pk.org: CS 417/Lecture Notes

Security in Distributed Systems

Terms you should know

Paul Krzyzanowski – 2026-04-19

Security Goals

Confidentiality
The property that data is kept secret from parties not authorized to see it.
Integrity
The property that unauthorized modification of data can be detected.
Authentication
The process of establishing who is on the other end of a connection or who created a message.
Authorization
The process of deciding what an authenticated principal is allowed to do.
Principal
Any entity that can be identified and granted access: a user, a service, a device, or a background process.
Non-repudiation
The property that a principal cannot credibly deny having created or approved a piece of data; typically achieved through digital signatures and audit logs.

Threats and Attack Patterns

Eavesdropping
An attack in which an adversary captures unencrypted traffic to read its contents.
Tampering
An attack in which an adversary modifies messages in transit.
Replay attack
An attack in which an adversary captures a valid message and retransmits it later; a simple integrity check does not detect it because the original message was genuine.
Freshness mechanism
A technique that prevents replay attacks by ensuring a received message is recent; examples include nonces, timestamps, sequence numbers, and expiration times.
Nonce
A random value generated fresh for each session or exchange; the receiver expects a specific nonce for the current session and rejects any message that carries the wrong one, so replaying a message from a previous session fails even if its signature is valid.
Service impersonation
An attack in which an adversary convinces one service that it is communicating with a legitimate peer.
Confused deputy
An attack in which a service with broad permissions is tricked into using those permissions on behalf of an attacker.
Lateral movement
The technique by which an attacker who has compromised one component moves through a system using the credentials and access that component holds.
Broken object-level authorization
A failure in which a service authenticates a caller correctly but does not check whether that caller is permitted to access a specific resource; the attacker exploits it by changing a resource identifier in the request.
Blast radius
The extent of damage that results from a single compromised credential or misconfigured service.

Cryptographic Building Blocks

Symmetric encryption
Encryption that uses the same secret key for both encryption and decryption; fast and suited for bulk data, but requires both parties to share a key in advance.
Asymmetric cryptography
Cryptography that uses a key pair: a public key that can be shared openly and a private key that must stay secret; makes key establishment practical without pre-shared secrets and enables digital signatures.
Hash function
A function that maps data of arbitrary length to a fixed-size digest; the same input always produces the same digest, and it is computationally infeasible to reverse the process or find two inputs with the same digest.
Message authentication code (MAC)
An integrity and origin authentication mechanism that computes a digest from a message combined with a shared secret key; a receiver with the same key can confirm the message was not modified and came from a party that knows the key.
HMAC (Hash-based Message Authentication Code)
The standard MAC construction; applies a hash function with a shared secret key and can be built on any secure hash algorithm.
Digital signature
An integrity and origin authentication mechanism that operates on a hash of the message using the sender’s private key; any party with the corresponding public key can verify the signature without a pre-shared secret, and signatures support non-repudiation.

Secure Channels and Certificates

Transport Layer Security (TLS)
The standard protocol for securing a communication channel over an untrusted network; combines asymmetric key exchange, symmetric bulk encryption, and integrity checks to provide confidentiality, integrity, and server authentication.
TLS termination
Decrypting an incoming TLS connection at a network boundary so that downstream services receive plain requests.
Mutual TLS (mTLS)
A TLS configuration in which both sides of a connection present and verify certificates, giving each party a cryptographically verified identity for the other rather than relying on network location.
Certificate
A signed statement asserting that a particular public key belongs to a particular subject; issued by a certificate authority and used to bind cryptographic keys to identities.
Certificate authority (CA)
An entity that issues and signs certificates; the basis for chain-of-trust validation.
Public key infrastructure (PKI)
The system of CAs, certificates, and validation policies that allows large deployments to manage trust without every party needing to directly trust every other party.

Authentication, Authorization, and Tokens

Identity provider (IdP)
A dedicated service that authenticates users and issues credentials confirming their identity; examples include Google, Microsoft Entra, Okta, and Auth0.
OAuth
An authorization framework that lets a client obtain limited, delegated access to a protected resource on behalf of a user or for machine-to-machine communication; produces an access token, not a user identity.
Access token
A credential issued by an OAuth authorization server that a client presents to a resource to prove what access has been delegated to it.
Refresh token
A longer-lived credential a client presents to the authorization server when an access token expires, to obtain a new access token without requiring the user to authenticate again.
OpenID Connect (OIDC)
An identity layer built on top of OAuth that allows a client to verify the identity of an authenticated user; produces an ID token describing who the user is.
ID token
A credential issued by an OIDC identity provider that describes the authenticated user’s identity.
JSON Web Token (JWT)
A compact, signed token format used to carry OAuth access tokens and OIDC ID tokens; a format, not a protocol.
Claim
A piece of information asserted about a subject and encoded in a token; examples include user ID, expiration time, and granted scopes.

Identity at Scale

Workload identity
A cryptographically verifiable identity assigned to a service, container, or batch job rather than a human user; allows authorization decisions to be based on which workload is calling rather than where the call originates.
SPIFFE (Secure Production Identity Framework for Everyone)
A widely adopted standard for assigning cryptographically verifiable identities to workloads; defines the identity format and credential structure used in mTLS connections and authorization policies.
Cloud IAM (Identity and Access Management)
A cloud provider’s system for binding identities (users, service accounts, workloads) to permissions on specific cloud resources such as storage buckets, queues, and databases.
Service account
A non-human identity used by a service or application to authenticate to cloud resources and APIs.
Workload identity federation
A pattern in which a workload presents a verified identity credential to a cloud provider and receives a short-lived access token tied to specific cloud permissions in return, replacing long-lived static service account keys.

Architecture and Design Patterns

Zero Trust
An architectural principle stating that network location should not by itself imply trust; every request must be authenticated and authorized regardless of whether it originates inside or outside the system.
Least privilege
The principle that a service or user should be granted only the permissions required to perform its specific function and nothing more.
Micro-segmentation
The practice of dividing a system into fine-grained trust domains and explicitly controlling which services may communicate with which others, limiting the blast radius of a compromise.
API gateway
A service at the system boundary that handles north-south traffic from external clients; common functions include TLS termination, access token validation, rate limiting, request routing, and coarse-grained authorization.
Service mesh
An infrastructure layer that handles east-west service-to-service communication by inserting a sidecar proxy alongside each service; provides mTLS, workload identity, authorization policy enforcement, and traffic telemetry without requiring application code changes.
Sidecar proxy
A small proxy process that runs alongside a service, intercepts its inbound and outbound network traffic, and enforces security policies on the service’s behalf.
North-south traffic
Network traffic flowing between external clients and the system boundary.
East-west traffic
Network traffic flowing between services inside the system.

Secret Management

Secret
A sensitive credential such as an API key, database password, signing key, or TLS private key that must be distributed, rotated, revoked, and audited carefully.
Secret management system
A dedicated service that stores secrets with access controls, auditing, and support for rotation; examples include HashiCorp Vault, AWS Secrets Manager, Google Cloud Secret Manager, and Azure Key Vault.
Key rotation
The practice of replacing cryptographic keys on a regular schedule or after a suspected compromise; a system that makes rotation routine rather than exceptional is more resilient.
Certificate rotation
The replacement of expiring or compromised certificates with newly issued ones; should be automated to avoid manual errors and downtime.
