CCSP Flashcards

expert 42 cards

Free flashcards for CCSP: flip each card to reveal the definition. Built from the CCSP glossary as a study aid, these are concept checks, not real exam questions.

By The Exam Atlas Editorial Team · Verified 2026-06-06

All 42 terms

Shared responsibility model
The split between what the cloud provider secures and what the customer secures; it shifts by service model.
IaaS
Infrastructure as a Service - the provider supplies compute, storage and network; the customer manages the OS upward.
PaaS
Platform as a Service - the provider also manages the OS and runtime; the customer manages apps and data.
SaaS
Software as a Service - the provider runs the whole application; the customer manages data and access.
Public cloud
Cloud resources shared across many tenants over the internet.
Private cloud
Cloud infrastructure dedicated to a single organisation.
Hybrid cloud
A mix of private and public cloud connected together.
Community cloud
Cloud shared by organisations with common requirements (e.g. a sector or compliance regime).
Cloud data lifecycle
The stages data passes through: create, store, use, share, archive, destroy.
Data classification
Assigning sensitivity levels so the right controls apply.
Encryption
Reversible protection of confidentiality using a key.
Tokenization
Replacing a sensitive value with a non-sensitive token that maps back to it.
Data masking
Hiding part of a value (e.g. all but the last four digits) for display or testing.
Hashing
A one-way function used to verify integrity, not to hide data reversibly.
Key management
The processes for generating, storing, rotating and retiring encryption keys.
BYOK
Bring Your Own Key - the customer supplies and controls keys used in the provider's key service.
CMK
Customer-Managed Key - an encryption key the customer controls rather than the provider.
HYOK
Hold Your Own Key - keys are kept outside the cloud provider entirely.
HSM
Hardware Security Module - tamper-resistant hardware that stores and uses cryptographic keys.
Data remanence
Residual data left on storage after deletion; addressed by secure wiping or destruction.
Crypto-shredding
Rendering data unrecoverable by destroying the keys that encrypt it.
Data residency
The physical location where data is stored.
Data sovereignty
The principle that data is subject to the laws of the country where it is located.
Tenant isolation
Keeping one customer's data and workloads separated from others in a multi-tenant cloud.
Multi-tenancy
A single cloud platform serving many customers (tenants) on shared infrastructure.
CASB
Cloud Access Security Broker - a control point that enforces security policy between users and cloud services.
CSPM
Cloud Security Posture Management - tooling that finds and fixes misconfigurations in cloud environments.
CWPP
Cloud Workload Protection Platform - security for workloads such as VMs, containers and serverless.
SIEM
Security Information and Event Management - aggregates and analyses logs to detect and investigate threats.
IAM
Identity and Access Management - managing identities, authentication and authorization.
Federation
Sharing identity across domains so users authenticate once across services.
SAST
Static Application Security Testing - analysing source code without running it.
DAST
Dynamic Application Security Testing - testing a running application for flaws.
API gateway
A managed entry point that routes, secures and throttles API calls.
Sandboxing
Isolating code so it cannot affect the wider system if it misbehaves.
BC/DR
Business Continuity and Disaster Recovery - keeping the business running and restoring IT after disruption.
RTO / RPO
Recovery Time Objective (target time to restore) and Recovery Point Objective (acceptable data loss).
SLA
Service Level Agreement - the provider's committed levels of availability and performance.
SOC 2
An assurance report on a service provider's controls for security, availability and related criteria.
GDPR
EU data-protection regulation governing personal data and privacy.
Vendor lock-in
Difficulty moving away from a provider due to proprietary services or data formats.
Shadow IT
Cloud services used without the organisation's approval or oversight.