Architecture Glossary (Alphabetical)

About this article

This article is the terminology reference for the series “Architecture Crash Course for the Generative-AI Era.” Each article also adds 1-line explanations to first-mentioned terms, so no need to return here every time. Use as an index when wanting an overall overview or searching for related articles.

Due to volume, searching via browser search (Ctrl+F / Cmd+F) is efficient.

Overview articles per category

System Architecture Overview — The Skeleton You Decide Firsten.senkohome.com/arch-intro-system-overview/

Software Architecture Overviewen.senkohome.com/arch-intro-software-overview/

Application Architecture Overview — The Internal Rulesen.senkohome.com/arch-intro-app-overview/

Frontend Architecture Overview — The Only Layer Users Touchen.senkohome.com/arch-intro-frontend-overview/

Data Architecture Overview — The Foundation for AI in Your Orgen.senkohome.com/arch-intro-data-overview/

Security Architecture Overview — Defense in Depth and Zero Trusten.senkohome.com/arch-intro-security-overview/

DevOps Architecture Overview — One Pipeline for Build, Ship, anden.senkohome.com/arch-intro-devops-overview/

Enterprise Architecture Overviewen.senkohome.com/arch-intro-ea-overview/

Solution Architecture Overviewen.senkohome.com/arch-intro-solution-overview/

Case Studies — Same Question, Different Answer by Scale and Phaseen.senkohome.com/arch-intro-case-overview/

Alphabetical (A-Z)

A

A11y - Abbreviation of Accessibility, written A11y because there are 11 letters between “a” and “y.” Refers to the state where everyone, including users with visual, auditory, or motor-function constraints, can use the Web. Representative elements are screen-reader support, keyboard-only operability, sufficient contrast ratio, and image alt text. Subject to legal regulations like the US ADA and European EAA, requiring consideration from the initial design stage on corporate sites
ABAC - Attribute-Based Access Control. The model dynamically judging authorization by combining multiple attributes like user’s department, role, location, time of day, and resource confidentiality classification. Declaratively writes policies in XACML or OPA (Rego), handling complex conditions hard for RBAC to express (“only referenceable from HQ IP during business hours” etc.). Highly flexible but heavy in policy design and operational load - often narrowing application scope
ACID - Acronym of Atomicity, Consistency, Isolation, Durability. The 4 properties of integrity guarantee provided by RDBs, premise for handling “data that absolutely mustn’t be off” like bank balances and inventory. Means strong guarantees of treating multiple updates as one unit (all succeed or all fail), not affecting each other even with concurrent execution, and not disappearing on crash post-commit
AD - Active Directory. Microsoft’s internal-ID / auth foundation, integrating user / group / PC / Group Policy management of Windows domains. Standardly adopted in many Japanese companies’ on-premises environments, with the recent mainstream being hybrid composition co-using cloud version Azure AD (now Microsoft Entra ID). Becomes the foundation of SSO / MFA / conditional access
ADM - Architecture Development Method. The phased approach of 8 phases A-H defined by TOGAF, the representative EA framework. Proceeds company-wide IT transformation in the order of vision definition → business / data / app / tech architecture design → migration plan → implementation governance. Heavy and large-enterprise-oriented, but the thinking helps mid-size projects too
ADR - Architecture Decision Record. The custom of briefly documenting “why that design was chosen” with one file per decision, generally placed in Git repos as Markdown. To prevent the accident “why is this like this?” half a year later, leaves the decision, background, considered alternatives, and tradeoffs. Lets you trace decision premises on reconsideration
AES - Advanced Encryption Standard. The global standard for symmetric-key encryption, supporting 128/192/256-bit key lengths. Used behind virtually all TLS, disk encryption, and database encryption. Established by NIST as the successor to DES, with a good balance of processing speed and security
ALB - Application Load Balancer. A load balancer distributing traffic at the HTTP/HTTPS level (L7). AWS ALB is the representative, featuring path-based routing, host-based routing, and WebSocket support. Basic infrastructure that distributes load across multiple containers or servers to improve availability
API - Application Programming Interface. The general term for interfaces through which software exchanges data and functionality. Includes methods like REST API, GraphQL, and gRPC, serving as the foundational concept for inter-microservice communication, external service integration, and frontend-backend communication
APM - Application Performance Monitoring. Tools visualizing application response time, throughput, error rate, and where it’s slow on request paths. Representative examples are Datadog APM, New Relic, Dynatrace, AWS X-Ray. Integrally provides distributed tracing, code-level profiling, and exception aggregation, dramatically shortening time to root-cause identification on performance trouble
AuthN / AuthZ - Abbreviations of Authentication (confirming “who you are”) and Authorization (judging “what you may do”). Often confused but separate concepts: authentication confirms identity via password/MFA/passkey etc., authorization judges permissions via RBAC/ABAC. Easier to organize as OAuth = authorization, OIDC = authentication

