- ISSAP
- Information Systems Security Architecture Professional — an ISC2 CISSP concentration for security architects, validating the design of security solutions and enterprise security architecture.
- Security architecture
- A unified design that describes the structure, behavior, and relationships of an organization's security controls so they coherently satisfy business, risk, and compliance requirements.
- Governance, Risk, and Compliance (GRC)
- The integrated discipline of directing security strategy (governance), managing uncertainty (risk), and meeting legal/regulatory obligations (compliance) — Domain 1 of the ISSAP, 21% of the exam.
- Security governance
- The set of responsibilities and practices, exercised by senior leadership, that sets security direction, ensures objectives are achieved, and verifies resources are used responsibly.
- Enterprise architecture framework
- A structured approach (e.g., TOGAF, Zachman, SABSA) for describing an enterprise's structure and aligning IT and security design with business strategy.
- SABSA
- Sherwood Applied Business Security Architecture — a business-driven, risk- and opportunity-focused framework that builds security architecture top-down from business requirements through a layered matrix.
- Zachman Framework
- An enterprise-architecture taxonomy organizing artifacts in a matrix of perspectives (Planner→Subcontractor) against interrogatives (What, How, Where, Who, When, Why).
- TOGAF
- The Open Group Architecture Framework — a method (the ADM) and structure for designing, planning, and governing enterprise architecture across business, data, application, and technology layers.
- SABSA layers
- Contextual, Conceptual, Logical, Physical, Component, and Operational (Management) — the six layers that take security architecture from business view down to operations.
- Risk
- The likelihood that a threat will exploit a vulnerability and the resulting impact on an asset; the architect designs controls to reduce risk to an acceptable level.
- Threat
- Any potential event or actor that could exploit a vulnerability to cause harm to an asset.
- Vulnerability
- A weakness in a system, process, or control that a threat can exploit.
- Single Loss Expectancy (SLE)
- The expected monetary loss from one occurrence of a risk: SLE = AV × EF (Asset Value times Exposure Factor).
- Annualized Loss Expectancy (ALE)
- The expected yearly cost of a risk: ALE = SLE × ARO; used to cost-justify a control.
- Annualized Rate of Occurrence (ARO)
- The expected number of times a specific risk event will occur in one year.
- Exposure Factor (EF)
- The percentage of an asset's value that would be lost if a specific risk event occurred.
- Residual risk
- The risk that remains after controls are applied; senior management formally accepts it.
- Risk treatment options
- Mitigate (reduce with controls), transfer (insurance/third party), avoid (stop the activity), or accept (formally tolerate the residual risk).
- Qualitative risk analysis
- Subjective risk ranking (high/medium/low) based on judgment and scenarios — fast, but not expressed in dollars.
- Quantitative risk analysis
- Objective, money-based risk analysis using SLE, ARO, and ALE to express loss expectancy in currency.
- Control traceability matrix
- An artifact mapping each requirement (regulatory or security) to the specific architectural controls that satisfy it, giving auditors a direct line of evidence.
- Compliance
- Adherence to laws, regulations, standards, and contractual obligations (e.g., GDPR, HIPAA, PCI DSS) that the security architecture must demonstrably support.
- PCI DSS
- Payment Card Industry Data Security Standard — mandatory controls for organizations that store, process, or transmit cardholder data, including network segmentation of the CDE.
- GDPR
- EU General Data Protection Regulation — governs processing of personal data, mandating lawful basis, data-subject rights, privacy by design, and breach notification.
- HIPAA
- U.S. Health Insurance Portability and Accountability Act — its Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI).
- Privacy by design
- Embedding privacy protections into the architecture from the start (default settings, data minimization, end-to-end security) rather than bolting them on later.
- Data residency / data sovereignty
- Requirements that data be stored and processed within a specific jurisdiction; the architect must design storage and replication to satisfy them.
- ISO/IEC 27001
- The international standard for an Information Security Management System (ISMS) — a risk-based framework of requirements for establishing, operating, and improving security.
- NIST Cybersecurity Framework (CSF)
- A voluntary framework organized around six functions — Govern, Identify, Protect, Detect, Respond, Recover — used to manage and reduce cybersecurity risk.
- NIST Risk Management Framework (RMF)
- The SP 800-37 process — Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor — for managing security and privacy risk in systems.
- Security policy hierarchy
- Policy (high-level intent) → standard (mandatory specifics) → procedure (step-by-step) → guideline (recommended, optional).
