Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA Cloud+ CV0-003 Exam: Glossary of Essential Cloud Computing Terms and Components<br>
Source: https://www.fatskills.com/cloud-computing/chapter/comptia-cloud-cv0-003-exam-glossary-of-essential-cloud-computing-terms-and-componentsbr

CompTIA Cloud+ CV0-003 Exam: Glossary of Essential Cloud Computing Terms and Components<br>

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~30 min read

A
Access control list (ACL): A list that defines access privileges to a network resource by defining rules in terms of IP address, ports, source, destination, and/or protocol.
Access key ID: An IAM credential that you can use to authenticate to a cloud resource.
Active logging: A common intelligence gathering tool used during the forensics process.
Address Resolution Protocol (ARP): A protocol that allows the resolution of a device’s assigned IP address into its MAC hardware address.
Administrative control: A control based on business and organizational processes and procedures.
Advanced Encryption Standard (AES): A symmetrical 128-bit fixed-block encryption system that has a key size of 128, 192, or 256 bits and replaces the legacy DES standard.
Advanced persistent threat (APT): A threat that is rooted in the capability to infiltrate a network and remain inside while going undetected. This access often provides the means for a more strategic target or defined objective, including the capability to exfiltrate information over a long period of time.
Agile: An SDLC model that breaks development into cycles. The Agile model combines iterative and incremental process models.
Annual loss expectancy (ALE): The expected cost per year arising from a risk’s occurrence. It is calculated as the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO).
Annual rate of occurrence (ARO): The number of times a given risk will occur within a single year.
Antivirus: A software program used to protect the user environment that scans for email and downloadable malicious code.
Application logging: A major focus of security in a more web-based world, with exploits such as cross-site scripting and SQL injections now an everyday occurrence.
Application programming interface (API): A connection between computers or between computer programs.
Asymmetric key: A pair of key values (one public and the other private) used to encrypt and decrypt data, respectively. Only the holder of the private key can decrypt data encrypted with the public key; this means that anyone who obtains a copy of the public key can send data to the private key holder in confidence.
Attribute Based Access Control (ABAC): A logical access control model recommended as the preferred access control model for information sharing among diverse organizations by the Federal Identity, Credential, and Access Management (FICAM) Roadmap.
Auditing: The tracking of user access to resources, primarily for security purposes.
Authentication: The process of identifying users.
Authentication header (AH): A component of the IPsec protocol that provides integrity, authentication, and antireplay capabilities.
Authorization: The process of identifying what a given user is allowed to do.
Auto-scaling: An AWS service that adjusts compute capacity to maintain desired performance.
Availability zone: A fault isolation area in one AWS region that is composed of one or more data centers. Multiple availability zones are connected to independent Internet, power, uplink, and other providers to mitigate the possibility of a failure affecting more than one availability zone at a time.

B
Baseline or baselining:
Measure of normal activity, used as a point to determine abnormal system and network behaviors.
Black box: A test conducted when the assessor has no information or knowledge about the inner workings of the system or knowledge of the source code.
Block cipher: A way to transform a message from plain text (unencrypted form) to cipher text (encrypted form) one piece at a time The block size represents a standard chunk of data that is transformed in a single operation.
Block storage: Data records stored in blocks on a storage-area network.
Blowfish: A block cipher that can encrypt using any size chunk of data and perform encryption with any length encryption key, up to 448 bits.
Bot: ​​​​​​​Short for robot; an automated computer program that needs no user interaction. Bots allow hackers to take control of a system. Many bots used together can form a larger botnet.
Botnet: A large number of computers (bots) that forward transmissions to other computers on the Internet. You might also hear a botnet referred to as a zombie army.
Bring your own device (BYOD): A policy allowing employees to use personal mobile devices for access to enterprise data and systems.
Brute-force attack: An attack that relies on cryptanalysis or algorithms capable of performing exhaustive key searches.
Bucket: The storage unit for an S3 object.
Buffer overflowAn attack that occurs when the data presented to an application or service exceeds the storage space allocation that has been reserved in memory for that application or service.
Business continuity plan (BCP): A plan that describes a long-term systems and services replacement and recovery strategy, designed for times when a complete loss of facilities occurs. : A business continuity plan prepares for automatic failover of critical services to redundant offsite systems.
Business impact analysis (BIA): ​​​​​​​The process of determining the potential impacts resulting from the interruption of time-sensitive or critical business processes.
Business partner agreement (BPA): A type of contract that establishes the responsibilities of each partner.