B

B2B / B2C - Business to Business (inter-company transactions) and Business to Consumer (company-to-consumer transactions). B2B emphasizes enterprise requirements like SSO, audit logs, and SLAs, while B2C centers on scalability, UX, and conversion optimization - architecture design directions differ significantly
BA / DA / AA / TA - Business / Data / Application / Technology Architecture’s 4 layers, the standard structuring viewpoints of Enterprise Architecture (EA). The thinking aligning from top to bottom: business processes (BA) → handled data (DA) → realizing apps (AA) → running foundation (TA). Clearly defined in frameworks like TOGAF, becoming common language when drawing the company-wide IT map
BASE - Acronym of Basically Available, Soft state, Eventual consistency. The distributed-NoSQL consistency model opposite to ACID, prioritizing availability and scalability while tolerating temporary inconsistency. The thinking widely adopted in the generation of Amazon DynamoDB and Cassandra
BCP - Business Continuity Plan. The plan pre-deciding which operations to recover in what order to where on operational stops from earthquakes, cyber attacks, or large-scale failures. Define RPO (allowed data loss) and RTO (allowed stoppage) per operation, designing as set with backup strategies, DR-site composition, and alternative procedures
BFF - Backend for Frontend. The thin server layer placed dedicated to frontend, aggregating and shaping data fetched from multiple microservices into screen-optimized form. When mobile apps and Web need different data shapes, placing dedicated BFFs for each optimizes without polluting the main API. Good chemistry with GraphQL and tRPC
Blue/Green deploy - The release method of separately preparing a standby environment (Green) of the same composition as production (Blue), deploying the new version to the Green side and then switching routing all at once. On problems, just return routing for instant rollback, and downtime can theoretically be zero. The cost is needing 2x infrastructure temporarily
Bounded Context - The core concept of DDD (Domain-Driven Design), referring to the boundary where specific terms / models have consistent meaning. For example, treating “customer” as different things in sales vs billing context. Also used as the criterion for microservice-splitting units, becoming a compass preventing inappropriate splitting
BPMN - Business Process Model and Notation. The international-standard notation (formulated by OMG) expressing business processes with symbols of start, end, task, branch, parallel, etc. Widely used in business systems and workflow design as the common language for business and dev sides confirming requirements while seeing the same diagrams

