Confidential Computing (24)
Secure Encrypted Virtualization encrypts VM memory to protect workloads from hypervisor-level inspection.
An enhanced SEV mode adding stronger memory integrity and attestation protections against tampering.
Arm Confidential Compute Architecture for creating isolated realms with stronger confidentiality guarantees.
A hardware security architecture that separates normal and secure worlds for protected execution and storage.
A signed statement describing enclave or VM identity and measurements for remote trust decisions.
A service that validates hardware evidence and issues trust tokens for workload admission and secret release.
Running model inference in trusted environments to protect proprietary models and sensitive query data.
A security model that protects data in use by isolating workloads in hardware-backed trusted execution environments.
Containerized workloads executed with confidential VM or enclave protections and attested trust boundaries.
Kubernetes deployments that schedule sensitive workloads onto confidential compute nodes with attestation gates.
A virtual machine with hardware memory encryption and attestation to protect data in use from infrastructure operators.
Security controls that protect sensitive data during active processing, not only at rest or in transit.
Hardware protection where RAM contents are encrypted to reduce exposure from physical attacks and privileged software.
A TEE technology using enclaves for application-level confidential execution and attestation.
A confidential VM technology that isolates guest workloads from host and hypervisor access.
A startup process where workload binaries and configuration are measured before trust is granted.
A secure counter used to prevent rollback attacks by detecting stale state replays.
A cloud enclave service offering isolated compute environments with no persistent storage or external networking by default.
Validation of attestation evidence against known-good measurements and issuer trust anchors.
Assurance that protected workload code and memory remain unmodified during execution.
A hardware-derived key used to encrypt enclave data so only the same trusted environment can decrypt it later.
A protected execution region where sensitive operations run with stronger isolation than normal process space.
An isolated execution area in hardware that protects code and data from host OS, hypervisor, and other workloads.
A protected channel ensuring sensitive input and output reach trusted code without exposure to untrusted layers.
Digital Signatures (28)
A construction that compresses multiple signatures into one proof to reduce bandwidth and verification overhead.
A signature protocol where the signer authenticates hidden content, preserving requester privacy during signing.
Digitally signing software artifacts to prove publisher identity and detect unauthorized modification.
A hash property making it computationally infeasible to find two different inputs with the same digest.
A signature stored separately from the signed content, enabling independent transport and verification.
An ECDSA approach where nonce generation is derived deterministically from message and key to reduce randomness failures.
A cryptographic proof that binds message integrity and signer identity using a private key operation.
Applying digital signatures to files such as contracts or records to preserve integrity and auditability.
Elliptic Curve Digital Signature Algorithm offering shorter keys than RSA for similar security levels.
A widely adopted EdDSA instance over Curve25519, known for speed, compact signatures, and robust implementations.
A family of Edwards-curve digital signature algorithms optimized for performance and misuse resistance.
A broad legal concept for indicating intent to sign, which may or may not use cryptographic digital signatures.
A one-way function mapping arbitrary input to fixed-size output, used heavily in signing and integrity workflows.
A standard format for signing JSON-based tokens and payloads, commonly used in APIs and identity systems.
A model where multiple distinct signatures or signers are required to authorize an operation.
A security objective where a signer cannot credibly deny having performed a signed action under controlled key custody.
A hash property making it computationally infeasible to reconstruct input data from a digest output.
A standardized timestamp token format used for long-term signature validation and audit evidence.
A signature proving one member of a set signed a message without revealing which specific member.
A signature generated using RSA private key operations, widely used in legacy and regulated environments.
A modern probabilistic RSA signature padding scheme preferred over older deterministic PKCS#1 v1.5 signatures.
A signature scheme with simple security proofs and linearity properties enabling aggregation and advanced constructions.
A 256-bit hash function in the SHA-2 family, widely used for digital signatures and data integrity.
A NIST-standardized hash family based on Keccak, used as an alternative to SHA-2 designs.
The process of validating that a signature matches a message and public key and has not been tampered with.
A scheme where any t-of-n participants can jointly produce a single valid signature without reconstructing a full key.
A trusted service that issues cryptographic timestamps proving that data existed before a specific time.
A W3C standard for digital signatures on XML documents with support for enveloped and detached signatures.
Encrypted Messaging (22)
A protocol property allowing participants to authenticate messages during conversation without transferable proof to third parties.