- Due diligence
- Doing the research and developing the plans and policies needed to protect the organization — the homework before acting.
- Due care
- Acting on due diligence by implementing and maintaining reasonable controls — what a prudent person would do.
- Security requirements traceability
- Linking design and control decisions back to the originating business, risk, and compliance requirements so coverage is demonstrable end to end.
- Third-party / supply-chain risk
- Risk introduced by vendors, partners, and components; managed through assessment, contractual security terms, and architectural isolation.
- Business Impact Analysis (BIA)
- Identifies critical business functions and sets recovery objectives (MTD, RTO, RPO); the foundation of continuity and resilience architecture.
- Recovery Time Objective (RTO)
- The targeted time to restore a system or function after a disruption; must be shorter than the MTD.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data loss measured backward in time; drives backup and replication frequency.
- Maximum Tolerable Downtime (MTD)
- The longest a business function can be unavailable before the organization suffers unacceptable harm.
- Risk appetite
- The amount and type of risk an organization is willing to pursue or retain in pursuit of its objectives; it bounds architectural risk decisions.
- Risk tolerance
- The acceptable variation around the risk appetite for a specific objective or asset — the practical threshold a control design must meet.
- Control categories (by function)
- Preventive (stop), Detective (find), Corrective (fix), Deterrent (discourage), Recovery (restore), and Compensating (substitute) controls.
- Control types (by nature)
- Administrative (policies, training), Technical/Logical (firewalls, encryption), and Physical (locks, guards) controls.
- Compensating control
- An alternative control that satisfies the intent of a requirement when the primary control is not feasible, providing comparable risk reduction.
- Security architecture stakeholders
- Business owners, risk and compliance leaders, system owners, operations, and auditors — whose requirements the architecture must reconcile and trace.
- Security baseline
- A documented minimum set of security configurations and controls a system must meet, against which deviations are measured.
- Gap analysis
- Comparing the current state against required controls or a target architecture to identify and prioritize remediation.
- Architecture governance board
- A body that reviews and approves architectural decisions, exceptions, and standards to ensure designs align with strategy, risk, and compliance.
- Security architecture roadmap
- A sequenced plan that evolves the current-state architecture toward a target state, balancing risk reduction, cost, and dependencies.
- Cost-benefit / control justification
- A control is justified only when its annual cost is less than the reduction in ALE (or other risk) it provides.
- Security architecture modeling
- Representing security requirements, controls, and trust relationships as models and views so design can be analyzed before build — Domain 2 of the ISSAP, 22%.
- Reference architecture
- A reusable, standardized template of proven patterns and controls that guides consistent solution designs across the enterprise.
- Security model
- A formal or conceptual statement of the rules a system enforces (e.g., Bell-LaPadula, Biba) that turns a policy into enforceable access rules.
- Bell-LaPadula model
- A confidentiality model: Simple Security Property (no read up) and *-Property (no write down) — 'no read up, no write down.'
- Biba model
- An integrity model: Simple Integrity Axiom (no read down) and *-Integrity Axiom (no write up) — 'no read down, no write up.'
- Clark-Wilson model
- An integrity model enforcing well-formed transactions and separation of duties through the access triple (subject-program-object).
- Brewer-Nash (Chinese Wall) model
- A model that dynamically changes access to prevent conflicts of interest, isolating data sets a subject has already accessed.
- Reference monitor
- The abstract concept that mediates all access between subjects and objects; it must be tamperproof, always invoked, and verifiable.
- Security kernel
- The hardware, firmware, and software that implements the reference monitor concept and enforces the system's access rules.
- Trusted Computing Base (TCB)
- The totality of protection mechanisms (hardware, software, firmware) within a system that enforces its security policy.
- Trust boundary
- A line in an architecture across which data or requests change trust level; controls (validation, authentication, encryption) are concentrated here.
- Threat modeling
- Systematically identifying, enumerating, and prioritizing threats against a design so countermeasures can be built in (e.g., using STRIDE or PASTA).
- STRIDE
- A threat taxonomy: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- PASTA
- Process for Attack Simulation and Threat Analysis — a risk-centric, seven-stage threat-modeling methodology that ties threats to business impact.
- DREAD
- A risk-rating model scoring threats on Damage, Reproducibility, Exploitability, Affected users, and Discoverability.
- Attack surface
- The sum of all points where an attacker can attempt to enter, extract data, or affect a system; good architecture minimizes it.