C

Cache - A mechanism that temporarily stores frequently accessed data in a fast location for reuse, speeding up responses. Exists in multiple layers: CDN cache, browser cache, in-memory cache (Redis, etc.), and DB query cache. Cache invalidation is said to be one of the two hard problems in computer science - design is notoriously difficult
CASB - Cloud Access Security Broker. The intermediate layer that centrally performs access control, data protection, threat detection, and compliance monitoring when employees use cloud services (SaaS). Also effective for shadow IT visibility, often incorporated as a function of SASE in zero-trust configurations
CAP theorem - The theorem by Eric Brewer that distributed systems can’t simultaneously satisfy 3 of Consistency, Availability, and Partition-tolerance. Since network partition is unavoidable in real environments, reality is tradeoff selection of “CP-leaning” or “AP-leaning.” Premise knowledge for NoSQL selection and distributed-DB design
CDC - Change Data Capture. The technology real-time-extracting changes (INSERT/UPDATE/DELETE) from DB transaction logs and streaming to other systems. Debezium, AWS DMS, and Fivetran HVR are representatives, used in DWH integration, cache invalidation, and inter-microservice data sync. The strength is propagating changes without changing app side
CDK - Cloud Development Kit. An IaC tool that lets you define cloud infrastructure in programming languages (TypeScript, Python, Java, etc.). AWS CDK is the representative, defining resources with type-safe code instead of hand-writing CloudFormation YAML. High-level constructs (L2/L3) for abstraction are its strength
CDN - Content Delivery Network. The mechanism delivering content from edge servers placed worldwide at points near users, realizing latency reduction and origin-server load reduction. CloudFront, Cloudflare, Akamai, Fastly are representatives. Beyond static files, also used for API caching, WAF, and edge-function execution foundations
CI / CD - Continuous Integration and Continuous Delivery / Deployment. CI is activity of “early-detecting broken state” by auto-running build and tests on every push, CD points to auto-delivery to staging and production beyond that. GitHub Actions, GitLab CI, CircleCI, Jenkins are representative tools - the de facto for modern development
CLI - Command Line Interface. The method of operating programs by typing text-based commands. The opposite of GUI, essential for scripting automation, CI/CD pipeline integration, and remote server operations. AWS CLI, kubectl, and gh (GitHub CLI) are representatives
CIO / CDO / CTO / CISO - Chief Information / Data / Technology / Information Security Officer. Management-level IT-related roles - CIO oversees in-house IT, CDO oversees data strategy, CTO oversees tech strategy / product tech, CISO oversees information security. Boundaries vary by organization: in some companies the CTO holds final architecture responsibility, in others a separate Chief Architect is appointed
Clean Architecture - The architecture pattern proposed by Robert C. Martin (Uncle Bob) controlling dependency direction toward the inner domain layer. Places entities and use cases in inner concentric circles and UI/DB/framework outside, thoroughly enforcing the rule that outside depends on inside. Strong on framework swap and test ease, but easily becomes excessive for the scale at hand - apply where it fits
CNCF - Cloud Native Computing Foundation. Industry organization under Linux Foundation, handling standardization and ecosystem cultivation of cloud-native technologies like Kubernetes, Prometheus, Envoy, etcd, and Helm. Manages projects in stages of Sandbox → Incubating → Graduated, also referenced as a tech-selection-reliability indicator
Conway’s Law - The empirical rule by Melvin Conway: “Organizations designing systems produce designs reflecting the organization’s communication structure as is.” Refers to the phenomenon where 3-team builds produce 3-layer-structure systems - the inverse “reverse Conway strategy” of changing the org to match desired architecture has also been proposed
CPU - Central Processing Unit. The core processor handling computation and control in computers. In server capacity planning, CPU utilization is the basic metric for scaling decisions. Intel Xeon, AMD EPYC, and AWS Graviton (ARM-based) are representatives for server use
CORS - Cross-Origin Resource Sharing. The browser security mechanism preflight-controlling JS requests between different origins (protocol + domain + port). Without server-side explicit permission via headers like Access-Control-Allow-Origin, rejected. One of the representative trip-up troubles in frontend dev
CQRS - Command Query Responsibility Segregation. The design pattern separating models / storage between writes (Command) and reads (Query). By making the read side a denormalized read model, reference performance is optimized - often used combined with Event Sourcing. Complexity increases, so the iron rule is applying only to truly-needed aggregates
CSP - Content Security Policy. The HTTP response header making browsers restrict scripts / styles / image sources. The defense largely suppressing XSS impact, listing allowed sources like script-src 'self'. Misconfiguration blocks legitimate scripts and breaks screens, so phased introduction in report mode is standard
CSR - Client Side Rendering. The method where servers return near-empty HTML and JS bundles, with browser-side JS execution composing screens. SPA in React or Vue is representative - the experiential speed of page transitions is fast, but initial display, SEO, and display-start slowness on low-spec devices are weaknesses
CRUD - Acronym of Create, Read, Update, Delete. Represents the 4 basic operations on data, used as the basic unit for REST API design (POST/GET/PUT/DELETE) and DB operations. Most business logic can be expressed as combinations of CRUD operations, also used for organizing screens and features
CSRF - Cross-Site Request Forgery. The attack of luring logged-in users to trap sites and having them perform unintended operations (transfers, password changes, etc.). Standard countermeasures: embed CSRF tokens, SameSite Cookie, Origin/Referer verification. Required for Web apps with form submissions
Compliance - Adherence to laws, industry regulations, and internal rules. In IT architecture, regulatory requirements like GDPR, HIPAA, PCI DSS, SOX, and FISC directly affect system design, materializing as encryption, audit logs, access control, and data retention policies
CSIRT - Computer Security Incident Response Team. A specialized team handling security incident detection, analysis, response, and reporting. During normal times they collect vulnerability information and conduct internal awareness; during emergencies they handle initial response and recovery. JPCERT/CC is Japan’s national CSIRT
CVE / CVSS - CVE is Common Vulnerabilities and Exposures, the system assigning each vulnerability a global ID like CVE-2024-XXXX. CVSS is Common Vulnerability Scoring System, the evaluation criterion numerically expressing severity from 0.0 to 10.0. Foundational terms widely used in vulnerability-management tools and news