C
Caching:
Temporarily storing frequently used data closer to the final data destination (server or client).
cat: A command-line file manipulation command to read files sequentially and used to concatenate files.
CDN: Content delivery network; a system of distributed servers (network) that deliver pages and other web content to a user, based on the geographic locations of the user.
CER: A common certificate extension. : A CER file is used to store X509 certificates.
Certificate authority (CA): A system that issues, distributes, and maintains current information about digital certificates. Such authorities can be private (operated within a company or an organization for its own use) or public (operated on the Internet for general public access).
Certificate policy: A statement that governs the usage of digital certificates.
Certificate revocation list (CRL): A list generated by a C: A that enumerates digital certificates that are no longer valid and the reasons they are no longer valid.
Certificate signing request (CSR): A request to apply for a digital certificate.
Chain of custody: ​​​​​​​The documentation of all transfers of evidence from one person to another, showing the date, time, reason for transfer, and signatures of both parties involved in the transfer. Chain of custody also refers to the process of tracking evidence from a crime scene to the courtroom.
Challenge Handshake Authentication Protocol (CHAP): A widely used authentication method in which a hashed version of a user’s password is transmitted during the authentication process.
CI/CD: ​​​​​​​Continuous integration/continuous delivery (or deployment); a practice that focuses on the toolchain that can automate the delivery of software in a fast, iterative manner.
Cipher: A method of encrypting text. The term cipher also refers to an encrypted message (although the term cipher text is preferred).
Cipher Block Chaining (CBC): A commonly used mode that provides for confidentiality only, not integrity.
CLI: Command-line interface; a tool to access a service or feature in a terminal or command-line session.
Cloud Access Security Broker: A Gartner-created term describing a cloud cybersecurity layer focused on visibility, compliance, data security, and threat protection.
Cloud Security Alliance (CSA): A nonprofit organization that provides security best practices for cloud-based services and computing.
Cloud-native application: ​​​​​​​An application designed and built to run in the cloud.
Cold site: A remote site that has electricity, plumbing, and heating installed, ready for use when enacting disaster recovery or business continuity plans. At a cold site, the company enacting the plan supplies all other equipment, systems, and configurations. Compare this with hot and warm sites.
Compensating control: An alternate control that is intended to reduce the risk of an existing or potential control weakness.
Compute: To perform calculation, computation, and transformation of incoming data or requests.
Computer/cyber incident response team (CIRT): The team of experts who respond to security incidents. Also referred to as a CSIRT (computer security incident response team).
Containers: Technology that packages applications and services together with their runtime environment enabling them to be run anywhere.
Corrective control: A control that is reactive and provides measures to lessen harmful effects or restore the system being impacted.
Cross-site request forgery (XSRF): A web attack that exploits existing site trust, such as unexpired banking session cookies, to perform actions on the trusting site using the already existing trusted account.
Cross-site scripting (XSS): Malicious executable code placed on a website that allows an attacker to hijack a user session to conduct unauthorized access activities, expose confidential data, and log successful attacks back to the attacker.
Cryptographic module: ​​​​​​​Any combination of hardware, firmware, or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques, and random number generation.
Cryptography: A process that protects information by disguising (encrypting) it into a format that only authorized systems or individuals can read.
Crypto-malware: Malware that is specifically designed to find potentially valuable data on a system and encrypt it.
curl: A command-line tool that enables you to get and send data using URLs.
CVE: Common Vulnerabilities and Exposure; a list of publicly known vulnerabilities that provides descriptions and reference.
CVSS: Common Vulnerability Scoring System; a standard that provides a severity rating.
Cyber kill chain: A framework to track the steps or phases that an attacker goes through as part of an intrusion.