- Attack tree
- A diagram that decomposes a goal of an attacker into the steps and conditions required, used to analyze and prioritize defenses.
- Data flow diagram (DFD)
- A model showing how data moves between processes, stores, and external entities across trust boundaries — the basis for STRIDE threat modeling.
- Defense in depth
- Layering multiple, overlapping controls so that if one fails, others still protect the asset.
- Zero trust architecture
- A model that assumes no implicit trust by network location; every access request is continuously verified by identity, device, and context (NIST SP 800-207).
- Zero trust core tenets
- Verify explicitly, use least-privilege access, and assume breach — enforced per-request through a policy engine and policy enforcement points.
- Policy Decision Point (PDP)
- In zero trust / access architecture, the component (policy engine + administrator) that decides whether to grant access based on policy and context.
- Policy Enforcement Point (PEP)
- The component that enforces the PDP's decision, allowing or blocking the subject's connection to the resource.
- Microsegmentation
- Dividing a network into granular, individually policed zones (often per-workload) so lateral movement is contained — a core zero-trust pattern.
- Least privilege
- Granting users, processes, and systems only the minimum access needed to perform their function, and nothing more.
- Separation of duties
- Splitting a sensitive task so no single person can complete it alone, reducing fraud and error.
- Fail-secure vs. fail-safe
- Fail-secure (fail-closed) denies access on failure to protect data; fail-safe (fail-open) permits access on failure to protect life/safety. Choose by what you must preserve.
- Open design (Kerckhoffs's principle)
- Security should not depend on the secrecy of the design or mechanism, only on the secrecy of the key — avoid 'security through obscurity.'
- Economy of mechanism
- Keep designs as small and simple as possible; simpler architectures have fewer flaws and are easier to verify.
- Complete mediation
- Every access to every object must be checked for authority — no caching of permission decisions that could bypass the reference monitor.
- Secure defaults
- Systems should default to the most restrictive, denied state; access is granted explicitly rather than removed.
- Security pattern
- A reusable, documented solution to a recurring security design problem (e.g., a secure proxy, a single access point) applied within an architecture.
- Logical vs. physical architecture view
- The logical view models functions and relationships independent of technology; the physical view maps them to specific products, hosts, and locations.
- Security viewpoint
- A way of describing the architecture that highlights security concerns (trust, data flows, controls) for a given set of stakeholders.
- Common Criteria (ISO/IEC 15408)
- An international standard for evaluating product security against a Protection Profile, expressed as Evaluation Assurance Levels (EAL1–EAL7).
- Protection Profile (PP)
- An implementation-independent set of security requirements for a category of products, used as the target in a Common Criteria evaluation.
- Security Target (ST)
- The document describing the security claims and requirements for a specific product (the Target of Evaluation) under Common Criteria.
- Evaluation Assurance Level (EAL)
- A Common Criteria scale (EAL1 lowest to EAL7 highest) indicating the depth and rigor of a product's security evaluation.
- Trusted path
- A protected communication channel between a user and a trusted component that cannot be intercepted or spoofed by untrusted software.
- Covert channel
- An unintended communication path that violates the security policy — a storage channel (shared resource) or a timing channel.
- Inference
- Deducing sensitive information from data the subject is authorized to see; mitigated by polyinstantiation and query controls.
- Aggregation
- Combining individually harmless pieces of data into a sensitive whole; addressed by classifying the aggregate appropriately.
- Security control framework selection
- Choosing an appropriate control set (e.g., NIST SP 800-53, ISO 27002, CIS Controls) to instantiate the model into concrete requirements.
- Resilience by design
- Architecting for redundancy, graceful degradation, and recovery so the system continues to meet security objectives during failure or attack.
- Single point of failure (SPOF)
- A component whose failure would stop the whole system; the architect eliminates SPOFs through redundancy and clustering.
- Abuse case
- A use case written from an attacker's perspective, modeling how a feature could be misused so defenses are designed against it.
- Security requirements engineering
- Eliciting, analyzing, and specifying security requirements (confidentiality, integrity, availability, non-repudiation) as testable design constraints.
- Tailoring
- Adjusting a baseline control set to the system's risk, environment, and mission — adding, removing, or scoping controls with justification.
- Architecture trade-off analysis
- Evaluating how design choices affect security, performance, cost, and usability to select the option that best meets the requirements.
- Secure design review
- A structured review of an architecture against security principles, threat models, and requirements before it is built or deployed.