D

DAG - Directed Acyclic Graph. Graph structure where arrows (dependency direction) flow one-way without cycles. Frequent in scenes handling “dependencies with order” like Airflow job workflows, distributed-trace span structures, and build-tool dependency resolution - basic data structure
DFD - Data Flow Diagram. An analysis notation expressing data flows within systems using 4 symbols: “process,” “data store,” “external entity,” and “data flow.” Used in requirements definition and business process visualization, a basic analysis tool alongside BPMN
DLP - Data Loss Prevention. A mechanism to detect and prevent sensitive data (personal information, confidential documents, source code, etc.) from unintentionally leaking externally. Monitors pathways like email attachments, cloud storage, and USB drives, blocking via pattern matching and AI classification. Important as an egress control in zero trust
DAST - Dynamic Application Security Testing. The method actually running apps and sending HTTP requests externally to detect vulnerabilities. OWASP ZAP, Burp Suite, and Nikto are representative tools, complementing runtime issues missed by SAST (static analysis). Basic to periodically run against staging rather than production
DDD - Domain-Driven Design. The design philosophy treating business knowledge (domain) as first-class citizen of code, based on Eric Evans’s same-name book. Combines tactical patterns of Ubiquitous Language (common terminology between business and dev), Bounded Context, Aggregate, Repository. Shows true value in complex business systems
DDoS - Distributed Denial of Service. The attack sending requests en masse from many devices (botnet) to drive services to stoppage. Standard is absorbing via CDN / WAF / dedicated mitigation services (AWS Shield, Cloudflare) - bandwidth / PPS so massive that app-side scaling alone can’t handle
DORA - DevOps Research and Assessment. A quantitative evaluation study of DevOps supported by Google Cloud, proposing 4 metrics (Four Keys): “deploy frequency,” “change lead time,” “change failure rate,” and “service restoration time.” Widely known through the book ‘Accelerate,’ these have become the industry-standard metrics for measuring development organization health
DNS - Domain Name System. The distributed directory service converting domain names to IP addresses. Performs name resolution in hierarchical structure (root → TLD → authoritative server) with TTL caching. The basic knowledge where “DNS changes don’t reflect” is mostly resolved by understanding TTL and cache
DPoP - Demonstration of Proof-of-Possession. An extension specification that binds the sender’s private key to OAuth 2.0/2.1 tokens, preventing stolen tokens from being used by third parties. Gaining attention for AI agent and high-security API authentication, offering higher security than traditional Bearer tokens
Docker - The representative tool generalizing container virtualization, bundling applications and dependent libraries / OS settings into one image for distribution. The revolutionary technology resolving “works in my env but not production,” now the foundation of Kubernetes and modern infrastructure. Dockerfile, Compose, and registries are basic concepts
DR - Disaster Recovery. All efforts to recover data and systems from fatal events like earthquakes, large-scale failures, and data-center loss. While BCP is the whole-business continuity plan, DR focuses on IT. Multi-region composition, periodic failover drills, and RTO/RPO setting are central
DWH - Data Warehouse. The foundation integrating and accumulating data extracted from business systems into analyzable form. Google BigQuery, Snowflake, Amazon Redshift, and Databricks are representatives, accelerating large-scale aggregation via columnar storage and distributed execution. Foundation for BI tools, reports, and data science