D
Data Encryption Standard (DES): A block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data.
Data exfiltrationThe unauthorized transfer of data. : A more basic definition is data theft.
Data loss prevention (DLP): Security services that identify, monitor, and protect data during use, storage, or transfer between devices. DLP software relies on deep inspection of data and transactional details for unauthorized access operations.
Data sensitivity: The classification scheme of data among organizations.
Decryption: ​​​​​​​The process of turning cipher text into plain text.
Defense-in-depth: A term rooted in military strategy that requires a balanced emphasis on people, technology, and operations to maintain information assurance (IA).
Denial of service (DoS): A type of attack that denies legitimate users access to a server or services by consuming sufficient system resources or network bandwidth that it renders a service unavailable.
DER: The binary form of a PEM certificate.
Detective control: A control that warns that physical security measures are being violated.
Deterrent control: A control that is intended to discourage individuals from intentionally violating information security policies or procedures.
Development and Operations (DevOps): A software development practice focused on culture, automation, and iterative development of software.
Differential backup: A backup that provides only the data that has changed since the last full backup. It is incomplete without the last full backup.
Diffie-Hellman (D-H) : key exchangeAn early key exchange design in which two parties, without prior arrangement, can agree on a secret key that is known only to them.
Digital certificate: An electronic document that includes the user’s public key and the digital signature of the certificate authority (CA) that has authenticated the user. The digital certificate can also contain information about the user, the CA, and attributes that define what users are allowed to do with systems they access using the digital certificate.
Digital Signature Algorithm (DSA): A U.S. standard for the generation and verification of digital signatures to ensure authenticity.
Disaster recovery plan (DRP): Actions to be taken in case a business is hit with a natural or man-made disaster.
Discretionary access control (DAC): Access control method in which access rights are configured at the discretion of accounts with authority over each resource, including the capability to extend administrative rights through the same mechanism.
Distributed denial of service (DDoS): ​​​​​​​Attack that originates from multiple systems simultaneously, causing even more extreme consumption of bandwidth and other resources than a DoS attack.
Domain Name Service (DNS): ​​​​​​​The service responsible for translation of hierarchical human-readable named addresses into their numeric IP equivalents.

E
EC2: Elastic Compute Cloud; the VM instance-running service in AWS.
Edge computing: ​​​​​​​Computing that happens near the edge of a network closer to where it’s used or needed.
e-discovery: ​​​​​​​The discovery process for electronically stored information.
Elasticity: ​​​​​​​The capability to expand and reduce cloud resources as needed at any given point in time.
Electromagnetic interference (EMI): Electronic device interference that occurs when the device is in the area of another device. EMI affects the performance of a device.
Encapsulating Security Payload (ESP): Method to provide confidentiality, data origin authentication, connectionless integrity, an antireplay service, and traffic flow confidentiality.
Encryption: The process of turning plain text into cipher text.
Encryption algorithm: A mathematical formula or method used to scramble information before it is transmitted over unsecure media. Examples include RSA, DH, IDEA, Blowfish, MD5, and DSS/DSA.
End-of-life (EOL): Software that is unsupported because the vendor has retired it.
Endpoint detection and response (EDR): Software that offers protection from malware for endpoints.
Escalation of privilege: ​​​​​​​An exploitation technique that gives an attacker or tester access at a higher authorization and also provides the capability to conduct more advanced commands and routines.

F
Federation: A way to connect identity management systems by allowing identities to cross multiple jurisdictions.
File Transfer Protocol (FTP): A client/server data file transfer service for TCP networks that are capable of anonymous or authenticated access.
Firewall: A network system that monitors incoming and outgoing traffic and makes determinations to allow or deny the traffic based upon policy.
Framework: A structure that generally includes more components than a guide and is used as a basis for implementing and managing security controls.
Full backup: A complete backup of all data. This is the most time- and resource-intensive form of backup, requiring the largest amount of data storage.

G
General Data Protection Regulation (GDPR): A regulation intended to strengthen data protection for all individuals within the European Union (EU).
Gray box: A testing method that combines white box and black box techniques. It can be more easily thought of as being translucent. Specifically, the tester has some understanding of or limited knowledge of the inner workings.
grep: A command-line file manipulation command to search files for patterns.
Group: A group of users that can be grouped as per common attributes.
Guide: Specific information about how standards should be implemented. A guide or guideline is generally not mandatory and provides recommendations or good practices.

