0-9
- 3rd Party
- Any vendor, partner, reseller or contractor that connects to public, hybrid or on-premise environments to access data or use enterprise or public applications. Third-party access is a common initial entry point for attackers, so it should be scoped, monitored and time-limited like any other privileged access.
A
- ACLs
- Access Control Lists (ACLs) indicate the permissions that subjects are granted regarding accessing or changing the objects within a system.
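An ACL check in working code, as an added example (not from the original glossary). It evaluates entries of the form (subject, object, permissions, allow/deny) with two rules a practitioner expects: an explicit deny beats any allow, and a subject with no matching entry gets nothing (default deny). The subjects, groups and objects are constructed for illustration.

```python
"""Evaluate an access control list (ACL) with explicit-deny precedence and
default deny. Added example; the ACL entries, subjects and objects below are
constructed for illustration, not taken from any real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    subject: str          # user name or "group:<name>"
    obj: str              # object the entry applies to
    perms: frozenset      # e.g. {"read", "write"}
    allow: bool = True    # False makes this an explicit deny entry


def is_permitted(acl, subject, groups, obj, perm):
    """Return True only if some matching entry allows `perm` on `obj` for
    `subject` (or one of its groups) and no matching entry explicitly denies it.
    With no matching entry at all the answer is False (default deny)."""
    principals = {subject} | {f"group:{g}" for g in groups}
    allowed = False
    for entry in acl:
        if entry.obj != obj or entry.subject not in principals or perm not in entry.perms:
            continue
        if not entry.allow:
            return False          # explicit deny wins over any allow
        allowed = True
    return allowed


# Constructed sample ACL: finance staff can read and write the ledger,
# everyone can read the handbook, and the contractor is explicitly denied
# ledger access even though it sits in the finance group.
SAMPLE_ACL = [
    AclEntry("group:finance", "ledger", frozenset({"read", "write"})),
    AclEntry("group:everyone", "handbook", frozenset({"read"})),
    AclEntry("contractor", "ledger", frozenset({"read", "write"}), allow=False),
]

if __name__ == "__main__":
    print(is_permitted(SAMPLE_ACL, "alice", {"finance", "everyone"}, "ledger", "write"))      # True
    print(is_permitted(SAMPLE_ACL, "contractor", {"finance", "everyone"}, "ledger", "read"))  # False
    print(is_permitted(SAMPLE_ACL, "bob", {"everyone"}, "ledger", "read"))                    # False
```

Default deny is the property to check first when reviewing any ACL implementation: a system that returns "allowed" for an object nobody has listed is the classic misconfiguration.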
- APIs
- An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build or use such a connection or interface is called an API specification. A computer system that meets this standard is said to implement or expose an API. The term API may refer either to the specification or to the implementation.
- AWS API Access Key
- The credential pair (access key ID and secret access key) of an AWS IAM user, distinct from username/password credentials because it is intended for programmatic use with the AWS API. The secret is used to sign each request and is never sent on the wire, but a leaked pair grants an attacker the same access as the user until the key is rotated or disabled.
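Because access keys end up in source code, configuration files and CI logs, the practical check is a scanner for the key formats. The following is an added example (not code from the glossary or from AWS): the regexes follow the published shape of AWS access key IDs (20 characters, prefix AKIA for long-term keys or ASIA for temporary credentials), and the sample text uses the AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY placeholders that AWS documentation itself uses.

```python
"""Scan text (a diff, config file or log) for AWS access key IDs and the
secret that usually accompanies them, then redact them. Added example; the
sample credentials file is constructed and uses AWS's documented placeholder
values, not real keys."""
import re

# Long-term (AKIA) and temporary (ASIA) key IDs: 4-char prefix + 16 uppercase
# alphanumerics, not embedded in a longer alphanumeric run.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret keys are 40 base64-like characters; on their own that is too generic,
# so only match them when they follow a secret-key label.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_aws_credentials(text):
    """Return a list of (kind, value) tuples for every credential found."""
    found = [("access_key_id", m.group(0)) for m in ACCESS_KEY_ID_RE.finditer(text)]
    found += [("secret_access_key", m.group(1)) for m in SECRET_KEY_RE.finditer(text)]
    return found


def redact(text):
    """Replace each credential with a marker that keeps the first 4 chars of
    key IDs (enough to identify the key for rotation) and nothing of secrets."""
    text = SECRET_KEY_RE.sub(lambda m: m.group(0).replace(m.group(1), "<REDACTED_SECRET>"), text)
    return ACCESS_KEY_ID_RE.sub(lambda m: m.group(0)[:4] + "****************", text)


# Constructed sample: a credentials file accidentally committed to a repo.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

if __name__ == "__main__":
    for kind, value in find_aws_credentials(SAMPLE):
        print(kind, value)
    print(redact(SAMPLE))
```

Run this as a pre-commit hook or over CI output; a hit means the key must be treated as compromised and rotated, since redacting the copy in the repository does not undo the exposure.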
- AWS EC2
- Amazon Elastic Compute Cloud, the AWS service for server workloads, mostly used for virtual machines (instances) run by customers on AWS infrastructure.
- Access Policy
- For every connection established, a network must determine which users (and/or devices) are permitted to access which resources (e.g. services, gateways), and under which circumstances (e.g. from certain locations). SDPs provide policy decision points and policy enforcement points for connections. A cloud service provider (CSP), who elects to protect its resources behind a SDP, must develop a balanced “registered user access control policy”, as an undue restricted policy is likely to result in the denial of access/service. Expected access control policy’s performance attributes should become a part of the service level agreement (SLA).
- Air-Gapped Networks
- An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).
- Application Container
- An application container is a construct designed to package and run an application or its components running on a shared operating system. Application containers are isolated from other application containers and share the resources of the underlying operating system, allowing for efficient restart, scale-up, or scale-out of applications across clouds. Application containers typically contain microservices.
- Application Layer
- Layer of the TCP/IP protocol stack that sends and receives data for particular applications such as DNS, HTTP, and SMTP.
- Application Monitoring
- The collection of application-related events such as logins, access to sensitive data, transactions and administrative activity, so that they can be reviewed and alerted on.
- Application Programming Interface (API)
- A system access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality.
- Asymmetric Keys
- In asymmetric (public-key) cryptography, also called an asymmetric cipher, the encryption key and the decryption key are separate. Each party holds a key pair: a public key that is shared openly and a private key that is never shared with anyone. Anyone holding the public key can encrypt to the owner or verify the owner's signatures; only the private key can decrypt or sign.
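The public/private split in working code, as an added example (not from the glossary): textbook RSA on the small p=61, q=53, e=17 parameters used in most walk-throughs, showing that encryption and signature verification need only the public key while decryption and signing need the private key. Toy key sizes and no padding, so it illustrates the concept and nothing more.

```python
"""Textbook RSA on tiny numbers to show the public/private key split. Added
example: parameters are the well-known p=61, q=53, e=17 walk-through values;
no padding and 12-bit modulus, never use this for real data."""
import hashlib


def generate_keypair(p, q, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)           # Euler's totient for n = p*q
    d = pow(e, -1, phi)               # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)             # (public key, private key)


def encrypt(public_key, m):
    """Anyone with the public key can do this."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of d can recover m."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, message):
    """Only the private key can produce a value that verifies under e."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key, message, signature):
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


public, private = generate_keypair(61, 53)

if __name__ == "__main__":
    c = encrypt(public, 65)
    print(c, decrypt(private, c))                                     # 2790 65
    s = sign(private, b"hello")
    print(verify(public, b"hello", s), verify(public, b"hellp", s))  # True False
```

Real deployments use 2048-bit or larger moduli, padding schemes such as OAEP and PSS, and a library rather than hand-rolled arithmetic; the point here is which key does which job.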
- Authentication
- Authentication is the process of determining the identity of a client. The details depend on the platform (the description here follows Google Cloud Storage), but flows fall into two general types: 1: A server-centric flow allows an application to directly hold the credentials of a service account to complete authentication. 2: A user-centric flow allows an application to obtain credentials from an end user.
- Authentication Services
- The function or API or process of determining if someone or something is who or what it is declared to be.
- Authorization
- Authorization is the process of determining what permissions an authenticated identity has on a set of specified resources. OAuth 2.0 uses scopes to determine if an authenticated identity is authorized. Applications use a credential (obtained from a user-centric or server-centric authentication flow) together with one or more scopes to request an access token from a Google authorization server to access protected resources.
- Authorization Services
- A function, API or process that facilitates access control to restricted areas of the operating system/application/service/data and allows the administrator to restrict a user’s or device’s access to particular features.
- Automated Failover
- A configuration in a High Availability architecture that enables traffic to route to online Nodes in the event of failure of one or more Nodes.
- Availability
- The ability of a configuration item or IT service to perform its agreed function when required. Availability is usually expressed as a percentage, typically Availability (%) = (Agreed Service Time - Downtime) / Agreed Service Time x 100. It is best practice to calculate availability using measurements of the business output of the IT service rather than component uptime alone.
B
- BGP (border gateway protocol)
- Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP is classified as a path-vector routing protocol, and it makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator. BGP itself does not authenticate who is entitled to originate a prefix, which is why route hijacks and leaks are possible without additional controls such as route origin validation.
- Black Box
- Idealized mechanism that accepts inputs and produces outputs, but is designed such that an observer cannot see inside the box or determine exactly what is happening inside that box.
C
- CDN (Content Delivery Network)
- A CDN is a system of servers distributed across a network. CDN servers cache and deliver web content from the locations closest to users based on their geographic location, improving delivery by speeding up page loads and optimizing overall network performance.
- CI/CD
- Continuous integration (CI) and continuous delivery (CD), also known as CI/CD, embodies a culture, operating principles, and a set of practices that application development teams use to deliver code changes more frequently and reliably. By automating integration and delivery, CI/CD lets software development teams focus on meeting business requirements while ensuring code quality and software security. The pipeline itself is part of the software supply chain: whoever can modify it or its secrets can modify what reaches production, so it needs the same access control as production.
- Cache
- A cache holds copies of data, in memory or on fast local disk, so that repeated reads are served without returning to the source system. Caching is a common requirement for building scalable microservice applications; cached copies of sensitive data need the same access controls as the original.
- Capacity Planning
- The process for assuring that the capacity (CPU power, network bandwidth, etc.) to deliver a service is continuously in line with the demand for that service.
- Certificate Authority (CA)
- A trusted entity that issues and revokes public key certificates. SDP architectures rely on a CA, which the controllers use as a root of trust and for generation of the TLS certificates. SDPs can also leverage U2F or UAF for user or device authentication without additional CA requirements, separate from the CA utilized for mutual TLS.
- Change Logs
- From a security standpoint, monitoring the change logs and comparing them to the changes approved in configuration management can detect an unauthorized change in the environment: any observed change with no matching approved record is a candidate incident.
- Change Management
- The process of managing the life cycle of changes in the IT environment. Change is a major pattern that acts as an intermediary between request, release and configuration/provisioning. Change management allows for management of scope, impact analysis, as well as scheduling of change. Change management provides one of the primary inputs into configuration management from a data maintenance perspective to keep application data up to date.
- Cloud Access Security Broker (CASB)
- On-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement.
- Cloud Monitoring
- Collection of events associated with the usage of the services provided by cloud solutions at all layers of the application stack.
- Cloud Security Posture Management (CSPM)
- Security technology that can discover, assess, and resolve cloud infrastructure misconfigurations vulnerable to attack.
- Cloud-delivered
- Any application or service delivered from a public cloud environment. These applications or services often achieve higher levels of availability and performance than applications delivered from data centers or private cloud environments.
- Cloud-native
- An application or service built to leverage specific public cloud features, frequently PaaS features, that enable advanced scalability or speed of innovation difficult to achieve outside public cloud environments. These applications or services frequently suffer from vendor lock-in with a single provider but receive substantial benefit as a trade-off.
- Configuration Management
- The process and procedures for managing the configuration of assets (servers, storage arrays, network equipment, etc.) to assure that their configuration as deployed matches that specified by policy, standards and guidelines.
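The detection the Change Logs entry above describes, reconciling observed changes against approved change records, as an added example (not from the glossary or any product). The change-log line format, the field names and the approved-change records are constructed for illustration.

```python
"""Reconcile observed configuration changes against approved change records
and flag anything unapproved. Added example: the log lines, the approved
change list and the line format are constructed, not a real product's format."""
from datetime import datetime

# Constructed: what the change-management system approved, with the window
# in which the change was allowed to happen.
APPROVED_CHANGES = [
    {"id": "CHG-1001", "host": "web-01", "item": "nginx.conf",
     "window_start": "2024-05-02T09:00:00", "window_end": "2024-05-02T11:00:00"},
    {"id": "CHG-1002", "host": "db-01", "item": "pg_hba.conf",
     "window_start": "2024-05-02T20:00:00", "window_end": "2024-05-02T22:00:00"},
]

# Constructed change-log lines: timestamp host item actor
CHANGE_LOG = """\
2024-05-02T09:15:00 web-01 nginx.conf deploy-bot
2024-05-02T13:40:00 web-01 sshd_config root
2024-05-02T20:30:00 db-01 pg_hba.conf dba
2024-05-03T02:10:00 db-01 pg_hba.conf root
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, host, item, actor = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "item": item, "actor": actor})
    return events


def approving_change(event, approved):
    """Return the ID of an approved record covering this event: same host and
    item, and the change happened inside the approved window. None otherwise."""
    for chg in approved:
        if chg["host"] == event["host"] and chg["item"] == event["item"]:
            start = datetime.fromisoformat(chg["window_start"])
            end = datetime.fromisoformat(chg["window_end"])
            if start <= event["ts"] <= end:
                return chg["id"]
    return None


def find_unauthorized(log_text, approved=APPROVED_CHANGES):
    """Every logged change with no approving record."""
    return [e for e in parse_log(log_text) if approving_change(e, approved) is None]


if __name__ == "__main__":
    for e in find_unauthorized(CHANGE_LOG):
        print(f"UNAPPROVED {e['ts'].isoformat()} {e['host']} {e['item']} by {e['actor']}")
```

Note that the second pg_hba.conf edit is flagged even though an approval exists for that file: it happened outside the approved window, which is exactly the case a host-and-item match alone would miss.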
- Container
- A container is a packaging of software that includes all of its dependencies and libraries. Unlike virtual machines, containers do not include their own operating system kernel: they share the host kernel, much as VMs rely on a hypervisor, which is why isolation between containers is weaker than isolation between VMs and why a kernel vulnerability affects every container on the host.
- Container Management Platform
- A container management platform is an application designed to manage containers and their various operations, including but not limited to deployment, configuration, scheduling, and destruction.
- Container Orchestration
- Container orchestration is the automation of much of the operational effort required to run containerized workloads and services. This includes a wide range of things software teams need to manage a container’s lifecycle, including provisioning, deployment, scaling (up and down), networking, load balancing and more.
- Container Repo
- A container repository is a collection of related container images used to provide different versions of an application. A container typically consists of a container image, which is a file that has anything that a piece of software may need to run — this includes multiple layers of code, resources and tools.
- Containers
- Software containers are a convenient way to run your apps in multiple isolated user-space instances. You can run containers on Linux or Windows Server public VM images, or on a Container-Optimized OS image. Containers let your apps run with fewer dependencies on the host virtual machine (VM) and run independently from other containerized apps that you deploy to the same VM instance. These characteristics make containerized apps more portable, easier to deploy, and easier to maintain at scale.
- Control Plane
- Refers to communications between applications, network nodes, services, or other components explicitly for the purpose of passing configuration or other metadata. Often also called the Management Plane, although some architectures treat administrative access (management) and signalling between components (control) as separate planes.
- Customer environment
- Any environment in the cloud, at a branch office or in a home from which a customer accesses applications or services provided by a third party such as a SaaS application provider. These environments are managed by the customer's IT team and vary widely in configuration standards, security, and architecture. They are outside the control of the application or service provider.
D
- DMZ (Demilitarized Zone)
- In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an internal network and an external network. Connections from both the internal and the external network into the DMZ are permitted, whereas connections originating in the DMZ are permitted only toward the external network: hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case an intruder compromises a host in the DMZ. For an attacker on the external network, the DMZ is a dead end. In practice a DMZ host is often granted a few narrow, explicitly listed paths to internal services (for example a single database port); keep those exceptions minimal, because they are exactly what an attacker who compromises the DMZ host will try to use.
- DNS
- The Domain Name System (DNS) is the hierarchical and decentralized naming system used to identify computers reachable through the Internet or other Internet Protocol (IP) networks. The resource records contained in the DNS associate domain names with other forms of information.
- Data Plane
- Communication between applications, network nodes, services or other components for the purpose of carrying payload data: anything that is not configuration or metadata, such as personal health information (PHI), payment data or other user traffic. Software-defined network architectures separate the control of connections (the control plane) from the connections that actually transfer data, and the data-plane path may not exist until the control plane has established it. In an SDP the data plane consists of two-way encrypted connections, typically using mutual TLS or another mutual authentication mechanism.
- Data Privacy
- Legislation has been passed in many jurisdictions around the world to ensure the right of privacy for individuals. As enterprise data sets typically sprawl across dozens or hundreds of locations, cataloging the data is essential to be able to honor "right to be forgotten" requests, which many jurisdictions require.
- Data Residency
- Data residency refers to where a business, industry body or government specifies that their data is stored in a geographical location of their choice, usually for regulatory or policy reasons.
- Data Segregation
- Data segregation is the process and set of controls that ensure data is kept separate in a multi-tenant environment, so that each tenant has access to its own data and nothing else.
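The most common segregation failure in shared-database multi-tenant applications is a lookup keyed on a record ID alone, so that one tenant can read another tenant's rows by guessing IDs. The following is an added example (not from the glossary) showing the vulnerable lookup beside the tenant-scoped one, using an in-memory SQLite table with constructed rows; the table and column names are assumptions.

```python
"""Tenant scoping in a multi-tenant data store: the insecure lookup trusts the
caller-supplied record ID alone, the hardened one binds every query to the
authenticated tenant. Added example; SQLite in-memory table and rows are
constructed for illustration."""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        (1, "acme", 100),
        (2, "globex", 250),   # belongs to a different tenant than acme
    ])
    return db


def get_invoice_insecure(db, invoice_id):
    """Vulnerable: any tenant that guesses an ID reads another tenant's row,
    because the query never mentions which tenant is asking."""
    return db.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice(db, tenant_id, invoice_id):
    """Hardened: tenant_id comes from the authenticated session, never from the
    request body, and every query carries it as a predicate."""
    return db.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id),
    ).fetchone()   # None both for "no such row" and "row belongs to someone else"


if __name__ == "__main__":
    db = build_db()
    print(get_invoice_insecure(db, 2))      # acme's session can read globex's invoice
    print(get_invoice(db, "acme", 2))       # None
    print(get_invoice(db, "globex", 2))     # (2, 'globex', 250)
```

Returning the same "not found" result for a missing row and for another tenant's row avoids turning the endpoint into an oracle for which IDs exist. Putting the tenant predicate in one shared data-access layer (or enforcing it with row-level security in the database) is more reliable than remembering it in every query.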
- Denial of Service (DoS)
- The act of making a system, feature or resource unavailable for intended users. In cloud testing, denial of service often takes the form of destruction or encryption of cloud resources, disablement of accounts, credentials or users.
- DevOps
- DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from the Agile way of working.
- DevOpsSec
- SecDevOps (also known as DevSecOps and DevOpsSec) is the process of integrating secure development best practices and methodologies into development and deployment processes which DevOps makes possible.
- Disaster Recovery
- A configuration that enables traffic to be routed to the remaining online sites in the event of failure of one or more sites, together with the plans and procedures for restoring service there.
- Distributed application
- An application whose components (services, hosts, containers, APIs, etc) are deployed across a hybrid or distributed environment.
- Docker
- Docker is a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers. The service has both free and premium tiers. The software that hosts the containers is called Docker Engine. It was first released in 2013 and is developed by Docker, Inc.
E
- ETL
- Extract, transform, load (ETL) is a three-phase process in which data is extracted, transformed (cleaned, sanitized, scrubbed) and loaded into an output data container. The data can be collated from one or more sources and written to one or more destinations. ETL processing is typically executed using software applications but can also be done manually by system operators. ETL software typically automates the entire process and can be run manually or on recurring schedules, either as single jobs or aggregated into a batch of jobs.
- Edge
- The edge, or network edge, is the software or systems deployed furthest from the centralized management and control tools. For ISPs and application providers the edge can be retail stores, offices or home offices. For CDNs it is the local points of presence (PoPs) by region. For public cloud, edge usually refers to the provider's availability zones (AZs).
- Edge Computing
- Deploying software as containers, VMs, or scripts to operate at the edge, usually on an appliance. The software is frequently integrated into centralized orchestration tools to patch, update and support.
- Endpoint
- Endpoints are the devices that users interact with when using an IT solution. They are called Endpoints because they are at the edge of the solution or architecture where technology meets humans.
- Enterprise Application
- Any application hosted by an enterprise for use by internal employees or third parties.
- Extranet-as-a-service (EaaS)
- A NaaS designed and implemented specifically to connect an organization or provider to customers, vendors, or other 3rd parties. Legacy solutions typically relied on IPSec VPN or MPLS connectivity. Modern solutions include software defined networking, IdP integration, zero trust network access (ZTNA), multi-tenant network overlays, and NAT management at scale.
F
- Firewall
- An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network. Typically firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.
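A firewall rule set is only as good as its evaluation order and its default, so here is the DMZ zone policy from the DMZ entry above expressed as first-match rules with an implicit default deny, as an added example (not from the glossary). The zone address ranges, the rule list and the test traffic are constructed for illustration.

```python
"""First-match, default-deny firewall rule evaluation with the three-zone DMZ
policy. Added example; the zone address ranges and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),      # documentation range used as the DMZ
    "external": ipaddress.ip_network("0.0.0.0/0"),    # everything else
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None = any port
    action: str               # "allow" or "deny"


# Zone policy from the DMZ definition: internal and external may reach the DMZ,
# the DMZ may reach only external, and nothing reaches internal from outside.
RULES = [
    Rule("external", "dmz", 443, "allow"),
    Rule("internal", "dmz", None, "allow"),
    Rule("dmz", "internal", None, "deny"),
    Rule("dmz", "external", None, "allow"),
    Rule("internal", "external", None, "allow"),
]


def zone_of(ip):
    """Most specific zone first; 0.0.0.0/0 catches whatever the others miss."""
    addr = ipaddress.ip_address(ip)
    for name in ("internal", "dmz", "external"):
        if addr in ZONES[name]:
            return name
    raise ValueError("address matches no zone")


def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return (action, matching rule). First matching rule wins; with no match
    the answer is deny and the rule is None, so the default is explicit."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action, rule
    return "deny", None


if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.5", "192.0.2.10", 443))   # allow: internet to DMZ web
    print(evaluate(RULES, "192.0.2.10", "10.1.2.3", 5432))     # deny: compromised DMZ host to DB
    print(evaluate(RULES, "203.0.113.5", "10.1.2.3", 22))      # deny: no rule, default applies
```

The case worth checking on a real firewall is the last one: traffic that no rule mentions. A rule base with no final deny, or with a broad "allow any" early in the order, quietly turns the DMZ into a transit path.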
G
- Gateway
- An appliance or process that, once a user or device has been authorized, grants it access to protected processes and services. The gateway can also monitor, log and report on those connections.
H
- High Availability (HA)
- High availability means that an IT system, component, or application can operate at a high level, continuously, without intervention, for a given time period. High-availability infrastructure is configured to deliver quality performance and handle different loads or failures with minimal or zero downtime. HA architectures deploy two or more Nodes in order to facilitate continued operation in the event one or more of the Nodes fails.
- Hub-and-Spoke Architecture
- A network architecture where each node communicates to other nodes only through a centralized gateway or node that routes traffic to the appropriate node on the network.
- Hybrid (distributed) environment
- An environment that spans public/private cloud, data center, branch office, home office or other on-premise locations. These environments are frequently connected via encrypted tunnels or direct connections. One or many applications may operate across the individual environments.
- Hybrid Cloud
- The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
- Hypertext Transport Protocol Secure (HTTPS)
- A secure network communication method rather than a protocol in its own right: HTTPS is the result of layering the hypertext transfer protocol (HTTP) on top of the SSL/TLS protocol, adding the confidentiality, integrity and server authentication of SSL/TLS to standard HTTP communications. All SSL versions and early TLS versions are deprecated; current deployments should use TLS 1.2 or 1.3.
I
- IPv4
- Internet Protocol Version 4 is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It still routes most Internet traffic today, despite the ongoing deployment of a successor protocol, IPv6.
- IPv6
- Internet Protocol Version 6 is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion.
- Identity Provider (IdP)
- A provider of authentication services that also includes 2FA/MFA, password management policies, geographical restrictions and other advanced authentication services. These products integrate with applications, cloud providers, and services such as ZTNA to enable a single user account to access all services that policy allows.
- Identity and Access Management (IAM)
- The set of technology, policies, and processes that are used to manage access to resources.
- Incident Response Plan
- A clear set of instructions that helps an organization prepare, detect, analyze and recover from an incident.
- Infrastructure as a Service (IaaS)
- Offers access to a resource pool of fundamental computing infrastructure, such as compute, network, or storage.
- Internet Protocol Security (IPSec)
- Provide(s) interoperable, high quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, detection and rejection of replays (a form of partial sequence integrity), confidentiality (via encryption), and limited traffic flow confidentiality.
J
K
- Kubernetes
- Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
L
- Least-Privileged Access
- Least-privileged access is the idea that any given user should be granted the minimum level of access necessary to perform their assigned function. Least-privileged access attempts to reduce exposure by curtailing unauthorized access to applications or resources and restricting lateral movement across the network.
M
- Mesh Architecture
- A network architecture where each node on the network may communicate directly with other nodes on the network, bypassing centralized gateways.
- Micro-segmentation
- Is the technique of creating secure zones within a data center and cloud deployments that allow the organization to separate and secure each workload. This makes network security more granular and effective. These secure zones are created based on business services, and rules are defined to secure information workflow.
- Microservices
- A microservice is a basic element that results from the architectural decomposition of an application’s components into loosely coupled patterns consisting of self-contained services that communicate with each other using a standard communications protocol and a set of well-defined APIs, independent of any vendor, product, or technology. Microservices are built around capabilities as opposed to services, build on SOA, and are implemented using Agile techniques. Microservices are typically deployed inside application containers.
- Microservices Architecture
- A microservices architecture usually refers to an application that has been structured to use basic elements called microservices, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API. These services are built around business capabilities and are independently deployable by fully automated deployment machinery. There is a bare minimum of centralized management of these services, which may be written in different programming languages and use different data storage technologies.
- Multi Factor Authentication (MFA)
- A form of authentication that relies on two or more 'factors' of different kinds, where a factor is 'something you have' such as a smartcard or authenticator app, 'something you know' such as a password or PIN, or 'something you are' such as a fingerprint or a behavioral trait like keyboard cadence. Two factors of the same kind (two passwords) do not count as multi-factor.
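The "something you have" factor in most authenticator apps is a time-based one-time code. The following is an added example (not from the glossary) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library; the shared secret is the ASCII test secret from RFC 4226 and the expected codes are the RFC's own test vectors. The verifier accepts one step of clock drift either side and compares in constant time.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time codes. Added example; the
secret is the RFC 4226 test secret, not a real enrolment."""
import hashlib
import hmac
import struct
import time

RFC4226_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP is HOTP with the counter derived from Unix time divided by the step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, submitted, at=None, step=30, window=1):
    """Accept the current step and `window` steps either side to absorb clock
    skew; compare in constant time so timing does not leak digits. A real
    deployment must also record accepted codes so one cannot be replayed
    within the window, and rate-limit attempts."""
    now = time.time() if at is None else at
    counter = int(now // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), submitted):
            return True
    return False


if __name__ == "__main__":
    print([hotp(RFC4226_SECRET, c) for c in range(3)])   # ['755224', '287082', '359152']
    print(totp(RFC4226_SECRET, at=59))                    # '287082' (counter 59 // 30 = 1)
```

A six-digit code has only a million values, so the verifier's rate limiting matters as much as the HMAC: without it an attacker can simply iterate.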
- Multi-cloud
- Multicloud (also spelled multi-cloud or multi cloud) is a company’s use of multiple cloud computing and storage services from different vendors in a single heterogeneous architecture to improve cloud infrastructure capabilities and cost. It also refers to the distribution of cloud assets, software, applications, etc. across several cloud-hosting environments. With a typical multicloud architecture utilizing two or more public clouds as well as multiple private clouds, a multicloud environment aims to eliminate the reliance on any single cloud provider.
- Multi-tenanted
- Any environment, network, application or service designed to serve multiple customers from a single instance or deployment. In networking this is frequently facilitated with the use of VLANs or VRFs in a process known as segmentation, to prevent one customer's data from being accessed by another.
- Multiprotocol Label Switching (MPLS)
- An Internet Engineering Task Force (IETF)-specified framework that provides for the efficient designation, routing, forwarding, and switching of traffic flows through the network. MPLS performs the following functions: specifies mechanisms to manage traffic flows of various granularities, remains independent of the Layer-2 and Layer-3 protocols, provides a means to map IP addresses to simple, fixed-length labels used by different packet-forwarding and packet-switching technologies, interfaces to existing routing protocols, and supports the IP, ATM, and frame-relay Layer-2 protocols. MPLS separates traffic but does not encrypt it; confidentiality on an MPLS circuit requires IPsec or TLS on top.
- Mutual Transport Layer Security (mTLS)
- An approach in which each microservice can identify the peer it talks to, in addition to achieving confidentiality and integrity of the transmitted data. Each microservice in the deployment carries a public/private key pair and a certificate binding the public key to its identity, and uses them to authenticate to the recipient microservice via mTLS, while the recipient does the same in return. Both sides must validate the peer certificate against a trusted CA and check its identity; an mTLS setup that accepts any certificate authenticates nothing.
N
- Network Address Translation (NAT)
- The process of mapping unique IP or network addresses to other unique IP or network addresses for the purpose of routing traffic in environments where all IP addresses may not be routable, public, or unique.
- Network Segmentation
- Splitting a network into sub-networks, for example, by creating separate areas on the network which are protected by firewalls configured to reject unnecessary traffic. Network segmentation minimizes the harm of malware and other threats by isolating it to a limited part of the network.
- Network overlay
- Network overlays are a method of using software virtualization to create additional layers of network abstraction (or software-based network overlays) that can be run on top of the physical network, often providing new applications or security benefits.
- Network-as-a-Service (NaaS)
- Any network provided and managed by a third party on the LAN, WAN, in the datacenter or in the cloud. This removes the responsibility to manage hardware, security and most support responsibilities. Customers typically must still manage configuration and integration with applications and non-native security services.
- Next Generation Firewall (NGFW)
- Deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or non enterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated.
- Node
- A single instance on a network capable of routing or processing traffic.
O
- On-premise
- Any location that may house users, machines, devices, hosts or systems that operate outside of public or private cloud environments.
- OpenID
- OpenID Connect (OIDC), an identity layer on top of OAuth 2.0, is the standard most Identity Providers implement so that applications and services can delegate authentication to the IdP and receive a signed ID token describing the user. The original OpenID 2.0 protocol is obsolete.
P
- PKI
- Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates to support the use of public key cryptography for all participants in the business community. Components include registration authorities and certificate authorities. The PKI is typically a hierarchical model that consists of the root certificate authorities, registration authorities, and certificate authorities.
- Penetration Testing
- A method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access); also referred to as a pentest.
- Public Application
- Any application hosted by an application provider for use by customers.
- Public Cloud
- Any cloud infrastructure provided ‘as a Service’ or utilization based that delivers infrastructure in a multi-tenant architecture. These environments can be categorized as IaaS (infrastructure as a service), PaaS (platform as a service), or SaaS (software as a service).
- Public Key Infrastructure (PKI)
- The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates.
Q
R
- Remote Survivability
- The ability for software deployed on the edge (edge computing) to continue to operate when connectivity is lost to the internet or centralized applications components. This is especially critical in areas such as healthcare where the software may be partly responsible for life and death outcomes but can be found in every major market.
- Role Based Access Control (RBAC)
- Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.
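RBAC with a role hierarchy, as an added example (not from the glossary): permissions attach to roles, users are assigned roles, and a senior role inherits what the roles beneath it hold. It also includes the least-privilege review check described in the Least-Privileged Access entry, listing permissions a user holds but does not need. Roles, permissions and assignments are constructed for illustration.

```python
"""Role-based access control with inheritance through a role hierarchy, plus a
least-privilege review helper. Added example; the role graph, permissions and
user assignments are constructed for illustration."""
from collections import deque

# Constructed role graph: each role lists the roles it inherits from.
ROLE_PARENTS = {
    "employee": [],
    "developer": ["employee"],
    "sre": ["developer"],
    "auditor": ["employee"],
}

# Constructed direct permissions per role (inherited ones are not repeated).
ROLE_PERMS = {
    "employee": {"wiki:read"},
    "developer": {"repo:read", "repo:write"},
    "sre": {"prod:deploy", "prod:ssh"},
    "auditor": {"logs:read"},
}

# Constructed user-to-role assignments. Least privilege means giving the
# narrowest role that covers the job: the auditor never gets "sre".
USER_ROLES = {
    "alice": {"sre"},
    "bob": {"developer"},
    "carol": {"auditor"},
}


def effective_roles(role):
    """All roles reachable from `role` through parent links (BFS), itself included."""
    seen, queue = set(), deque([role])
    while queue:
        r = queue.popleft()
        if r in seen:
            continue
        seen.add(r)
        queue.extend(ROLE_PARENTS.get(r, []))
    return seen


def effective_permissions(user):
    """Union of the permissions of every role the user holds, directly or by inheritance."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        for r in effective_roles(role):
            perms |= ROLE_PERMS.get(r, set())
    return perms


def has_permission(user, perm):
    return perm in effective_permissions(user)


def excess_permissions(user, needed):
    """Least-privilege review: permissions the user holds but does not need."""
    return effective_permissions(user) - set(needed)


if __name__ == "__main__":
    print(sorted(effective_permissions("alice")))
    print(has_permission("carol", "prod:deploy"))                         # False
    print(sorted(excess_permissions("bob", {"repo:read", "wiki:read"})))  # ['repo:write']
```

Role hierarchies are convenient but make inherited rights easy to overlook; running the excess-permissions check against what each job actually requires is how the least-privilege principle gets enforced in practice rather than assumed.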
S
- SLAs
- A Service-Level Agreement (SLA) is a negotiated agreement between two parties, where one is the customer (or end-user) and the other is the service provider. This can be a legally binding formal contract or an informal 'contract' (for example, between internal departments). The SLA records a common understanding about services, priorities, responsibilities, guarantees, and warranties. The SLA may specify the levels of availability, serviceability, performance, operation, or other attributes of the service, such as billing. The 'level of service' can also be specified as 'target' and 'minimum,' which allows customers to be informed what to expect (the minimum) while providing a measurable (average) target value that shows the level of organizational performance. In some contracts, penalties may be agreed upon in the case of non-compliance with the SLA. It is important to note that the 'agreement' relates to the services the customer receives, and not how the service provider delivers that service. SLAs commonly include segments to address: a definition of services, performance measurement, problem management, customer duties, warranties, disaster recovery and termination of the agreement.
- Secure Access Service Edge (SASE)
- Secure access service edge, or SASE (pronounced "sassy"), is a framework defined by Gartner in 2019 as a way to securely connect entities, such as users and machines, to applications and services from anywhere. SASE combines wide-area networking (WAN) capabilities with security functions, such as SWG, CASB, FWaaS, and ZTNA, into a single cloud-based solution that is delivered as a service. Services are delivered at the "edge" of a distributed cloud architecture, pushing them as close as possible to users for a fast experience with the fewest hops. SASE assists organizations in making a secure, seamless transition to the cloud from legacy hardware in data centers, while securing access to cloud applications and reducing costs.
- Secure Web Gateway
- A secure web gateway provides threat protection and policy enforcement for users accessing the web. It prevents users from accessing infected websites and prevents infected or otherwise unwanted traffic from entering an organization’s internal network. It is used by enterprises to protect their employees from accessing and being infected by malicious web traffic, websites, and viruses/malware.
- Security Service Edge (SSE)
- The security service edge (SSE), as defined by Gartner, is a convergence of network security services—namely SWG, CASB, and ZTNA—delivered from a purpose-built cloud platform. Where SASE focuses on access services, as the name implies, you could consider SSE a subset of SASE focused squarely on security services.
- Site
- A physical location containing one or more environments.
- Software Lifecycle Management
- A process that aims to develop software at the lowest cost, with the highest quality, and in the shortest time. It also includes detailed documentation of how to develop, extend, and maintain the software system. A Software Development Life Cycle involves several distinct stages, including requirements gathering, planning/designing, building, testing, and finally deployment.
- Software-Defined Network (SDN)
- An approach to computer networking that allows network administrators to manage network services through abstractions of higher-level functionality. SDNs manage the networking infrastructure. This is done by decoupling the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane).
- Software-Defined Perimeter (SDP)
- A network security architecture that is implemented to provide security at Layers 1-7 of the OSI network stack. An SDP implementation hides assets and uses a single packet to establish trust via separate control and data planes prior to allowing connections to the hidden assets. It is a secure perimeter, created based on policies, that isolates services from unsecured networks. It is designed to provide an on-demand, dynamically provisioned air-gapped network by first authenticating users and devices and then authorizing the user/device combination to securely connect to the isolated services. Unauthorized users and devices are unable to connect to the protected resources. SDPs make extensive use of encryption, including mutual TLS for inter-component communications and an HMAC within the single-packet authorization packet.
- Software-Defined Wide Area Network (SD-WAN)
- Provides a replacement for traditional WAN routers and is agnostic to WAN transport technologies. SD-WAN provides dynamic, policy-based, application-aware path selection across multiple WAN connections and supports service chaining for additional services such as WAN optimization and firewalls.
T
- TCP / IP Ports
- In computer science, ports are of two types: physical ports (a physical docking point where other devices connect) and logical ports (a software-defined endpoint through which data flows over a network, identified by a number in the TCP or UDP header). The security concerns discussed here relate to logical ports.
- Transmission Control Protocol/ Internet Protocol (TCP/IP)
- A set of protocols covering (approximately) the network and transport layers of the seven-layer OSI network model. Software-defined network communications between the Client, Controller, and Gateway use TCP/IP ports.
- Transport Layer Security (TLS)
- A cryptographic protocol, successor to SSL, that provides security for communications over a computer or IP network. SDPs utilize a mutual TLS (mTLS) connection between pairs of components, in which both components validate the authenticity of the other component while establishing a secure connection.
- Trusted Platform Module (TPM)
- A cryptographic microprocessor designed to secure hardware by integrating cryptographic keys and services. A TPM functions as a root of trust for storage, measurement, and reporting. TPMs are currently included in many computing devices.
U
- User Datagram Protocol (UDP)
- A lightweight data transport protocol that works on top of IP. UDP provides a mechanism (a checksum) to detect corrupt data in packets, but it does not attempt to solve other problems that arise with packets, such as lost or out-of-order packets. That is why UDP is sometimes known as the Unreliable Data Protocol. UDP is simple but fast, at least in comparison to other protocols that work over IP. It is often used for time-sensitive applications (such as real-time video streaming) where speed is more important than reliability.
V
- VLAN (Virtual LAN)
- A logical overlay network that groups together a subset of devices that share a physical LAN, isolating the traffic of each group. In a VLAN, hosts (on premise, in the cloud, between clouds, or hybrid) communicate as if they were attached to the same broadcast domain, regardless of their physical location.
- Virtual Appliance
- A virtual appliance is a pre-configured virtual machine image, ready to run on a hypervisor; virtual appliances are a subset of the broader class of software appliances. Installing a software appliance on a virtual machine and packaging the result as an image creates a virtual appliance. Like software appliances, virtual appliances are intended to eliminate the installation, configuration, and maintenance costs associated with running complex stacks of software.
- Virtual Private Network (VPN)
- A virtual network built on top of existing physical networks that can provide a secure communications mechanism for data and IP information transmitted between networks or between different nodes on the same network.
- Virtual Trusted Platform Module (vTPM)
- A vTPM is a software-based representation of a physical Trusted Platform Module 2.0 chip.
W
- Web Application Firewall (WAF)
- Application firewall that monitors, alerts, and blocks attacks by inspecting HTTP traffic.
X
- x86
- The term x86 is generally used to refer to any 32-bit processor compatible with the x86 instruction set. x86 microprocessors power almost every class of computer, from laptops, notebooks, and desktops to servers and supercomputers.
Y
Z
- Zero Trust
- Zero Trust is a security architecture that applies an implicit deny to all network traffic that is not authenticated and authorized to access specific applications, services, or hosts. Zero Trust does not grant any access privileges based on a specific location or source of traffic. By its nature it acts as a multi-tenanted architecture, with each user or service segmented into a unique network unless otherwise defined.
- Zero Trust Network Access (ZTNA)
- A modern product type that replaces legacy VPN solutions to provide access to enterprise and public applications. ZTNA products typically integrate with an IdP to authenticate users or services and enable access to specific applications, services, or hosts. These systems incorporate Zero Trust security principles. Some ZTNA products are completely agentless, using only a web portal for application access. Others include an agent that allows access to applications not suitable for web-only or HTML5 access. Some ZTNA solutions support only HTTP/HTTPS, while others support other enterprise application protocols as well.