them to different storage locations and applying another layer of encryption to each piece individually. This results in distributed data requiring multiple keys held by different entities to decrypt the data.
Certificate authority (CA) A trusted third party that attests that a specific certificate owner owns a particular public key.
Compute Cloud service that provides CPU and ephemeral storage with a specified operating system.
Content delivery network (CDN) A content delivery network or content distribution network (CDN) is a large distributed system of servers deployed in multiple data centers across the internet.
Containerization A platform bundles all the resources and dependencies needed for an application to run into a container
Cryptography Cryptography uses techniques to secure information in the presence of adversaries.
Data dispersion A general term that refers to any technology, algorithm or architecture that stores data in multiple locations
Data flow Any case where data moves from one location to another (whether a physical or logical location).
Data lifecycle Keep in mind the data life cycle (C StU ShAD):
  1. Create
  2. Store
  3. Use
  4. Share
  5. Archive
  6. Destroy
Data masking or data obfuscation The process of hiding, replacing or omitting sensitive information from a specific data set.
Data rights management (DRM) A technology is also commonly referred to as information rights management (IRM)
Data sink The location where the data will be received
Data states Data typically is in one of three states:
  1. Data at rest (DAR)
  2. Data in use (DIU)
  3. Data in motion (DIM / DIT)
Digital certificates Digital certificates are issued by certificate authority to certify that the certificate content accurately represents the certificate owner, including their public key.
Digital signature Provides message authenticity, integrity and non-repudiation of the sender
Distinguished name (DN) The unique identifier for a record in a directory
Dual control (or separation of duties) Requiring two or more individuals to perform a task to reduce the possibility of wrongdoing. The term dual control is more likely to be used with regards to key management, where each individual exerts control over one part of a multi-part key. Where multiple individuals have sole possession of individual portions of a multipart key and must work together to perform a task, we have implemented both split knowledge and dual control.
Encryption The process of converting information or data into a code to prevent unauthorized access.
Ephemeral computing An approach with virtual systems or containerized applications where the system is designed not to require information or state to be maintained between operations.
Geofencing (or geoblocking) Refers to any technology that can relate digital users to their actual physical location.
Governance The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles and procedures the organization uses to make those decisions.
Hardware security module (HSM) A physical computing device that provides cryptographic processing and manages cryptographic keys. This can be used in servers, data transmission, protecting log files, etc.
Hashing One-way encryption that uses a mathematical function to create a fixed length binary output from a variable length binary input.
Identity and access management (IAM) Provisioning, management and deprovisioning of credentials in order to enable authorized individuals to access desired resources.
In-band distribution A system in which the key is distributed across the same channel or communication media that the data it protects will be sent across. For most solutions that use in-band distribution, the key itself is encrypted with another key or a key distribution algorithm.
Key escrow The process of ensuring a third party maintains a copy of a private key or the symmetric key needed to decrypt information.
Key management Control over the creation, issuance, revocation, recovery, distribution and destruction of cryptographic keys. The set of all processes used to create, store, distribute, provide expiration or revocation, and destruction of cryptographic keys for all users of a particular cryptographic system.

Considerations:

  • What are you trying to protect against?
  • Performance implications?
  • Laws, regulations in different jurisdictions?
  • Key lifecycle (who has access to the key, how is it deleted)
Key Management Interoperability Protocol KMIP is an open-source communication protocol from OASIS (Organization for the Advancement of Structured Information Standards) that defines message formats for the manipulation of cryptographic keys on a key management server and operations involving key management.
Key pair Consists of a public key and a private key, one key can be used to encrypt a message that can only be decrypted using the other key.
Lightweight directory access protocol (LDAP) The primary protocol relates to interfacing with many centralized directory services.
Message digest The output of a hashing algorithm.
Non-repudiation The assurance that a person sending a message or conducting an action cannot later claim that they did not do it.
Object storage Objects (files) are stored with additional metadata (content type, redundancy required, creation date, etc.). These objects are accessible through APIs and potentially through a web user interface.
Out-of-band distribution A system in which the key is distributed using a different form of transmission channel or media than the one that the data it protects will be sent across.
Private key A secret key that is used with an algorithm to encrypt and decrypt data.
Privileged account management Refers to mechanisms that provide automated dynamic provisioning and deprovisioning of access on systems or services only when those permissions are required.
Privileged user management Refers to the process and ongoing requirements to manage the life cycle of user accounts with the highest privileges in a system.
Public-key infrastructure (PKI) A set of system, software and communication protocols required to use, manage and control public-key cryptography.
Public key A cryptographic key that can be used by anyone to encrypt data.
Redundant Array of Independent Disks (RAID) A method that is used to provide data redundancy.
Role-based access control (RBAC) An access control policy that restricts information system access to authorized users.
Session key A shared symmetric key that is used to encrypt communications traffic only for a single communication session.
Split knowledge Splitting information required to perform and operation into multiple pieces such that all pieces must be brought back together to perform a function. Where multiple individuals have sole possession of individual portions of a multi-part key and must work together to perform a task, we have implemented both split knowledge and dual control.
Symmetric algorithm (symmetric encryption) An encryption system that operates with a single cryptographic key that is used for both encryption and decryption of the data.
Tokenization The process of replacing a sensitive data element with a nonsensitive equivalent, referred to as a token. The token may be constructed to look like the data it is replacing in format, or simply appear at a random appearing set of characters. Each token is unique to the data it is replacing, so the original data can be re-inserted into the data set, or the original value represented by a token retrieved upon request.
Trusted Platform Module (TPM) TPM is a special case of an HSM that is designed to be integrated into other products and follows the Trusted Platform Module standard from the Trusted Computing Group.
XML Key Management Specification A specification that allows systems to be designed with a degree of cryptographic interoperability, essentially to understand the “language” of cryptographic exchanges