H
HA:
High availability; the capability to withstand failure and adhere to availability as defined in an SLA.
Hardware Security Module (HSM): A dedicated crypto-processor that is specifically designed for the protection of transactions, identities, and applications by securing cryptographic keys.
Hash value: ​​​​​​​The resultant output or data generated from an encryption hash when applied to a specific set of data. If it is computed and passed as part of an incoming message and then is recomputed upon message receipt, such a hash value can be used to verify the received data when the two hash values match.
Hash-based Message Authentication Code (HMAC): ​​​​​​​Additional security provided to MAC by adding another integrity check to the data being transmitted.
Hashing: A methodology used to calculate a short, secret value from a data set of any size (usually for an entire message or for individual transmission units). This secret value is recalculated independently on the receiving end and is compared to the submitted value to verify the sender’s identity.
Health Insurance Portability and Accountability Act (HIPAA): ​​​​​​​U.S. legislation that provides data privacy and security provisions for protecting medical information.
Honeypot: A decoy system designed to attract hackers. : A honeypot usually has all its logging and tracing enabled, and its security level is lowered on purpose. Such systems often include deliberate lures or bait, in hopes of attracting would-be attackers who think they can obtain valuable items on these systems.
Host-based IDS (HIDS): Systems that monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.
Host-based IPS (HIPS): A software intrusion prevention system capable of reacting to and preventing or terminating unauthorized access within a single host system.
Hot site: A site that is immediately available for continuing computer operations if an emergency arises. It typically has all the necessary hardware and software loaded and configured, and it is available continuously. Compare this with warm and cold sites.
Hybrid cloud: A cloud deployment model in which an organization provides and manages some resources in-house and has other resources provided externally via a public cloud.
Hypertext Transfer Protocol (HTTP): A client/server protocol for network transfer of information between a web server and a client browser over the World Wide Web (WWW).
Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS): A protocol used in a secured connection that encapsulates data transferred between the client and web server. It occurs on port 443.
Hypervisor: A virtualization platform that provides more than one operating system to run on a host computer at the same time. It controls how access to a computer’s processors and memory is shared. : A Type I native or bare-metal hypervisor is software that runs directly on a hardware platform. : A Type II or hosted hypervisor is software that runs within an operating system environment.

I
IaaS:
Infrastructure as a Service; a service that makes it possible to provision and use infrastructure components such as compute units, disk, and network from the cloud.
IAM: Identity and Access Management; the identity service that cloud providers offer with which you provide access control for users, group, and roles.
IDE: Integrated development environment; a software application that provides comprehensive facilities to computer programmers for software development.
Identification: A process of presenting information such as a username, a process ID, a smart card, or another unique identifier, claiming an identity.
Identity: An attribute that identifies an individual in the cloud.
IdP: Identity provider; a directory that can authenticate a user when federated with IAM.
Incremental backup: Backup that includes only the data that has changed since the last incremental backup. It resets the archive bit.
Infrastructure as Code (IaC): A term meaning that infrastructure configuration can be incorporated into application code. Also known as the programmable infrastructure.
International Organization for Standardization (ISO): A body that provides best practice recommendations on information security management.
Internet Control Message Protocol (ICMP): A transport protocol within the TCP/IP suite that operates separately from TCP or UDP transfer. ICMP is intended for passing error messages and is used for services such as pingand traceroute.
Internet of Things (IoT): ​​​​​​​Connected everyday devices performing specific functions using embedded systems and sensors.
Internet Protocol Security (IPsec): A mechanism used for the encryption of TCP/IP traffic. IPsec provides security extensions to IPv4. It manages special relationships between pairs of machines, called security associations.
Intranet: A portion of the information technology infrastructure that belongs to and is controlled by the company in question.
Intrusion detection system (IDS): A sophisticated network protection system designed to detect attacks in progress but not to prevent potential attacks from occurring. Many IDSs actually can trace attacks back to an apparent source, and some can even automatically notify all hosts through which attack traffic passes that they are forwarding such traffic.
IOPS (input/output per second): A performance specification that defines the rate of input and output per second when storing and retrieving data.
IP spoofing: An attack that seeks to bypass IP address filters by setting up a connection from a client and sourcing the packets with an IP address that is allowed through the filter.
ipconfig: A command that displays network settings such as IP address, subnet mask, and default gateway.

J
JSON: ​​​​​​​
JavaScript Object Notation; a scripting language used widely in the cloud to define infrastructure characteristics, security, and so on.