E

E2E - End-to-End (testing). A testing method that verifies the entire system by mimicking user operations. Playwright, Cypress, and Selenium are representative tools, testing through from UI to backend and DB in one pass. Can detect integrated defects missed by unit and integration tests, but execution time and maintenance costs are high
EA - Enterprise Architecture. The activity systematically organizing the company’s IT assets, business processes, data, and tech foundations and aligning with management strategy. Expressed in 4 layers of BA/DA/AA/TA, with TOGAF, Zachman, and FEA as representative frameworks. The foundation for mid-long-term IT investment decisions
EDA - Event-Driven Architecture. The structure of inter-service loose-coupled linkage via event (facts like “order confirmed”) publish/subscribe rather than direct calls. Premise messaging foundations like Kafka, Kinesis, and Pub/Sub. Excellent in scalability and fault tolerance, but debugging and consistency assurance are difficult
Edge Computing - An architecture that processes data at geographically close points (edges) near users rather than in central cloud regions. CDN edge functions (Cloudflare Workers, Lambda@Edge) and IoT gateways are representatives, effective for latency reduction and data sovereignty compliance
Error Budget - The “remaining allowance for failure” permitted by an SLO. A core SRE concept. For example, an SLO of 99.9% means about 43 minutes of downtime per month is the allowable range - when consumed, stop new feature releases and focus on reliability improvement, enabling rule-based decision-making
ERP - Enterprise Resource Planning. A package that integrates core business operations like accounting, HR, procurement, inventory, and production in one system. SAP, Oracle EBS, and Microsoft Dynamics are representatives, forming the core of large enterprise IT infrastructure. Excessive customization and high migration costs are perpetual challenges
EOL - End of Life. The point when support and security-patch delivery for software or hardware ends. Continuing to use EOL products means vulnerabilities go unpatched, causing security risk to spike sharply. Planned version upgrades and migrations are essential
ELT - Extract, Load, Transform. The method loading data into DWH first then transforming - the era’s flow of leveraging cloud-DWH compute power. With dbt (Data Build Tool) spread, SQL-based Transform standardized. The thinking shifted from ETL era’s “organize before loading” to “load first, organize later”
ETL - Extract, Transform, Load. The traditional method integrating in order of extracting from data sources → transforming → loading to DWH. The style of building jobs in dedicated ETL tools (Informatica, Talend, Pentaho), the mainstream of on-prem DWH era. Still active in legacy DB integration
Eval (LLM Eval) - The technique quantitatively/qualitatively evaluating LLM output quality. The LLMOps standard of building into CI to auto-detect output degradation on prompt changes or model swaps. Combines BLEU, ROUGE, LLM-as-a-judge, and manual review, turning regression-detection and continuous-improvement cycles
Event Sourcing - A design pattern that records all events (happenings) in time-series rather than directly overwriting state, deriving current state from their accumulation. Often used in combination with CQRS, enabling complete audit trails and state restoration to any point in time, but implementation and operational complexity are high
Eventual Consistency - The distributed-system consistency model temporarily allowing data inconsistency but always converging given enough time. The realistic answer widely adopted in NoSQL and CDN caches, excellent in scale and availability vs strong consistency. Suited for requirements like “delayed instant reflection of product reviews by seconds is OK”

