Advanced 16 terms

Cloud Security

Zero-trust architecture, IAM, CASB, SIEM, DLP, WAF, and the essential security vocabulary for cloud-native IT professionals.

  • Zero Trust /ˈzɪərəʊ trʌst/

    A security model that grants access based on continuous verification of identity, device health, and context — never assuming trust because a request originates inside the network perimeter.

    "After adopting zero trust, every internal API call requires a valid service identity token — being on the corporate VPN no longer grants implicit access to production systems."
  • IAM (Identity and Access Management) /aɪ eɪ em/

    The discipline and tooling for managing digital identities and controlling which authenticated identities can access which cloud resources and perform which actions.

    "The IAM audit revealed 47 over-privileged service accounts with admin rights they had never used — we applied least-privilege policies and reduced the blast radius of a potential breach."
  • CASB (Cloud Access Security Broker) /ˈkæzb/

    A security control point — on-premises or cloud-based — that sits between cloud service users and cloud applications to enforce security policies: visibility, compliance, data security, and threat protection.

    "The CASB detected that employees were uploading sensitive contract documents to personal Dropbox accounts — the policy now blocks uploads to unsanctioned cloud storage and routes to the approved SharePoint."
  • SIEM (Security Information and Event Management) /siːm/

    A platform that aggregates, correlates, and analyses security events from across the environment in real time, enabling threat detection, investigation, and compliance reporting.

    "The SIEM correlated an unusual login from a new geography with a spike in failed API authentication attempts — an alert fired within 90 seconds, enabling the SOC team to isolate the compromised account before data exfiltration occurred."
  • DLP (Data Loss Prevention) /diː el piː/

    Technology that detects and prevents unauthorised transmission of sensitive data — monitoring data in use (endpoint), in motion (network), and at rest (storage) against content-inspection policies.

    "DLP blocked an outbound email containing credit card numbers in the attachment body — the policy automatically quarantined the message and alerted the security team for review."
  • WAF (Web Application Firewall) /wɒf/

    A security layer that filters and monitors HTTP(S) traffic to and from a web application, blocking common application-layer attacks such as SQL injection, XSS and CSRF (OWASP Top 10 categories) as well as application-layer DDoS.

    "The WAF rule set blocked a coordinated SQL injection campaign — 12,000 malicious requests were rejected at the edge before they reached the application servers."
  • CSPM (Cloud Security Posture Management) /siː es piː em/

    Tools that continuously audit cloud infrastructure configurations against security benchmarks (CIS, NIST), flagging misconfigurations such as public S3 buckets, open security groups, or unencrypted volumes.

    "CSPM identified an S3 bucket with public read access — a misconfiguration from a developer's test that had drifted into production. The tool opened a JIRA ticket automatically and the bucket was locked within an hour."
  • CWPP (Cloud Workload Protection Platform) /siː dʌbljuː piː piː/

    Security tooling focused on protecting server workloads — VMs, containers, serverless — with vulnerability scanning, runtime threat detection, and micro-segmentation capabilities.

    "The CWPP flagged a container running a crypto-mining process that wasn't in the approved image — the workload was isolated and the incident triggered a supply chain audit of the base images."
  • Shared Responsibility Model /ʃeəd rɪˈspɒnsɪˈbɪlɪti ˈmɒdəl/

    The division of security obligations between the cloud provider (physical infrastructure, hypervisor, managed service internals) and the customer (data, identity, application, OS configuration).

    "After the misconfigured RDS instance was discovered, we reviewed the shared responsibility model with the team: AWS secures the database engine but the customer is responsible for encryption settings, IAM access, and VPC placement."
  • Privileged Access Management (PAM) /pæm/

    Controls and tooling for securing, managing, and auditing access to privileged accounts — admin credentials, root access, service accounts — including just-in-time access and session recording.

    "Engineers no longer have standing admin access to production — PAM enforces just-in-time elevation: access is requested, approved by the on-call manager, granted for four hours, and every command is recorded in an audit log."
  • Security Group / Network ACL /sɪˈkjʊərɪti ɡruːp / ˈnetwɜːk eɪ siː el/

    Security groups (stateful) control inbound/outbound traffic at the instance level in AWS. Network ACLs (stateless) operate at the subnet level, evaluating each packet independently without tracking connection state.

    "The security group allows port 443 inbound from any IP but restricts port 5432 (PostgreSQL) to the private subnet CIDR only — the database is unreachable from the internet even if the app server is compromised."
  • Encryption at Rest / In Transit /ɪnˈkrɪpʃən æt rest / ɪn ˈtrænsɪt/

    Encryption at rest protects stored data using AES-256 or similar algorithms so stolen storage media yields unreadable data. Encryption in transit uses TLS to protect data moving between services.

    "All S3 buckets enforce AES-256 server-side encryption at rest. All inter-service traffic is TLS 1.2+ in transit — plaintext HTTP within the VPC is blocked by network ACL policy."
  • Threat Intelligence Feed /θret ɪnˈtelɪdʒəns fiːd/

    A stream of indicators of compromise (IoCs), threat actor TTPs (tactics, techniques, and procedures), and malicious IPs/domains from commercial or open-source providers, consumed by SIEM and WAF tooling to enrich detection rules.

    "Integrating an OSINT threat intelligence feed into the SIEM enabled us to automatically flag connections to known C2 (command-and-control) infrastructure — we caught a compromised workstation before the attacker escalated privileges."
  • CVE / CVSS Score /siː viː iː / siː viː es es/

    CVE (Common Vulnerabilities and Exposures) assigns a unique identifier (a CVE ID) to each publicly disclosed security vulnerability. CVSS (Common Vulnerability Scoring System) assigns a severity score (0–10) based on exploitability and impact metrics.

    "The container image scan returned three CVEs: one Critical (CVSS 9.8) in the OpenSSL version, two Medium. Policy requires all Critical CVEs to be patched before the image can be promoted to production."
  • Secrets Management /ˈsiːkrɪts ˈmænɪdʒmənt/

    The secure storage, rotation, and distribution of credentials, API keys, and certificates — using tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault instead of hard-coded values or environment files.

    "After finding a database password in a GitHub commit, we migrated to AWS Secrets Manager — applications retrieve credentials at startup via IAM role, secrets rotate automatically every 30 days, and access is logged."
  • Security Posture /sɪˈkjʊərɪti ˈpəʊstʃər/

    An organisation's overall security readiness: the aggregate of policies, controls, vulnerabilities, and risk exposure across all systems, communicated as a health score or a RAG-rated (red/amber/green) dashboard.

    "The quarterly security posture review showed improvement: critical findings dropped from 23 to 4, patch compliance rose to 96%, and MFA adoption reached 100% — the posture score moved from Red to Amber."