- Infrastructure security architecture
- Designing the secure structure of networks, hosts, storage, and cloud — Domain 3 of the ISSAP, the largest at 32%.
- Network segmentation
- Dividing a network into zones (e.g., by VLANs or subnets) so a compromise in one zone cannot freely reach others.
- DMZ (demilitarized zone)
- A screened subnet between the internet and the internal network that hosts public-facing services, isolating them from internal assets.
- Firewall types
- Packet-filter (stateless), stateful inspection, application/proxy, and next-generation firewalls (NGFW) that add app awareness, IPS, and identity.
- Next-generation firewall (NGFW)
- A firewall integrating deep packet inspection, application awareness, intrusion prevention, and user identity to enforce granular policy.
- Web application firewall (WAF)
- A firewall that inspects HTTP/HTTPS traffic to block application-layer attacks such as SQL injection and cross-site scripting.
- IDS vs. IPS
- An Intrusion Detection System detects and alerts on malicious activity (out of band); an Intrusion Prevention System sits inline and can block it.
- Network access control (NAC)
- Technology that authenticates and posture-checks devices before granting network access, often via 802.1X.
- 802.1X
- A port-based network access control standard that authenticates a device or user (via EAP/RADIUS) before opening the switch port or WLAN.
- VPN
- A Virtual Private Network creates an encrypted tunnel over an untrusted network; common types are IPsec (site-to-site/remote) and TLS/SSL VPNs.
- IPsec
- A Layer 3 protocol suite securing IP traffic; AH provides integrity/authentication, ESP adds confidentiality, with tunnel or transport mode.
- TLS
- Transport Layer Security — protects application traffic (e.g., HTTPS) with authentication, confidentiality, and integrity; TLS 1.3 is current.
- OSI model
- A seven-layer reference model — Physical, Data Link, Network, Transport, Session, Presentation, Application — used to map devices, protocols, and controls.
- Symmetric encryption
- Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast, but key distribution is the challenge.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables digital signatures.
- Hashing
- A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256); it is not reversible.
- Digital signature
- A hash of a message encrypted with the sender's private key, providing integrity, authenticity, and non-repudiation.
- Public Key Infrastructure (PKI)
- The framework of certificate authorities, certificates, registration authorities, and policies that manages public keys and trust.
- Certificate Authority (CA)
- A trusted entity that issues and signs digital certificates binding a public key to an identity within a PKI.
- Certificate Revocation List (CRL)
- A signed list of certificates revoked before expiry; OCSP is the real-time alternative for checking certificate status.
- OCSP
- Online Certificate Status Protocol — checks the revocation status of a single certificate in real time, often via OCSP stapling.
- Key management lifecycle
- Generation, distribution, storage, use, rotation, archival, and destruction of cryptographic keys — the architect designs each stage securely.
- Hardware Security Module (HSM)
- A tamper-resistant hardware device that generates, stores, and uses cryptographic keys, keeping private keys off general-purpose systems.
- Perfect forward secrecy (PFS)
- A property where each session uses a unique ephemeral key, so compromise of a long-term key does not expose past session traffic.
- Data at rest protection
- Securing stored data with full-disk, database, or file-level encryption plus access controls and key management.
- Data in transit protection
- Securing data on the move with TLS, IPsec, or VPN tunnels so it cannot be read or altered en route.
- Data in use protection
- Protecting data being processed in memory — the hardest state — via techniques such as enclaves and confidential computing.
- Endpoint security architecture
- Layered host protection — hardening, EDR, host firewall, disk encryption, and patching — designed to detect and contain compromise.
- EDR
- Endpoint Detection and Response — continuously monitors endpoints for malicious behavior and enables investigation and remediation.
- System hardening
- Reducing a system's attack surface by removing unneeded services, applying secure baselines, and patching to a known-good configuration.
- Virtualization security
- Protecting the hypervisor and guest VMs — securing the management plane, isolating tenants, and preventing VM escape and sprawl.
- Hypervisor
- Software that creates and runs virtual machines; Type 1 runs on bare metal, Type 2 runs on a host OS. Its compromise affects all guests.
- Container security
- Securing containerized workloads via trusted images, registry scanning, runtime isolation, and orchestration (e.g., Kubernetes) hardening.
- Cloud shared responsibility model
- A division where the provider secures the cloud (infrastructure) and the customer secures what they put in the cloud — scope shifts across IaaS, PaaS, and SaaS.
