Cloud Security Glossary
Key terms in cloud security, posture management, and infrastructure protection — explained for practitioners.
Agentless Scanning
Agentless cloud security scanning uses cloud APIs to assess security posture without deploying agents on workloads — faster to deploy, no performance overhead.
Attack Surface Management
Attack Surface Management (ASM) continuously discovers and monitors an organization's internet-facing assets to identify exposure before attackers exploit it.
CIEM
CIEM (Cloud Infrastructure Entitlement Management) analyzes and manages cloud IAM permissions at scale — finding unused access, over-privileged roles, and cross-account entitlement risks.
CIS Benchmarks
CIS Benchmarks are consensus-based security configuration guides for AWS, GCP, Azure, and Kubernetes used by CSPM tools to evaluate cloud security posture.
Cloud Misconfiguration
Cloud misconfigurations are incorrect or insecure settings in cloud resources — the #1 cause of cloud data breaches.
Cloud Workload Protection
Cloud Workload Protection Platforms (CWPP) provide runtime security for VMs, containers, and serverless functions, detecting threats during execution rather than at configuration time.
CNAPP
CNAPP (Cloud-Native Application Protection Platform) combines CSPM, CWPP, CIEM, and DSPM into a unified cloud security platform. Learn why most teams get 80% coverage from CSPM alone.
Compliance as Code
Compliance as Code encodes regulatory and security requirements as automated checks that run in CI/CD pipelines and CSPM tools, replacing manual audits with continuous validation.
Container Security
Container security covers the build, deploy, and run phases of containerized applications — from image scanning and admission control to runtime protection and pod security.
CSPM
CSPM (Cloud Security Posture Management) continuously monitors cloud infrastructure for misconfigurations, compliance violations, and security risks across AWS, GCP, Azure, and Kubernetes.
Data Residency
Data residency requires organizations to store and process data within specific geographic regions to comply with laws like GDPR, NIS2, and national sovereignty regulations.
Drift Detection
Configuration drift detection identifies when deployed cloud resources diverge from their declared state in Terraform, CloudFormation, or other IaC tools.
EBS Encryption
EBS encryption protects data at rest on AWS Elastic Block Store volumes using KMS keys. Unencrypted volumes are a common compliance finding in cloud security scans.
IAM Security
IAM security ensures that identity and access management policies follow least privilege, enforce MFA, and prevent credential abuse in cloud environments.
IMDSv2
IMDSv2 is AWS's security improvement to the Instance Metadata Service, requiring session tokens to prevent SSRF-based credential theft attacks.
Infrastructure as Code
Infrastructure as Code (IaC) defines and provisions cloud resources using declarative or imperative code, enabling version control, repeatability, and automated security scanning of infrastructure.
KSPM
KSPM (Kubernetes Security Posture Management) continuously monitors Kubernetes clusters for security misconfigurations in RBAC, pod security, network policies, and workload settings.
Lateral Movement
Lateral movement is a post-compromise technique where attackers use legitimate access to move between systems in a cloud environment, escalating privileges and expanding their foothold.
Least Privilege
The principle of least privilege grants users and services only the minimum permissions required to perform their tasks — critical for cloud security at scale.
Policy as Code
Policy as Code defines and enforces security and compliance policies programmatically using tools like OPA, Sentinel, and Kyverno, enabling shift-left prevention and runtime detection.
Secret Sprawl
Secret sprawl occurs when credentials, API keys, and tokens proliferate across code repositories, config files, CI/CD systems, and communication tools, creating untracked security exposure.
Security Groups
Cloud security groups are virtual firewalls controlling inbound and outbound traffic to resources. Common misconfigurations like 0.0.0.0/0 on SSH are a leading breach vector.
Shared Responsibility Model
The shared responsibility model defines the security boundary between cloud providers (security OF the cloud) and customers (security IN the cloud), and explains why CSPM exists: to cover the customer's side of that boundary.
Sovereign CSPM
Sovereign CSPM runs on your infrastructure — scans execute from your VMs, results stay in your database, and no cloud inventory data leaves your network.
Zero Trust
Zero Trust is a security architecture that eliminates implicit trust, requiring continuous verification of every user, device, and workload regardless of network location.