Cloud Platform and Infrastructure Security

TERM DEFINITION
Availability class Protection specified in the ISO/IEC 22237 series that specifies redundant and resilient designs to prevent or mitigate outages in a data center.
Business continuity and disaster recovery (BCDR) The capability of an organization to continue delivery of products and services within acceptable time frames at predefined capacity relating to a disruption along with ability of the information and communication technology (ICT) elements of an organization to support its critical business functions to an acceptable level within a predetermined time following a disruption.
Business continuity management system (BCMS) The combination of activities, roles and processes involving leadership, recovery teams, legal and regulatory requirements, risk analysis and other elements that programmatically support BCDR.
Cloud computing interoperability The goal of interoperability is to provide seamless service consumption and management between standalone services and cloud service providers.
Cloud computing portability The goal of portability is to enable cloud service customers to move their data or applications between standalone services and cloud service providers.
Cloud orchestration The end-to-end automation workflow, or process, that coordinates multiple lower-level automations to deliver a resource or set of resources as a service.
Control plane The control of network functionality and programmability is directly made to devices at this layer. OpenFlow was the original framework/protocol specified to interface with devices through southbound interfaces.
Data plane The network switches and routers located at this plane are associated with the infrastructure. The process of forwarding data is accomplished at this plane, so it can also be referred to as a forwarding plane.
Deep packet inspection DPI, also known as information extraction, IX or complete packet inspection, is a type of network packet filtering that evaluates the data part and the header of a packet that is transmitted through an inspection point, weeding out any non-compliance to protocol, spam, viruses, intrusions and any other defined criteria to block the packet from passing through the inspection point.
Disaster recovery as a service (DRaaS) A service provided to on-premises data centers to recover to/from the cloud.
East-west traffic Network traffic that traverses systems within a data center.
Hardware security module (HSM) A physical computing device that provides cryptoprocessing as well as safeguarding and managing digital keys for strong authentication. They may be provided to the client by the CSP. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server and are designed to be tamperproof.
Hyperconverged infrastructure The cross-sectional control of major services consumed in a data center that includes compute, storage and network systems.
Hypervisor (Type 1) Commonly known as a bare metal, embedded or native hypervisor. It works directly on the hardware of the host and can monitor operating systems that run above the hypervisor. The hypervisor is small, as its main task is sharing and managing hardware resources between different guest operating systems.
Hypervisor (Type 2) Installed after a traditional operating system and supports other guest operating systems running above it as VMs. Completely dependent on the host operating system for its operations. Unlikely to be seen in a cloud context.
Internet gateway A network entity that allows a network to interface with another network with different protocols.
IP Flow Information Export Protocol (IPFIX) Standard protocol RFC 7011 that is used to determine the nature of network traffic. Traffic on a data network can be seen as consisting of flows passing through network elements. For administrative or other purposes, it is often interesting, useful or even necessary to have access to information about these flows that pass through the network elements.
Limit A maximum resource allocation per VM. This ceiling may be fixed or expandable, allowing for the acquisition of more compute resources through a borrowing scheme from the CSP.
Management plane Controls the entire infrastructure; parts of it will be exposed to customers independent of network location. It is a prime resource to protect.
Maximum tolerable period of disruption (MTPD) The estimated period in which a continued disruption could lead to the permanent failure of a business.
Microsegmentation Identification of network traffic flows (see east-west/north-south) that lead to creating granular policy schemes to isolate access for and based upon specific workloads.
Network-attached storage (NAS) A file-level computer data storage server connected to a computer network that provides data access to a heterogeneous group of clients.
Network function virtualization (NFV) Alternately referred to as virtual network function. The objective of NFV is to decouple functions, such as firewall management, intrusion detection, network address translation and name service resolution, away from specific hardware implementation and move them into software solutions. NFV’s focus is to optimize distinct network services.
North-south traffic Network traffic that travels to and from the internet and a data center.
Object storage Objects (files) are stored with additional metadata (content type, redundancy required, creation date and others). These objects are accessible through APIs and potentially through a web user interface.
Open Authorization (OAuth) 2.0 Authorization Framework A framework to enable a third-party application for obtaining limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
OpenID Connect OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 standard. It sends and receives messages with the intent of simplification. The focus is to confirm the identity of the person consuming service from a browser or native application, thus allowing developers to authenticate users across different websites and applications.
Open Virtualization Format (OVF) Syntactic standard of sending and receiving data between different vendor virtualization systems.
Protect surface The specific area (systems/resources) afforded protection through isolation and microsegmentation.
Protection classes Standards defined as necessary for spaces within a data center. In the most central location, or the core, in the data center, will be found the systems that garner the greatest levels of protection as they are the most critical and highly valued. Protection classes are included in the ISO/IEC 22237 series that specifies redundant and resilient designs to prevent or mitigate outages in a data center.
Recovery point objective (RPO) Relates to the amount of data that is lost and unrecoverable due to the disruption. This is represented on the timeline as the amount of time between the last good backup and when the disruption event occurs.
Recovery time objective (RTO) Per product, service or activity, the acceptable amount of time from the point at which a disruption occurs until the product, service or activity is recovered.
Region A geographic span containing multiple zones hosted by a cloud provider.
Reservation A guaranteed minimum resource allocation, which must be met by the host with physical computer resources to allow for a guest to power on and operate.
Risk Assessment Careful analysis of cloud threats and vulnerabilities to determine the extent of adverse impact and the likelihood of occurrence.
Routing table A set of rules, often viewed in table format, that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed. All IP-enabled devices, including routers and switches, use routing tables.
Security Assertion Markup Language 2.0 (SAML 2.0) SAML defines an XML-based framework for describing and exchanging security information between online business relationships.
Security group VPC- and VM-associated access control list for allowance or denial of ingress and egress traffic flows.
Share If resource contention takes place, share values are used to prioritize compute resource access for all guests assigned a certain ratio of shares.
Snapshot The state of an instance, at a point in time.
Software-defined networking (SDN) A broad and developing concept addressing the management of the various network components.The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components and separate forwarding of data.
Stateful inspection firewall Also known as dynamic packet filtering, this type of firewall will watch the interaction between the two hosts and allow or deny connections according to other factors beyond the rule set.
Static packet filtering Also known as a stateless firewall, this type of filter examines each packet without regard to the packet’s context in a session. Packets are examined against static criteria, which cannot be temporarily changed by the firewall to accommodate legitimate traffic. If a protocol requires a port to be temporarily opened, administrators must choose between permanently opening the port and disallowing the protocol.
Storage area network (SAN) A network that provides access to consolidated, block-level data storage. SANs are primarily used to enhance storage devices, such as disk arrays, tape libraries and optical jukeboxes, accessible to servers so that the devices appear to the operating system as locally attached devices.
Trusted Platform Module (TPM) An isolated and separate compute and storage unit that enables trust in computing platforms by employing security and privacy techniques using cryptography.
Virtual Private Cloud (VPC) A logically isolated section of a cloud (not a private cloud per se) where resources can be launched in a virtual network that is customer defined. The customer has complete control over their virtual networking environment, including selection of private IP address range, creation of subnets and configuration of route tables and network gateways.
Volume storage A virtual hard drive that can be attached to a VM instance and be used to host data within a file system. Storage is written to committed blocks of data. Volumes attached to IaaS instances behave just as a physical drive or an array does.
Zero Trust Model Removing the design belief that the network has any trusted space. Security is managed at a protect surface, representing the most granular asset. Microsegmentation of workloads is a tool of the model.
Zone One or more data centers hosted by a cloud provider.