K
Kerberos: A set of authentication services, including the Authentication Service (AS) Exchange protocol, the Ticket-Granting Service (TGS) Exchange protocol, and the Client/Server (CS) Exchange protocol.
Key escrowSituation in which a C: A or other entity maintains a copy of the private key associated with the public key signed by the CA.
Key exchange: A technique in which a pair of keys is generated and then exchanged between two systems (typically, a client and a server) over a network connection to allow them to establish a secure connection.
Key management: The methods for creating and managing cryptographic keys and digital certificates.
KMS: ​​​​​​​Key Management Service; a cloud service that centrally manages customers’ cryptographic keys and policies across the cloud services that require data encryption.

L
Layer 2 Tunneling Protocol (L2TP): A protocol that performs tunneling at Layer 2 of the OSI model.
Least privilege: An access control practice in which a logon is given only minimal access to resources required to perform its tasks.
Lightweight Directory Access Protocol (LDAP): A TCP/IP protocol that enables client systems to access directory services and related data. In most cases, LDAP is used as part of management or other applications, or in browsers to access directory services information.
Logger: A command-line tool used to add logs to the local syslog file or a remote syslog server.

M
Machine learning: ​​​​​​​Capability of software to gather information and make conclusions.
Malware: Malicious software used to cause damage or gain unauthorized access to systems.
Mandatory access control (MAC): A centralized security method that does not allow users to change permissions on objects.
Man-in-the-middle: ​​​​​​​An attack in which a hacker attempts to intercept data in a network stream and then inserts his or her own data into the communication. The goal is to disrupt or take over communications.
Mean time between failures (MTBF): The point in time at which a device will still be operational, denoting the average time a device will function before failing.
Mean time to failure (MTTF): The expected time to failure for a nonrepairable system.
Mean time to recovery (MTTR): The average time that a device will take to recover from any failure.
Message Authentication Code (MAC): Way to authenticate a message. It works like a hash because it is used to detect tampering.
Message digestThe output of an encryption hash that is applied to some fixed-size chunk of data. : A message digest provides a profound integrity check because even a change to 1 bit in the target data changes the resulting digest value. This explains why digests are included so often in network transmissions.
Message digest algorithm: A hashing algorithm based on message digest.
Migration: The process of moving an application to the cloud.
MITRE ATT&CK: A knowledgebase and framework of different attack techniques to understand and defend against an attacker.
Monitoring: Tracking performance, logs, and the state of an application.
Multifactor Authentication (MFA): ​​​​​​​Authentication that involves multiple factors, such as something you have and something you know.

N
National Institute of Standards and Technology (NIST):
An agency within the U.S. Department of Commerce that is responsible for developing measurement standards, including standards for cybersecurity best practices, monitoring, and validation.
netcat: A network utility for gathering information from TCP and UDP network connections.
Network access control list (NACL): A stateless subnet firewall that protects both inbound and outbound subnet traffic.
Network Address Translation (NAT): A service that provides indirect Internet access to cloud instances that are located on private subnets, hiding internal IPs.
Network Time Protocol (NTP): A UDP protocol used for device clock synchronization, providing a standard time base over variable-latency networks. This is critical for time-synchronized encryption and access protocols such as Kerberos.
Network-based IDS (NIDS): An IDS that monitors packet flow and tries to locate unauthorized packets that might have gotten through the firewall. An NIDS is best at detecting DoS attacks and unauthorized user access.
Network-based IPS (NIPS): A device or software program designed to sit inline with traffic flows and prevent attacks in real time.
Next-generation firewall (NGFW): ​​​​​​​Firewalls that go beyond traditional port and IP address examination to include application and user awareness.
nmap: A network scanning tool used for locating network hosts, detecting operating systems, and identifying services.
Nondisclosure agreement (NDA): A legally binding document that organizations might require of their employees and other people who come into contact with confidential information.
Normalization: ​​​​​​​The conversion of data to its anticipated, simplest known form.
NoSQL: A type of database that does not follow SQL rules and architecture.
nslookup: A command-line utility used for troubleshooting DNS.

