Security expressed so that both execs and techs can understand it
Component / Layer | Non-Technical Description | Technical Description | Example | Glossary |
---|---|---|---|---|
DNS & DDoS Protection | Stops attackers from taking down your site and makes sure users find the right server. | AWS Route 53 / Azure DNS for domain resolution. AWS Shield Advanced / Azure DDoS Protection for volumetric and protocol-level DDoS defence. | Customer connects to myapp.example.com, which resolves via Route 53; a large botnet attack is absorbed by Shield/Azure DDoS before reaching your app. | DDoS: Distributed Denial of Service. DNS: Domain Name System. |
Web Application Firewall (WAF) | Blocks dodgy requests before they reach your application. | AWS WAF / Azure WAF filters HTTP(S) traffic using OWASP CRS, geo/IP restrictions, and bot mitigation. | SQL injection attempt blocked at the WAF before it hits API Gateway. | WAF: Firewall for web traffic. OWASP CRS: Core Rule Set, a common attack ruleset. |
API Gateway / Reverse Proxy | Acts as a doorman for your app, checking tickets and routing requests. | Amazon API Gateway / Azure API Management with HTTPS (TLS 1.2+), optional mTLS, JWT validation, rate limiting. | API Gateway verifies the JWT issued by Entra ID and allows only authenticated traffic to reach app services. | API Gateway: API routing/security. mTLS: Mutual TLS. JWT: JSON Web Token. |
Identity & Access Management | Controls who gets in and what they can do. | Amazon Cognito / IAM Identity Center; Microsoft Entra ID; OIDC/OAuth2/SAML; Conditional Access + MFA. | Contractor logs in with MFA and gets a temporary role to run reports. | OIDC/OAuth2: Authentication/authorisation standards. MFA: Multi-Factor Authentication. |
Application Tier (Private) | The "middle floor" between the internet and the database, with no public access. | AWS: ALB, ECS/EKS/Lambda in private subnets, SG rules; Azure: App Gateway (private), AKS/App Service in private subnet, NSGs. | App containers in EKS talk to the DB via PrivateLink; no direct internet access. | ALB: Application Load Balancer. NSG: Network Security Group. |
Private Connectivity to DB | A private tunnel to your database that is invisible from the internet. | AWS: VPC Endpoints (PrivateLink) to RDS/Aurora; Azure: Private Endpoints to SQL/MI/Cosmos DB; no public IP exposure. | App queries the DB over TLS via a Private Endpoint; there is no route from the internet. | PrivateLink/Private Endpoint: Private IP access to services. |
Secrets & Key Management | Stores keys/passwords safely and hands them out only to trusted apps. | AWS Secrets Manager + KMS; Azure Key Vault + Managed HSM; scoped RBAC. | App retrieves DB credentials from Secrets Manager just before connecting. | KMS: Key Management Service. HSM: Hardware Security Module. |
Database (Private) | The data store itself, locked away behind layers of security. | AWS RDS/Aurora/Redshift; Azure SQL DB/Managed Instance; encryption at rest (TDE), TLS in transit, private endpoints, DB-level RBAC. | Azure SQL DB allows only app_role, authenticated via Managed Identity. | TDE: Transparent Data Encryption. RBAC: Role-Based Access Control. |
Admin Access (JIT) | Short-term, controlled access for maintenance, with no permanent keys. | AWS SSM Session Manager / Azure Bastion with PIM; zero inbound SSH/RDP; session recording; elevated DB roles time-boxed. | DBA elevates via PIM for 1 hour, connects through Bastion, changes the schema, and the role is revoked automatically. | PIM: Privileged Identity Management. JIT: Just-In-Time access. |
Firewalls (Cloud) | Guard posts that only allow approved traffic through. | AWS Network Firewall; Azure Firewall; deny-by-default, allow only specific ports/IPs/FQDNs; layer 4/7 filtering. | Azure Firewall only allows outbound 443 to Key Vault, the DB Private Endpoint, and update servers. | Layer 4/7: OSI model layers (transport/application). |
Monitoring & SIEM | Keeps watch and raises the alarm if something odd happens. | AWS CloudWatch/CloudTrail/GuardDuty; Azure Monitor/Defender; logs sent to Microsoft Sentinel or Splunk; automated runbooks for response. | Sentinel detects multiple failed DB logins and triggers a Lambda runbook to disable the account. | SIEM: Security Information & Event Management. Runbook: Automated procedure. |
Protocol & Cipher Hygiene | Makes sure all traffic is encrypted with modern standards. | TLS 1.2/1.3 enforced; mTLS for service-to-service; DB SSL mode set to verify the server's identity; SSH Ed25519 keys if SSH is unavoidable. | API Gateway enforces TLS 1.3 and blocks weak ciphers. | Cipher suite: Set of algorithms for encrypting traffic. |
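The "API Gateway verifies the JWT" row compresses several distinct checks into one phrase. The block below is an added illustration, not code from the page or from any gateway product: it shows, with only the Python standard library, the order in which a gateway must validate a bearer token (pinned algorithm, signature, expiry, issuer, audience) and why each step matters. It uses HS256 with a constructed shared secret so it runs offline; a real gateway validating Entra ID or Cognito tokens would verify RS256/ES256 signatures against the issuer's published JWKS instead. The issuer, audience, secret and claims are all constructed example values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (not from any real tenant or gateway).
EXAMPLE_SECRET = b"constructed-example-shared-secret"
EXAMPLE_ISSUER = "https://login.example.com/tenant-id-placeholder"
EXAMPLE_AUDIENCE = "api://myapp"
EXAMPLE_NOW = 1_700_000_000  # fixed clock so the checks are reproducible
EXAMPLE_CLAIMS = {"iss": EXAMPLE_ISSUER, "aud": EXAMPLE_AUDIENCE, "sub": "contractor-42"}


def _b64url_decode(data: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue a signed token; stands in for the identity provider in this example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt_hs256(token: str, secret: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Validate a bearer token the way a gateway should; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own "alg" choose the verifier.
    # This is the check that rejects alg=none and key-confusion tokens.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg in header")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Only after the signature holds is the payload worth reading.
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or has no exp")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise ValueError("token not yet valid")
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def _rejects(token: str, now: float) -> bool:
    try:
        verify_jwt_hs256(token, EXAMPLE_SECRET, EXAMPLE_ISSUER, EXAMPLE_AUDIENCE, now)
        return False
    except ValueError:
        return True


def run_checks(now: float = EXAMPLE_NOW) -> dict:
    """Exercise the verifier on one valid token and four tokens it must refuse."""
    good = mint_hs256_token({**EXAMPLE_CLAIMS, "exp": now + 300}, EXAMPLE_SECRET)
    results = {"good": verify_jwt_hs256(good, EXAMPLE_SECRET, EXAMPLE_ISSUER, EXAMPLE_AUDIENCE, now)["sub"]}
    # Payload edited after signing: the original signature no longer matches.
    header_b64, _, sig_b64 = good.split(".")
    edited_payload = mint_hs256_token({**EXAMPLE_CLAIMS, "sub": "admin", "exp": now + 300}, EXAMPLE_SECRET).split(".")[1]
    results["tampered_rejected"] = _rejects(f"{header_b64}.{edited_payload}.{sig_b64}", now)
    # Header claims alg=none with an empty signature.
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    results["alg_none_rejected"] = _rejects(f"{none_header}.{good.split('.')[1]}.", now)
    # Correctly signed but expired.
    results["expired_rejected"] = _rejects(mint_hs256_token({**EXAMPLE_CLAIMS, "exp": now - 1}, EXAMPLE_SECRET), now)
    # Correctly signed by our issuer but meant for a different API.
    other = mint_hs256_token({**EXAMPLE_CLAIMS, "aud": "api://otherapp", "exp": now + 300}, EXAMPLE_SECRET)
    results["wrong_aud_rejected"] = _rejects(other, now)
    return results


if __name__ == "__main__":
    print(run_checks())
```

The audience check is the one most often skipped in practice: a token the identity provider legitimately issued for another application in the same tenant is still a valid signature, and only the `aud` comparison stops it being accepted here.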
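The Monitoring & SIEM row's example ("multiple failed DB logins" triggering a runbook that disables the account) is the kind of detection that is easy to state and easy to get wrong: counting failures without a time window fires on every user who mistypes a password twice a week. The block below is an added example, not code from the page, Sentinel or any SIEM; it runs a sliding-window rule over a constructed database authentication log and emits the runbook action. The log format, hostnames, usernames and addresses are all made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample database authentication log (not real data): a burst of
# failures against svc_reporting, two typos by alice, slow-spaced failures by
# bob, and one line the parser must skip rather than crash on.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z db-prod auth FAILED user=svc_reporting src=10.20.3.14
2024-05-01T10:00:12Z db-prod auth FAILED user=svc_reporting src=10.20.3.14
2024-05-01T10:00:30Z db-prod auth FAILED user=svc_reporting src=10.20.3.14
2024-05-01T10:00:45Z db-prod auth FAILED user=svc_reporting src=10.20.3.15
2024-05-01T10:01:02Z db-prod auth FAILED user=svc_reporting src=10.20.3.15
2024-05-01T10:01:20Z db-prod auth FAILED user=svc_reporting src=10.20.3.15
2024-05-01T10:02:00Z db-prod auth FAILED user=alice src=10.20.7.2
2024-05-01T10:02:40Z db-prod auth FAILED user=alice src=10.20.7.2
2024-05-01T10:03:05Z db-prod auth OK user=alice src=10.20.7.2
2024-05-01T10:00:00Z db-prod auth FAILED user=bob src=10.20.9.9
2024-05-01T10:08:00Z db-prod auth FAILED user=bob src=10.20.9.9
2024-05-01T10:16:00Z db-prod auth FAILED user=bob src=10.20.9.9
2024-05-01T10:24:00Z db-prod auth FAILED user=bob src=10.20.9.9
2024-05-01T10:32:00Z db-prod auth FAILED user=bob src=10.20.9.9
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) auth "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once per account that accrues `threshold` failures inside a sliding `window`."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAILED":
            failures[ev["user"]].append(ev)
    alerts = []
    for user, events in failures.items():
        events.sort(key=lambda e: e["ts"])  # log lines rarely arrive in order
        start = 0
        for i, ev in enumerate(events):
            # Drop events from the front until the window spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            if i - start + 1 >= threshold:
                alerts.append({
                    "user": user,
                    "count": i - start + 1,
                    "sources": sorted({e["src"] for e in events[start:i + 1]}),
                    "first": events[start]["ts"],
                    "last": ev["ts"],
                })
                break  # one alert per account per run; the runbook acts once
    return alerts


def runbook_actions(alerts):
    """Translate alerts into the actions an automated runbook would carry out."""
    return [
        {"action": "disable_account", "user": a["user"],
         "reason": f"{a['count']} failed logins from {', '.join(a['sources'])} "
                   f"between {a['first'].isoformat()} and {a['last'].isoformat()}"}
        for a in alerts
    ]


if __name__ == "__main__":
    for action in runbook_actions(detect_failed_login_bursts(SAMPLE_LOGS.splitlines())):
        print(action)
```

With the defaults only svc_reporting trips the rule; bob's five failures never land inside one five-minute window and alice never reaches the threshold. Lowering the threshold to two also catches alice, which is the tuning trade-off a SOC makes before letting a runbook disable accounts automatically.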