Cloud Application Security

TERM DEFINITION
Application programming interfaces (APIs) A set of routines, standards, protocols and tools for building software applications to access a web-based software application or web tool.
Application virtualization Software technology that encapsulates application software from the underlying operating system on which it is executed.
Dynamic application security testing (DAST) A process of testing an application or software product in an operating state.
Identity and access management (IAM) Provisioning, management and deprovisioning of credentials to enable authorized individuals to access desired resources.
Minimum Viable Product (MVP) A preliminary version of a product designed to ensure that product vision and strategy are aligned with market needs.
Rules of engagement A set of rules, constraints, boundaries or conditions that establishes limits on what participants in an activity may or may not do. Used, for example, to define the scope of penetration testing that is to be done, and to establish liability. limitations for both the testers and the sponsoring organization or systems owners.  
Sandbox A testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development including web development and revision control.
Software Composition Analysis (SCA) An automated process that identifies the open-source software in a codebase. Third-party/open-source components are an essential part of contemporary software development.
Static application security testing (SAST) A set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities.
STRIDE threat model A classification scheme for characterizing known threats according to the kinds of exploit that are used (or motivation of the attacker).
Synthetic transactions Refer to transactions that serve no business value other than to exercise the system programming and infrastructure
Test harness Typically used for test automation, a test harness consists of many items such as drivers, stubs and other tools needed to successfully run a test.
Web application firewall (WAF) An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

Cloud Security Operations

TERM DEFINITION
Blue/green May be used where the organization has a mirror of the production environment and logic that can switch users to the new environment once confidence of functionality is reached.
Container Small form factor–independent executable package of software that is installed and maintained upon a host operating system and includes everything that is needed to run an application, which includes system tools, libraries, settings and code.
Continuous integration/continuous delivery (CI/CD) Integrated set of practices and tools used to merge developer code, build and test software and develop deploy-ready packaging.
Deployment management Moves new hardware, software, documentation, processes or other components to live environments.
Domain Keys Identified Mail (DKIM) An asymmetric cryptographic key system that creates organizational nonrepudiation of messaging. Emails are received through proof-of-origin processing to detect spoofing and other fraudulent behavior.
Domain Name System (DNS) This acronym can be applied to three interrelated elements: a service, a physical server and a network protocol.
DNS shadowing Threat where the attacker gets access to the domain registrant’s account and creates subdomains from the parent domain of the victim to draw unsuspecting visitors to bogus sites.
Domain-based message authentication, reporting and conformance (DMARC) A scalable system for providing policy configuration for message validation, disposition and reporting that mail-sending organizations can use for email life cycle management.
Drift The change in configuration away from the desired baseline if adherence to the baseline.
Forward secrecy Also known as perfect forward secrecy, forward secrecy is the cryptographic protection for encrypted data based upon the discovery or compromise of a private key in an asymmetric pair. The session key that was used in a previous session will not be available for decryption.
Immutable environment New servers are based on a validated and version-controlled image. When a new system is required, the old is destroyed after the new is deployed.
Information security continuous monitoring (ISCM) NIST 800-137 defines Information security continuous monitoring (ISCM) as “maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.”
Patch management Updates a system to fix functionality, features or security.
Release management Makes available new and changed services and features for use. A version of a service or configuration item (CI) that is made available for use.
Security Content Automation Protocol (SCAP) SCAP is a multipurpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products and fostering the use of standard expressions of security content.