F

FaaS - Function as a Service. The cloud service uploading code per function, executed only on request and billed on usage. AWS Lambda, Google Cloud Functions, Azure Functions are representatives. No server management needed, suited for low-traffic APIs / event processing / batches, but with cold-start and long-execution constraints
FIPS - Federal Information Processing Standards. US government standards for information processing, with FIPS 140-2/140-3 in particular referenced worldwide as certification criteria for cryptographic modules. Financial, healthcare, and government systems often require FIPS-compliant cryptographic libraries
FISC - Center for Financial Industry Information Systems. A Japanese public-interest foundation that formulates security standards (FISC Security Guidelines) for financial institutions. Compliance with FISC is a de facto requirement for banking, insurance, and securities system development
Feature Flag - The mechanism dynamically toggling features without code deploys. With dedicated services like LaunchDarkly and Split.io, realizes A/B tests, phased rollouts, “preview release to specific customers only” etc. Good chemistry with trunk-based development (direct main commits), enabling operations of merging unfinished features to production without showing users
FIDO2 / WebAuthn - The phishing-resistant public-key-based auth standard formulated by FIDO Alliance and W3C. The mechanism storing private keys inside devices and registering only public keys server-side, becoming the technology foundation of Passkey. Password leaks and man-in-the-middle attacks principally don’t hold
FinOps - Financial Operations. The culture and practice of continuously optimizing cloud cost as operational work, not “aggregating after using up.” Tag-based cost allocation, leveraging Reserved Instance / Savings Plan, and unused-resource inventory - engineers, finance, and management cooperate. FinOps Foundation organizing the body of knowledge

G

Governance - The general term for frameworks by which organizations control IT assets, data, security, and compliance. Systematized by domain: data governance (data quality, access control, lifecycle management) and IT governance (investment management, standardization, risk management)
GPU - Graphics Processing Unit. Originally for 3D graphics processing, but its strength in massive parallel computation has made it the primary compute platform for machine learning and AI inference. NVIDIA H100 and A100 are representative for AI use, available as GPU instances with hourly billing in the cloud
GDPR - General Data Protection Regulation. The regulation defining obligations when handling personal data of EU residents, applying to companies outside EU too (extra-territorial application). Key points: consent acquisition, data-export restrictions, right to be forgotten, 72-hour breach notification - violations carry fines up to 4% of global annual revenue. Required for Japanese companies’ EU-targeted services
Grafana - Grafana Labs’s OSS dashboard, connecting to many data sources like Prometheus, Loki, Tempo, CloudWatch, and Datadog, integrally visualizing metrics, logs, and traces. Sits at the core of monitoring operations with alert features, template variables, and dashboard sharing - the de facto standard at SRE/DevOps sites
GraphQL - The query-language-based API standard from Facebook (Meta), letting client side specify and fetch only needed fields in 1 request. Resolves REST’s “over-fetching / under-fetching” issue, while N+1 queries and cache-design difficulty are unique challenges. Apollo, Relay, Hasura, Hot Chocolate ecosystems are rich
gRPC - Google’s high-performance RPC protocol communicating in binary format (Protobuf) over HTTP/2. Multi-language auto-code-generation, streaming, and bidirectional communication supported, widely adopted for inter-microservice internal communication. Direct browser calls go via grpc-web

H

HIPAA - Health Insurance Portability and Accountability Act. A US law imposing strict regulations on handling medical data (PHI), requiring encryption, access control, audit logs, BAA (Business Associate Agreement), etc. A mandatory compliance requirement alongside GDPR for healthcare SaaS and medical systems
HSM - Hardware Security Module. A device that performs cryptographic key generation, storage, and computation within physically protected dedicated hardware. Designed so keys never leave the device, with many products certified at FIPS 140-2 Level 3 or above. Cloud options include AWS CloudHSM and Azure Dedicated HSM
Helm - The package manager templating Kubernetes application definitions (YAML group) and distributing / installing / version-managing as packages (Charts). The Kubernetes equivalent of “apt on Linux” - deploys complex composition standard packages with helm install. Value override and rollback features become essential in production
HSTS - HTTP Strict Transport Security. The HTTP response header declaring to browsers “henceforth always connect to this domain via HTTPS.” Once received, HTTP access is browser-side auto-HTTPS-ized during cache period, reducing man-in-the-middle attack risk. But misconfiguration blocks all access - safe to phase in with short max-age
HTTP / HTTPS - Hypertext Transfer Protocol. Web communication standard protocol - HTTPS is HTTP encrypted with TLS. Evolved HTTP/1.1 → HTTP/2 (multiplexing) → HTTP/3 (QUIC-based, UDP), each with different performance characteristics. Modern era effectively requires HTTPS
Hydration - The processing where browser-side JS execution promotes static HTML sent via SSR to “interactive state.” Used in SSR frameworks like React, Vue, and Svelte - slow JS load / execution causes “visible but unpressable” time. To mitigate, techniques like Partial Hydration, Islands Architecture, and RSC have emerged