O
OAuth (Open Authorization): A framework used for Internet token-based authorization. The main purpose of OAuth is API authorization between applications.
Object storage: ​​​​​​​Data stored as a distinct object with associated metadata containing relevant information.
Onboarding: A process used to create an identity profile and the necessary information required to describe the identity.
Online Certificate Status Protocol (OCSP): An Internet protocol defined by the IETF that is used to validate digital certificates issued by a CA. OCSP was created as an alternative to certificate revocation lists (CRLs) and overcomes certain limitations of CRLs.
Open Web Application Security Project (OWASP): A nonprofit organization that provides resources to improve the security of software.
OpenID Connect: An identity layer based on OAuth 20 specifications used for consumer single sign-on.
Order of restoration: The order in which backup tapes are restored.

P
Password attack:
Assaults on passwords using manual or automated techniques using methods such as dictionary, brute-force, spraying, and rainbow-table type attacks.
Password policy: A policy containing global password settings for AWS account IAM users.
Payment Card Industry Data Security Standard (PCI DSS): A standard that governs the use and storage of credit card data.
Peering connection: A private networking connection between two VPCs or two transit gateways.
PEM: ​​​​​​​The most common format and extension for certificates.
Personal Health Information (PHI): Any medical data that can be used to identify an individual.
Personally Identifiable Information (PII): Broadly, any data that can be used to identify an individual.
ping: A network tool to test the basic functions of a network commonly used to test whether a remote host is alive or responding.
Platform as a Service (PaaS): ​​​​​​​The delivery of a computing platform, often an operating system with associated services, over the Internet without downloads or installation.
Preventive control: A control that attempts to avoid the occurrence of unwanted events by inhibiting the free use of computing resources.
Privacy: A term that relates to rights to control the sharing and use of one’s personal information.
Privacy Impact Assessment (PIA): ​​​​​​​An assessment needed for any organization that collects, uses, stores, or processes personal information such as PII or PHI.
Private cloud: A cloud deployment model in which a private organization implements a cloud in its internal enterprise, and that cloud is used by the organization’s employees and partners.
Private key: A key that is maintained on the host system or application.
Privilege escalation: A method of software exploitation that takes advantage of a program’s flawed code. Usually, this crashes the system and leaves it in a state in which arbitrary code can be executed or an intruder can function as an administrator.
Protocol analyzer: Tool that troubleshoots network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis.
Public cloud: A cloud deployment model in which a service provider makes resources available to the public over the Internet.
Public key: A key that is made available to whoever is going to encrypt the data sent to the holder of a private key.
Public key infrastructure (PKI): A collection of systems, software, and communication protocols that distribute, manage, and control public key cryptography.
Python: A popular and widely used general-purpose programming language.

R
RAID: ​​​​​​​
Redundant Array of Inexpensive (or Independent) Disks; the organization of multiple disks into a large, high-performance logical disk to provide redundancy in case of disk failure.
Ransomware: A form of malware that attempts to hold a person or company ransom, often for monetary gain.
Read replica: A read-only copy of a linked primary database.
Recovery point objective (RPO): ​​​​​​​The amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds the BCP’s maximum allowable threshold.
Recovery site: ​​​​​​​The type of site an organization chooses for disaster recovery.
Recovery time objective (RTO): A measure of the time in which a service should be restored during disaster recovery operations.
Redundancy: ​​​​​​​Replication of a component in identical copies to compensate for random hardware failures.
Refactoring: A practice for software developers that identifies ways to make code more efficient through better design.
Region: A set of cloud resources in a geographic area of the world. : A region consists of two or more availability zones.
Relational database: A database that has the capability to perform complex queries over the data in a structured manner.
Representational state transfer (REST): A client/server model for interacting with content on remote systems, typically using HTTP.
Reserved instance: A cloud instance for which you have prepaid.
risk acceptance: A process of recognizing a risk, identifying it, and then accepting that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted.
Role-based access control (RBAC): A security method that combines both MAC and DAC. RBAC uses profiles. Profiles are defined for specific roles within a company, and then users are assigned to such roles. This facilitates administration in a large group of users because when you modify a role and assign it new permissions, those settings are automatically conveyed to all users assigned to that role.
Router: A device that connects multiple network segments and routes packets between them. Routers split broadcast domains.
RS: A algorithmAn asymmetric cryptography algorithm that allows anyone to create products that incorporate different implementations of the algorithm, without being subject to license and patent enforcement.
Rule-based access control (RBAC): An extension of access control that includes stateful testing to determine whether a particular request for resource access may be granted. When a rule-based method is in force, access to resources might be granted or restricted, based on conditional testing.