A key evolution mechanism that updates message keys continuously to limit impact from key compromise.
A communication model where only endpoint participants can read message content, excluding intermediaries and service providers.
A process by which multiple participants derive shared encryption state for secure group communication.
A Matrix group messaging encryption mechanism optimized for performance, with different tradeoffs than Olm.
A per-message encryption key derived from a ratchet or key schedule for granular confidentiality isolation.
An IETF standard protocol for scalable end-to-end encrypted group messaging with formal security properties.
A number used once to ensure encryption operations remain unique and resistant to reuse attacks.
A Matrix one-to-one encryption protocol using ratcheting for forward secrecy and asynchronous operation.
An XMPP extension for multi-device end-to-end encryption based on Signal-style ratcheting concepts.
A standard for email and data encryption using public keys, signatures, and trust models such as web-of-trust.
A MIME format for carrying OpenPGP encrypted and signed email content across interoperable mail clients.
A property where protocols recover confidentiality after a transient key compromise through ongoing key updates.
A published set of one-time and identity keys that lets senders establish encrypted sessions when receivers are offline.
Controls that detect and reject duplicated or delayed message packets to prevent replay attacks.
A certificate-based standard for email signing and encryption built on PKI trust and X.509 identities.
A human-verifiable fingerprint used by users to confirm they are communicating with the intended cryptographic identity.
A messaging feature that minimizes metadata exposure by hiding sender identity from service infrastructure when possible.
A group messaging optimization where each sender encrypts outgoing messages using a sender-specific symmetric key.
A short-lived symmetric key used to encrypt a specific communication session or message sequence.
A widely used secure messaging protocol combining forward secrecy, asynchronous setup, and post-compromise recovery.
Extended Triple Diffie-Hellman, a key agreement protocol enabling secure asynchronous session establishment.
HSM & Hardware Security (30)
A managed HSM offering from a cloud provider that gives customers dedicated hardware-backed key control with cloud integration.
An international framework for evaluating and certifying the security properties of IT products and components.
The defined physical or logical perimeter around cryptographic components that are covered by security controls and validations.
A side-channel technique that statistically analyzes power traces from many operations to infer secret key material.
A cryptographically secure pseudorandom generator seeded from strong entropy and used for repeatable random bit generation.
A control requiring two authorized individuals to complete sensitive cryptographic operations or approvals.
An attack that introduces glitches through voltage, clock, laser, or EM disturbance to force incorrect and exploitable behavior.
A U.S. and Canadian standard defining security requirements and validation levels for cryptographic modules.
The process of cryptographically signing firmware images so devices can verify authenticity and integrity before updates.
A tamper-resistant device used to generate, store, and use cryptographic keys without exposing private key material to general-purpose systems.
A highly controlled process for generating, activating, and distributing high-value keys with formal procedures and audit records.
A quorum control that requires at least M approvers out of N authorized parties for protected security actions.
A process that records cryptographic measurements of boot components for later attestation and integrity validation.
An HSM delivered as a shared network appliance that provides cryptographic services to multiple applications over secure APIs.
An HSM installed directly in a server via PCIe, often used for low-latency cryptographic signing and key operations.
A hardware primitive that derives device-unique secrets from manufacturing variations, often used for identity and key derivation.
A mechanism for proving to a remote verifier that a system is running approved software and configuration state.
A minimally trusted hardware or firmware component used as the foundational trust anchor for system security.
The component that performs initial integrity measurements during boot, establishing a verifiable chain of trust.
A boot process that only executes firmware and software signed by trusted keys, preventing unauthorized startup code.
A specialized chip that securely stores keys and runs cryptographic operations in a highly constrained trusted environment.
An attack that extracts secrets by analyzing physical leakage such as timing, power consumption, or electromagnetic emissions.
A side-channel method that directly inspects power traces for operation patterns that leak cryptographic secrets.
A control model where no single person possesses complete secret material, reducing insider and coercion risk.
Automatic defensive behavior triggered by detected tampering, such as zeroizing keys or locking operations.
Hardware construction that reveals visible signs when someone tries to open, alter, or probe the device.
Hardware protections that make physical attacks significantly harder through shielding, sensors, and protective response mechanisms.
A standardized hardware security chip that stores keys, measures platform integrity, and supports attestation workflows.
A generator that derives entropy from physical phenomena to produce unpredictable random values for cryptographic use.