I

IaaS - Infrastructure as a Service. The cloud service providing infrastructure resources like virtual machines, storage, and network via API. AWS EC2, Google Compute Engine, Azure Virtual Machines are representatives. With OS upward as user responsibility, max flexibility but also large operational load
IaC - Infrastructure as Code. The technique defining infrastructure composition as code (declarative or procedural), Git-managing and review-/auto-applying. Terraform, AWS CloudFormation, Pulumi, Ansible are representatives, the standard approach escaping “manual built, no one can reproduce.” Disaster-recovery / environment-replication accuracy improves dramatically
IAM - Identity and Access Management. The whole mechanism centrally managing IDs / permissions in organizations. In cloud context, points to foundations defining who (principal) can perform what operations (action) on what (resource) like AWS IAM, Azure RBAC, GCP IAM
IDaaS - Identity as a Service. The service providing auth/authorization foundation as SaaS - Auth0, Okta, Microsoft Entra ID, Firebase Authentication are representatives. SSO, MFA, social login, SCIM provisioning etc. usable without self-implementation - “don’t self-build auth foundations” is the modern iron rule
IDS / IPS - Intrusion Detection / Prevention System. The network security devices detecting (IDS) or detecting + blocking (IPS) unauthorized intrusions. Operating signature-based, anomaly-detection-based etc., with the recent mainstream being SIEM linkage integrated with EDR/XDR. In cloud, replacing with managed types like AWS GuardDuty and Azure Defender
Incident - The general term for events deviating from normal operations, such as service quality degradation, outages, and security breaches. In SRE, severity levels (SEV1-4 etc.) are defined, with organized response through on-call systems, escalation rules, and postmortems
IdP - Identity Provider. The central service handling auth singularly, passing auth results to each service (Service Provider) via SAML or OIDC. The core of SSO, with Microsoft Entra ID and Google Workspace often used internally, Google and Apple in consumer
Idempotency - The property where the same operation, executed any number of times, settles to the same state. In HTTP, PUT/DELETE are idempotent, POST is not. In modern times where distributed systems and network resends are premised, the safe step is to make idempotency keys required in API design - Stripe API’s Idempotency-Key header is the prime example
ISMS - Information Security Management System. A framework for systematically managing organizational information security based on ISO/IEC 27001. Runs a PDCA cycle of risk assessment, control implementation, internal audit, and continuous improvement. For Japanese companies, ISMS certification directly builds trust with business partners
ISO - International Organization for Standardization. The body that formulates international standards for information security (ISO 27001), quality management (ISO 9001), environment (ISO 14001), etc. In IT architecture, ISO 27001 (ISMS), ISO 27017 (cloud security), and ISO 22301 (business continuity) appear frequently
IPA - Information-technology Promotion Agency. The Japanese Ministry of Economy, Trade and Industry-affiliated public agency, operating information-processing-engineer exams, formulating non-functional-requirement grades and secure-development guides, and collecting vulnerability info (JVN). Hub of Japan’s IT policy / standardization
ISR - Incremental Static Regeneration. The Next.js-originated rendering method, regenerating SSG-generated static HTML on request or after time elapse in background. Realizes SSG-SSR best-of-both for use cases of “build-time generating all pages is heavy but pages are many”

J

JSON - JavaScript Object Notation. A lightweight text format expressing data as key-value pairs. The de facto standard format for REST API requests/responses, configuration files, and log output (structured logs). Being readable by both humans and machines is the biggest factor behind its adoption
JVM - Java Virtual Machine. The runtime environment executing Java bytecode, serving as the common platform for JVM languages like Java, Kotlin, Scala, and Groovy. Absorbs OS differences with the “Write Once, Run Anywhere” philosophy, the primary runtime for enterprise systems
JWT - JSON Web Token. The token format concatenating header / payload / signature in 3 parts with ., widely used in stateless auth without server-side session info. Authenticity verifiable just by signature verification, but with the property that issued tokens can’t be revoked (hard to invalidate) - standard to keep expiration short and combine with refresh tokens