S
Sandboxing: A method that enables programs and processes to be run in an isolated environment, to limit access to files and the host system.
Scalability: ​​​​​​​The capability to handle the changing needs of a system, process, or application within the confines of the current resources.
Scale up: ​​​​​​​To increase compute power automatically.
Scaling policy: A policy that describes the type of scaling of compute resources to be performed.
Scrum: A framework for managing application development as a team following three pillars: transparency, inspection, and adaptation.
Secure Hash Algorithm (SHA): ​​​​​​​Hash algorithm pioneered by the National Security Agency and widely used in the U.S. government.
Secure Hypertext Transfer Protocol (S-HTTP): ​​​​​​​An alternative to HTTPS. The Secure Hypertext Transfer Protocol was developed to support connectivity for banking transactions and other secure web communications.
Secure Shell (SSH): A protocol designed to support secure remote login, along with secure access to other services across an unsecure network. SSH includes a secure transport layer protocol that provides server authentication, confidentiality (encryption), and integrity (message digest functions), along with a user authentication protocol and a connection protocol that runs on top of the user authentication protocol.
Secure Sockets Layer (SSL): ​​​​​​​An Internet protocol that uses connection-oriented, end-to-end encryption to ensure that client/server communications are confidential (encrypted) and meet integrity constraints (message digests). Because SSL is independent of the application layer, any application protocol can work with SSL transparently. SSL can also work with a secure transport layer protocol, which is why the term SSL/TLS appears frequently. See also Transport Layer Security.
Secure/Multipurpose Internet Mail Extensions (S/MIME): An Internet protocol governed by RFC 2633 and used to secure email communications through encryption and digital signatures for authentication. It generally works with PKI to validate digital signatures and related digital certificates.
Security Assertion Markup Language (SAML): ​​​​​​​An open standards protocol that uses Extensible Markup Language (XML) formatted messages for authentication and authorization.
Security group: A stateful firewall protecting EC2 instances’ network traffic.
Server Message Block (SMB): A network protocol used by Windows systems on the same network to store files.
Serverless: A type of computing in which compute servers and integrated services are fully managed by the cloud provider.
Server-Side Encryption (SSE): ​​​​​​​Encryption of data records at rest by an application or a service.
Service-level agreement (SLA): A contract between two companies or a company and an individual that specifies, by contract, a level of service to be provided. Supplying replacement equipment within 24 hours of loss is a simple example of an SLA.
Session keys: ​​​​​​​Randomly generated keys that perform both encryption and decryption during the communication of a session between two parties.
Simple Network Management Protocol (SNMP): ​​​​​​​UDP-based application layer Internet protocol used for network management. SNMP is governed by RFCs 2570 and 2574. In converting management information between management consoles (managers) and managed nodes (agents), SNMP implements configuration and event databases on managed nodes that can be configured to respond to interesting events by notifying network managers.
Single loss expectancy (SLE): ​​​​​​​The expected cost per instance arising from a risk’s occurrence. The SLE is calculated as the product of the asset value and the risk’s exposure factor (a percentage of loss if a risk occurs).
Snapshot: An image of the file system that preserves the entire state and data of the virtual machine at the time it is taken.
Software as a Service (SaaS): A cloud computing model in which software applications are virtualized and provided by an outsourced service provider.
Software-defined networking (SDN): A method by which organizations can manage network services through a decoupled underlying infrastructure, enabling quick adjustments to changing business requirements.
Staging environment: ​​​​​​​An SDLC environment that is primarily used to unit test the actual deployment of code before it is put into production.
Standard: ​​​​​​​Specific mandatory controls based on policies.
Stateful: A type of service that requires knowledge of all internal functions.
Stateless: A type of self-contained redundant service that has no knowledge of its place in the application stack.
Structured Query Language (SQL): ​​​​​​​The de facto programming language used in relational databases.
Subnet: A defined IP address range hosted within a VPC/VNet.
Symmetric key: A single encryption key that is generated and used to encrypt data. This data is then passed across a network. After that data arrives at the recipient device, the same key used to encrypt that data is used to decrypt it. This technique requires a secure way to share keys because both the sender and the receiver use the same key (it is also called a shared secret because that key should be unknown to third parties).
Syslog: A system logging protocol used to send logs or messaging events to a server.
System logging: The process of collecting system data to be used for monitoring and auditing purposes.

