Glossary (Acronyms)21 items

Application Programming Interface — a contract for software-to-software interaction.

• See also: REST, GraphQL, gRPC.

Single Sign-On — one identity session to access many apps.

• Often implemented with SAML or OpenID Connect (OIDC).

Authorization framework for delegated access; not an identity protocol.

• RFC 6749

OpenID Connect — identity layer on top of OAuth2 that provides user authentication.

• OpenID Connect Core

JSON Web Token — a compact, signed token format for conveying claims.

• RFC 7519

Mutual TLS — both client and server present certificates.

• Used for service-to-service identity in zero trust architectures.

Bring Your Own Key — vendor uses your key in their KMS.

Hold Your Own Key — your keys never leave your HSM boundary.

Key Management Service — managed cryptographic key lifecycle and usage.

Hardware Security Module — tamper-resistant cryptographic hardware.

Zero Trust Network Access — per-app access with strong identity and device posture.

• NIST SP 800-207

Privileged Access Management — broker and monitor privileged sessions.

Privileged Identity Management — JIT elevation for roles.

SaaS Security Posture Management — continuous config monitoring of SaaS apps.

Cloud Access Security Broker — visibility and control for SaaS usage.

Security Information & Event Management — log aggregation, detection, and response.

Security Orchestration, Automation, and Response — automated enrichment and actions.

Web Application Firewall — blocks common web attacks at the edge or app.

Data Loss Prevention — monitor/block data exfiltration.

Software Bill of Materials — inventory of software components.

Vulnerability Exploitability eXchange — signals exploitability for vulnerabilities.