Glossary A

ABAC makes access decisions based on attributes of users, resources, and environmental context rather than predefined roles alone. Policies express conditions like 'allow access if user.department == resource.department AND environment.time is business-hours'. ABAC provides finer-grained control than RBAC and is more adaptable to complex organizational structures and dynamic access requirements.

An ACL is a list of permissions attached to a resource that specifies which users, groups, or system processes are granted or denied access, and what operations they may perform. ACLs can be applied to files, network packets, API endpoints, or database objects. While flexible, large ACL-based systems can become difficult to manage — modern systems often supplement or replace ACLs with role-based access control (RBAC) for administrative clarity.

An account factory automates the provisioning of new cloud accounts with standardized security baselines, networking, logging, and governance controls applied consistently at creation time. AWS Control Tower's Account Factory for Terraform (AFT) and Azure Landing Zone vending machines are common implementations. Account factories enforce the principle that new cloud accounts start secure rather than requiring post-creation remediation.

ACID describes the four properties that guarantee reliable database transaction processing. Atomicity ensures all operations in a transaction succeed or all fail. Consistency ensures transactions bring the database from one valid state to another. Isolation ensures concurrent transactions execute as if serial. Durability ensures committed transactions survive system failures. ACID is the cornerstone of relational database reliability.

Active-active is a high-availability architecture where multiple instances or regions simultaneously serve live traffic. Unlike active-passive, there is no idle standby — all nodes share the load. Active-active improves throughput and reduces latency through geographic distribution, but requires data synchronization between all active nodes, which increases complexity.

Active-passive is a failover architecture where a primary instance handles all traffic while a standby instance remains idle but synchronized. When the primary fails, traffic is routed to the standby — trading instantaneous failover for lower operational cost compared to active-active. The standby's warmup time determines how closely RTO targets can be met.

An adapter is a small, trainable module inserted into a frozen pre-trained model to enable parameter-efficient fine-tuning. Only the adapter weights are updated during training, leaving the base model unchanged. Adapters reduce compute and memory costs compared to full fine-tuning while achieving competitive task-specific performance.

Kubernetes admission controllers intercept API server requests before object persistence, enabling validation and mutation of resources to enforce security policies. Security-focused admission controllers reject workloads that request privileged access, require specific image registries, or violate namespace isolation policies. Policy-as-code tools like OPA Gatekeeper and Kyverno implement custom admission controller logic.

An AI agent is a system that uses a language model as its reasoning core to autonomously plan, take actions, and iterate toward a goal. Agents combine tool use, memory, and multi-step planning to accomplish tasks that require more than a single model call. Examples include coding assistants that run tests, web-browsing agents, and autonomous research pipelines.

Agentic AI refers to AI systems that operate with a high degree of autonomy, proactively taking sequences of actions to achieve long-horizon goals with minimal human intervention. Unlike chatbots that respond to a single prompt, agentic systems loop through perceive-plan-act cycles, use tools, and self-correct. Reliability, safety, and human oversight are key engineering challenges in agentic systems.

Agentless scanning discovers and assesses cloud workload security posture by analyzing disk snapshots, cloud APIs, and metadata rather than deploying software agents inside every virtual machine or container. This approach reduces operational overhead, works on ephemeral workloads, and covers resources where agent deployment is impractical. Cloud providers expose snapshot APIs (EBS, managed disk) that agentless scanners use to inspect running workloads without execution risk.

Azure Kubernetes Service (AKS) is Microsoft's managed Kubernetes offering that automates cluster provisioning, patching, scaling, and upgrades. AKS integrates deeply with Azure Active Directory, Azure Monitor, Azure Policy, and Azure Container Registry, making it the natural choice for organizations with existing Microsoft cloud investments.

Alignment is the research and engineering discipline focused on ensuring AI systems behave in accordance with human values, intentions, and safety requirements. Misaligned models may optimize for proxy objectives, produce harmful outputs, or deceive users. Techniques such as RLHF, DPO, and Constitutional AI are used to steer model behavior toward desired outcomes.

