Appendix A: Glossary of Terms (36 terms)

Definitions of security, cloud, and compliance terminology used throughout this ROAR Assessment report.

A
AKS
Azure Kubernetes Service. A managed Kubernetes container orchestration service provided by Microsoft Azure. In this assessment, the AiVRIC AKS cluster was scanned for RBAC misconfigurations, pod security issues, and network policy gaps.
API
Application Programming Interface. A set of protocols and tools for building and integrating software applications. APIs define how software components should interact and are a common attack surface for credential exposure and injection attacks.
ARN
Amazon Resource Name. A unique identifier for AWS resources. ARNs are used in IAM policies to specify which resources a policy applies to. Format: arn:aws:service:region:account-id:resource
AWS
Amazon Web Services. A cloud computing platform offering over 200 services including compute, storage, databases, and security. One of the four cloud providers assessed in this report (Account ID: 299839646071).
Azure
Microsoft Azure. Microsoft’s public cloud computing platform providing IaaS, PaaS, and SaaS services. Assessed in this report under subscription ID 9d9c58a5-57e1-... (3HUE Dev-Test).
C
CCPA
California Consumer Privacy Act. A state-level data privacy law granting California residents rights over their personal information, including the right to know, delete, and opt-out of the sale of personal data.
CIS
Center for Internet Security. A nonprofit organization that publishes security benchmarks and best practices for operating systems, cloud providers, and applications. CIS Benchmarks (AWS v3.0, Azure v2.1, K8s v1.8) were used as primary assessment baselines.
CISSP
Certified Information Systems Security Professional. An advanced-level cybersecurity certification from (ISC)² demonstrating expertise across eight domains of information security.
CMMC
Cybersecurity Maturity Model Certification. A unified standard for implementing cybersecurity across the defense industrial base (DIB). CMMC requires organizations to demonstrate compliance with specific cybersecurity practices at various maturity levels.
Compliance Framework
A structured set of guidelines, controls, and best practices that organizations follow to meet regulatory, legal, or industry-specific security requirements. This report evaluates findings against 61 compliance frameworks including CIS, NIST, PCI-DSS, HIPAA, and SOC 2.
CSPM
Cloud Security Posture Management. A category of security tools that continuously monitor cloud infrastructure configurations for misconfigurations, compliance violations, and security risks. AiVRIC Vision functions as a CSPM platform.
CVE
Common Vulnerabilities and Exposures. A publicly maintained list of known cybersecurity vulnerabilities. Each CVE entry has a unique identifier (e.g., CVE-2024-12345) and is referenced for tracking and remediation.
CVSS
Common Vulnerability Scoring System. An open framework for communicating the characteristics and severity of software vulnerabilities. Scores range from 0.0 to 10.0, with 9.0+ classified as Critical. This report uses CVSS v4.0 scoring methodology.
D
DevSecOps
Development, Security, and Operations. A practice that integrates security testing and controls throughout the software development lifecycle rather than treating security as a separate phase. Key to shifting security “left” in the CI/CD pipeline.
E
EBS
Elastic Block Store. An AWS block-level storage service designed for use with EC2 instances. EBS volumes should be encrypted at rest using AWS KMS keys to meet data protection requirements.
EC2
Elastic Compute Cloud. An AWS service providing resizable compute capacity in the cloud. EC2 instances were assessed for IMDSv2 enforcement, security group rules, and secrets exposed in instance user data.
Encryption at Rest
The protection of data stored on disk or in persistent storage using cryptographic algorithms. Ensures data remains unreadable without the correct decryption key even if physical media is compromised or accessed by unauthorized parties.
Encryption in Transit
The protection of data as it travels across networks using protocols such as TLS/SSL. Prevents eavesdropping, man-in-the-middle attacks, and data tampering during transmission between services or to end users.
G
GDPR
General Data Protection Regulation. A European Union regulation on data protection and privacy. GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data, with penalties up to 4% of annual global turnover.
H
HIPAA
Health Insurance Portability and Accountability Act. A U.S. federal law requiring the protection of sensitive patient health information (PHI). HIPAA mandates administrative, physical, and technical safeguards for electronic health data.
I
IAM
Identity and Access Management. A framework of policies and technologies ensuring the right individuals have appropriate access to resources. IAM findings constitute the largest category of critical and high-severity issues in this assessment.
IaC
Infrastructure as Code. The practice of managing and provisioning infrastructure through machine-readable definition files rather than manual configuration. Tools include Terraform, CloudFormation, and ARM templates.
IMDSv2
Instance Metadata Service Version 2. An enhanced version of the EC2 instance metadata service that requires session-oriented requests, mitigating SSRF attacks that could extract credentials from the metadata endpoint at 169.254.169.254.
K
Kubernetes
An open-source container orchestration platform for automating deployment, scaling, and management of containerized applications. The AiVRIC AKS cluster (aivric-aks-cluster) was assessed for RBAC, pod security, and network policies.
M
MFA
Multi-Factor Authentication. A security mechanism requiring two or more verification factors to gain access to a resource. Hardware MFA (e.g., YubiKey) is recommended over virtual MFA for root and privileged accounts due to stronger phishing resistance.
N
NIST
National Institute of Standards and Technology. A U.S. government agency that publishes cybersecurity standards and frameworks. NIST 800-53 Rev 5 provides a comprehensive catalog of security and privacy controls used as a baseline in this assessment.
O
OWASP
Open Web Application Security Project. A nonprofit foundation producing freely-available tools, standards, and documentation for web application security. The OWASP Top 10 is widely referenced for classifying common web vulnerabilities.
P
PCI-DSS
Payment Card Industry Data Security Standard. A set of security standards mandated by major credit card companies for organizations that handle cardholder data. PCI-DSS v4.0 was assessed across all providers, with particular focus on encryption and access control requirements.
R
RBAC
Role-Based Access Control. An access control mechanism where permissions are assigned to roles rather than individual users. Kubernetes RBAC was a significant finding area, with 306 findings related to wildcard permissions and overly permissive cluster roles.
RDS
Relational Database Service. An AWS managed database service supporting multiple engines (PostgreSQL, MySQL, etc.). RDS instances were assessed for encryption, public accessibility, and backup configuration.
RLS
Row-Level Security. A database security feature that restricts which rows a user can access in a table. Commonly implemented in PostgreSQL and used in multi-tenant SaaS applications to ensure data isolation between customers.
S
S3
Simple Storage Service. An AWS object storage service offering industry-leading scalability, availability, and performance. S3 buckets were assessed for public access blocks, encryption settings, versioning, and access logging configuration.
SAS
Shared Access Signature. An Azure mechanism providing secure delegated access to resources in a storage account. SAS tokens grant granular permissions with time-limited access, reducing the risk of permanent credential exposure.
SOC 2
System and Organization Controls 2. An auditing framework developed by the AICPA that evaluates an organization’s information systems based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
V
VPC
Virtual Private Cloud. A logically isolated section of a cloud provider’s network where resources can be launched with custom IP ranges, subnets, route tables, and network gateways. VPC flow logs and security groups were assessed for proper configuration.
Z
Zero Trust
A security model based on the principle of “never trust, always verify.” Zero Trust architecture requires strict identity verification for every person and device attempting to access resources, regardless of whether they are inside or outside the network perimeter. Key tenets include least-privilege access, micro-segmentation, and continuous verification.