Plain-English definitions of the core cloud-security terms for CCSP study. Simplified for learning; the ISC2 exam outline and provider documentation are authoritative.
| Term | Definition |
|---|---|
| Shared responsibility model | The split between what the cloud provider secures and what the customer secures; it shifts by service model. |
| IaaS | Infrastructure as a Service - the provider supplies compute, storage and network; the customer manages the OS upward. |
| PaaS | Platform as a Service - the provider also manages the OS and runtime; the customer manages apps and data. |
| SaaS | Software as a Service - the provider runs the whole application; the customer manages data and access. |
| Public cloud | Cloud resources shared across many tenants over the internet. |
| Private cloud | Cloud infrastructure dedicated to a single organisation. |
| Hybrid cloud | A mix of private and public cloud connected together. |
| Community cloud | Cloud shared by organisations with common requirements (e.g. a sector or compliance regime). |
| Cloud data lifecycle | The stages data passes through: create, store, use, share, archive, destroy. |
| Data classification | Assigning sensitivity levels so the right controls apply. |
| Encryption | Reversible protection of confidentiality using a key. |
| Tokenization | Replacing a sensitive value with a non-sensitive token that maps back to it. |
| Data masking | Hiding part of a value (e.g. all but the last four digits) for display or testing. |
| Hashing | A one-way function used to verify integrity, not to hide data reversibly. |
| Key management | The processes for generating, storing, rotating and retiring encryption keys. |
| BYOK | Bring Your Own Key - the customer supplies and controls keys used in the provider’s key service. |
| CMK | Customer-Managed Key - an encryption key the customer controls rather than the provider. |
| HYOK | Hold Your Own Key - keys are kept outside the cloud provider entirely. |
| HSM | Hardware Security Module - tamper-resistant hardware that stores and uses cryptographic keys. |
| Data remanence | Residual data left on storage after deletion; addressed by secure wiping or destruction. |
| Crypto-shredding | Rendering data unrecoverable by destroying the keys that encrypt it. |
| Data residency | The physical location where data is stored. |
| Data sovereignty | The principle that data is subject to the laws of the country where it is located. |
| Tenant isolation | Keeping one customer’s data and workloads separated from others in a multi-tenant cloud. |
| Multi-tenancy | A single cloud platform serving many customers (tenants) on shared infrastructure. |
| CASB | Cloud Access Security Broker - a control point that enforces security policy between users and cloud services. |
| CSPM | Cloud Security Posture Management - tooling that finds and fixes misconfigurations in cloud environments. |
| CWPP | Cloud Workload Protection Platform - security for workloads such as VMs, containers and serverless. |
| SIEM | Security Information and Event Management - aggregates and analyses logs to detect and investigate threats. |
| IAM | Identity and Access Management - managing identities, authentication and authorisation. |
| Federation | Sharing identity across domains so users authenticate once across services. |
| SAST | Static Application Security Testing - analysing source code without running it. |
| DAST | Dynamic Application Security Testing - testing a running application for flaws. |
| API gateway | A managed entry point that routes, secures and throttles API calls. |
| Sandboxing | Isolating code so it cannot affect the wider system if it misbehaves. |
| BC/DR | Business Continuity and Disaster Recovery - keeping the business running and restoring IT after disruption. |
| RTO / RPO | Recovery Time Objective (maximum acceptable time to restore service) and Recovery Point Objective (maximum acceptable data loss, expressed as a period of time). |
| SLA | Service Level Agreement - the provider’s committed levels of availability and performance. |
| SOC 2 | An assurance report on a service provider’s controls for security, availability and related criteria. |
| GDPR | EU data-protection regulation governing personal data and privacy. |
| Vendor lock-in | Difficulty moving away from a provider due to proprietary services or data formats. |
| Shadow IT | Cloud services used without the organisation’s approval or oversight. |