
Cloud Security Glossary

Last Updated: Jan 17, 2022

Glossary

This comprehensive glossary combines all the glossaries created by CSA Working Groups and research contributors into one place. If you have a question or need other assistance, please reach out to [email protected].

Letter A

Actuators

An actuator is a component of a machine that is responsible for moving and controlling a mechanism or system, for example by opening a valve. In simple terms, it is a “mover”. An actuator requires a control signal and a source of energy. The control signal for an actuator is relatively low energy and may be electric voltage or current, pneumatic or hydraulic pressure, or even human power. Its main energy source may be an electric current, hydraulic fluid pressure, or pneumatic pressure. When it receives a control signal, an actuator responds by converting the signal’s energy into mechanical motion. 

An actuator is a mechanism by which a control system acts upon an environment. The control system can be simple (a fixed mechanical or electronic system), software-based (e.g. a printer driver, robot control system), a human, or any other input.

Sources

https://en.wikipedia.org/wiki/Actuator

Air-Gapped

An interface between two systems in which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).

Sources

https://csrc.nist.gov/glossary/term/air-gap

Automation Gateway

Automation gateways are single or multiple devices that can operate as masters “host” or subordinates “slaves” to transmit data using serial lines or TCP/IP between disparate electronic devices. Manufacturers build automation gateways to transmit signals from instrumentation and control devices back to a main controller or data gathering system.

Sources

http://www.bb-elec.com/Learning-Center/All-White-Papers/Modbus/The-Answer-to-the-14-Most-Frequently-

Amplification Attack

Any attack where an attacker causes more resource usage than what a single connection should be capable of. The amplification factor multiplies the attack’s power through asymmetry, where a low level of resources causes a large level of target failures.

Memcached server - General purpose distributed memory caching system used for increasing speed on dynamic database-driven websites.

Memcrashing - utilizing a weakness in Memcached server on UDP port 11211 to execute an Amplification Attack and paralyze the hosting server.

Port 11211 - Memcached clients use client-side libraries to contact servers. By default, Memcached servers expose their service at port 11211 on both TCP and UDP.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

AWS EC2

The amazon web services server workloads (elastic compute) service, mostly used for virtual machines run by customers on AWS infrastructure.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

AWS API Access Key

The credential pair of an AWS user, different from username/password credentials in that it is intended for programmatic use with the AWS API.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

Assets

An asset is anything of value to the organization. Assets can be abstract assets (like processes or reputation), virtual assets (data, for instance), physical assets (cables, a piece of equipment), human resources, money, et cetera.

Sources

ENISA 2015, Technical Guideline on Threats and Assets, https://www.enisa.europa.eu/publications/technical-guideline-on-threats-and-assets

Application Container

An application container is a construct designed to package and run an application or its components running on a shared operating system. Application containers are isolated from other application containers and share the resources of the underlying operating system, allowing for efficient restart, scale-up, or scale-out of applications across clouds. Application containers typically contain microservices.

Sources

NIST Special Publication (SP) 800-180 (Draft), NIST Definition of Microservices, Application Containers and System Virtual Machines, National Institute of Standards and Technology, Gaithersburg, Maryland, February 2016, 12pp. http://csrc.nist.gov/publications/drafts/800-180/sp800-180_draft.pdf

Architect

The individual or organization responsible for the set of processes to deploy and manage IT services. They ensure the smooth functioning of the infrastructure and operational environments that support application deployment to internal and external customers, including the network infrastructure, server and device management, computer operations, IT infrastructure library (ITIL) management, and help desk services.

Sources

CSA. Challenges in Securing Application Containers and Microservices: Integrating Application Container Security Considerations into the Engineering of Trustworthy Secure Systems (Cloud Security Alliance: 2019) 42

Architecture

Fundamental concepts or properties of a system in its environment embodied in its elements, relationships, and in the principles of its design and evolution.

Sources

ISO/IEC/IEEE 42010. (2011). Systems and Software Engineering — Architecture: A Conceptual Model of Architecture Description. Retrieved August 11, 2021, from http://www.iso-architecture.org/ieee1471/cm/.

Architecture Description

As a conceptual model, an architecture description:

  • expresses an architecture
  • identifies a system of interest
  • identifies one or more stakeholders
  • identifies one or more concerns (about the system of interest)
  • includes one or more architecture viewpoints and one or more architecture views
  • may include correspondences
  • may include correspondence rules
  • includes one or more architecture rationales

Sources

ISO/IEC/IEEE 42010. (2011). Systems and Software Engineering — Architecture: A Conceptual Model of Architecture Description. Retrieved August 11, 2021, from http://www.iso-architecture.org/ieee1471/cm/.

Architectural Pattern

A general, reusable solution to a commonly occurring problem in software architecture within a given context. Architectural patterns are similar to software design patterns but have a broader scope. The architectural patterns address various issues in software engineering, such as computer hardware performance limitations, high availability and minimization of a business risk.

Sources

Wikipedia contributors. (2020, March 20). Architectural pattern. Wikipedia. https://en.wikipedia.org/wiki/Architectural_pattern

Availability

The ability of a configuration item or IT Service to perform its agreed Function when required. Availability is usually calculated as a percentage. This calculation is often based on Agreed Service Time and Downtime. It is best practice to calculate availability using measurements of the Business output of the IT Service.

Sources

Information Technology Infrastructure Library (ITIL). IT Service Management and the IT Infrastructure Library (ITIL). IT Infrastructure Library (ITIL) at the University of Utah. Retrieved June 15, 2021, from https://itil.it.utah.edu/index.html.

Letter B

BQP

The class of problems that can be efficiently solved by quantum computers is called BQP (bounded error, quantum, polynomial time). Quantum computers only run probabilistic algorithms, so BQP on quantum computers is the counterpart of BPP (bounded error, probabilistic, polynomial time) on classical computers. BQP is defined as a set of problems solvable with a polynomial-time algorithm, whose probability of error is bounded away from one half. A quantum computer is said to “solve” a problem if, for every instance, its answer will be correct with high probability. If that solution runs in polynomial time, then the problem is in BQP. It is suspected that no Nondeterministic Polynomial-time hardness (NP-hard) problems exist in BQP.

Sources

Quantum Safe Security Glossary : CSA

Business Owner

A Product Ownership role that represents the person who is accountable to the Business for maximizing the overall value of the Deliverable Results; A role defined to represent management outside the Team. In practice the Business Owner is either the ‘lead’ Stakeholder, the Team’s Sponsor, or the Product Owner’s Product Owner.

Sources

Scrum Dictionary. Business Owner. ScrumDictionary.Com. Retrieved April 17, 2021, from https://scrumdictionary.com/term/business-owner/.

Break Glass Administrator

Emergency access accounts that are highly privileged and are not assigned to specific individuals. Emergency access accounts are limited to emergency or “break glass” scenarios where normal administrative accounts can’t be used.

Sources

https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access

Bastion

Platform that provides secure Remote Desktop Protocol (RDP) and Secure Shell (SSH) connectivity to all of the VMs in the virtual network in which it is provisioned.

Sources

https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

Business Continuity and Disaster Recovery (BCDR)

The implementation of measures designed to ensure operational resiliency in the event of any service interruptions.

Sources

Defined Categories of Service 2011 : CSA

Letter C

CFS

This is a code-based signature scheme designed by N. Courtois, N. Sendrier and M. Finiasz in 2001 [CFS01]. 

Sources

[CFS01] N. Courtois, M. Finiasz, and N. Sendrier. How to Achieve a McEliece-Based Digital Signature Scheme, ASIACRYPT 2001.

Closest Vector Problem (CVP)

The Closest Vector Problem is Non-deterministic Polynomial-time hardness (NP-hard) and requires the closest vector of a given vector to be found in a lattice. This is a hard problem that occurs in lattice-based cryptography. 

Sources

Quantum Safe Security Glossary : CSA

Code-based cryptography

This is a sub-area of quantum-safe cryptography and includes cryptographic schemes whose security is related to the computational hard problem of decoding linear error-correcting codes. 

Sources

Quantum Safe Security Glossary : CSA

Control Loop

A control loop is the fundamental building block of industrial control systems. It consists of all the physical components and control functions necessary to automatically adjust the value of a measured process variable (PV) to equal the value of a desired set-point (SP). It includes the process sensor, controller function, and final control element (FCE) which are all required for automatic control.

Sources

https://en.wikipedia.org/wiki/Control_loop

Controllers (or Control Server)

Controllers (or control servers) are most often comprised of Programmable Logic Controllers (PLC), designed to perform logic functions executed by electrical hardware such as relays, switches or sensors. Other types of controllers include Remote Terminal Units (RTUs) that differ from PLCs in that RTUs are more suitable for wide geographical telemetry, often using wireless communications while PLCs are more suitable for local area control. 

Master Terminal Units (MTUs) are controllers that serve as the Master in an ICS system, controlling the operation of the Slave subsystems (PLCs and RTUs).

Sources

https://www.sciencedirect.com/topics/computer-science/industrial-control-system

CPS (Cyber Physical Systems)

Cyber-Physical Systems (CPS) are systems of collaborating computational entities that are in intensive connection with the surrounding physical world and its on-going processes, providing and using, at the same time, data-accessing and data-processing services available on the internet. In other words, CPS can generally be characterized as “physical and engineered systems whose operations are monitored, controlled, coordinated, and integrated by a computing and communicating core” (Rajkumar et al 2010). The interaction between the physical and cyber elements is of key importance: “CPS is about the intersection, not the union, of the physical and cyber. It is not sufficient to separately understand the physical components and the computational components. We must understand their interaction” (Lee and Seshia 2014).

Sources

https://link.springer.com/referenceworkentry/10.1007/978-3-642-35950-7_16790-1

Cloud Security Posture Management (CSPM)

Security technology that can discover, assess, and resolve cloud infrastructure misconfigurations vulnerable to attack.

Sources

The Six Pillars of DevSecOps: Automation : CSA

Cloud Security Monitoring and Compliance

Security technology that monitors virtual servers and assesses data, applications, and infrastructure for security risks.

Sources

The Six Pillars of DevSecOps: Automation : CSA

CSA DevSecOps Software Delivery Pipeline (CDDP)

Security-enabled software delivery pipeline aligned with DevSecOps principles.

Sources

The Six Pillars of DevSecOps: Automation : CSA

Credential Stuffing

A cyberattack method in which attackers use lists of compromised user credentials to breach into a system. The attacker uses bots for automation and scale and is based on the assumption that many users reuse usernames and passwords across multiple services.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

Cloud Incident Response (CIR)

CIR can be defined as the process designed to manage cyberattacks in a cloud environment and comprises four phases:

  • Phase 1: Preparation
  • Phase 2: Detection and Analysis
  • Phase 3: Containment, Eradication, and Recovery
  • Phase 4: Postmortem

Sources

Cloud Penetration Testing : CSA

Container Management Platform

A container management platform is an application designed to manage containers and their various operations, including but not limited to deployment, configuration, scheduling, and destruction.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Container Lifecycle Events

The main events in the life cycle of a container are create container, run container, pause container, unpause container, start container, stop container, restart container, kill container, destroy container.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Container Rehosting

Redeploying containers on another platform.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Container Resources

Four resources required for containers to operate are CPU, memory (+swap), disk (space + speed), and network.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Container Resource Requests

The amount of CPU, memory (+swap), and disk (space + speed) that the system will allocate to the container considering the resource limit.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Container Resource Limit

The maximum amount of resources (CPU, memory (+swap) and disk (space + speed)) that the system will allow a container to use.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Client-Side Discovery

The client requests the network locations of available services from the service registry.

Sources

Best Practices in Implementing a Secure Microservices Architecture

Control

The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature. Scope Notes: Also used as a synonym for safeguard or countermeasure. See also Internal control.

Sources

ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.

Cache

Caching is a requirement for building scalable microservice applications. Data can be cached in memory or on fast local disks.

Sources

Microservices Architecture Pattern : CSA

Control Objective

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.

Sources

ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.

Control Framework

A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an enterprise.

Sources

ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.

Cloud-Native KMS

The KMS is built and owned by the same provider that delivers the cloud service the customer consumes, and all components of the KMS are in the cloud.

Sources

https://cloudsecurityalliance.org/artifacts/key-management-whenusing-cloud-services/

Cross-cloud capabilities

Unified data management platform that facilitates secure data sharing should carry out cross-cloud management. The platform gives the organization a single source of truth by allowing data to move freely across clouds. Cross-cloud compatibility drives operational efficiency in the multi-cloud.

Sources

https://www.cloudbolt.io/blog/driving-operational-efficiency-in-multi-cloud-with-cross-cloud-management/

Cloud operating system

A type of operating system (OS) designed to operate within cloud computing and virtualization environments. A cloud operating system manages the operation, execution, and processes of virtual machines, virtual servers, and virtual infrastructure, as well as back-end hardware and software resources.

Sources

Cloud OS Security Specification v2.0

Community cloud

The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off-premises.

Sources

NIST 2011, The NIST Definition of Cloud Computing, https://csrc.nist.gov/publications/detail/sp/800-145/final

Continuous Monitoring

Continuous Monitoring performs the function of continuous risk management, presenting the current security posture of the organization. Using industry-approved risk management frameworks, Continuous Monitoring collects an inventory of deployed organizational assets (including but not limited to current patch/version status, vulnerabilities, threats, and traffic) and generates ongoing risk scores across the enterprise. The intent of Continuous Monitoring is to reduce the time and effort required to identify security risks, assist in defining mitigation strategies, and implement any necessary controls, reducing the security risk window.

Sources

Defining Categories of Security as a Service: Continuous Monitoring : CSA

Continuous Auditing

Allows an organization to show control compliance at all times. As a consequence of the shortcomings of traditional assurance tools, organizations that want continuous assurance must rethink their approach to security assessments. For continuous assurance, manual assessments must be traded for automated measurements, which largely leave humans out of the loop. Instead of assessing controls directly, tools are used to measure the security attributes of an information system and infer indirectly whether controls are effectively in place.

Sources

The Continuous Audit Metrics Catalog : CSA

Letter D

D-Wave machine

This is the first quantum machine publicly available (from D-Wave Systems, Canada). The machine is not a general purpose quantum computer, but instead is targeted at quantum annealing. 

Sources

Quantum Safe Security Glossary : CSA

Data Historian

A centralized database located in the control system LAN supporting data archival and data analysis using statistical process control techniques.

Sources

https://www.us-cert.gov/ics/Control_System_Historian-Definition.html

DCS (Distributed Control Systems)

Refers to control achieved by intelligence that is distributed throughout the system, rather than by a centrally located single unit.

Sources

NIST SP 800-82r2 https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

DMZ (Demilitarized Zone)

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. The purpose of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network – hosts in the DMZ may not connect to the internal network. This allows the DMZ’s hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end. 

The Security DMZ is used for providing controlled and secure access to services used by external personnel or systems. Access may be granted to control system networks, control system equipment, or other applications services provided.

Sources

https://www.us-cert.gov/ics/Control_System_Security_DMZ-Definition.html

DevOps

Application of software development methodologies to infrastructure operations. 

Sources

As defined in ISO 27000 and Information Security Management through Reflexive Security : CSA.

DevOpsSec

Application of information security principles and practices to protect processes that utilize DevOps culture, practices, and workflows.

Sources

As defined in ISO 27000 and Information Security Management through Reflexive Security : CSA.

DevSecOps (DSO)

The integration of continuous security principles, processes, and technologies into DevOps culture, practices, and workflows.

Sources

As defined in ISO 27000 and Information Security Management through Reflexive Security : CSA.

Dynamic Application Security Testing (DAST)

Security testing that analyzes a running application by exercising application functionality and detecting vulnerabilities based on application behavior and response.
Note 1 to entry: Also called “blackbox testing”

Sources

The Six Pillars of DevSecOps: Automation : CSA

Denial of Service

The act of making a system, feature or resource unavailable for intended users. In cloud testing, denial of service often takes the form of destruction or encryption of cloud resources, disablement of accounts, credentials or users.

Sources

Cloud Penetration Testing : CSA

Developer

A business or technology professional that builds software programs; a computer programmer (syn.) can refer to a specialist in one area of computers, or to a generalist who writes code for many kinds of software in one or more computer programming languages.

Sources

Wikipedia contributors. (2021b, August 7). Programmer. Wikipedia. https://en.wikipedia.org/wiki/Programmer

Disaster Recovery as a Service (DRaaS)

A cloud computing service model that allows an organization to back up its data and IT infrastructure in a third-party cloud computing environment from which it is possible to regain access and functionality to IT infrastructure after a disaster.

Sources

Disaster Recovery as a Service : CSA

Data Loss Prevention (DLP)

The monitoring, protection, and verification of the security of data at rest, in motion, and in use.

Sources

Defined Categories of Service 2011 : CSA

Letter E

Entropy source

The combination of a noise source (such as a Quantum Random Number Generator), health tests, and an (optional) conditioning component to produce full-entropy random bits [NIST].

Sources

[NIST] M. S. Turan, E. Barker, J. Kelsey, K. A. McKay, M. L. Baish and M. Boyle. Recommendation for the Entropy Sources Used for Random Bit Generation (Second DRAFT). NIST Special Publication 800-90B, 2016.

EMS (Energy Management System)

An energy management system (EMS) is a computer-aided tool used by power system operators to monitor, control, and carry out optimal energy management. The purpose of an EMS is to determine power generation or power demands that minimize a certain objective such as generation cost, power loss, or environmental effect. 

Sources

https://www.sciencedirect.com/topics/engineering/energy-management-system

Elasticsearch

An open-source, distributed data search and analytics engine built on Apache Lucene. You can send data in the form of JSON documents to Elasticsearch using the RESTful API or ingestion tools such as Logstash. Elasticsearch automatically stores the original document and adds a searchable reference to the document in the cluster’s index. You can then search and retrieve the document using the Elasticsearch API. Amazon provides fully managed Elasticsearch services that enable you to deploy, secure, and run Elasticsearch at scale.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

Elevation of Privileges

The act of leveraging a vulnerability or configuration to enable or achieve an elevation of access or privilege beyond what was intended. In cloud testing, elevation of privileges often takes the form of leveraging misconfigured IAM permissions that allow escalation, or permissions employed by compromised or targeted services and systems.

Sources

Cloud Penetration Testing : CSA

Enterprise Operator

The individual or organization responsible for the set of processes to deploy and manage IT services. They ensure the smooth functioning of the infrastructure and operational environments that support application deployment to internal and external customers, including the network infrastructure, server and device management, computer operations, IT infrastructure library (ITIL) management, and help desk services.

Sources

Wikipedia. Information technology operations. Retrieved from https://en.wikipedia.org/wiki/Information_technology_operations

Enterprise Architect

The individual or organization responsible for strategic design recommendations. They determine, by applying their knowledge of cloud, container, and microservices components to the problems of the business, the best architecture to meet the strategic needs of the business. Additionally, they develop and maintain solution roadmaps and oversee their adoption, working with Developers and Operators to ensure an efficient and effective solution implementation.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Email Security

Provides control over inbound and outbound email, protecting the organization from phishing, malicious attachments, and spam, and providing business continuity options.

Sources

Defined Categories of Service 2011 : CSA

Encryption

The process of obfuscating data using cryptographic and numerical ciphers. Transforming clear-text into cipher-text to make it unreadable.

Sources

Defined Categories of Service 2011 : CSA

Letter F

Fourth Industrial Revolution

The phrase Fourth Industrial Revolution was first introduced by Klaus Schwab, executive chairman of the World Economic Forum, in a 2015 article in Foreign Affairs. “Mastering the Fourth Industrial Revolution” was the theme of the World Economic Forum Annual Meeting 2016 in Davos-Klosters, Switzerland. On October 10, 2016, the Forum announced the opening of its Centre for the Fourth Industrial Revolution in San Francisco. This was also the subject and title of Schwab’s 2016 book. Schwab includes in this fourth era technologies that combine hardware, software, and biology (cyberphysical systems), and emphasizes advances in communication and connectivity. This Fourth Industrial Revolution is, however, fundamentally different. It is characterized by a range of new technologies that are fusing the physical, digital and biological worlds, impacting all disciplines, economies and industries, and even challenging ideas about what it means to be human. The resulting shifts and disruptions mean that we live in a time of great promise and great peril. The world has the potential to connect billions more people to digital networks, dramatically improve the efficiency of organizations and even manage assets in ways that can help regenerate the natural environment, potentially undoing the damage of previous industrial revolutions. (WEFORUM)

Sources

https://www.weforum.org/about/the-fourth-industrial-revolution-by-klaus-schwab

Firewall

A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate network-traffic to pass. Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components.

Sources

Enterprise Architecture Reference Guide v2 : CSA: Security and Risk Management (SRM) Domain

Letter G

Grover’s algorithm

This is an algorithm named after L.K. Grover [Grover96]. The algorithm provides a quadratic speed-up for an exhaustive search on quantum computers. It was designed as a database search algorithm, but can be used to reduce the cryptographic strength of symmetric algorithms by half. 

Sources

[Grover96] Lov K. Grover. A Fast Quantum Mechanical Algorithm for Database Search. STOC 1996.

Letter H

Hash-based cryptography

This is a sub-area of quantum-safe cryptography which refers to signature schemes whose security is based on the hardness of finding a collision in a hash function. The signature schemes are usually constructed by combining a one-time signature scheme or few-time signature scheme with a Merkle tree. Some examples are the Leighton-Micali scheme [LM], SPHINCS [SPHINCS], and XMSS [XMSS].

Sources

[LM] F.T. Leighton and S. Micali. Large Provably Fast and Secure Digital Signature Schemes based on Secure Hash Functions. US Patent 5,432,852, July 11, 1995.

[SPHINCS] D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, M. Schneider, P. Schwabe and Z. Wilcox-O’Hearn. SPHINCS: Practical Stateless Hash-Based Signatures. EUROCRYPT 2015.

[XMSS] J. Buchmann, E. Dahmen, and A. Hülsing. XMSS - a Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions. Post-Quantum Cryptography, 2011.

Hidden Field Equations (HFE)

This is a multivariate public-key scheme (encryption and signature) proposed by J. Patarin [HFE] in 1996. HFEv- [PCG01] is a secure variant of HFE which only permits a signature and cannot be utilized to encrypt data.

Sources

[HFE] J. Patarin. Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. EUROCRYPT’96.

[PCG01] J. Patarin, N. Courtois, and L. Goubin. Quartz. 128-bit Long Digital Signatures. CT-RSA’01.

HMI (Human Machine Interface)

A Human-Machine Interface (HMI) is a user interface or dashboard that connects a person to a machine, system, or device. While the term can technically be applied to any screen that allows a user to interact with a device, HMI is most commonly used in the context of an industrial process. In industrial settings, HMIs can be used to visually display data, track production time, trends, and tags, oversee key performance indicators, and monitor machine inputs and outputs.

Sources

https://www.inductiveautomation.com/resources/article/what-is-hmi

Host

OS supporting the container environment.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Hardware Security Modules (HSMs)

Hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures.

Sources

https://cpl.thalesgroup.com/faq/hardware-security-modules/what-general-purpose-hardware-security-module-hsm

Hybrid Cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Sources

NIST 2011, The NIST Definition of Cloud Computing, https://csrc.nist.gov/publications/detail/sp/800-145/final

Hybrid multi-cloud

Refers to an organization that uses multiple public clouds from several vendors to deliver its IT services, in addition to private cloud and traditional on-premises IT. A hybrid multi-cloud environment consists of a combination of private, public and hybrid infrastructure-as-a-service (IaaS) environments all of which are interconnected and work together to avoid data silos. Many enterprise companies are failing to make their various data repositories and systems ‘talk to each other’ effectively and efficiently, if at all. The result: more data silos that hinder or prevent data movement and sharing. With a modern hybrid multi-cloud architecture in place, you gain access to a single source of truth as it relates to your data. If optimized properly, you can quickly access data that is reliable and accurate. Moreover, data that is unified in one location is accessible whether it resides on-premises or off-premises. 

Sources

IBM, Hybrid cloud: The best of all worlds, https://www.ibm.com/downloads/cas/E97LZYVG

Letter I

Information-theoretic secure

A cryptosystem is information-theoretically secure if its security derives purely from information theory. That is, the cryptosystem cannot be breached even when the adversary has unlimited computing power. Examples of information-theoretically secure cryptosystems include the classical one-time pad and Quantum-Key Distribution (QKD).

Sources

Quantum Safe Security Glossary : CSA

Isogeny

This is a particular type of mapping between two elliptic curves.

Sources

Quantum Safe Security Glossary : CSA

Isogeny-based cryptography

This is a sub-area of quantum-safe cryptography that constructs public-key schemes whose security depends on the difficulty of recovering an unknown isogeny between a pair of elliptic curves. An example is the scheme of D. Jao and L. De Feo [JF].

Sources

[JF] D. Jao and L. De Feo. Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies, Post-Quantum Cryptography 2011.

ICS (Industrial Control Systems)

A general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy). 

Sources

NIST SP 800-82r2 https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

IEC (International Electrotechnical Commission)

Founded in 1906, the IEC prepares and publishes International Standards for all electrical, electronic and related technologies. These are known collectively as “electrotechnology”. The IEC is one of three global sister organizations (IEC, ISO, ITU) that develop International Standards for the world. Of particular interest to the CSA WG is IEC’s work on the IEC-62443 series of standards addressing Security for industrial automation and control systems. The IEC-62443 series of standards was adopted from the ISA-99 series developed by the ISA (International Society of Automation), providing a framework for mitigating vulnerabilities in Industrial Automation and Control Systems (IACS) associated with Industry 4.0 and Critical Infrastructure.

Sources

https://www.iec.ch/homepage

https://isaeurope.com/how-can-the-62443-series-of-standards-help-your-company/

IED (Intelligent Electronic Device)

An Intelligent Electronic Device (IED) is a term used in the electric power industry to describe microprocessor-based controllers of power system equipment, such as circuit breakers, transformers and capacitor banks.

Sources

https://en.wikipedia.org/wiki/Intelligent_electronic_device

IIoT (Industrial Internet of Things)

A system that connects and manages sensors as well as actuators while integrating them with mainly cloud-based control components that act together to exercise control in the physical world. IIoT connects and integrates industrial control systems with enterprise systems, business processes and analytics. This combination of machines, computers, and people enables intelligent industrial operations using advanced data analytics for transformational business outcomes.

IIoT may also refer to the integration of a cloud-based IIoT device management solution with on-premises SCADA systems to enable new business processes and analytics.

Sources

Industrial Internet Consortium (IIC). The Industrial Internet of Things Vocabulary Technical Report V2.2. https://www.iiconsortium.org/vocab/

IIoT Edge Gateway & Device

An Edge Gateway is an intelligent device in edge computing. It is deployed between networks and fulfills mainly two functions:

  1. Act as a gateway between the connected industrial control system (external) and the local (internal) industrial control network.
  2. Act as a local Control Server (IoT Edge runtime) controlling the locally deployed devices (PLCs, sensors, actuators, …).

The IoT Edge runtime runs on each IoT Edge device and manages all local devices using a large variety of protocols, like WiFi, Ethernet, CAN-Bus, Modbus, BACnet or ZigBee. At the same time, it analyses and uses collected process and sensor data to control the actuators and provide feedback into a central, mostly cloud-based, control system.

Sources

https://www.itwissen.info/edge-gateway-EGW-Edge-Gateway.html

https://brainly.in/question/2436258

Industrial Control Plane

Carries the control information in the network. In industrial networks, control-plane activity consists of any engineering activity related to the maintenance life cycle of the industrial controllers, including any read/change of controller state, control logic, configuration settings, or firmware. In industrial networks, industrial controllers (e.g. PLCs, RTUs, DCS) are the “brains” responsible for the continuous execution of the entire industrial process lifecycle. These controllers are specialized computers, provided by vendors like Rockwell Automation, Siemens, GE, Schneider Electric and others. These industrial solid-state computers monitor inputs and outputs, and make logic-based decisions. The control plane uses protocols for communicating activities (e.g. firmware download/upload, configuration updates, code and logic changes); these protocols are mostly proprietary and undocumented. Each vendor uses its own unique implementation of the IEC-61131 standard for programmable controllers, so the protocols vary by vendor and device model. Usually, these control-plane protocols are unnamed because they were meant to be used internally only, via the vendor’s engineering software.

Sources

Pages 2, 3 and 7 from: https://info.indegy.com/wp-5-things-industrial-control-planety?submissionGuid=84f66e5e-db70-419c-817f-b678e5ed08f4

Industrial Data Plane

Sometimes referred to as the user plane, the Industrial Data Plane carries the user-data traffic. In industrial networks, the data plane is used by the HMI and SCADA applications to communicate process parameters and physical measurements between the human operator and the industrial equipment (I/Os). The Data Plane uses protocols like Modbus, PROFINET and DNP3, which are used by HMI/SCADA applications to communicate physical measurements and process parameters (e.g. current temperature, current pressure, valve status, etc.). These protocols are typically well documented and standardized.

Sources

Pages 2 and 6 from: https://info.indegy.com/wp-5-things-industrial-control-planety?submissionGuid=84f66e5e-db70-419c-817f-b678e5ed08f4

Industry 4.0

Industry 4.0 is the subset of the fourth industrial revolution that concerns industry. The fourth industrial revolution encompasses areas that are not normally classified as industry, such as smart cities for instance.

Although the terms “industry 4.0” and “fourth industrial revolution” are often used interchangeably, “industry 4.0” factories have machines which are augmented with wireless connectivity and sensors, connected to a system that can visualize the entire production line and make decisions on its own.

In essence, industry 4.0 is the trend towards automation and data exchange in manufacturing technologies and processes which include cyber-physical systems (CPS), the internet of things (IoT), the industrial internet of things (IIoT), cloud computing, cognitive computing, and artificial intelligence.

The concept includes:

  • Smart manufacturing
  • Smart factory
  • Lights out (manufacturing), also known as dark factories
  • Industrial internet of things, also called internet of things for manufacturing

Sources

https://en.wikipedia.org/wiki/Industry_4.0

Industry 4.0 Technologies

Below are some of the technologies that will transform manufacturing and the supply chain, allowing Industry 4.0 to realize its full potential: “Big Data and Analytics, Autonomous Robots, Simulation, Horizontal and Vertical System Integration, The Industrial Internet of Things, Cybersecurity, The Cloud, Additive Manufacturing, Augmented Reality” (BCG); “Artificial Intelligence, Robotics, Internet of Things, Autonomous Vehicles, 3-D Printing, Nanotechnology, Biotechnology, Materials Science, Energy Storage, Quantum Computing” (WEFORUM).

Sources

https://www.bcg.com/capabilities/operations/embracing-industry-4.0-rediscovering-growth.aspx

https://www.weforum.org/agenda/2016/01/the-fourth-industrial-revolution-what-it-means-and-how-to-respond/

IOC (Indicators of Compromise)

IOCs are technical artifacts or observables that suggest an attack is imminent or is currently underway, or that a compromise may have already occurred. Indicators can be used to detect and defend against potential threats. Examples of indicators include the Internet Protocol (IP) address of a suspected command and control server, a suspicious Domain Name System (DNS) domain name, a Uniform Resource Locator (URL) that references malicious content, a file hash for a malicious executable, or the subject line text of a malicious email message.

Sources

Page 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf

ISA (International Society of Automation)

Founded in 1945, ISA sets the standards for those who apply engineering and technology to improve the management, safety, and cybersecurity of modern automation and control systems used across industry and critical infrastructure. Of particular interest to the CSA WG is ISA’s work on the ISA-99 series of standards addressing Security Technologies for Industrial Automation and Control Systems. The ISA-99 series of standards developed by ISA (International Society of Automation) was adopted by the International Electrotechnical Commission (IEC) as IEC-62443, providing a framework for mitigating vulnerabilities in Industrial Automation and Control Systems (IACS) associated with Industry 4.0 and Critical Infrastructure.

Sources

https://www.isa.org/about-isa/

https://isaeurope.com/how-can-the-62443-series-of-standards-help-your-company/

IT / OT (Operational Technology) Convergence

IT and OT are primarily seen as different technology areas with different responsibilities. This is due to their different requirements with regard to confidentiality, integrity and availability (CIA) and to safety.

IT/OT convergence is the end state sought by organizations, where instead of a separation of IT and OT as technology areas, an integrated process and information flow is used.

Sources

https://www.gartner.com/en/information-technology/glossary/it-ot-integration

Interactive Application Security Testing (IAST)

Software component deployed with an application that assesses application behavior and detects the presence of vulnerabilities in an application being exercised in realistic testing scenarios.

Sources

The Six Pillars of DevSecOps: Automation : CSA

IoT Search Engine

An Internet of Things (IoT) search engine enables you to find physical devices with embedded computing capabilities - such as webcams, home appliances, medical devices - that are connected to and can exchange data over the Internet. Two examples of IoT search engines are Thingful (https://www.thingulf.com) and Shodan (https://www.shodan.io).

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

Information Disclosure

The breach of privacy or leak of information to unauthorized persons or to the public domain. In cloud testing, information disclosure often takes the form of data leaking from misconfigured public cloud data stores.

Sources

Cloud Penetration Testing : CSA

Incident

An issue that harms the operation of network and information systems core services.

Sources

Cloud Penetration Testing : CSA

Incident Handling

The corrective action to address an issue/incident in violation of security practices and recommended practices.

Sources

NIST SP 800-61r2: Computer Security Incident Handling Guide

Incident Response Plan

A clear set of instructions that helps an organization prepare for, detect, analyze and recover from an incident.

Sources

Cloud Penetration Testing : CSA

Incident Reporting

The procedure by which the reporting party (cloud provider or cloud operator) shall submit to a national competent authority a report with information on the incident on an ad-hoc basis.

Sources

Cloud Penetration Testing : CSA

Incident Impact

A measure of the extent of damage caused by an incident before it can be resolved.

Sources

Cloud Penetration Testing : CSA

Incident Root Cause

The reason (ultimate root cause) that caused the incident. (A root cause analysis could identify multiple “causes and effects” but will have a single root cause).

Sources

Cloud Penetration Testing : CSA

Inter-Mediation

An API Facade is a layer or gateway that sits between the microservices and the API exposed to external services. The facade creates a buffer or layer between the interface exposed to apps and app developers and the complex services. You may have several APIs into different microservices; the facade abstracts this complexity behind a single, simple interface.

Sources

Microservices Architecture Pattern : CSA

Infrastructure as a Service (IaaS)

Offers access to a resource pool of fundamental computing infrastructure, such as compute, network, or storage.

Sources

Disaster Recovery as a Service : CSA

Identity and Access Management (IAM)

Provides identity administration, governance and access controls. This includes authentication, identity assurance, access intelligence, and privileged user management.

Sources

Defined Categories of Service 2011 : CSA

Intrusion Management

The process of using pattern recognition to detect statistically unusual events, prevent or detect intrusion attempts, and manage the incidents.

Sources

Defined Categories of Service 2011 : CSA

Letter K

Kill Chain for Industrial Control Systems

In 2011, Lockheed Martin analysts Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin created the Cyber Kill Chain™ to help the decision-making process for better detecting and responding to adversary intrusions. This model was adapted from the concept of military kill chains and has been a highly successful and widely popular model for defenders in IT and enterprise networks. This model is not directly applicable to the nature of ICS-custom cyber attacks, but it serves as a great foundation and concept on which to build. 

The ICS Kill Chain has 2 stages:

  • Stage 1 - Cyber Intrusion Preparation and Execution
    1. Preparation
    2. Cyber Intrusion
    3. Management and Enablement
  • Stage 2 - Attack Development and Execution
    1. Attack Development and Tuning
    2. Validation
    3. The Actual Attack

Sources

https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

Kubernetes

An open-source container-orchestration system for automating deployment, scaling, and management of containerized applications across multiple hosts.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

Letter L

Lamport one-time signature scheme

This is the scheme that inspired hash-based signature schemes. The technique proposed by L. Lamport [LamportRR] requires only a one-way function and can be used to sign, at most, one message per key pair.

Sources

[LamportRR] L. Lamport. Constructing Digital Signatures from a One Way Function. Technical Report SRICSL-98, SRI International Computer Science Laboratory, 1979.

Lattice-based cryptography

This is a sub-area of quantum-safe cryptography and includes cryptographic schemes whose security is related to the Closest Vector Problem (CVP), the Learning with Errors (LWE) problem or the Shortest Vector Problem (SVP). 

Sources

Quantum Safe Security Glossary : CSA

Learning with Errors (LWE) problem

This is a hard problem used in lattice-based cryptography. The problem, introduced by O. Regev [Reg05], requires solving a system of noisy linear equations.

Sources

[Reg05] O. Regev. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. STOC 2005.

Lateral Movement

Lateral action from a compromised internal host to strengthen the attacker’s foothold inside the organizational network, to control additional machines, and to eventually control strategic assets.

Sources

Cyber Weapons Report 2016, LightCyber, Ramat Gan, Israel, 2016, 14pp. http://lightcyber.com/cyber-weapons-report-network-traffic-analytics-reveals-attacker-tools/ [accessed 5/11/17].

Letter M

McEliece encryption scheme

This is a code-based public-key encryption scheme proposed by R.-J. McEliece in 1978 [McE78]. 

Sources

[McE78] R.-J. McEliece. A Public-Key System Based on Algebraic Coding Theory, pages 114—116. Jet Propulsion Lab, 1978. DSN Progress Report 44.

Merkle tree

This is a data structure named after R. Merkle [Merkle89] that is also known as a hash tree. It is a binary tree whose leaves are blocks of data which are hashed and then combined with other blocks through hashing. This hashing combination is repeated until all blocks have been combined into a single hash.

Sources

[Merkle89] R. Merkle. A Certified Digital Signature. CRYPTO ’89.

Merkle Tree Signature Scheme

This is a typical example of a hash-based signature proposed by R. Merkle. The scheme’s principle is to use a Merkle tree whose leaves are the public/private keys of a one-time signature. This allows the Lamport one-time signature scheme (or other one-time or few-time signature schemes) to be extended for signing more than one message. The number of messages that can be signed depends on the height of the Merkle tree. The signature scheme requires a collision-resistant hash-function or a pre-image-resistant hash-function. 

Sources

Quantum Safe Security Glossary : CSA

Multivariate-based cryptography

This is a sub-area of quantum-safe cryptography which includes cryptographic schemes whose security is related to the PoSSo problem or the Multivariate Quadratic (MQ) problem. The PoSSo problem is called the MQ problem when the non-linear equations have degree at most 2; it remains NP-hard.

Sources

Quantum Safe Security Glossary : CSA

Multivariate Public-Key Cryptography (MPKC)

This refers to public-key multivariate cryptosystems. 

Sources

Quantum Safe Security Glossary : CSA

Multivariate Quadratic (MQ) problem

This is a restriction of the PoSSo problem to quadratic polynomials. 

Sources

Quantum Safe Security Glossary : CSA

MES (Manufacturing Execution System)

A system that uses network computing to automate production control and process automation. By downloading recipes and work schedules, and uploading production results, a MES bridges the gap between business and plant-floor or process-control systems. (NIST)

Manufacturing Execution Systems (MES) solutions ensure quality and efficiency are built into the manufacturing process and are proactively and systematically enforced. Manufacturing Execution Systems connect multiple plants, sites, and vendors’ live production information, and integrate easily with equipment, controllers and enterprise business applications. The result is complete visibility, control and manufacturing optimization of production and processes across the enterprise. (SIEMENS)

Sources

NIST, page B-10: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

SIEMENS: https://www.plm.automation.siemens.com/global/en/ourstory/glossary/manufacturing-execution-systems-mes/38072

MITRE ATT&CK for ICS Matrix™

A knowledge base useful for describing the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior. 

The Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied.

Sources

https://collaborate.mitre.org/attackics/index.php/Main_Page

MQTT (Message Queuing Telemetry Transport)

A Client-Server publish/subscribe messaging transport protocol. It is lightweight, open, simple, and designed to be easy to implement. These characteristics make it ideal for use in many situations, including constrained environments such as communication in Machine to Machine (M2M) and Internet of Things (IoT) contexts where a small code footprint is required and/or network bandwidth is at a premium. The protocol runs over TCP/IP, or over other network protocols that provide ordered, lossless, bidirectional connections.

Sources

Abstract at bottom, Page 1: https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.pdf

MTUs (Master Terminal Unit or SCADA Server)

A controller that also acts as a server that hosts the control software which communicates with lower-level control devices, such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), over an ICS network. In a SCADA system, this is often called a SCADA server, MTU, or supervisory controller.

Sources

NIST, page B-3: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Manual Security Code Review

Human process of reading source code to identify security issues.

Sources

The Six Pillars of DevSecOps: Automation : CSA

Microservices

A microservice is a basic element that results from the architectural decomposition of an application’s components into loosely coupled patterns consisting of self-contained services that communicate with each other using a standard communications protocol and a set of well-defined APIs, independent of any vendor, product, or technology. Microservices are built around capabilities as opposed to services, build on SOA, and are implemented using Agile techniques. Microservices are typically deployed inside application containers.

Sources

NIST Special Publication (SP) 800-180 (Draft), NIST Definition of Microservices, Application Containers and System Virtual Machines, National Institute of Standards and Technology, Gaithersburg, Maryland, February 2016, 12pp. http://csrc.nist.gov/publications/drafts/800-180/sp800-180_draft.pdf

Microservices Architecture

A microservices architecture usually refers to an application that has been structured to use basic elements called microservices, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API. These services are built around business capabilities and independently deployable by fully automated deployment machinery. There is a bare minimum of centralized management of these services, which may be written in different programming languages and use different data storage technologies.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Microservices Systems Software Development

The process of breaking down an application into components (microservices) via code extraction or rewrite, into a microservices architecture of self-contained services that achieve a business objective.

Sources

Challenges in Securing Application Containers and Microservices : CSA

Microservice Architectural Style

A microservices architecture usually refers to an application that has been structured to use basic elements called microservices, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API. These services are built around business capabilities and independently deployable by fully automated deployment machinery. There is a bare minimum of centralized management of these services, which may be written in different programming languages and use different data storage technologies.

Sources

Cloud Security Alliance. Challenges in Securing Application Containers and Microservices Integrating Application Container Security Considerations into the Engineering of Trustworthy Secure Systems (Cloud Security Alliance: 2019) 42

Letter N

Noise Source

A system that produces non-deterministic random numbers. The noise source contains the non-deterministic, entropy-producing activity [NIST].

Sources

[NIST] M. S. Turan, E. Barker, J. Kelsey, K. A. McKay, M. L. Baish and M. Boyle. Recommendation for the Entropy Sources Used for Random Bit Generation (Second DRAFT). NIST Special Publication 800-90B, 2016.

Non-deterministic Polynomial time (NP)

This is a complexity class of decision problems for which affirmative instances (those where the answer is “yes”) can be verified in deterministic polynomial time.

Sources

Quantum Safe Security Glossary : CSA

Non-deterministic Polynomial-time Hardness (NP-Hard)

Computational problems can be classified according to their intrinsic hardness. NP-hard problems are at least as hard as the hardest problem in Non-deterministic Polynomial time (NP). An efficient algorithm for solving any NP-hard problem would lead to an efficient algorithm for all problems in NP. A fundamental assumption of quantum-resistant cryptography is that no NP-hard problem can be solved in deterministic polynomial time in either the classical or the quantum setting.

Sources

Quantum Safe Security Glossary : CSA

NTRU

This is a patented and open-sourced lattice-based cryptosystem used to encrypt and decrypt data. It was developed by J. Hoffstein, J. Pipher, and J. H. Silverman [HPS98]. The signature scheme pqNTRUsign is based on the same underlying hard problem as NTRU and is also quantum-resistant. 

Sources

[HPS98] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A Ring-Based Public Key Cryptosystem. ANTS 1998.

Network Segmentation

The processes and procedures that assure that the network structure matches the risk domains established within the infrastructure (e.g., externally facing servers are on a separate segment than internal servers).

A network segment is a portion of a computer network that is separated from the rest of the network by a device such as a repeater, hub, bridge, switch or router. Each segment can contain one or multiple computers or other hosts.

Sources

Enterprise Architecture Reference Guide v2 : CSA: Technology Solution Services (TSS) Domain - Infrastructure Services

Software Defined Perimeter Glossary : CSA

Network Security

Consists of security services that allocate network access, and distribute, monitor, and protect network services.

Sources

Defined Categories of Service 2011 : CSA

Letter O

OT (Operational Technology)

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.

Sources

https://www.gartner.com/en/information-technology/glossary/operational-technology-ot

Operator

The individual or organization responsible for the set of processes to deploy and manage IT services. They ensure the smooth functioning of the infrastructure and operational environments that support application deployment to internal and external customers, including the network infrastructure, server and device management, computer operations, IT infrastructure library (ITIL) management, and help desk services.

Sources

Cloud Security Alliance. Challenges in Securing Application Containers and Microservices Integrating Application Container Security Considerations into the Engineering of Trustworthy Secure Systems (Cloud Security Alliance: 2019) 42

On-Premises

Refers to computers and software installed at an organization’s facility rather than at a remote location or in the cloud.

Sources

Disaster Recovery as a Service : CSA

Letter P

PoSSo problem

This is the Non-deterministic Polynomial-time hardness (NP-hard) problem of solving a set of non-linear equations.

Sources

Quantum Safe Security Glossary : CSA

Post-quantum cryptography

This refers to the set of cryptographic schemes which will remain secure even in a world where quantum computers exist. This includes quantum cryptosystems such as Quantum-Key Distribution (QKD); algorithmic-based cryptosystems such as lattice-based, code-based, multivariate-based, hash-based and isogeny-based cryptosystems; and symmetric-key cryptographic systems such as AES. Terminology related to post-quantum cryptography appeared in academic literature soon after P. W. Shor’s quantum polynomial-time algorithm for solving integer factorization and discrete logarithms was introduced. Note that there remains some ambiguity around this term, with some organizations not including QKD.

Sources

Quantum Safe Security Glossary : CSA

PAC (Programmable Automation Controllers)

A programmable automation controller (PAC) is a term used to describe any type of automation controller that incorporates higher-level instructions.

A PAC makes it possible to provide more complex instructions to automated equipment, enabling capabilities similar to those of PC-based controls, in an all-in-one package like a programmable logic controller (PLC).

Higher-end PLCs with increased capabilities are often marketed as PACs.

Sources

https://whatis.techtarget.com/definition/programmable-automation-controller-PAC

PCS (Process Control System)

Process control systems (PCS), sometimes called industrial control systems (ICS), function as pieces of equipment along the production line during manufacturing that test the process in a variety of ways and return data for monitoring and troubleshooting. Many types of process control systems exist, including supervisory control and data acquisition (SCADA), programmable logic controllers (PLC), and distributed control systems (DCS), and they work to gather and transmit data obtained during the manufacturing process.

Sources

https://www.thebalancesmb.com/process-control-systems-pcs-2221184

PERA (Purdue Enterprise Reference Architecture)

PERA is a structure with which to design enterprise architectures. It includes a generalized model of the life cycle of an enterprise, and a methodology for planning the evolution of the enterprise. The PERA methodology is unique, in that it:

  1. Specifically addresses the human and organizational aspects of the enterprise.
  2. Is designed to address all phases of an enterprise from planning, to operations and renewal.
  3. Integrates facility engineering and IT systems development methodologies.
  4. Addresses both process industries and discrete manufacturing. (PERA)

This model can be used for a variety of purposes including ICS Kill Chain Analysis (SANS) as well as ICS Network Segmentation Analysis (SEQ).

Sources

PERA: http://www.pera.net/

SANS, page 13: https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

SEQ: https://seqred.pl/en/ot_network_segmentation/

PLC (Programmable Logic Controllers)

A solid-state control system with a user-programmable memory to store instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three mode (PID) control, communication, arithmetic, and data and file processing.

Sources

NIST SP 800-82r2 https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

Politically Exposed Person

Someone who, through their prominent position or influence, is more susceptible to being involved in bribery or corruption.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

Product Owner

The person who identifies the customer need and the larger business objectives that a product or feature will fulfill, articulates what success looks like for a product, and drives a team to turn the product vision into a reality.

Sources

Mansour, S. (2020). Product Manager. Atlassian Software. https://www.atlassian.com/agile/product-management/product-manager.

Agile Alliance. Product Owner. Accessed August 10, 2021 at https://www.agilealliance.org/glossary/product-owner/.

Propagation

In a microservices architecture, propagation refers to carrying a caller’s security context (its authenticated identity and the claims that authorize it) from one service to the next as a request crosses service boundaries, so that each service can make its own authorization decision from the same context.

Sources

Microservices Architecture Pattern : CSA
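The following is an added example of context propagation, not code from the CSA Microservices Architecture Pattern. An edge service issues a signed, short-lived context; every downstream hop re-verifies it before acting and forwards the same header onward. Everything named here is assumed for the illustration: the shared HMAC key, the hypothetical X-Security-Context header, the role name orders:read and the two services.

```python
"""Propagating a security context between microservices.

Added example; not code from the CSA Microservices Architecture Pattern.
Assumptions (all constructed for the example): the services share one HMAC
key, the context travels in a hypothetical X-Security-Context header, and
the edge service has already authenticated the user.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

SHARED_KEY = b"demo-key-not-for-production"  # constructed
HEADER = "X-Security-Context"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_context(subject: str, roles: List[str], ttl: int = 60,
                  now: Optional[float] = None) -> str:
    """Edge service: serialize the caller's identity and sign it with a short lifetime."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "roles": roles, "exp": now + ttl},
                      separators=(",", ":")).encode()
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def verify_context(token: str, now: Optional[float] = None) -> Dict:
    """Every downstream service re-verifies; it never trusts the upstream hop's word."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        raise PermissionError("malformed context")
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("context signature invalid")
    ctx = json.loads(body)
    if ctx["exp"] < now:
        raise PermissionError("context expired")
    return ctx


def billing_service(headers: Dict[str, str], now: Optional[float] = None) -> str:
    ctx = verify_context(headers[HEADER], now)
    return f"invoice for {ctx['sub']}"


def orders_service(headers: Dict[str, str], now: Optional[float] = None) -> str:
    """Authorizes on the propagated context, then forwards the same header to billing."""
    ctx = verify_context(headers[HEADER], now)
    if "orders:read" not in ctx["roles"]:
        raise PermissionError("missing role orders:read")
    return billing_service(headers, now)


def handle_request(headers: Dict[str, str], now: Optional[float] = None) -> str:
    """Entry point for the demo: returns the result, or the reason the chain refused it."""
    try:
        return orders_service(headers, now)
    except PermissionError as exc:
        return f"denied: {exc}"


def tamper_roles(token: str, roles: List[str]) -> str:
    """What an attacker between hops might try: change the roles but keep the old signature."""
    body_b64, sig_b64 = token.split(".")
    ctx = json.loads(_unb64(body_b64))
    ctx["roles"] = roles
    body = json.dumps(ctx, separators=(",", ":")).encode()
    return f"{_b64(body)}.{sig_b64}"
```

The point to take from the example is that the context is verified at every hop, not only at the edge: a service that trusted the previous hop's word would be one compromised neighbour away from accepting forged claims. In production the shared symmetric key would usually be replaced by per-service keys or asymmetric signatures (a signed JWT is the common form), and the context would carry a request identifier for audit correlation.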

Private cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off-premises.

Sources

NIST 2011, The NIST Definition of Cloud Computing, https://csrc.nist.gov/publications/detail/sp/800-145/final

Public Cloud

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Sources

NIST 2011, The NIST Definition of Cloud Computing, https://csrc.nist.gov/publications/detail/sp/800-145/final

Letter Q

Quantum annealing

This is a quantum process used to solve optimization problems, potentially faster than a classical computer can.

Sources

Quantum Safe Security Glossary : CSA

Quantum bit or Qubit

This is the quantum analogue of a classical computer bit. It is a two-level quantum system, with the levels usually denoted by |0⟩ and |1⟩.

Sources

Quantum Safe Security Glossary : CSA

Quantum computer

A computer that performs computation by exploiting quantum-mechanical phenomena such as superposition and entanglement, operating on qubits rather than classical bits. A sufficiently large, fault-tolerant quantum computer could run Shor’s algorithm and thereby break most of today’s commonly used asymmetric cryptosystems, which is what motivates quantum-safe cryptography.

Sources

Quantum Safe Security Glossary : CSA

Quantum cryptography

This refers to cryptosystems whose security is guaranteed by the physical law of quantum mechanics. It differs from classical public-key cryptography, whose security relies on the difficulty of solving certain mathematical problems.

Sources

Quantum Safe Security Glossary : CSA

Quantum-Key Distribution (QKD)

Quantum-Key Distribution is an example of quantum cryptography that allows the information-theoretically secure distribution of keys between two spatially separate parties who are also connected by an insecure optical channel. There are two complementary approaches to QKD: (1) discrete variable quantum key distribution (DVQKD) uses single-photons or weak coherent states and single photon detectors; and (2) continuous variable quantum key distribution (CVQKD), which uses coherent or squeezed states of light and homodyne detectors. Both continuous and discrete approaches have been experimentally demonstrated; just as importantly, both have been proven to be information-theoretically secure. 

Sources

Quantum Safe Security Glossary : CSA
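To make the information-theoretic argument concrete, here is an added classical simulation of BB84, the original discrete-variable QKD protocol; it is not part of the CSA glossary. Photons are modelled as (bit, basis) pairs, an intercept-resend eavesdropper is included, and the 11% abort threshold is the bound commonly cited from BB84 security proofs. Sample sizes and seeds are constructed for the example.

```python
"""BB84, the original discrete-variable QKD protocol, simulated classically.

Added example, not part of the CSA glossary. Measuring in the preparation
basis returns the encoded bit; measuring in the other basis returns a
uniformly random bit and replaces the original state. Intercept-resend
eavesdropping shows the property the glossary entry relies on: Eve cannot
read the channel without disturbing it, and the disturbance is measurable.
"""
import random
from typing import Dict, List

BASES = "+x"  # rectilinear and diagonal


def measure(bit: int, prep_basis: str, meas_basis: str, rng: random.Random) -> int:
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84(n: int, eavesdrop: bool, seed: int = 1, sample_fraction: float = 0.5) -> Dict:
    rng = random.Random(seed)                      # constructed, deterministic for the demo
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits: List[int] = []

    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve guesses a basis, measures, and re-sends what she saw in her basis.
            e_basis = rng.choice(BASES)
            bit, a_basis = measure(bit, a_basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: Alice and Bob announce bases (never bits) over the authenticated classical channel
    # and keep only the positions where they agree.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    # Parameter estimation: sacrifice a random subset to measure the quantum bit error rate.
    sample = set(rng.sample(sifted, int(len(sifted) * sample_fraction)))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0
    key = [alice_bits[i] for i in sifted if i not in sample]
    bob_key = [bob_bits[i] for i in sifted if i not in sample]
    return {"sifted": len(sifted), "qber": qber, "key": key, "bob_key": bob_key}


def accept_key(result: Dict, threshold: float = 0.11) -> bool:
    """Abort when the observed error rate exceeds what privacy amplification can absorb."""
    return result["qber"] <= threshold
```

Without an eavesdropper the sifted sample agrees exactly; with intercept-resend, Eve picks the wrong basis half the time and each wrong guess gives Bob a random bit, so about a quarter of the sifted bits disagree and the run is aborted. Note what the simulation does not cover: the classical channel must be authenticated (QKD distributes keys, it does not bootstrap identity), and real links also need error correction and privacy amplification before the remaining bits become a key.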

Quantum Random Number Generator (QRNG)

This refers to a quantum-based noise source that derives random numbers from measurements conducted on a quantum process or quantum system. The randomness of these measurement outcomes is of quantum origin, as described by quantum mechanics, rather than a consequence of incomplete knowledge of a deterministic process. Examples of QRNGs include several commercial systems that generate random numbers from measurements made on optical quantum states of light.

Sources

Quantum Safe Security Glossary : CSA

Quantum-resistant cryptography

This term refers to the set of cryptographic schemes which will remain secure even in a world where quantum computers exist. The terminology was used by the United States National Security Agency in its announcement of “preliminary plans for transitioning to quantum resistant algorithms.” The term is not completely equivalent to post-quantum cryptography, since it refers only to algorithmic techniques; additionally, it does not appear to include physical technology such as Quantum-Key Distribution (QKD).

Sources

Quantum Safe Security Glossary : CSA

Quantum-safe cryptography

This refers to the set of cryptographic schemes which will remain secure even in a world where quantum computers exist. The term was recently coined, but is often used interchangeably with the term “post-quantum cryptography.” Furthermore, it has been used by working groups in the European Telecommunications Standards Institute (ETSI) and the Cloud Security Alliance (CSA).

Sources

Quantum Safe Security Glossary : CSA

Letter R

Ring-LWE (RLWE) problem

This is a variant of the Learning with Errors (LWE) problem in which the (noisy) linear system to be solved is structured [LPR]. 

Sources

[LPR] V. Lyubashevsky, C. Peikert and Oded Regev. On Ideal Lattices and Learning with Errors over Rings. J. ACM, 2013.
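The “structure” in this definition, written out. This is an added clarification in the notation of [LPR], not text from the glossary.

Plain LWE: for a secret $s \in \mathbb{Z}_q^{n}$, each sample is
$$(a_i,\; b_i = \langle a_i, s\rangle + e_i \bmod q),$$
with $a_i$ uniform in $\mathbb{Z}_q^{n}$ and $e_i$ drawn from a narrow error distribution; $m$ samples form $b = A s + e \bmod q$ with an unstructured $A \in \mathbb{Z}_q^{m \times n}$.

Ring-LWE: take $R_q = \mathbb{Z}_q[x]/(x^{n}+1)$ with $n$ a power of two and a secret $s \in R_q$. A sample is
$$(a,\; b = a \cdot s + e) \in R_q \times R_q .$$
Multiplication by $a$ is a linear map on coefficient vectors, so one ring sample is equivalent to $n$ LWE samples whose matrix $A$ is the negacyclic matrix of $a$: it is described by $n$ coefficients instead of $n^{2}$ entries. That structure is what makes RLWE-based schemes compact and fast, at the cost of the extra assumption that it does not help an attacker.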

REST (Representational State Transfer)

REST (REpresentational State Transfer) is an architectural style that defines a set of constraints to be used for developing web services over the Hypertext Transfer Protocol (HTTP/S). A RESTful interface provides interoperability between computer systems on the Internet and allows the requesting system to access and manipulate data through a uniform set of stateless operations.
Data held in devices that are not otherwise IoT-enabled, such as controllers, can be read and written by any application that can make RESTful HTTPS requests to them.

Sources

https://www.controldesign.com/articles/2016/it-invades-controller-programming/ and https://en.wikipedia.org/wiki/Representational_state_transfer

RTUs (Remote Terminal Units)

Remote Terminal Units (RTUs) are also referred to as Remote Telemetry Units. An RTU is a microprocessor-controlled electronic device whose main function is to interface a SCADA or Distributed Control System (DCS) to physical objects in the field. The functionality of RTUs and PLCs has started to overlap as hardware has become cheaper, which has encouraged the industry to standardize the languages in which RTU programs are written.

Sources

http://www.differencebetween.net/technology/industrial/difference-between-plc-and-rtu/

Reflexive Security

Reflexive Security is an approach for information security management built upon the principles of Agile and DevOps. It is a non-prescriptive framework that is purely needs-based, emphasizes collective responsibility, and considers information security and its responses to be a holistic function of the organization. 

Reflexive Security emphasizes security across organizational roles that reacts to external and internal threats in an agile and dynamic way. It aims to be a new information security management strategy that is dynamic, interactive, effective and holistic.

Sources

As defined in ISO 27000 and Information Security Management through Reflexive Security : CSA.

Runtime Application Security Protection (RASP)

Security technology deployed within the target application in production for detecting, alerting, and blocking attacks.
Note 1 to entry: Similar to a WAF but instrumented within the application

Sources

The Six Pillars of DevSecOps: Automation : CSA
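An added illustration of the difference between a WAF and RASP, not code from the CSA paper: because RASP sits inside the application, it can see where user input ended up in a query rather than guessing from raw HTTP. The check below is a simplified form of the structural technique some RASP products use: a tainted value is acceptable only if it lies entirely inside one SQL string or number literal. The wrapper class, the tokenizer and the in-memory table are all constructed for the example.

```python
"""RASP-style SQL injection guard instrumented inside the application.

Added example, not from the CSA DevSecOps paper. A WAF would have to infer
injection from HTTP parameters; this hook runs at the point where the
application executes the query, so it knows both the final SQL text and
which substrings came from the user (the "tainted" values).
"""
import re
import sqlite3
from typing import List, Sequence, Tuple

TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|\|\||[=<>+\-*/%(),;.])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql: str) -> List[Tuple[str, int, int]]:
    """Return (kind, start, end) for each non-whitespace token."""
    pos, out = 0, []
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if m.lastgroup != "ws":
            out.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return out


class InjectionBlocked(Exception):
    pass


def check_query(sql: str, tainted: Sequence[str]) -> None:
    """Every tainted value must sit entirely inside a single string or number literal.

    Input such as  ' OR '1'='1  spans several tokens once embedded, so it is rejected.
    """
    tokens = tokenize(sql)
    for value in tainted:
        if not value:
            continue
        start = sql.find(value)
        while start != -1:
            end = start + len(value)
            inside = any(kind in ("str", "num") and s <= start and end <= e
                         for kind, s, e in tokens)
            if not inside:
                raise InjectionBlocked(f"input {value!r} changes the SQL structure")
            start = sql.find(value, start + 1)


class GuardedConnection:
    """The instrumentation point: wraps execute() inside the app, not at the network edge."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def execute(self, sql: str, tainted: Sequence[str] = ()):
        check_query(sql, tainted)
        return self.conn.execute(sql)


def demo_lookup(username: str):
    """A legacy string-built query protected by the guard; returns rows or 'blocked'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "user"), ("admin", "admin")])   # constructed data
    guarded = GuardedConnection(db)
    sql = f"SELECT role FROM users WHERE name = '{username}'"  # the unsafe pattern RASP is covering for
    try:
        return [row[0] for row in guarded.execute(sql, tainted=[username]).fetchall()]
    except InjectionBlocked:
        return "blocked"
```

Two caveats a practitioner should keep in mind. The guard locates tainted values by substring search, so a user value that also happens to match an identifier in the query (a username of users, say) would be blocked; real RASP products track taint by position rather than by text. And the right fix for the query in demo_lookup is still a parameterized statement; RASP buys detection and a safety net for code you cannot change today, not a substitute for fixing it.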

Repudiation

Creating a dispute over, or a loss or compromise of, the authenticity of a record or data, so that an action can no longer be reliably attributed to the party that performed it. In cloud testing, repudiation often takes the form of deleting or turning off cloud logs, or leveraging cloud services and mechanisms to mask an action or occurrence.

Sources

Cloud Penetration Testing : CSA

Reportable Incidents

Incidents deemed to have a significant enough impact that they need to be reported outside the entity according to laws or regulations.

Sources

Cloud Penetration Testing : CSA

Ransomware

Ransomware is malicious software that gains access to an organization’s systems and data and then encrypts these systems and data rendering them inaccessible without the encryption key. The attacker supplies the decrypt key only if the victim pays a fee (ransom). Ransomware can gain access to systems through such avenues as users interacting with phishing emails or infected websites.

Sources

Disaster Recovery as a Service : CSA

Risk

A subset of “business risks” and, as such, should be talked about in business terms. Instead of defining risk in technical terms, cybersecurity professionals—when speaking to executives—can adopt the definition of risk used by almost every business manager and board of directors: the potential for monetary loss. In this context, “risk” is the possibility that an event will lead to reduced profitability. Therefore, a cyber event causing damage to an organization’s brand or reputation can be quantified.

Sources

Information Technology Governance, Risk and Compliance in Healthcare : CSA

Risk Appetite

The tolerance level organizations have for risk. One aspect of this is understanding how much risk an organization is willing to tolerate, while another is thinking about how much an organization is willing to invest or spend to manage the risk.

Sources

Information Technology Governance, Risk and Compliance in Healthcare : CSA

Risk Tolerance

The level of risk or degree of uncertainty acceptable to an organization. An organization’s risk tolerance level expresses how much of its data and systems it is prepared to put at risk while remaining within acceptable bounds.

Sources

Information Technology Governance, Risk and Compliance in Healthcare : CSA

Letter S

Shor’s algorithm

This refers to the algorithm published by P. W. Shor in 1994 [Shor], which factors integers and finds discrete logarithms in polynomial time on a quantum computer. Using Shor’s algorithm, most of today’s commonly used asymmetric cryptosystems (RSA, Diffie-Hellman and elliptic-curve schemes) can be broken.

Sources

Quantum Safe Security Glossary : CSA
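An added example, not from the glossary, showing the classical half of Shor’s algorithm. The quantum circuit’s only job is to find the order r of a random base a modulo N; here that step is replaced by brute force (so the code is exponential, not polynomial), which makes visible why knowing r splits an RSA-style modulus. The moduli used are constructed.

```python
"""Shor's algorithm with the quantum step stubbed out classically.

Added example, not from the glossary. Shor's contribution is a quantum
circuit that finds the order r of a modulo N (the least r > 0 with
a^r = 1 mod N) in polynomial time. Here find_order does that by brute
force, so this is exponential, but it makes the classical reduction
concrete: an even order r with a^(r/2) != -1 (mod N) gives a nontrivial
factor via gcd(a^(r/2) +/- 1, N). The test moduli are constructed.
"""
from math import gcd
from typing import Optional, Tuple


def find_order(a: int, n: int) -> int:
    """Stand-in for quantum period finding. Requires gcd(a, n) == 1, else it would never terminate."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, r: int, n: int) -> Optional[int]:
    """The classical post-processing: turn a period into a factor, or report that this base failed."""
    if r % 2:
        return None                      # odd order: this base tells us nothing
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                      # a^(r/2) = -1 mod n: only trivial factors result
    for f in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < f < n:
            return f
    return None


def shor_factor(n: int) -> Tuple[int, Optional[int], int, int]:
    """Returns (base a, order r or None, p, q) for the first base that splits n."""
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:
            return a, None, g, n // g    # lucky guess already shares a factor; no period needed
        r = find_order(a, n)
        f = factor_from_order(a, r, n)
        if f is not None:
            return a, r, f, n // f
    raise ValueError(f"{n} has no nontrivial factor")
```

For N = 15 and a = 2 the order is 4, 2^2 = 4, and gcd(3, 15) = 3 gives the factor. The security argument is in the loop: for a product of two odd primes, a random base yields a usable order at least half the time, so a machine that finds orders in polynomial time factors in polynomial time, and the same period-finding step solves the discrete logarithm problems behind Diffie-Hellman and ECC.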

SVP

This stands for the Shortest Vector Problem, which requires the shortest nonzero vector in a lattice to be found. The problem is NP-hard (non-deterministic polynomial-time hard) under randomized reductions for the Euclidean norm. It is a hard problem that underlies lattice-based cryptography.

Sources

Quantum Safe Security Glossary : CSA

Syndrome decoding

This is an NP-hard (non-deterministic polynomial-time hard) problem that occurs in code-based cryptography. The goal is to find a constrained solution of a linear system; the solution must have a small number of nonzero components (low Hamming weight).

Sources

Quantum Safe Security Glossary : CSA

SCADA (Supervisory Control And Data Acquisition)

SCADA systems are used to control dispersed assets where centralized data acquisition is as important as control. These systems are used in various industrial systems. SCADA systems integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs. SCADA systems are designed to collect field information, transfer it to a central computer facility, and display the information to the operator graphically or textually, thereby allowing the operator to monitor or control an entire system from a central location in near real time. Based on the sophistication and setup of the individual system, control of any individual system, operation, or task can be automatic, or it can be performed by operator commands.

Sources

NIST SP 800-82r2 https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

Sensors

A sensor is a device that detects changes in an electrical, physical, or other quantity and produces an output that reflects that change. In simple terms, industrial automation and control sensors are input devices that provide an output (signal) with respect to a specific physical quantity (input). Examples of sensor types include temperature, pressure, vacuum, motion, and torque.

Sources

https://www.plantautomation-technology.com/articles/types-of-sensors-used-in-industrial-automation

SIS (Safety Instrumented System)

Safety Instrumented Systems are used to monitor the condition of values and parameters of a plant within the operational limits and, when risk conditions occur, they trigger alarms and place the plant in a safe condition or even at the shutdown condition. The main objective is to avoid accidents inside and outside plants.

Sources

http://www.smar.com/en/technical-article/sis-safety-instrumented-syst02

SecDevOps

Application of DevOps culture, practices, and workflows for the achievement of information security and compliance management.

Sources

As defined in ISO 27000 and Information Security Management through Reflexive Security : CSA.

Software Composition Analysis (SCA)

Security testing that analyzes application source code or compiled code for software components with known vulnerabilities.

Note 1 to entry: software components in software composition analysis may include open source, libraries and common code.
Note 2 to entry: known vulnerabilities may be discovered via vulnerability databases such as CVE.

Sources

The Six Pillars of DevSecOps: Automation : CSA
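An added example of what an SCA pass actually computes, not code from the CSA paper: parse a pinned manifest, then test each component’s version against advisories whose affected ranges use introduced/fixed events in the style of OSV. The manifest, the package names and the DEMO-… advisory identifiers are constructed for the illustration; a real tool would load the same shape of data from CVE/NVD, OSV or a vendor feed.

```python
"""Software composition analysis against a dependency manifest.

Added example, not from the CSA DevSecOps paper. The manifest, package
names and advisory identifiers below are constructed; the version-range
logic is the part a real SCA tool performs on CVE/NVD or OSV data.
"""
import re
from typing import Dict, List, Tuple

REQUIREMENTS = """\
# constructed requirements.txt
netclient==2.19.1
httppool==1.26.5
yamlparse==5.3.1
cryptolib==41.0.7
"""

FEED = [  # constructed advisories, OSV-style ranges
    {"id": "DEMO-2020-0001", "package": "yamlparse", "severity": "critical",
     "ranges": [{"introduced": "5.1", "fixed": "5.4"}]},
    {"id": "DEMO-2018-0002", "package": "netclient", "severity": "high",
     "ranges": [{"introduced": "0", "fixed": "2.20.0"}]},
    {"id": "DEMO-2021-0003", "package": "httppool", "severity": "medium",
     "ranges": [{"introduced": "1.25.4", "fixed": "1.26.5"}]},   # fixed exactly at the pinned version
    {"id": "DEMO-2022-0004", "package": "cryptolib", "severity": "high",
     "ranges": [{"introduced": "3.0", "fixed": "3.2"},
                {"introduced": "40.0.0", "fixed": "40.0.2"}]},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.26.5' -> (1, 26, 5). Pre-release tags are dropped; fine here, not for full PEP 440."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text: str) -> Dict[str, str]:
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency cannot be analysed reliably: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, ranges: List[Dict[str, str]]) -> bool:
    """Affected if introduced <= version < fixed for any range; no 'fixed' means still open."""
    v = parse_version(version)
    for rng in ranges:
        lo = parse_version(rng.get("introduced", "0"))
        hi = rng.get("fixed")
        if v >= lo and (hi is None or v < parse_version(hi)):
            return True
    return False


def scan(requirements_text: str, feed: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """Return (advisory id, package, pinned version, severity) for every matching component."""
    deps = parse_requirements(requirements_text)
    findings = []
    for adv in feed:
        pinned = deps.get(adv["package"])
        if pinned is not None and is_affected(pinned, adv["ranges"]):
            findings.append((adv["id"], adv["package"], pinned, adv["severity"]))
    return sorted(findings)
```

Two details matter in practice and are exercised here: the fixed version is excluded from the affected range (httppool 1.26.5 is clean), and an advisory can carry several disjoint ranges when a fix is backported to more than one release line. Unpinned dependencies are refused rather than guessed at, since an SCA result for “whatever resolves today” is not reproducible.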

Static Application Security Testing (SAST)

Security testing that analyzes application source code for software vulnerabilities and gaps against best practices.
Note 1 to entry: Static analysis can be performed in multiple environments including the developer’s IDE, source code, and binaries.
Note 2 to entry: Also called “white box testing” 

Sources

The Six Pillars of DevSecOps: Automation : CSA
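An added example of static analysis at its simplest, not code from the CSA paper: the source is parsed into an abstract syntax tree and inspected without ever being executed. Three rules are implemented, use of eval/exec, subprocess with shell=True, and string constants assigned to secret-looking names; the rule identifiers and the sample source are constructed for the example.

```python
"""A minimal SAST pass over Python source using the standard-library ast module.

Added example, not from the CSA DevSecOps paper. Rule ids (PY-...) and the
sample program are constructed; nothing in the sample is executed.
"""
import ast
import re
from typing import List, Tuple

SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.I)
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
               "subprocess.check_output", "subprocess.check_call"}

SAMPLE = '''\
import os
import subprocess

API_KEY = "sk-demo-0123456789"          # constructed value, flagged
db_password = os.environ["DB_PASSWORD"] # read from environment, not flagged

def run(user_cmd):
    subprocess.run("ls " + user_cmd, shell=True)      # flagged

def run_safe(user_cmd):
    subprocess.run(["ls", user_cmd])                  # argument list, no shell: not flagged

def calc(expr):
    return eval(expr)                                 # flagged
'''


def _call_name(func: ast.expr) -> str:
    """Render the callee as dotted text, e.g. subprocess.run; empty for anything exotic."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Tuple[str, int, str]] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node.func)
        if name in {"eval", "exec"}:
            self.findings.append(("PY-EVAL", node.lineno, f"{name}() on data that may be untrusted"))
        if name in SHELL_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(("PY-SHELL", node.lineno, f"{name}(shell=True)"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.findings.append(("PY-SECRET", node.lineno, f"hardcoded value in {target.id}"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Tuple[str, int, str]]:
    """Parse and walk the source; returns (rule, line, detail) sorted by position."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: (f[1], f[0]))
```

The contrast between run and run_safe is the point: both call subprocess.run, but only the string-plus-shell form is flagged, because the AST exposes the keyword argument that a text grep would miss. The same mechanism is why SAST produces false positives (an eval on a constant is still reported) and why the notes above describe it as white-box testing: it sees the code, not the running system.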

Software Delivery Pipeline

Set of automated processes used for delivering software from conception to deployment.

Sources

The Six Pillars of DevSecOps: Automation : CSA

Spoofing

Impersonating, masquerading or otherwise falsely assuming an identity, characteristic or claim about oneself. In cloud testing, spoofing often takes the form of stealing cloud environment credentials to leverage their identity’s privileges.

Sources

Cloud Penetration Testing : CSA

Service Registry

The registry contains the locations of available instances of services. Service instances are registered with the service registry on startup and deregistered on shutdown. Clients of the service and/or routers query the service registry to find the available instances of a service.

Sources

Best Practices in Implementing a Secure Microservices Architecture

Server-Side Discovery

The client sends its request to a load balancer (or router), which queries the service registry for the network locations of available service instances and forwards the request to one of them.

Sources

Best Practices in Implementing a Secure Microservices Architecture

Software

A collection of data or computer instructions that tell the computer how to work. Physical hardware, from which the system is built, performs the work.

Sources

Cambridge Dictionary. (2021, August 11). Software. https://dictionary.cambridge.org/dictionary/english/software.

Software Architecture

The structure or structures of the system, which comprise software elements, the externally visible properties of those elements, and the relationships among them.

Sources

Bass, L., Clements, P. C., & Kazman, R. (2012, September). Software Architecture in Practice, Third Edition. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=30264.

Software Design Pattern

A general, reusable solution to a commonly occurring problem within a given context in software design. It is not a finished design that can be transformed directly into source or machine code. Rather, it is a description or template for how to solve a problem that can be used in many different situations.

Sources

Wikipedia contributors. (2021a, June 14). Software design pattern. Wikipedia. https://en.wikipedia.org/wiki/Software_design_pattern

Solution

A solution is the application of architecture, patterns, and design effort to solve a specific industry need or business problem. A solution intends to provide ongoing customer and business owner value.

Sources

Microservices Architecture Pattern : CSA

Security Policy

A high-level document representing an enterprise’s information security philosophy and commitment.

Sources

ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.

Security Procedure

The formal documentation of operational steps and processes that specify how security goals and objectives set forward in the security policy and standards are to be achieved.

Sources

ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.

Security Standard

Practices, directives, guidelines, principles or baselines that state what needs to be done and focus areas of current relevance and concern; they are a translation of issues already mentioned in the security policy.

Sources

ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.

Security Testing

Ensuring that the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems, or allow misuse of the system or its information.

Sources

ISACA. Interactive Glossary & Term Translations. Retrieved August 11, 2021, from https://www.isaca.org/resources/glossary.

Security Architecture

Represents the portion of the enterprise architecture that specifically addresses information system resilience and provides architectural information for the implementation of capabilities to meet security requirements.

Sources

Gantz, S. D., & Philpott, D. R. (2013). FISMA and the Risk Management Framework. ScienceDirect.

Security Controls Overlay

An overlay is a fully specified set of controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance to control baselines. For more information about control overlays, see NIST Special Publication 800-53 Rev. 4, Section 3.3 (Creating Overlays) and Appendix I (Overlay Template).

Sources

NIST Information Technology Laboratory: Computer Security Resource Center (CSRC). (2009, June 12). FISMA Implementation Project. https://www.nist.gov/programs-projects/federal-information-security-management-act-fisma-implementation-project.

Strangler

A “Strangler” is a reference model that describes the process of modernizing a monolithic application into a microservices architecture by adding new microservices around the application over time while decommissioning the corresponding features of the monolith. It is an incremental “dissect and transition as you go” model.

Sources

Microservices Architecture Pattern : CSA

Service boundaries

Service boundaries are defined by the declarative description of the functionality provided by the service. A service - within its boundary - owns, encapsulates and protects its private data and only chooses to expose certain (business) functions outside the boundary. 

Sources

How to Design a Secure Serverless Architecture

Security information and event management (SIEM)

This technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting).

Sources

https://www.gartner.com/en/information-technology/glossary/security-information-and-event-management-siem

Separation (Segregation of Duties)

Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. The principle is based on shared responsibility for a key process, dispersing the critical functions of that process across more than one person or department.

Sources

https://www.aicpa.org/interestareas/informationtechnology/resources/value-strategy-through-segregation-of-duties.html

Shared Responsibility

The customer security team retains some responsibilities for security as applications, data, containers, and workloads move to the cloud. At the same time, the provider takes on some responsibility, but not all. Defining the line between the customer’s responsibilities and the provider’s is imperative for reducing the risk of introducing vulnerabilities into public, hybrid, and multi-cloud environments.

Sources

https://cloudsecurityalliance.org/blog/2020/08/26/shared-responsibility-model-explained/

Software as a Service (SaaS)

A full application that is managed and hosted by the provider. Consumers access it with a web browser, mobile app, or a lightweight client app.

Sources

Disaster Recovery as a Service : CSA

Shared Responsibility

Refers to the concept that the CSC and CSP have varying responsibilities depending on the cloud service level in effect. The CSC has the most responsibility when IaaS is used and the least when SaaS is used.

Sources

Disaster Recovery as a Service : CSA

Security Information and Event Management (SIEM)

SIEM systems accept log and event information, correlation and incident data and provide real time analysis and correlation.

Sources

Defined Categories of Service 2011 : CSA

Security Assessment

Third party audits of cloud services based on industry standards.

Sources

Defined Categories of Service 2011 : CSA

Letter T

Threat Modeling

Methodology to identify and understand threats impacting a resource or set of resources.

Note to entry: Common methodologies of threat modeling include STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation).

Sources

The Six Pillars of DevSecOps: Automation : CSA

Tampering

Sabotage, modification or forgery of records, process or product in a harmful way, or otherwise in a fashion that serves an attacker’s other objective or attack chain. In cloud testing tampering often takes the form of altering cloud logs, changing hosted images, and tampering with API, repositories or data.

Sources

Cloud Penetration Testing : CSA
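Detection logic for the two cloud-testing patterns named in the Repudiation and Tampering entries (turning off or deleting logs; altering what the logs record), added here as an example and not taken from the CSA guidance. The records are constructed in the shape of AWS CloudTrail events; the API names checked (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors, DeleteLogGroup, DeleteLogStream, DeleteFlowLogs) are real CloudTrail, CloudWatch Logs and EC2 operations, while the account id, principals and timestamps are placeholders.

```python
"""Flagging log-disabling (repudiation) and log-config changes (tampering) in cloud audit events.

Added example for the Repudiation and Tampering entries; not from the CSA
Cloud Penetration Testing guidance. Records are constructed in CloudTrail
shape; the eventName values checked are real AWS API operations.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Operations that stop or remove audit evidence (repudiation) ...
DISABLE_LOGGING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
}
# ... and operations that change what gets recorded (tampering with logging)
ALTER_LOGGING = {
    "cloudtrail.amazonaws.com": {"UpdateTrail", "PutEventSelectors"},
}

SAMPLE_EVENTS = """\
{"eventTime":"2021-09-01T10:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2021-09-01T10:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"name":"management-events"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2021-09-01T10:07:30Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"userName":"backup-svc"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2021-09-01T10:40:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"PutEventSelectors","userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"requestParameters":{"trailName":"management-events"},"sourceIPAddress":"203.0.113.9"}
{"eventTime":"2021-09-01T13:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.7"}
"""


def load_events(ndjson: str) -> List[Dict]:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _target(ev: Dict) -> Optional[str]:
    params = ev.get("requestParameters") or {}
    return params.get("name") or params.get("trailName") or params.get("logGroupName") or params.get("userName")


def classify(ev: Dict) -> Optional[str]:
    src, name = ev.get("eventSource"), ev.get("eventName")
    if name in DISABLE_LOGGING.get(src, ()):
        return "repudiation:logging-disabled"
    if name in ALTER_LOGGING.get(src, ()):
        return "tampering:logging-config-changed"
    return None


def detect(events: List[Dict], window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Alert on log-disabling and log-config changes, then on anything the same principal
    does within `window` of disabling logging (the activity the attacker wanted unrecorded)."""
    alerts: List[Dict] = []
    blind_since: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        when, who = parse_time(ev["eventTime"]), ev["userIdentity"]["arn"]
        rule = classify(ev)
        if rule is None and who in blind_since and when - blind_since[who] <= window:
            rule = "activity-while-logging-disabled"
        if rule is None:
            continue
        alerts.append({"rule": rule, "event": ev["eventName"], "principal": who,
                       "time": ev["eventTime"], "target": _target(ev)})
        if rule.startswith("repudiation"):
            blind_since[who] = when
    return alerts
```

The follow-on rule only works if some record of the later activity survives, for example in an organization trail the principal could not touch or in the provider's own event history; that is the practical reason the first alert (logging was disabled) should page on its own rather than wait for correlation. The same table-driven shape extends to other providers by adding their equivalents of StopLogging and UpdateTrail.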

Threat

A threat is any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.

Sources

NIST SP 800-32, under “Threat” (from NSTISSI 4009)

Technical Debt

A design or construction approach that’s expedient in the short term but that creates a technical context in which the same work will cost more to do later than it would cost to do now (including increased cost over time).

Sources

McConnell, S. (2013). “Managing Technical Debt (slides),” in Workshop on Managing Technical Debt (part of ICSE 2013): IEEE, 2013.

Transform

Transformation of data implies extracting data from a source, transforming it or converting it to one format or another, and loading it into a target system.

Sources

Microservices Architecture Pattern : CSA

Translate

An adapter microservice wraps and translates (usually function based) services into an entity-based REST interface. This allows an interface of an existing class to be used as another interface.

Sources

Microservices Architecture Pattern : CSA

Third-Party Security Service Provider (TPSSP)

A common alternative term for TPSSP is managed security service provider (MSSP). Gartner states that an MSSP provides outsourced monitoring and management of security devices and systems to cloud customers. Typical services include managed firewalls, intrusion detection, virtual private networks, vulnerability scanning, and antivirus services. MSSPs use high-availability security operation centers (either in their own facilities or at other data center providers) to provide 24/7 services that reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an appropriate security maturity.

Sources

https://www.gartner.com/en/information-technology/glossary/mssp-managed-security-service-provider
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Telehealth

Telehealth encompasses clinical health care as well as a wide range of other services. Telehealth uses innovative technologies, such as kiosks, website monitoring applications, mobile phone applications, wearable devices, and videoconferencing, to remotely connect health care providers to patients.

Sources

Marcoux, Rita M., and Vogenberg, F. Randy. 2016. Telehealth: Applications from a Legal and Regulatory Perspective. Pharmacy and Therapeutics, Vol 41 (9): P. 567–570. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5010268/

Threats

A threat is any circumstance or event with the potential to adversely impact organizational operations, assets, individuals, or other organizations through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. 

Sources

Information Technology Governance, Risk and Compliance in Healthcare : CSA

Letter U

Unbalanced Oil and Vinegar (UOV)

This is a multivariate signature scheme which was proposed in 1999 by A. Kipnis, L. Goubin and J. Patarin [KPG99]. 

Sources

[KPG99] A. Kipnis, J. Patarin, and L. Goubin. Unbalanced Oil and Vinegar Signature Schemes. EUROCRYPT’99, LNCS 1592, pages 206–222. Springer, 1999.

Unknown Threat Actor

Unauthorized access was confirmed, but neither the identity of the attacker nor any other information about the attacker was made available. It is doubtful whether much is known at all.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

Universal Naming Convention (UNC)

A Windows path syntax of the form \\server\share\path, provided by Windows as an early method of identifying systems and shared resources within an enterprise environment.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA

Utility

Sidecar mesh abstracts the underlying infrastructure through a proxy of services below the application. The proxy handles traffic flow, inter-microservice communication, connection, management, load balancing, availability and telemetry data. The sidecar mesh paradigm provides orchestration and architectural independence from underlying cloud architectures, across multiple clouds.

Sources

Microservices Architecture Pattern : CSA

Letter V

Vulnerability Scanning

Scans the target infrastructure or systems for security vulnerabilities via a public network.

Sources

Defined Categories of Service 2011 : CSA

Vulnerability

A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation exploitable by a threat source.

Examples of different vulnerabilities include:

  1. Physical: unlocked rooms containing switches
  2. Environmental: flooding
  3. External relationships: telecommunications outage

Sources

National Institute of Standards and Technology. (2012). Special Publication 800-30 Revision 1 Guide for Conducting Risk Assessments, National Institute of Standards and Technology, Gaithersburg, MD. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Letter W

Web Application Firewall (WAF)

Application firewall that monitors, alerts, and blocks attacks by inspecting HTTP traffic.

Sources

The Six Pillars of DevSecOps: Automation : CSA

Web Security

Offers real-time protection of public facing application services generally offered by proxying web traffic through the cloud service provider.

Sources

Defined Categories of Service 2011 : CSA

Letter Z

Zoombombing

The practice of hijacking video conversations by uninvited parties to disrupt the usual proceedings.

Sources

Top Threats to Cloud Computing: Egregious Eleven Deep Dive : CSA