- IaaS / PaaS / SaaS
- Service models defining how much the provider manages: Infrastructure (you manage OS up), Platform (you manage apps/data), and Software (provider manages most).
- CASB
- Cloud Access Security Broker — a control point between users and cloud services enforcing visibility, compliance, DLP, and threat protection.
- SASE
- Secure Access Service Edge — converges SD-WAN networking with cloud-delivered security (SWG, CASB, ZTNA, FWaaS) at the edge.
- Secure Web Gateway (SWG)
- A control that inspects and filters web traffic, enforcing URL/content policy and blocking malware between users and the internet.
- Data Loss Prevention (DLP)
- Technology that detects and blocks unauthorized movement of sensitive data based on content inspection and policy.
- Storage security
- Protecting SAN/NAS/object storage with encryption, access controls, secure deletion, and replication that meets data-residency rules.
- Data remanence
- Residual data that remains on media after deletion or formatting and may be recoverable; defeated by clearing, purging, or destruction.
- Media sanitization (NIST SP 800-88)
- Removing data from media via Clear (overwrite for reuse), Purge (degauss/cryptographic erase to release externally), or Destroy.
- High availability architecture
- Designing redundancy (clustering, load balancing, failover) so services remain available despite component failures.
- Load balancing
- Distributing traffic across multiple servers to improve availability and scalability and to remove single points of failure.
- Redundancy (RAID, clustering)
- Duplicating components so failure of one does not cause outage — RAID for disks, clustering for servers, multi-path for networks.
- Backup strategies
- Full (everything), incremental (changes since last backup, slow restore), and differential (changes since last full, faster restore).
- Recovery sites
- Hot (fully equipped, near-real-time failover), warm (hardware ready, data restored on demand), and cold (space only) — trading cost against speed.
- SIEM
- Security Information and Event Management — aggregates and correlates logs across the infrastructure for detection, analysis, and reporting.
- Logging and monitoring architecture
- Centralized, tamper-resistant collection of security-relevant events with time synchronization to support detection and forensics.
- Network time synchronization (NTP)
- Keeping clocks aligned across systems so log correlation, certificate validation, and authentication tickets work reliably.
- Wireless security (WPA3)
- The current Wi-Fi security standard providing stronger encryption and protection against offline dictionary attacks; avoid legacy WEP/WPA.
- DNS security (DNSSEC)
- Extensions that authenticate DNS responses with digital signatures, protecting against cache poisoning and spoofing.
- Email security architecture
- Layered protection using SPF, DKIM, and DMARC for sender authentication plus gateway filtering and encryption.
- SPF / DKIM / DMARC
- Email-authentication mechanisms: SPF authorizes sending IPs, DKIM signs messages, and DMARC sets policy and reporting using SPF/DKIM alignment.
- Network architecture documentation
- Accurate topology diagrams, data-flow maps, and asset inventories that the architect maintains to reason about and audit security.
- Out-of-band management
- A separate, isolated management network/path for administering infrastructure so management traffic is not exposed to production threats.
- Bastion host / jump server
- A hardened, monitored host that mediates administrative access into a protected zone, concentrating and logging privileged access.
- Secure remote access
- Designing remote connectivity with strong authentication (MFA), encrypted tunnels, posture checks, and least-privilege scoping.
- ZTNA
- Zero Trust Network Access — grants access to specific applications (not the whole network) after verifying identity and device, replacing broad VPN access.
- Quantum-resistant cryptography
- Post-quantum (PQC) algorithms designed to resist attacks by quantum computers; architects plan crypto-agility to migrate to NIST PQC standards.
- Crypto-agility
- Designing systems so cryptographic algorithms and keys can be replaced quickly as standards evolve or weaknesses emerge.
- Tokenization
- Replacing sensitive data (e.g., a card number) with a non-sensitive token, keeping the real value in a secured vault — reduces compliance scope.
- Physical security controls
- Layered facility protection — perimeter, mantraps, badges, CCTV, and environmental controls — that the architecture must account for.
- Environmental controls
- HVAC, fire suppression, power conditioning, and humidity control that preserve availability and integrity of infrastructure.
- Secure baseline configuration
- A hardened, documented standard configuration applied to systems and enforced through configuration management and drift detection.
- Patch and vulnerability management
- Architecting timely identification, testing, and deployment of patches to reduce exploitable exposure across the infrastructure.
