Cloud Native Security Glossary

Quick-reference definitions for cloud-native security, workload identity, Kubernetes security, and Zero Trust terms.

SPIFFE

SPIFFE (Secure Production Identity Framework For Everyone) is a CNCF standard that defines how workloads identify themselves using cryptographic certificates, independent of network location.

SPIRE

SPIRE is the production implementation of the SPIFFE specification — a CNCF graduated project that automatically issues, rotates, and manages cryptographic workload identities.

Zero Trust

Zero Trust is a security architecture where every request is verified cryptographically, regardless of network location. Never trust, always verify.

Workload Identity

Workload identity gives every service a unique cryptographic certificate — replacing shared secrets, API keys, and IP-based trust with automatic, verifiable machine identity.

mTLS (Mutual TLS)

Mutual TLS (mTLS) authenticates both client and server with certificates. It is the transport-layer foundation of Zero Trust service-to-service communication.

SVID (SPIFFE Verifiable Identity Document)

An SVID is a cryptographic document that proves a workload identity. SPIFFE defines two formats: X.509-SVID (for mTLS) and JWT-SVID (for HTTP APIs).

OPA (Open Policy Agent)

OPA is a CNCF graduated policy engine that enables policy-as-code. Use it with Gatekeeper for Kubernetes admission control or with Envoy for runtime authorization.

Falco

Falco is a CNCF graduated runtime security tool that monitors Linux syscalls and alerts on suspicious container behavior — shell execution, sensitive file access, unexpected network connections.

Service Mesh

A service mesh is an infrastructure layer of sidecar proxies that handles service-to-service communication — providing automatic mTLS, load balancing, observability, and traffic management.

Sigstore

Sigstore provides keyless container image signing via OIDC identity. Cosign signs images, Rekor provides transparency logging, and Fulcio issues ephemeral signing certificates.