Cloud Security Glossary of Terms

The terminology used across cloud security disciplines spans regulatory frameworks, architectural models, threat categories, and operational practices — each term carrying precise technical and legal meaning. This page defines the core vocabulary used by security professionals, compliance officers, auditors, and architects operating in cloud environments. Accurate terminology is foundational to cloud security compliance frameworks, vendor evaluation, and incident documentation. Misapplied terms in policy language, audit reports, or contracts create measurable compliance gaps.


Definition and scope

Cloud security terminology encompasses the vocabulary used to describe controls, risks, architectures, and obligations specific to computing infrastructure delivered as a service. Unlike general cybersecurity vocabulary, cloud security terms frequently carry platform-specific meaning that varies across Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) deployment models.

The National Institute of Standards and Technology (NIST) defines cloud computing in SP 800-145 across 5 essential characteristics, 3 service models, and 4 deployment models — a taxonomy that underpins regulatory and contractual language used throughout federal and commercial cloud procurement. Terms that appear in NIST SP 800-145, ISO/IEC 27017, and the Cloud Security Alliance (CSA) Cloud Controls Matrix carry definitional authority in audit and compliance contexts.

Scope boundaries matter: terms used in the context of cloud identity and access management carry different operational definitions than identical words used in cloud network security. This glossary organizes terms by functional domain rather than alphabetically to reflect how professionals actually apply them.


How it works

Cloud security vocabulary is structured around 6 functional domains, each with its own terminology cluster:

  1. Identity and Access — covers authentication, authorization, privilege, federation, and credential lifecycle. Key terms include: Identity Provider (IdP), Service Account, Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Privileged Access Workstation (PAW).

  2. Data Protection — addresses classification, encryption states, key governance, and data residency. Terms include: Customer-Managed Keys (CMK), Bring Your Own Key (BYOK), Hold Your Own Key (HYOK), Data Loss Prevention (DLP), and tokenization.

  3. Network Security — defines perimeter, segmentation, and traffic inspection concepts. Terms include: Virtual Private Cloud (VPC), Security Group, Network Access Control List (NACL), East-West Traffic, and Micro-Segmentation.

  4. Workload and Runtime Security — covers compute-layer protection at the instance, container, and function level. Terms include: Cloud Workload Protection Platform (CWPP), eBPF-based monitoring, Drift Detection, and Immutable Infrastructure.

  5. Posture and Compliance — governs configuration state and audit readiness. Terms include: Cloud Security Posture Management (CSPM), Misconfiguration, Benchmark, Control Baseline, and Continuous Compliance.

  6. Threat and Incident Management — covers detection, response, and forensic terminology. Terms include: Indicator of Compromise (IoC), Lateral Movement, Cloud SIEM, TTPs (Tactics, Techniques, and Procedures), and Mean Time to Detect (MTTD).

NIST SP 800-207 (Zero Trust Architecture) and NIST SP 800-53 Rev 5 (Security and Privacy Controls) provide authoritative definitions for terms spanning identity, access, and control domains. The FedRAMP program maintains a separate glossary that governs terminology used in federal cloud authorization packages.


Common scenarios

Regulatory audit preparation — Auditors conducting SOC 2 Type II assessments or FedRAMP authorization reviews require precise term alignment between policy documents, technical controls, and evidence packages. A control described as "encryption at rest" must match the cryptographic mechanism documented in the System Security Plan (SSP); a mismatch between the two is itself a reportable finding, independent of whether the underlying control works.

Vendor contract review — Service agreements reference terms such as "Shared Responsibility Model," "data sovereignty," and "logical isolation" with definitions that may differ from NIST or CSA standards. The shared responsibility model divides security obligations between cloud provider and customer differently across IaaS, PaaS, and SaaS — a distinction with direct liability implications.

Incident response communications — During active incidents, precise use of terms like "tenant isolation breach," "credential compromise," or "data exfiltration" determines regulatory notification obligations under frameworks including HIPAA (45 CFR §164.400–414) and state breach notification statutes. Cloud security incident response procedures depend on agreed-upon definitions established before an event occurs.

Tool procurement — Differentiating a Cloud Access Security Broker (CASB) from a CSPM platform or a Cloud-Native Application Protection Platform (CNAPP) requires understanding the functional scope each term describes. CNAPP is a compound category defined by Gartner that combines CWPP and CSPM capabilities under a single platform model — a market term that does not appear in NIST or CSA taxonomies.


Decision boundaries

Term selection carries decisional weight in 4 specific contexts:

NIST-defined vs. market-defined terms — NIST SP 800-145 and NIST SP 800-207 definitions are authoritative for federal procurement and FedRAMP packages. Vendor marketing terms (CNAPP, XDR, SSPM) are market constructs with no regulatory standing. Conflating the two in policy documents introduces audit risk.

Platform-specific vs. vendor-neutral terms — AWS uses "Security Groups" and "IAM Roles"; Azure uses "Network Security Groups" and "Managed Identities"; Google Cloud uses "Firewall Rules" and "Service Accounts." These platform-specific terms map to vendor-neutral concepts but are not interchangeable in technical documentation or infrastructure as code security configurations.
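The mapping described above, and the Posture and Compliance terms listed earlier (CSPM, misconfiguration, benchmark), can be shown in code. The following Python is an added example, not code from this glossary or from any cloud provider: it translates the three platform-specific constructs named above (AWS Security Group, Azure Network Security Group, Google Cloud Firewall Rule) into one vendor-neutral ingress-rule model, then runs the kind of benchmark check a CSPM tool applies, namely administrative ports reachable from any address. The input is a constructed, simplified subset of Terraform-style resources; the resource type names are Terraform's, but the field layout is an assumption made for illustration, not the exact provider schemas.

```python
"""Vendor-neutral view of platform-specific network rules (added example).

Input is a constructed, simplified subset of Terraform-style resources; the
field layout is an assumption for illustration, not the provider schemas.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ADMIN_PORTS = (22, 3389)  # SSH and RDP: the usual "open to the world" benchmark check


@dataclass(frozen=True)
class IngressRule:
    """One inbound allow rule, in vendor-neutral terms."""
    resource: str   # platform-specific origin, kept for the remediation ticket
    protocol: str   # normalized: tcp, udp, icmp or all
    port_from: int
    port_to: int
    source: str     # CIDR the rule accepts traffic from


def _ports(spec):
    """Map '22', '22-23', '*' or 'all' to an inclusive (lo, hi) port range."""
    spec = str(spec)
    if spec in ("*", "all"):
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _from_aws(name, body):
    # AWS "Security Group": stateful, allow-only; protocol "-1" means all.
    for r in body.get("ingress", []):
        proto = "all" if r["protocol"] == "-1" else r["protocol"].lower()
        lo, hi = (0, 65535) if proto == "all" else (r["from_port"], r["to_port"])
        for cidr in r.get("cidr_blocks", []):
            yield IngressRule(f"aws_security_group.{name}", proto, lo, hi, cidr)


def _from_azure(name, body):
    # Azure "Network Security Group": rules carry direction and Allow/Deny.
    for r in body.get("security_rule", []):
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        proto = "all" if r["protocol"] == "*" else r["protocol"].lower()
        lo, hi = _ports(r["destination_port_range"])
        src = r["source_address_prefix"]
        if src in ("*", "Internet"):  # Azure spellings of "anywhere"
            src = "0.0.0.0/0"
        yield IngressRule(f"azurerm_network_security_group.{name}", proto, lo, hi, src)


def _from_gcp(name, body):
    # GCP "Firewall Rule": VPC-scoped, one direction, allow blocks per protocol.
    if body.get("direction", "INGRESS") != "INGRESS":
        return
    for a in body.get("allow", []):
        for p in a.get("ports", ["all"]):
            lo, hi = _ports(p)
            for src in body.get("source_ranges", []):
                yield IngressRule(f"google_compute_firewall.{name}",
                                  a["protocol"].lower(), lo, hi, src)


PARSERS = {
    "aws_security_group": _from_aws,
    "azurerm_network_security_group": _from_azure,
    "google_compute_firewall": _from_gcp,
}


def normalize(resources):
    """Translate a {resource_type: {name: body}} map into IngressRule objects."""
    rules = []
    for rtype, instances in resources.items():
        parser = PARSERS.get(rtype)
        if parser is None:
            continue  # unknown type: never silently treat it as equivalent
        for name, body in instances.items():
            rules.extend(parser(name, body))
    return rules


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0; non-CIDR strings count as not open."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def admin_ports_open_to_world(rules):
    """Benchmark-style check: which resources expose SSH/RDP to any address."""
    findings = []
    for r in rules:
        if r.protocol in ("tcp", "all") and is_world_open(r.source):
            exposed = [p for p in ADMIN_PORTS if r.port_from <= p <= r.port_to]
            if exposed:
                findings.append((r.resource, exposed))
    return findings


SAMPLE = {  # constructed sample input, not real infrastructure
    "aws_security_group": {
        "web": {"ingress": [
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
            {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]},
        "bastion": {"ingress": [
            {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]},
    },
    "azurerm_network_security_group": {
        "app": {"security_rule": [
            {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
             "destination_port_range": "3389", "source_address_prefix": "*"},
            {"direction": "Inbound", "access": "Deny", "protocol": "*",
             "destination_port_range": "*", "source_address_prefix": "*"}]},
    },
    "google_compute_firewall": {
        "allow-ssh-internal": {"direction": "INGRESS", "source_ranges": ["10.0.0.0/8"],
                               "allow": [{"protocol": "tcp", "ports": ["22"]}]},
        "allow-all-egress": {"direction": "EGRESS", "allow": [{"protocol": "all"}]},
    },
}

if __name__ == "__main__":
    for resource, ports in admin_ports_open_to_world(normalize(SAMPLE)):
        print(f"{resource}: admin ports {ports} reachable from any address")
```

The vendor-neutral model exists for the check, not for the ticket: each finding keeps the platform-specific resource name, because the remediation has to be written against the construct the platform actually has (an AWS ingress rule, an Azure security rule, a GCP firewall rule), which is the point of the distinction drawn above. Note also that an Azure Deny rule and a GCP egress rule contribute nothing to the neutral model, and an unrecognized resource type is skipped rather than guessed at.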

Contractual vs. technical definitions — "Availability" in a Service Level Agreement (SLA) is a contractual term with a percentage threshold (e.g., 99.9% uptime). "Availability" in the CIA Triad (Confidentiality, Integrity, Availability) is a security property. Using the contractual definition in a security policy misframes the control objective.

Operational vs. architectural terms — A cloud misconfiguration risk is an operational category describing runtime state; the same misconfiguration mapped to adversary techniques in the MITRE ATT&CK Enterprise Matrix (Cloud platforms) is an architectural concern, because the mapping names the technique the flawed design enables. The distinction determines whether remediation is an operations ticket or a design change.

