When navigating the complexities of the public cloud, it’s easy to get lost in the endless acronyms, industry jargon, and vendor-specific terms, so it’s best to have a map. From K8s to IaC to Shift Left, a shared vocabulary helps you navigate the nuances of this emerging segment of the market. Even at Rapid7, not everyone started with a full knowledge of cloud security.
So, a few team members within the Cloud Security practice in Rapid7 created a list of terms that cover the basics—ideas to help educate and add context as you continue your journey into cloud security and DevSecOps. Here are the most common ones.
Application Program Interface [API]: A set of functions and procedures allowing for the creation of applications that can access the features or data of an operating system, application, or other service.
Amazon Web Services [AWS]: Amazon’s popular cloud-service provider.
Administrator [Admin]: A user with the highest level of privileges or authorizations.
Cloud Access Security Broker [CASB]: A CASB provides a security tool that helps organizations set policy, monitor behavior, and manage risk in the cloud. It sits between cloud-service users and cloud applications to enforce security policies.
Cloud Computing: The on-demand availability of computer system resources without direct active management by the user. The term describes data centers that are available to many users over the Internet.
Cloud Control Plane: The part of the network that carries information necessary to establish and control the network. It controls how data is sent from one place to another.
Cloud Cost Containment: The organizational planning that allows an enterprise to understand and manage the costs and needs associated with its cloud technology. This includes finding cost-effective ways to maximize cloud usage and efficiency.
Cloud-Native Application Protection Platform [CNAPP]: CNAPPs bring application and data context in the convergence of the CSPM and CWPP archetypes to protect hosts and workloads, including VMs, containers, and serverless functions. A CNAPP is also sometimes known as a Cloud-Native Security Platform (CNSP).
Cloud Security Posture Management [CSPM]: CSPM solutions continuously manage cloud-security risk. They detect, log, report, and provide automation to address issues. These issues can range from cloud service configurations to security settings and are typically related to governance, compliance, and security for cloud resources.
Cloud Service Provider [CSP]: A third-party company that offers a cloud-based platform, infrastructure, application, or storage services. The most popular CSPs are AWS, Azure, Alibaba, and GCP.
Container Security: A container represents a software application and may contain all necessary code, run-time, system tools, and libraries needed to run the application. Container hosts may be packed with risk, so properly securing them means maintaining visibility into vulnerabilities and risks associated with their components and layers.
Effective Access: The net resulting permissions that each identity has to access cloud resources based on the combination of all SCPs, resource-based policies, permission boundaries and identity-based policies.
Effective Permissions: The net-permission set for a cloud asset or user across all policy sets.
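The two entries above describe effective access as the net of several policy sets. As an added illustration (written for this glossary, not taken from the original post or from any Rapid7 product), the Python below models AWS's same-account evaluation in simplified form: an explicit Deny anywhere wins, SCPs and a permissions boundary gate but never grant, and an identity-based or resource-based Allow grants the rest. The policy statements and ARNs are constructed sample data.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Statement:
    """One policy statement; actions and resources may use * wildcards."""
    effect: str        # "Allow" or "Deny"
    actions: list      # e.g. ["s3:GetObject", "s3:Get*"]
    resources: list    # ARNs, e.g. ["arn:aws:s3:::logs/*"]

    def matches(self, action, resource):
        return (any(fnmatchcase(action, a) for a in self.actions) and
                any(fnmatchcase(resource, r) for r in self.resources))

def decide(statements, action, resource):
    """Evaluate one policy set: 'Deny', 'Allow', or None (implicit deny)."""
    hits = {s.effect for s in statements if s.matches(action, resource)}
    if "Deny" in hits:
        return "Deny"
    return "Allow" if "Allow" in hits else None

def effective_access(action, resource, identity, resource_policy=(),
                     scps=None, boundary=None):
    """Simplified same-account model: an explicit Deny anywhere wins;
    SCPs and a permissions boundary, when present, must Allow (they
    gate but never grant); then an identity-based or resource-based
    Allow grants access. Anything else is an implicit deny."""
    verdicts = {"identity": decide(identity, action, resource),
                "resource": decide(resource_policy, action, resource)}
    if scps is not None:
        verdicts["scp"] = decide(scps, action, resource)
    if boundary is not None:
        verdicts["boundary"] = decide(boundary, action, resource)
    if "Deny" in verdicts.values():
        return False
    for gate in ("scp", "boundary"):
        if gate in verdicts and verdicts[gate] != "Allow":
            return False
    return "Allow" in (verdicts["identity"], verdicts["resource"])

# Constructed sample policies (not real account data): the identity policy
# is broad, while the boundary and the organization's SCPs narrow it.
IDENTITY = [Statement("Allow", ["s3:*"], ["arn:aws:s3:::*"])]
BOUNDARY = [Statement("Allow", ["s3:Get*", "s3:List*"], ["arn:aws:s3:::*"])]
SCPS = [Statement("Allow", ["*"], ["*"]),
        Statement("Deny", ["s3:DeleteBucket"], ["*"])]

if __name__ == "__main__":
    for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteBucket"):
        print(action, effective_access(action, "arn:aws:s3:::logs/app.log", IDENTITY, scps=SCPS, boundary=BOUNDARY))
```

Running it shows that the same broad identity policy yields three different effective results depending on which gates are in force, which is why effective permissions must be computed across all policy sets rather than read off one document.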
Entitlements: Entitlements, or Permissions Entitlements, give domain users control over basic users' and organization admins' permissions to access certain parts of a tool.
Google Cloud Platform [GCP]: A suite of cloud-computing services that runs on the same infrastructure Google uses internally for its end-user products, such as Google Search, Gmail, file storage, and YouTube.
Governance: A carefully designed set of rules and protocols put in place by businesses that operate in a cloud environment to enhance data security, manage risks, and keep things running smoothly.
Identity Access Management [IAM]: A framework of policies and technologies for ensuring the right users have the appropriate access to technology resources. It is also known as Cloud Infrastructure Entitlement Management (CIEM), which is designated for technologies that provide identity and access governance controls with the goal of reducing excessive cloud-infrastructure entitlements and streamlining least-privileged access (LPA) controls across dynamic, distributed cloud environments.
Image Scanning: Scans the base operating system of a container or virtual machine to ensure the software contained within is free from known vulnerabilities.
Infrastructure: With respect to cloud computing, infrastructure refers to an enterprise's entire cloud-based or local collection of resources and services. This term is used synonymously with “cloud footprint.”
Infrastructure as Code [IaC]: The process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. With IaC, configuration files are created that contain your infrastructure specifications, making it easier to edit and distribute configurations.
Infrastructure as a Service [IaaS]: A form of cloud computing that provides virtualized resources (storage, networking) over the Internet. IaaS gives an administrator the power to manage applications, data, runtime, and middleware while the service provider manages all other aspects. AWS and Google are common examples of IaaS providers.
Integration: External systems with which InsightCloudSec is designed to interface for both inbound (data aggregation, data collection) and outbound (notifications, ticketing) actions.
Kubernetes: A portable, extensible open-source platform for deploying, managing and orchestrating containerized workloads and services at scale.
Least-Privileged Access [LPA]: The practice of granting users only the minimum access or permissions required for their particular job functions.
Platform as a Service [PaaS]: A form of cloud computing that provides virtualized resources over the Internet. PaaS is usually inclusive of IaaS, but also incorporates the complete software development lifecycle (SDLC). Google App Engine and Windows Azure are common examples of PaaS providers.
Resources: A virtual (cloud-hosted) service, utility, or function; cloud accounts are made up of resources. While different providers use different names in referring to their specific offerings, InsightCloudSec uses normalized names throughout the tool for these resources. For example, AWS S3 Bucket, GCP Cloud Storage, Azure Blob Storage Container, and Alibaba Object Storage Bucket all refer to storage resources.
Risk Prioritization: An analysis that stipulates which vulnerabilities need to be prioritized and where your riskiest assets lie.
Runtime Analysis: This process leverages tools that watch an application at runtime (when it is in production) to block potentially malicious activity. Analysis includes behavior as well as context in which the behavior occurs.
Serverless Computing: A cloud-computing execution model in which the cloud provider allocates machine resources on demand, providing servers on behalf of customers. Users can then write and deploy code without needing to maintain the underlying infrastructure.
Service Mesh: A dedicated infrastructure layer for facilitating service-to-service communications — via proxy — between microservices. Put simply, it’s a way to control how the different parts of an application share data with one another.
Shared Responsibility Model: A framework in cloud computing that defines who is responsible for the security and compliance of each component of the cloud architecture. With on-premises data centers, the responsibility is solely on your organization to manage and maintain security for the entire technology stack, from the physical hardware to the applications to the data. Since public cloud computing purposefully abstracts layers of that tech stack, this model acts as an agreement between the cloud service provider (CSP) and their customer as to who takes on the responsibility of managing and maintaining proper hygiene and security of the cloud infrastructure. This is a gradual model, with IaaS leaving the most responsibility on your organization, PaaS putting a moderate amount of responsibility on your organization, and SaaS putting the least amount of responsibility on your organization.
Shift Left: A concept that refers to building security into an earlier stage of the development cycle. Traditionally, security checks occurred at the end of the cycle. However, by shifting left, organizations can ensure their applications are more secure from the start — and at a much lower cost.
Software as a Service [SaaS]: A form of cloud computing that provides virtualized software on demand, over the Internet. With SaaS, a service provider installs and maintains software on behalf of its customers. Salesforce and Dropbox are common examples of SaaS providers.
Threat Detection: The practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network.
Vulnerability Assessment: The process of identifying, quantifying, and prioritizing the vulnerabilities in a system.