The Cybersecurity Architect’s Lexicon

Purpose: This reference is designed for professionals stepping into a Lead Cybersecurity Architect role in a product security function—especially within regulated environments like financial services. Use it to speak fluently with engineers, risk teams, auditors, and executives from day one.


🔐 Core Security Architecture Terms

| Term | Definition | Usage |
| --- | --- | --- |
| Zero Trust | Security model requiring verification of every request, regardless of origin. | “We enforce Zero Trust on DB access using mTLS and JIT credentials.” |
| Defense in Depth | Layered security controls to reduce reliance on any single defense. | “Even if IAM fails, network segmentation and encryption remain in place.” |
| Security-by-Design | Embedding security controls during architecture and development, not post-deployment. | “We included role-based masking during DB schema design.” |
| Secure Baseline | A hardened, pre-approved configuration used as a default template. | “Use the golden Terraform module—our secure RDS baseline.” |

🔎 Threat Modeling & Risk Terms

| Term | Definition | Usage |
| --- | --- | --- |
| STRIDE | Threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. | “We STRIDE-modeled the customer analytics system.” |
| DREAD | Risk scoring framework: Damage, Reproducibility, Exploitability, Affected Users, Discoverability. | “We prioritized the DB misconfig based on a high DREAD score.” |
| FAIR | Quantitative risk assessment using financial exposure modeling. | “We used FAIR to quantify a $3M data leakage risk.” |
| Residual Risk | Remaining risk after applying mitigating controls. | “Tokenization reduced risk, but residual risk from logs remains.” |

🔐 IAM and Access Control

| Term | Definition | Usage |
| --- | --- | --- |
| RBAC | Role-Based Access Control assigns permissions to user roles. | “Only analysts have read-only RBAC to reporting schemas.” |
| ABAC | Attribute-Based Access Control allows dynamic policy enforcement based on attributes. | “Finance users from Jersey City are allowed RDS access via ABAC rules.” |
| JIT Access | Temporary, time-limited privilege elevation. | “DBA roles are granted JIT via a ticketing workflow with auto-expiry.” |
| Federated Identity | External identity provider manages auth (e.g., Okta, Azure AD). | “SSO to DB tools is federated via SAML.” |

🔐 Data Protection & Privacy

| Term | Definition | Usage |
| --- | --- | --- |
| TDE | Transparent Data Encryption for protecting data at rest in DBs. | “SQL Server TDE keys are rotated every 90 days.” |
| Field-Level Encryption | Encrypting specific columns (e.g., SSNs, credit cards). | “SSNs are encrypted at the field level using CMKs.” |
| Tokenization | Replacing sensitive values with irreversible tokens. | “We tokenize PAN before sending to analytics.” |
| Masking | Static or dynamic obfuscation of data for authorized views. | “Analysts see masked names unless granted PII clearance.” |
| Data Classification | Tagging data based on sensitivity (public, confidential, restricted). | “All restricted data must have access logged and encrypted.” |

☁️ Cloud & Infrastructure Terms

| Term | Definition | Usage |
| --- | --- | --- |
| KMS | Cloud-native key management service for encryption keys. | “All RDS snapshots use customer-managed KMS keys.” |
| VPC Peering / PrivateLink | Private cloud networking for secure service-to-service communication. | “Lambda talks to Aurora via PrivateLink—no public traffic.” |
| Snapshot Encryption | Encrypting backups to maintain data protection across the lifecycle. | “Snapshots older than 90 days are archived with encryption intact.” |
| Multi-Tenant Isolation | Separation of data between different tenants (customers or apps). | “Each tenant has a unique schema and service role with scoped policies.” |

🧪 DevSecOps and CI/CD

| Term | Definition | Usage |
| --- | --- | --- |
| IaC | Infrastructure as Code using tools like Terraform or CloudFormation. | “IaC secures DB provisioning and ensures encryption via policies.” |
| Secrets Management | Secure handling and rotation of sensitive keys or passwords. | “We use Vault to generate short-lived DB credentials per session.” |
| SBOM | Software Bill of Materials: an inventory of the components in a software build. | “Our SBOM flagged an outdated DB driver with known CVEs.” |
| Shift Left | Incorporating security earlier in the development lifecycle. | “Threat modeling is now done during backlog grooming to shift left.” |

📊 GRC & Compliance Vocabulary

| Term | Definition | Usage |
| --- | --- | --- |
| 3LoD | Three Lines of Defense: Ops, Risk, Audit. | “We act as 1LoD by designing and enforcing control coverage.” |
| Control Objective | The desired result of a control (e.g., “Only approved users can query PII”). | “The control objective is validated with audit logs and IAM policy reviews.” |
| Evidence of Control | Artifacts proving a control is active and effective. | “We submit daily CloudTrail exports as evidence.” |
| KRI | Key Risk Indicator—a metric reflecting risk movement. | “A 4x increase in failed DB logins triggered a KRI alert.” |
| SoD | Segregation of Duties: separating responsibilities to prevent abuse. | “DevOps can deploy, but only InfoSec can approve DB role changes.” |

🛠️ Must-Know Tools and Platforms

  • Vault / AWS Secrets Manager / Azure Key Vault – Secrets management and dynamic credentialing.
  • Splunk / Sentinel / QRadar – Log ingestion, alerting, and compliance dashboards.
  • Terraform / CloudFormation – Infrastructure-as-Code (IaC) for security baselines.
  • pgAudit / Oracle FGA / SQL Server Audit – Native database auditing systems.
  • BigID / Purview / Varonis – Data classification and governance platforms.

📘 Final Tip: Speak Like a Security Leader

Use phrases like:

  • “We enforce SoD in CI/CD by requiring dual-approval on DB schema changes.”
  • “KRIs are tracked weekly—encryption coverage, patch age, and access anomalies.”
  • “We tokenized card data using Vault to ensure PCI DSS segmentation.”
  • “Our secure baseline is enforced through Terraform modules with OPA policy checks.”

Next Step: Bookmark this lexicon or integrate it into your onboarding playbook—so you can walk into your next architecture review or interview speaking the language of a seasoned Lead Cybersecurity Architect.