- Identity and Access Management (IAM) architecture
- Designing how identities are established, authenticated, authorized, and governed — Domain 4 of the ISSAP, 25%.
- Identity lifecycle
- Provisioning, modification, and de-provisioning of identities (joiner-mover-leaver), ensuring access matches current role and is promptly revoked.
- Identification
- A subject claiming an identity (e.g., a username) — the first step of access control.
- Authentication
- Proving a claimed identity with a credential from one or more factors: something you know, have, or are.
- Authorization
- Determining what an authenticated identity is permitted to access and do.
- Accountability
- Tying actions back to a specific identity through logging and monitoring — non-repudiation at the operational level.
- Multi-factor authentication (MFA)
- Using two or more factors from different categories — something you know, have, and are — so a single stolen credential is not enough.
- Authentication factors
- Knowledge (password/PIN), possession (token/phone/smart card), and inherence (biometric); sometimes location and behavior are added.
- Biometric error rates (FAR/FRR/CER)
- False Accept Rate (impostor accepted), False Reject Rate (valid user rejected), and the Crossover Error Rate where FAR equals FRR — lower CER is better.
- Discretionary access control (DAC)
- Access decided by the data owner (e.g., file permissions, ACLs); flexible but error-prone.
- Mandatory access control (MAC)
- Access enforced by the system from labels and clearances; rigid and high-security, used for classified data.
- Role-based access control (RBAC)
- Access granted by job role rather than the individual; scales well and simplifies administration in enterprises.
- Attribute-based access control (ABAC)
- Access decided by attributes and policy (user, resource, action, time, location); the most granular and context-aware model.
- Rule-based access control
- Access governed by global rules applied to everyone (e.g., a firewall ruleset or time-of-day restriction), independent of identity.
- Single sign-on (SSO)
- One authentication that grants access to multiple systems, improving usability while centralizing authentication control.
- Federated identity
- Trust established across organizations so a user authenticated by their home identity provider can access a partner's resources.
- Identity provider (IdP)
- The system that authenticates users and asserts their identity to relying parties/service providers in a federation.
- SAML
- Security Assertion Markup Language — an XML standard for exchanging authentication and authorization assertions, widely used for web SSO and federation.
- OAuth 2.0
- An authorization framework that lets an application obtain delegated, scoped access to a resource on a user's behalf using access tokens — not an authentication protocol.
- OpenID Connect (OIDC)
- An identity layer on top of OAuth 2.0 that adds authentication via an ID token, enabling federated login for apps and APIs.
- Kerberos
- A symmetric-key SSO authentication protocol using tickets and a Key Distribution Center (KDC); vulnerable to replay if clocks drift, so it requires time sync.
- RADIUS
- A centralized AAA protocol commonly used for network access (VPN, 802.1X), providing authentication, authorization, and accounting.
- TACACS+
- A Cisco AAA protocol that separates authentication, authorization, and accounting and encrypts the full payload — often used for device administration.
- LDAP
- Lightweight Directory Access Protocol — queries and manages directory services (e.g., Active Directory) that store identities and attributes.
- Privileged Access Management (PAM)
- Controls that secure, monitor, and rotate privileged/administrative credentials, often with vaulting, session recording, and just-in-time access.
- Just-in-time (JIT) access
- Granting elevated privileges only for the moment and duration they are needed, then automatically revoking them to limit standing privilege.
- Identity governance and administration (IGA)
- The processes and tooling for access requests, approvals, certification (recertification), and segregation-of-duties enforcement across identities.
- Access recertification
- Periodic review where managers attest that each user's access is still appropriate, removing excess privilege (access creep).
- Provisioning / SCIM
- Automated creation and synchronization of accounts across systems; SCIM is the standard protocol for cross-domain identity provisioning.
- Session management
- Securely establishing, maintaining, and terminating authenticated sessions (timeouts, re-authentication, secure tokens) to prevent hijacking.
- Credential management
- Designing secure issuance, storage (hashing/salting), rotation, and recovery of credentials, plus passwordless and FIDO2 options.
- FIDO2 / passwordless
- Standards using public-key credentials (passkeys, security keys) for phishing-resistant authentication without shared secrets.
- Directory services
- Centralized repositories (e.g., Active Directory, LDAP directories) that store identities, groups, and attributes used for authentication and authorization.
- Trust relationship
- An agreed authentication trust between domains or systems (e.g., domain trusts, federation trusts) that the architect designs and constrains by least privilege.