T
Tag: A metadata description for types of resources.
tcpdump: A command-line packet analyzer tool that captures packets sent and received on an interface.
Transport Layer Security (TLS): ​​​​​​​An end-to-end encryption protocol originally specified in ISO Standard 10736 that provides security services as part of the transport layer in a protocol stack.
Tunneling: ​​​​​​​The process of transporting data securely over a network via an encrypted connection.
Type 1 hypervisorVirtualization software that is installed on hardware directly, which is why it is commonly called a bare metal hypervisor. : A guest operating system runs on another level above the hypervisor. Examples include Citrix XenServer, Microsoft Hyper-V, and VMware vSphere.
Type 2 hypervisor: A hypervisor installed over an existing operating system. Examples include VMware Workstation and Oracle VM VirtualBox.

U–V
User state: ​​​​​​​
Data that identifies an end user and the established session between the end user and a hosted application.
Versioning: A process in which multiple copies of S3 objects, including the original object, are saved.
Virtual desktop infrastructure (VDI)The server-based virtualization technology that hosts and manages virtual desktops.
Virtual local-area network (VLAN): A software technology that facilitates the grouping of network nodes connected to one or more network switches into a single logical network. By permitting logical aggregation of devices into virtual network segments, VLANs offer simplified user management and network resource access controls for switched networks.
Virtual machine (VM): An emulation that virtualizes a complete operating system and can be used as a substitute for a physical machine.
Virtual private cloud (VPC): A logically isolated virtual network in the AWS cloud.
Virtual private network (VPN): A popular technology that supports reasonably secure, logical, private network links across some unsecure public network infrastructure, such as the Internet. VPNs are more secure than traditional remote access because they can be encrypted and because VPNs support tunneling (hiding numerous types of protocols and sessions within a single host-to-host connection).
Virtualization technology: A technology developed to allow a guest operating system to run along with a host operating system with one set of hardware.
Virus: A piece of malicious code that spreads to other computers by design, although some viruses also damage the systems on which they reside. Viruses can spread immediately upon reception or implement other unwanted actions, or they can lie dormant until a trigger in their code causes them to become active. The hidden code a virus executes is called its payload.
Voice over IP (VoIP): ​​​​​​​Network communications that are subject to the same attacks as other Internet communication methods.
Vulnerability scan: A scanning method that identifies vulnerabilities, misconfigurations, and lack of security controls.
Vulnerability scanner: A software utility that scans a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.

W
Warm site/Warm standby: A backup site that has some of the equipment and infrastructure necessary for a business to begin operating at that location. Typically, organizations bring their own server systems and hardware to a warm site, but that site usually already includes a ready-to-use networking infrastructure. It also might include reliable power, climate controls, lighting, and Internet access points. Compare with hot and cold sites.
Waterfall: A traditional SDLC model that starts with a defined set of requirements and a well-developed plan. Adjustments are confined to the current development stage.
Web application firewall (WAF)Software or a hardware appliance used to protect the organization’s web server from attack. : A WAF is leveraged specifically for HTTP/HTTPS traffic at the application layer of the OSI model.
Web identity: An identity provider that offers authentication of users from the web.
Web server: A service hosting a website that is accessible via HTTP or HTTPS.
White box: A testing method that provides some transparency. The assessor has knowledge about the inner workings of the system or knowledge of the source code. Also called clear box or glass box testing.
Wireshark: A well-known packet analyzer.
Workflow orchestration: ​​​​​​​ Sequencing of events based on certain parameters by using scripting and scripting tools.
Worm: A type of virus designed primarily to reproduce and replicate itself on as many computer systems as possible. : A worm does not normally alter files; instead, it remains resident in a computer’s memory. Worms typically rely on access to operating system capabilities that are invisible to users.

X, Y, Z
X509
A digital certificate that uniquely identifies a potential communications party or participant. An X509 digital certificate includes a party’s name and public key, among other pieces, but it can also include organizational affiliation, service or access restrictions, and other access- and security-related information.
Yet Another Markup Language (YAML) A language that is used widely in the cloud to define infrastructure characteristics, security, and so on.



ADVERTISEMENT