Secure erasure of sensitive cryptographic material so it cannot be recovered after compromise or decommissioning.
Key Management (40)
A modern memory-hard password hashing and key derivation family with tunable resistance to GPU and ASIC cracking.
A mechanism that automatically unseals a protected secret store using an external trusted key provider at startup.
A model where customers generate and control key material externally, then import or reference it in a provider platform.
A key whose policy and lifecycle are directly administered by the customer rather than provider-managed defaults.
Data disposal by destroying encryption keys instead of physically erasing every encrypted data replica.
The ability to replace cryptographic algorithms, keys, and protocols quickly as threats, standards, and requirements evolve.
The approved time span during which a specific cryptographic key is authorized for use.
A governance model emphasizing customer-operated policy and lifecycle control over key generation, usage, and revocation.
A key used directly to encrypt data objects, often generated per file, record, session, or transaction.
Short-lived credentials generated on demand and automatically revoked to reduce standing privilege and secret exposure.
An approach where data is encrypted with a DEK and the DEK is then encrypted by a KEK for scalable key protection.
Encryption applied to specific sensitive data fields to preserve fine-grained confidentiality within larger records.
Encryption that retains original data format characteristics, enabling legacy systems to process encrypted values without schema changes.
An HMAC-based key derivation function that extracts entropy and expands it into context-specific cryptographic keys.
A model where cryptographic keys remain fully outside the service provider boundary and are used through controlled external trust.
Ephemeral credentials issued only when needed for a task and scoped to minimum privileges and short expiration.
A deterministic algorithm that derives one or more cryptographic keys from shared secrets, passwords, or seed material.
A key used to encrypt and protect other keys, separating data encryption workloads from key protection hierarchy.
A state change that temporarily or permanently disables key use without necessarily deleting its metadata or history.
Irreversible elimination of key material so encrypted content becomes computationally infeasible to decrypt with that key.
Storage of key recovery capability with a trusted process or party for lawful access, continuity, or emergency operations.
Administrative invalidation of a key that should no longer be trusted because of compromise, retirement, or policy change.
A transition process from old key material to new key material while preserving service continuity and compatibility.
Periodic replacement of active keys to reduce exposure windows and support cryptographic hygiene and compliance requirements.
The controlled process of decrypting a wrapped key inside an authorized boundary before permitted cryptographic use.
Rules defining what operations a key can perform, by whom, from where, and under what context constraints.
Tracking multiple generations of a key to support decryption of historical data and controlled migration to current versions.
The secure encryption and integrity protection of one cryptographic key using another key designated for protection purposes.
A centralized service for creating, storing, rotating, and auditing cryptographic keys used across applications and infrastructure.
A password-based derivation function using repeated hashing and salt to slow brute-force attacks on password-derived keys.
An additional secret value stored separately from password hashes to increase resistance against offline cracking after database compromise.
The process of decrypting and encrypting data with new keys or algorithms to maintain policy, security, or compliance posture.
A random value added to passwords or secrets before derivation to prevent rainbow-table reuse and identical hashes for identical passwords across users.
A memory-hard password derivation algorithm designed to raise hardware attack cost and improve password storage security.
Time-bound issuance of secrets with automatic expiration and renewal logic tied to service health or policy controls.
The initial bootstrap credential problem of securely establishing first trust without already having a trusted secret.
The discipline of securely storing, distributing, rotating, and auditing secrets such as API keys, passwords, and certificates.
An unseal process requiring multiple secret shares, typically using Shamir's scheme, to recover operational master key material.
Database-level encryption that protects data files at rest without requiring major application code changes.
Replacing sensitive values with non-sensitive tokens while storing the reversible mapping in a secured token vault.
MPC & Threshold Crypto (26)
A special case of MPC where two parties compute jointly while preserving each party's private data.
An MPC model involving three participants, often used in practical threshold signing and custody architectures.
Preprocessed random multiplication tuples used to accelerate secure multiplications in many MPC protocols.
A cryptographic primitive that lets a party commit to a value now and reveal it later with integrity.
A protocol that creates key shares among parties without any participant ever seeing the full private key.
A secure computation technique where one party encodes a circuit and another evaluates it without learning private inputs.
An assumption that more than half of protocol participants follow the protocol correctly.
A fragment of distributed private key material held by one participant in a threshold cryptographic system.