SCAP 1.3 has 12 component specifications

Security operations management system (SOMS) The set of guidelines and other elements that work together to ensure the effectiveness of security operations and their processes. ISO/IEC 18788-2015 specifies the requirements for management systems for private security operations. This is designed for organizations conducting or contracting security operations. The document provides a business and risk management framework for effective conduct of security operations.
Sender Policy Framework (SPF) Email authentication that defines a process to validate an email message that has been sent from an authorized mail server in order to detect forgery and to prevent spam. The owner of a domain can identify exactly which mail servers they are able to send from with SPF protocols.
Virtual extensible LAN (VXLAN) VXLAN is an overlay technology encapsulating layer 2 over layer 3. VXLAN doubles the 12-bit ID of a traditional VLAN (ie. up to 4094 VLANs) to a 24-bit ID VXLAN Network Identifier (VNI), thus allowing for 16 million networks.
Configuration management database (CMDB) An asset management system that has configuration management capabilities built-in to enable documentation of all system configuration items authoritatively.
Center for Internet Security (CIS) CIS controls benchmarks are best practices to mitigate against attacks for systems and networks.

There are benchmarks for: OS, server and desktop software, cloud providers, mobile and network devices (including printers)

Security Technical Implementation Guides (STIGs) STIGs are configuration standards for the US DoD. STIGs contain technical guidance to secure information systems and software.
Well-Architected Framework Well-Architected Framework documents are written by the CSP that offers best practices for services offered by the CSP.

It's a framework because it typically contains best practices for the target cloud in the following topics: Operational excellence, Security, Reliability, Performance optimization, Cost optimization.

Transport Layer Security (TLS) TLS allows client-server applications to communicate securely. When working with TLS, you are typically working with TLS 1.2 and TLS 1.3.

TLS 1.3 is newer and has the following features over TLS 1.2:

  • dropped legacy encryption algorithms. All supported algorithms are all AEAD algorithms. Includes Elliptic curve algorithms in base spec.
  • Zero RTT mode to save a round trip at connection setup
  • All messages after ServerHello is encrypted
Authenticated Encryption (AE) with Associated Data (AEAD) Authenticated encryption means the data you encrypt can be authenticated and that its plaintext can be verified as being authentic and unaltered.

AEAD allows a recipient to check the integrity of both the encrypted and unencrypted data in a message. AEAD is typically used in network packets or frames where the header needs to be visible but the payload needs to be encrypted while allowing for the recipient to know whether the message in its entirety is authentic and unaltered.

Firewalls A firewall is a network security system that controls incoming and outgoing network traffic. There are 3 types:
  • Stateless access control lists using IP addresses and port numbers.
  • Dynamic filters configured by anomalies, heuristics, patterns and behaviors
  • Next-gen firewalls with IDS/IDP and traffic management through micro segmentation policies

There are application specific firewalls including:

  • Web Application Firewall or WAF
  • Database activity monitors or DAM
  • API gateways to monitor, limit, and secure APIs
Information Technology Service Management (ITSM) ITSM is a set of documents that outline best practices used by major companies for dealing with IT.

ISO/IEC 20000-1:2018 - How to establish requirements for implementing, maintaining, and improving a service management system (SMS). ITIL (Information Technology Infrastructure Library) v4 deals with service value streams (SVS)

Change Management Change Management is described in ITIL v4 as "a practice to ensure [...] that changes in an organization are smoothly and successfully implemented [...]". All changes must contribute to the service value chain. Changes are categorized into the following:
  • Standard change - low risk and pre-authorized changes
  • Normal changes - Changes that are scheduled, tested and assessed, before being authorized and applied.
  • Emergency changes - changes that are part of the resolution of an incident or high-impact security concern. Authorization is expedited
Problem Management Problem management is to minimize the impact of problems in an organization.

Problems are the causes of incidents. They are 'known problems' when the root cause is known.