🧠 Cybersecurity Architect’s Lexicon
Purpose: This reference is designed for professionals stepping into a Lead Cybersecurity Architect role in a product security function—especially within regulated environments like financial services. Use it to speak fluently with engineers, risk teams, auditors, and executives from day one.
🔐 Core Security Architecture Terms
| Term | Definition | Usage |
|---|---|---|
| Zero Trust | Security model requiring verification of every request, regardless of origin. | “We enforce Zero Trust on DB access using mTLS and JIT credentials.” |
| Defense in Depth | Layered security controls to reduce reliance on any single defense. | “Even if IAM fails, network segmentation and encryption remain in place.” |
| Security-by-Design | Embedding security controls during architecture and development, not post-deployment. | “We included role-based masking during DB schema design.” |
| Secure Baseline | A hardened, pre-approved configuration used as a default template. | “Use the golden Terraform module—our secure RDS baseline.” |
🔎 Threat Modeling & Risk Terms
| Term | Definition | Usage |
|---|---|---|
| STRIDE | Threat categorization framework: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. | “We STRIDE-modeled the customer analytics system.” |
| DREAD | Risk scoring framework: Damage, Reproducibility, Exploitability, Affected Users, Discoverability. | “We prioritized the DB misconfig based on a high DREAD score.” |
| FAIR | Factor Analysis of Information Risk: quantitative risk assessment using financial exposure modeling. | “We used FAIR to quantify a $3M data leakage risk.” |
| Residual Risk | Remaining risk after applying mitigating controls. | “Tokenization reduced risk, but residual risk from logs remains.” |
🔐 IAM and Access Control
| Term | Definition | Usage |
|---|---|---|
| RBAC | Role-Based Access Control assigns permissions to user roles. | “Only analysts have read-only RBAC to reporting schemas.” |
| ABAC | Attribute-Based Access Control allows dynamic policy enforcement based on attributes. | “Finance users from Jersey City are allowed RDS access via ABAC rules.” |
| JIT Access | Temporary, time-limited privilege elevation. | “DBA roles are granted JIT via a ticketing workflow with auto-expiry.” |
| Federated Identity | External identity provider manages auth (e.g., Okta, Azure AD). | “SSO to DB tools is federated via SAML.” |
🔐 Data Protection & Privacy
| Term | Definition | Usage |
|---|---|---|
| TDE | Transparent Data Encryption for protecting data at rest in DBs. | “SQL Server TDE keys are rotated every 90 days.” |
| Field-Level Encryption | Encrypting specific columns (e.g., SSNs, credit cards). | “SSNs are encrypted at the field level using CMKs.” |
| Tokenization | Replacing sensitive values with surrogate tokens that cannot be reversed without access to the token vault. | “We tokenize PAN before sending to analytics.” |
| Masking | Static or dynamic obfuscation of data for authorized views. | “Analysts see masked names unless granted PII clearance.” |
| Data Classification | Tagging data based on sensitivity (public, confidential, restricted). | “All restricted data must have access logged and encrypted.” |
☁️ Cloud & Infrastructure Terms
| Term | Definition | Usage |
|---|---|---|
| KMS | Cloud-native key management service for encryption keys. | “All RDS snapshots use customer-managed KMS keys.” |
| VPC Peering / PrivateLink | Private cloud networking for secure service-to-service communication. | “Lambda talks to Aurora via PrivateLink—no public traffic.” |
| Snapshot Encryption | Encrypting backups to maintain data protection across lifecycle. | “Snapshots older than 90 days are archived with encryption intact.” |
| Multi-Tenant Isolation | Separation of data between different tenants (customers or apps). | “Each tenant has a unique schema and service role with scoped policies.” |
🧪 DevSecOps and CI/CD
| Term | Definition | Usage |
|---|---|---|
| IaC | Infrastructure as Code using tools like Terraform or CloudFormation. | “IaC secures DB provisioning and ensures encryption via policies.” |
| Secrets Management | Secure handling and rotation of sensitive keys or passwords. | “We use Vault to generate short-lived DB credentials per session.” |
| SBOM | Inventory of components in software builds (Software Bill of Materials). | “Our SBOM flagged an outdated DB driver with known CVEs.” |
| Shift Left | Incorporating security earlier in the development lifecycle. | “Threat modeling is now done during backlog grooming to shift left.” |
📊 GRC & Compliance Vocabulary
| Term | Definition | Usage |
|---|---|---|
| 3LoD | Three Lines of Defense: operations (owns and runs controls), risk and compliance (oversight), internal audit (independent assurance). | “We act as 1LoD by designing and enforcing control coverage.” |
| Control Objective | The desired result of a control (e.g., “Only approved users can query PII”). | “The control objective is validated with audit logs and IAM policy reviews.” |
| Evidence of Control | Artifacts proving a control is active and effective. | “We submit daily CloudTrail exports as evidence.” |
| KRI | Key Risk Indicator—a metric reflecting risk movement. | “A 4x increase in failed DB logins triggered a KRI alert.” |
| SoD | Segregation of Duties: separating responsibilities to prevent abuse. | “DevOps can deploy, but only InfoSec can approve DB role changes.” |
🛠️ Must-Know Tools and Platforms
- Vault / AWS Secrets Manager / Azure Key Vault – Secrets management and dynamic credentialing.
- Splunk / Sentinel / QRadar – Log ingestion, alerting, and compliance dashboards.
- Terraform / CloudFormation – Infrastructure-as-Code (IaC) for security baselines.
- pgAudit / Oracle FGA / SQL Server Audit – Native database auditing systems.
- BigID / Purview / Varonis – Data classification and governance platforms.
📘 Final Tip: Speak Like a Security Leader
Use phrases like:
- “We enforce SoD in CI/CD by requiring dual-approval on DB schema changes.”
- “KRIs are tracked weekly—encryption coverage, patch age, and access anomalies.”
- “We tokenized card data using Vault to ensure PCI DSS segmentation.”
- “Our secure baseline is enforced through Terraform modules with OPA policy checks.”
Next Step: Bookmark this lexicon or integrate it into your onboarding playbook—so you can walk into your next architecture review or interview speaking the language of a seasoned Lead Cybersecurity Architect.