A threat model where participants may deviate arbitrarily from protocol steps and require stronger safeguards.
A cryptographic approach that lets parties jointly compute functions over private inputs without revealing those inputs.
A protocol where a sender transfers one of many secrets without learning which secret the receiver chose.
A security model where periodic share refresh protects against gradual compromise of participants over time.
A proof that a secret value lies within an allowed interval without disclosing the exact value.
Splitting a secret into multiple shares so only authorized combinations can reconstruct or use it.
A method for computing aggregate values from many parties while keeping each participant's individual input private.
A threat model where parties follow protocol but try to infer extra information from observed messages.
A polynomial-based threshold scheme where any t shares reconstruct a secret and fewer than t reveal nothing.
A protocol that rotates key shares without changing the effective public key, improving long-term resilience.
Cryptography where key control is distributed so a quorum can operate securely without any single full key holder.
A protocol set enabling distributed generation of valid ECDSA signatures without reconstructing private keys.
A threshold signature approach for EdDSA curves, distributing signing authority across multiple participants.
A distributed signing or decryption model for RSA operations where multiple parties jointly perform private-key actions.
Secret sharing with cryptographic proofs allowing participants to verify share correctness without revealing the secret.
A succinct zero-knowledge proof system with fast verification and compact proof size.
A transparent zero-knowledge proof system with no trusted setup and strong post-quantum assumptions.
A proof allowing a prover to demonstrate statement validity without disclosing the underlying secret witness.
PKI & Certificates (43)
A protocol for automating certificate issuance, domain validation, renewal, and revocation operations.
An X.509 extension that points to issuer certificate and OCSP service locations.
An X.509 extension identifying the issuing CA key to help clients build and validate certificate chains.
An X.509 extension indicating whether a certificate is a CA certificate and defining path length constraints.
A CA used to connect separate PKI hierarchies without requiring a single shared root CA.
An entity that issues and signs digital certificates binding public keys to identities or service names.
The ordered sequence of certificates linking an end-entity certificate to a trusted root.
The process of finding deployed certificates across servers, devices, and applications to prevent outages and blind spots.
A continuously maintained catalog of certificates, ownership, issuance paths, and expiration timelines.
The end-to-end process of discovering, issuing, renewing, replacing, and retiring certificates at enterprise scale.
A formal statement describing issuance and assurance requirements for certificates in a PKI domain.
A public logging system for issued certificates that helps detect mis-issuance and unauthorized CA activity.
A detailed operational document describing how a CA implements its certificate policy in practice.
A comprehensive protocol for requesting, issuing, revoking, and updating certificates in managed PKI environments.
A legacy subject field once used for hostname matching, now generally superseded by SAN.
A signed list of revoked certificates published by a CA for clients performing revocation checks.
A trust arrangement where one CA signs another CA certificate to bridge trust domains.
A request object that includes subject details and public key, signed by the requester for CA issuance.
A domain-validated certificate proving control of domain names with minimal organizational identity checks.
Enrollment over Secure Transport, a certificate enrollment protocol designed as a modern alternative to SCEP.
An extended-validation certificate issued after stricter identity verification and governance checks.
An X.509 extension that scopes certificates to specific purposes like server auth, client auth, or code signing.
A subordinate CA certificate used to issue end-entity certificates while keeping root keys offline and protected.
An X.509 extension that restricts permitted key operations, such as digital signature or key encipherment.
A public CA that popularized automated, short-lived TLS certificates through ACME workflows.
An extension that limits permissible subject namespaces for certificates issued by a subordinate CA.
A protocol for checking certificate revocation status in near real time from an authoritative responder.
An organization-validated certificate including vetted organizational identity in addition to domain validation.
A CA certificate restriction that limits how many subordinate CA levels may exist beneath it.
The people, policies, hardware, software, and procedures used to issue, manage, and trust digital certificates and keys.
An internally operated PKI used for enterprise devices, services, users, and private trust domains.
The internet-trusted CA ecosystem used for public TLS, code signing, and broad third-party trust.
A PKI role that verifies applicant identity and approves certificate requests on behalf of a CA.
The top-level trust anchor certificate in a PKI hierarchy, typically self-signed and tightly protected.
An X.509 extension listing additional identities such as DNS names, IPs, emails, or URIs for a certificate.