AlloyDB is Google Cloud's fully managed PostgreSQL-compatible database service designed for demanding transactional and analytical workloads. It delivers up to 4x better performance than standard PostgreSQL for OLTP workloads and 100x faster analytical queries through a columnar engine. AlloyDB separates compute and storage for independent scaling of each dimension.

Alpine Linux is a security-oriented, lightweight Linux distribution widely used as a base image for Docker containers. Its minimal footprint (under 5 MB) dramatically reduces container image sizes and attack surface compared to full distributions like Ubuntu or Debian. Alpine uses musl libc and busybox, which occasionally causes compatibility issues with software compiled against glibc.

The Ambassador pattern places a proxy container or process in front of a service to handle cross-cutting networking concerns like retries, timeouts, circuit breaking, and authentication. Unlike a sidecar (which is per-instance), an ambassador can aggregate traffic for multiple clients. Ambassador is also the name of a popular Kubernetes API gateway that implements this pattern.

An API defines how software components communicate with each other through a set of protocols, routines, and data formats. APIs enable developers to build on existing functionality without understanding internal implementation details. Modern APIs typically use REST or gRPC patterns and are the backbone of microservices architectures and third-party integrations.

An API gateway is a reverse proxy that sits in front of backend services, handling cross-cutting concerns like authentication, rate limiting, request routing, SSL termination, and logging. It provides a single entry point for clients, decoupling client-facing APIs from internal service topology. Kong, AWS API Gateway, and Nginx are common implementations. API gateways are a critical component in microservice architectures.

API gateway security encompasses authentication, authorization, rate limiting, input validation, and threat protection applied at the API gateway layer before requests reach backend services. Gateways enforce OAuth/JWT validation, API key management, mutual TLS, and can integrate with WAF rules to block malicious traffic. Centralizing these controls at the gateway reduces the attack surface of individual microservices.

API security encompasses the practices, standards, and tools used to protect APIs from unauthorized access, data exposure, and abuse. The OWASP API Security Top 10 identifies key risks including broken object-level authorization, authentication failures, excessive data exposure, and rate limiting gaps. As APIs have become the primary integration surface for modern applications, they represent a major and growing attack target.

APM tools monitor the performance and availability of software applications, tracking metrics like request latency, error rates, throughput, and resource utilization. They provide distributed tracing to follow requests across service boundaries, helping engineers identify bottlenecks and performance regressions. Datadog, New Relic, and Dynatrace are leading commercial APM platforms.

ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes that continuously monitors Git repositories and synchronizes cluster state to match the desired configuration. It provides a web UI and CLI for visualizing application state, detecting drift, and performing rollbacks. ArgoCD supports Helm, Kustomize, and raw Kubernetes manifests as deployment sources.

An artifact registry is a managed repository service for storing, versioning, and distributing build artifacts such as container images, Helm charts, npm packages, and Maven JARs. Cloud-native registries like Google Artifact Registry, AWS ECR, and GitHub Container Registry provide access controls, vulnerability scanning, and geo-replication. Registries are a critical link in the software supply chain.

Artifact signing applies cryptographic signatures to build outputs — binaries, packages, manifests — to prove their origin and integrity. Signed artifacts allow consumers to verify that software was built by a trusted pipeline and has not been tampered with in transit. Sigstore's keyless signing model has made artifact signing practical by eliminating the need for long-lived private key management.

An AST is a tree representation of the structure of source code where each node represents a construct such as a variable declaration, function call, or expression. ASTs are the intermediate representation that compilers, transpilers, linters, and formatters operate on. Tools like Babel and ESLint expose AST traversal APIs, enabling custom transformations and analysis rules.

ASVS is an OWASP framework that defines security requirements and controls for web applications at three levels of rigor. Level 1 covers opportunistic threats, Level 2 covers most apps handling sensitive data, and Level 3 is for critical applications requiring the highest assurance. Development teams use ASVS as a security checklist during design, development, and testing.

