Server Security Glossary
Server security encompasses a specialized vocabulary drawn from networking standards, cryptographic frameworks, regulatory guidance, and operational practice. This glossary defines the core terms used across server hardening, access control, encryption, compliance, and incident response — providing precise definitions grounded in published standards from bodies including NIST, CIS, and IETF. Professionals navigating server security auditing and compliance or evaluating vendor capabilities benefit from a shared, standards-aligned terminology base.
Definition and scope
A server security glossary covers the technical and regulatory vocabulary specific to protecting server infrastructure — physical, virtual, and cloud-hosted — from unauthorized access, exploitation, and data loss. The scope spans operating-system-level controls, network perimeter mechanisms, cryptographic protocols, identity management, and compliance frameworks.
The NIST Computer Security Resource Center (CSRC) maintains the authoritative CSRC Glossary, which defines over 4,000 terms drawn from Federal Information Processing Standards (FIPS) publications, NIST Special Publications (SP), and Committee on National Security Systems (CNSS) Instruction 4009. Definitions below align with NIST CSRC, IETF RFCs, and CIS Benchmark terminology where those sources provide published definitions.
Scope boundaries: This glossary covers server-specific terminology. Network-layer terms (BGP, OSPF, MPLS) and endpoint-device terms appear only where they intersect directly with server security architecture — for example, where a term governs server network segmentation or DMZ architecture and server placement.
How it works
Glossary terms in server security are structured around 6 functional domains, each corresponding to a distinct protection layer:
- Identity and access — authentication, authorization, privilege, and credential management
- Cryptography and transport — encryption algorithms, key management, certificate infrastructure, and protocol configurations
- Threat detection and response — vulnerability classes, attack vectors, detection mechanisms, and incident handling
- Hardening and configuration — baseline standards, benchmarks, patch states, and configuration controls
- Compliance and audit — regulatory frameworks, control families, audit trails, and evidence requirements
- Architecture and segmentation — network zones, trust boundaries, virtualization layers, and container isolation
Terms within each domain are defined using the most specific authoritative source available — NIST SP 800-53 Rev 5 for control-related terms, FIPS 140-3 for cryptographic module terms, and CIS Benchmarks for hardening-specific terminology.
Common scenarios
Authentication and access terms
- Multi-Factor Authentication (MFA): An authentication mechanism requiring the presentation of 2 or more distinct authentication factors — something known, something possessed, or something inherent — before access is granted. Defined under NIST SP 800-63B. See multi-factor authentication for servers.
- Principle of Least Privilege (PoLP): A security design principle specifying that every process, user, or system component receives only the minimum access rights necessary to perform its function. Codified in NIST SP 800-53 Rev 5 as control AC-6.
- Privileged Access Workstation (PAW): A dedicated computing environment used exclusively for performing sensitive administrative tasks, isolated from standard user activity.
- Role-Based Access Control (RBAC): An access control model in which permissions are assigned to roles rather than directly to individual users; users acquire permissions by being assigned to roles. Defined in NIST SP 800-53 Rev 5, §AC-2.
Cryptography and transport terms
- Transport Layer Security (TLS): A cryptographic protocol providing authentication, confidentiality, and data integrity for communications over a network. IETF RFC 8446 defines TLS 1.3, the current version. See TLS/SSL configuration for servers.
- Public Key Infrastructure (PKI): A framework of policies, procedures, hardware, software, and people that creates, manages, distributes, stores, and revokes digital certificates. See server certificate and PKI management.
- Cipher Suite: A named combination of cryptographic algorithms specifying key exchange, bulk encryption, and message authentication methods for a TLS session.
- Symmetric vs. Asymmetric Encryption: Symmetric encryption uses a single shared key for both encryption and decryption (e.g., AES-256); asymmetric encryption uses a mathematically linked key pair — one public, one private (e.g., RSA-2048, ECDSA).
Threat and vulnerability terms
- Common Vulnerabilities and Exposures (CVE): A publicly available catalog of known security vulnerabilities, each assigned a unique identifier (e.g., CVE-2021-44228). Maintained by MITRE Corporation under sponsorship from CISA (CVE Program).
- Common Vulnerability Scoring System (CVSS): A numerical scoring framework (0.0–10.0) for rating the severity of software vulnerabilities. CVSS v3.1 is maintained by FIRST.
- Zero-Day Vulnerability: A software flaw that is unknown to, or unpatched by, the responsible vendor at the time of exploitation. See server vulnerability scanning.
- Server-Side Request Forgery (SSRF): An attack class in which a server is manipulated into making HTTP requests to internal resources on the attacker's behalf, often bypassing firewall controls.
- Lateral Movement: Post-compromise attacker behavior in which access gained on one server is used to extend reach to additional systems within the same network environment.
Hardening and compliance terms
- CIS Benchmark: A configuration baseline published by the Center for Internet Security providing prescriptive, consensus-developed hardening guidance for specific operating systems and server platforms.
- Security Technical Implementation Guide (STIG): Configuration hardening guidance published by the Defense Information Systems Agency (DISA) for use in U.S. Department of Defense environments.
- Patch Management: The process of acquiring, testing, and applying software updates to remediate known vulnerabilities. Governed in federal environments under NIST SP 800-40 Rev 4.
- Configuration Drift: The gradual divergence of a deployed server's configuration from its approved security baseline, typically resulting from unmanaged changes over time.
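As an added example illustrating the Configuration Drift and CIS Benchmark entries above (not code from this glossary or from CIS), a small drift check that compares a deployed sshd_config-style file against an approved baseline; the baseline values and the sample file are constructed for illustration.

```python
# Added example, not from the glossary: detect configuration drift by comparing
# a deployed sshd_config-style file against an approved baseline. The baseline
# values are constructed for illustration, not quoted from a CIS Benchmark.

# Constructed baseline: keyword -> required value. sshd_config keywords are
# case-insensitive, so keys are stored in lower case.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "VERBOSE",
}

def parse_config(text):
    """Parse 'Keyword value' lines. As in sshd, the first occurrence of a
    keyword wins, so a later hardened duplicate cannot mask an earlier
    weak value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def detect_drift(deployed_text, baseline=BASELINE):
    """Return sorted (keyword, expected, actual) findings. actual is None
    when the keyword is absent, i.e. the daemon default applies instead of
    the approved value."""
    deployed = parse_config(deployed_text)
    return sorted((key, expected, deployed.get(key))
                  for key, expected in baseline.items()
                  if deployed.get(key) != expected)

# Constructed sample of a drifted server: root login re-enabled by an unmanaged
# change, MaxAuthTries missing, and a duplicated keyword whose first (weak)
# value is the one sshd honours even though a compliant line follows it.
SAMPLE = """\
# sshd_config (constructed sample)
PermitRootLogin yes    # hotfix left in place
PasswordAuthentication yes
X11Forwarding no
LogLevel VERBOSE
PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, expected, actual in detect_drift(SAMPLE):
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```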
Decision boundaries
Selecting the correct term — and the correct definition — depends on the regulatory and operational context in which the term is applied.
NIST vs. ISO 27001 terminology: NIST SP 800-53 uses "security controls" organized into 20 control families; ISO/IEC 27001:2022 uses "controls" within Annex A structured around 4 organizational themes. A "control" under NIST AC-6 (Least Privilege) maps conceptually but not textually to ISO 27001 Annex A control 8.2 (Privileged Access Rights). Practitioners working across both frameworks must resolve these terminological differences explicitly.
Authentication factors — NIST SP 800-63B classification: NIST SP 800-63B defines 3 authenticator types: something you know (memorized secret), something you have (physical or software token), and something you are (biometric). This 3-factor taxonomy differs from older 2-factor framings that collapse token and biometric categories.
Vulnerability vs. threat vs. risk: NIST defines these as distinct concepts. A vulnerability is a weakness in a system (NIST SP 800-30 Rev 1). A threat is any circumstance or event with the potential to exploit a vulnerability. Risk is the combination of likelihood and adverse impact. Conflating these 3 terms produces imprecise control mapping in risk assessments. See server security risk assessment.
Encryption at rest vs. in transit: Encryption at rest protects stored data using mechanisms such as AES-256 full-disk or volume encryption; encryption in transit protects data moving across network connections using protocols such as TLS 1.3. Compliance frameworks including HIPAA (45 CFR §164.312) and PCI DSS v4.0 (PCI Security Standards Council) treat these as distinct technical safeguard categories requiring separate implementation evidence.
Hardening benchmarks — CIS Level 1 vs. Level 2: CIS Benchmarks assign configurations to Level 1 (basic, broadly applicable, minimal operational impact) or Level 2 (defense-in-depth, higher security, potentially higher operational overhead). Applying Level 2 controls to production environments without operational review is a documented source of service disruption. See server hardening fundamentals and [CIS Benchmarks for servers](/cis-bench