Simple Certificate Enrollment Protocol, used to automate certificate enrollment for network and endpoint devices.
Proof that a certificate was submitted to a Certificate Transparency log, used during client validation.
A certificate signed by its own private key, often used internally or for bootstrapping trust.
An X.509 extension uniquely identifying the public key contained in a certificate.
Any CA operating under another CA in the certificate chain with delegated issuance authority.
A root public key or certificate explicitly trusted as the starting point for certificate path validation.
A certificate covering multiple subdomains through wildcard SAN entries such as *.example.com.
The dominant certificate format containing subject identity, public key, validity window, and signed extensions.
Secure Communications (28)
A network access control framework that authenticates devices before granting access to wired or wireless networks.
Authenticated encryption with associated data, combining confidentiality and integrity protection in one primitive.
A widely used AEAD mode based on AES encryption with Galois/Counter Mode authentication.
Application-Layer Protocol Negotiation, used in TLS to agree on protocols like HTTP/1.1, HTTP/2, or HTTP/3.
A trust model that restricts accepted certificates or public keys to expected values for a given service.
An AEAD construction combining ChaCha20 stream encryption and Poly1305 authentication, effective on varied hardware.
A defined set of cryptographic algorithms used together for key exchange, authentication, encryption, and integrity.
DNS-based Authentication of Named Entities, using DNSSEC records to bind certificates or keys to domain names.
DNS resolution carried over HTTPS to protect DNS queries from interception and tampering in transit.
DNS resolution over dedicated TLS sessions, providing encrypted and authenticated DNS transport.
Datagram Transport Layer Security, a TLS adaptation for UDP-based protocols that need encryption and authentication.
An 802.1X authentication method that uses client and server certificates for strong mutual authentication.
A mechanism that encrypts TLS ClientHello metadata to reduce hostname and configuration leakage during handshake.
The HTTP mapping over QUIC, improving performance and resilience compared to TCP-based HTTP versions.
Internet Key Exchange version 2, a protocol for negotiating and maintaining IPsec security associations.
A suite of protocols that secures IP traffic using authenticated encryption, commonly used for VPN tunnels.
Layer 2 link encryption for Ethernet traffic to protect data confidentiality and integrity on local network segments.
TLS with certificate-based authentication for both client and server, enabling strong machine-to-machine trust.
A TLS optimization where servers include certificate revocation status from OCSP responders during handshake.
A property where compromise of long-term keys does not expose past session keys or previously captured traffic.
A transport protocol over UDP with built-in encryption and low-latency connection establishment.
Using TLS to protect SIP signaling traffic in VoIP and unified communications deployments.
A TLS extension that indicates the intended hostname so a server can present the correct certificate.
A profile of RTP that adds confidentiality, message authentication, and replay protection for voice and video streams.
A secure protocol for encrypted remote login, command execution, and tunneling over untrusted networks.
A protocol providing confidentiality, integrity, and endpoint authentication for network communications.
The current major TLS version with simplified handshakes, stronger defaults, and removal of obsolete insecure ciphers.
A modern VPN protocol focused on simplicity, strong cryptography, and high performance.
Security Middleware (28)
Policy enforcement that dynamically adjusts permissions and step-up requirements as context changes.
A traffic control layer that centralizes authentication, authorization, rate limiting, and API policy enforcement.
A control point between users and cloud services that enforces data, access, and threat protection policies.
Access control that evaluates dynamic conditions like device health, location, risk, and behavior.
Controls that detect and prevent unauthorized movement or exposure of sensitive data across systems and channels.
A proxy that gates access based on authenticated identity and context before forwarding requests to applications.
A standard JSON format for publishing public keys used to verify JWT and JWS signatures.
Verification of token signature, issuer, audience, expiration, and claims before granting API or service access.
A general-purpose policy engine used to decouple authorization and compliance logic from application code.
The interface and control plane used to author, manage, and publish security policies.
The component that evaluates access requests against policy and returns allow or deny decisions.
The component that intercepts requests and enforces policy decisions in runtime request paths.
A context source providing attributes such as risk, identity, device posture, or geolocation for policy evaluation.
Application-integrated runtime defenses that detect and block attacks by observing in-process behavior.
The declarative policy language used by Open Policy Agent for expressing authorization and governance rules.
Authentication flows that adapt verification requirements based on detected risk signals and anomalies.