The attack surface is the sum of all points where an attacker could attempt to enter or extract data from an application or system. It encompasses exposed APIs, open ports, user input fields, authentication endpoints, and third-party integrations. Reducing the attack surface — by disabling unused features, minimizing exposed interfaces, and applying least privilege — is a core security engineering principle.

The attention mechanism allows neural networks to dynamically weight the importance of different input positions when producing each output token. It computes compatibility scores between a query and a set of keys, uses those scores to create a weighted sum of values, and feeds the result to subsequent layers. Attention is the core innovation that enabled transformers to surpass recurrent architectures on sequence modeling tasks.

Remote attestation is a mechanism by which a computing environment provides cryptographic proof of its configuration and integrity to a remote verifier. In confidential computing, attestation allows a client to verify that their code is running in a genuine hardware-protected Trusted Execution Environment with specific security properties before sending sensitive data. Attestation is foundational to establishing trust in cloud-hosted sensitive workloads.

An audit trail is a chronological record of system activities, user actions, and data changes that provides evidence of security-relevant events for forensic analysis and compliance purposes. Effective audit trails capture who performed an action, what was changed, when it occurred, and from where. Immutable, tamper-evident audit logs are required by compliance frameworks including PCI DSS, HIPAA, and SOC 2.

Amazon Aurora is AWS's cloud-native relational database engine compatible with MySQL and PostgreSQL. Aurora separates compute and storage, replicating data six ways across three availability zones for durability. Aurora Serverless automatically scales capacity to match demand, making it suitable for variable workloads that don't justify provisioned capacity.

Authentication bypass vulnerabilities allow attackers to access protected resources without providing valid credentials, by exploiting flaws in authentication logic, session handling, or cryptographic verification. Common techniques include manipulating JWT signatures (setting algorithm to `none`), exploiting SQL injection in login forms, or abusing flawed password reset flows. Authentication bypass typically leads directly to account takeover and data exposure.

Auto-scaling automatically adjusts the number of running compute instances based on observed load metrics like CPU utilization, request queue depth, or custom metrics. Horizontal scaling adds or removes instances; vertical scaling changes instance size. Cloud auto-scaling groups (AWS ASG, GCP MIG) handle the provisioning lifecycle, enabling systems to handle traffic spikes without over-provisioning for baseline load.

Automation in DevOps refers to replacing manual, repetitive operational tasks with scripts, tools, and workflows that execute reliably and consistently. Automation covers build pipelines, infrastructure provisioning, testing, deployment, monitoring, and incident response. Reducing toil through automation is a core SRE principle that frees engineers for higher-value work.

Autoregressive models generate sequences one token at a time, conditioning each new token on all previously generated tokens. GPT-style language models are autoregressive — they predict the next token given the full left context. This sequential generation allows flexible open-ended text production but makes parallel decoding difficult.

An availability zone (AZ) is a physically isolated data center or group of data centers within a cloud region that has independent power, cooling, and networking. Distributing resources across multiple AZs provides fault tolerance — an AZ failure doesn't take down all replicas. AZs are the fundamental unit of high availability design in AWS, Azure, and GCP.

AWQ is a post-training quantization method that identifies and protects the small fraction of model weights most important for accuracy, quantizing the rest to lower precision. It achieves near-lossless 4-bit quantization by scaling weights based on activation magnitudes observed during calibration. AWQ enables fast, memory-efficient deployment of large models on consumer GPUs.

Azure Blob Storage is Microsoft Azure's object storage service for unstructured data — documents, images, videos, backups, and logs. Blobs are organized into containers within storage accounts and support access tiers (Hot, Cool, Archive) for cost optimization. Azure Blob integrates with Azure CDN, Azure Data Factory, and other Azure services for data pipeline and analytics workflows.

Microsoft Defender for Cloud (formerly Azure Defender and Azure Security Center) is Microsoft's integrated cloud security posture management and workload protection platform. It provides CSPM capabilities across Azure, AWS, and GCP, detects threats against VMs, containers, databases, and storage, and enforces security policies through Azure Policy. Its Defender plans offer advanced threat protection for specific resource types including Kubernetes, SQL, and storage.