Secure Access Service Edge, an architecture converging networking and cloud-delivered security controls.
Supplying secrets to applications at runtime through controlled channels instead of embedding them in code or images.
Infrastructure components that enforce security controls consistently between applications, services, and networks.
An infrastructure layer handling service-to-service communication with policy, mTLS, telemetry, and traffic control.
A per-workload proxy that implements network security controls outside of application code.
A cloud security stack focused on access control, threat prevention, and data protection for users and applications.
A service that enforces web security policy for outbound traffic, including URL filtering and malware protection.
An authorization server endpoint that returns metadata about access token activity and validity state.
A centralized service that offers encryption and signing APIs so apps can use cryptography without direct key access.
A filtering layer that inspects and blocks malicious HTTP traffic targeting web application vulnerabilities.
An XML-based standard and architecture for attribute-based access control policies and decisions.
An access model that verifies user, device, and context continuously rather than trusting network location.
Security Platform & Services (41)
Managed governance workflows for access reviews, entitlement certification, and policy compliance.
The formal retirement of weak or obsolete cryptographic algorithms with controlled compatibility and remediation timelines.
Automated certificate reissuance and deployment workflows to prevent expirations and service outages.
Capabilities that analyze and reduce excessive cloud permissions and identity entitlement risk.
Encoding compliance requirements as testable policies and automated checks integrated into delivery pipelines.
Automated, ongoing validation that security controls remain effective and compliant over time.
Reusing validated platform-level controls so consuming teams can meet compliance obligations more efficiently.
The process of locating where and how cryptography is implemented to expose unmanaged risk and migration scope.
A cross-functional body that sets enterprise cryptography policy, risk appetite, and migration priorities.
A catalog of cryptographic assets, algorithms, key lengths, and dependencies across enterprise systems.
A managed API model for encryption, decryption, signing, and key management without direct key material handling by apps.
A lattice-based digital signature algorithm selected by NIST as a primary post-quantum signature scheme.
A lattice-based key encapsulation mechanism selected by NIST for post-quantum key establishment.
Tools and processes that detect cloud misconfigurations and policy drift against best-practice baselines.
Discovery and governance of sensitive data stores with risk scoring and policy enforcement recommendations.
Automated collection and mapping of audit evidence to controls to reduce manual compliance overhead.
On-demand access to dedicated or multi-tenant HSM-backed cryptographic operations through managed cloud interfaces.
Combining classical and post-quantum key exchange mechanisms to hedge migration risk during transition periods.
Cloud-delivered identity platform providing authentication, SSO, lifecycle, and policy controls.
Operational and governance controls for protecting key ownership, approval workflows, and emergency recovery.
Traceable evidence of where and how a key was generated, modified, transported, and used across its lifecycle.
Analysis of key operation patterns to detect anomalies, optimize lifecycle controls, and support audits.
A managed service that combines threat monitoring, analysis, and active response to security incidents.
A provider that operates day-to-day security controls and monitoring on behalf of customer organizations.
Structured transition planning and execution to adopt NIST-selected post-quantum algorithms in production systems.
Managed certificate authority and lifecycle services delivered as a hosted platform for enterprise PKI needs.
Managing security and governance rules in version-controlled code with automated validation and deployment.
Continuous assessment and improvement of security configuration state across cloud and on-prem environments.
Cryptographic algorithms designed to remain secure against attacks from large-scale quantum computers.
Preparation activities for migrating vulnerable cryptographic systems ahead of practical quantum threats.
Managed secret storage and distribution services providing controlled access, rotation, and audit trails.
An operating model that delivers security capabilities as reusable, centrally managed services across the enterprise.
The centralized management layer that defines policy and orchestrates security controls across distributed environments.
A centralized repository for high-volume security telemetry used for detection engineering and forensic analysis.
A delineation of security duties between service provider and customer, varying by service and deployment model.
Security Information and Event Management platform for collecting, correlating, and alerting on security-relevant events.
Security orchestration, automation, and response capabilities used to streamline incident triage and remediation workflows.
An organization providing managed security capabilities such as monitoring, incident response, and governance support.
Security posture monitoring focused on SaaS configurations, access controls, and third-party integrations.
A system for ingesting, enriching, scoring, and operationalizing threat intelligence indicators and context.
A detection and response model that correlates telemetry across endpoints, identity, cloud, email, and network domains.