K

KMS - Key Management Service. A managed cloud service providing cryptographic key generation, storage, rotation, and auditing. AWS KMS, Azure Key Vault, and GCP Cloud KMS are representatives - the standard means of avoiding the danger of self-implementing key management for data encryption
KPI - Key Performance Indicator. Quantitative metrics for measuring goal achievement, used broadly from business level (revenue, churn rate) to system level (SLO, deploy frequency, Toil ratio). A basic tool for management and operations that ensures objectivity in decision-making
Kafka - LinkedIn-originated high-throughput distributed messaging foundation. With append-only log structure for topics, stably processes millions of messages per second. Widely adopted as the core of event-driven architecture, streaming processing, and data integration, with managed services like Confluent and AWS MSK
Kubernetes / K8s - The orchestration platform for running containers at scale (Google OSS-ed from Borg). Auto-mates placement, scaling, self-healing, and service discovery, managing all in declarative composition (YAML). CNCF Graduated project, the de facto standard for cloud-native
KVS - Key-Value Store. The basic NoSQL form specialized for fast value retrieval from keys. Redis, Memcached, Amazon DynamoDB, etcd are representatives - wide uses including cache, session management, real-time aggregation, and distributed locks. Bad at complex queries, normally used alongside RDB

L

Latency - The delay time from issuing a request to receiving a response. The sum of network delay, processing time, and queue wait time, directly impacting user experience. Measuring at P95/P99 is the modern standard, with CDN, cache, and edge computing as the main improvement measures
LCP / INP / CLS - Google-defined Core Web Vitals 3 metrics. LCP (Largest Contentful Paint) is largest-element display time, INP (Interaction to Next Paint) is responsiveness to user operations (FID successor), CLS (Cumulative Layout Shift) is layout stability. Built into SEO ranking factors too, the evaluation axis for frontend optimization
Legacy - The common term for systems built with old technology or design that have become difficult to maintain and extend. COBOL, mainframes, and monolithic ERP are typical, but “old = legacy” is not the essence - “difficult to change = legacy” is. Modernization (phased renewal) is the remedy
LLM - Large Language Model. Neural networks trained on massive text - Claude, GPT, Gemini, Llama are representatives. Foundation tech realizing general-purpose natural-language processing of chat response, summarization, code generation, function calls etc. - center of generative-AI-era architecture
LLMOps - Process / tool group for operating LLMs. Includes prompt management, versioning, evaluation (Eval), monitoring, cost management, prompt-injection countermeasures, etc. Evolution of MLOps, with tools like LangSmith, Helicone, and PromptLayer rising
Loose Coupling - A design state where component interdependencies are minimized, making changes to one unlikely to propagate to others. The opposite of tight coupling, achieved through APIs, message queues, and event-driven patterns. A design principle of microservices and modular monoliths, serving as the foundation of changeability and fault tolerance
LTS - Long Term Support. A release channel guaranteeing longer-period security patches and bug fixes than regular versions. Node.js (even-numbered versions), Ubuntu (every 2 years), and Java (every 3 years) are representatives - choosing LTS for production environments is the iron rule. Non-LTS versions have short support periods and early EOL

M

MPA - Multi-Page Application. A traditional web app structure where each page transition fetches new HTML from the server. The opposite of SPA, with server-side frameworks like Rails, Django, and Laravel being typical. Strong in SEO and fast initial display, but screen transition flicker is a weakness. MPA frameworks like Astro have also emerged
MTTA - Mean Time To Acknowledge. The average time from alert firing to human recognition and response initiation. A pre-stage of MTTR (recovery time), valued in SRE as an improvement metric for on-call systems and alert design
MVP - Minimum Viable Product. An initial product composed of only the minimum features needed for hypothesis validation. A core concept of Lean Startup for “seeing user reactions before building out,” also serving as the rationale for architecture design decisions of “don’t aim for perfection from the start, iterate on validation”
MDM - Master Data Management. The technique or product integrally managing master data scattered in multiple systems like customers, products, and orgs. Improves company-wide data quality with deduplication, name unification, and unified ID assignment, organizing premises for BI analytics and operational efficiency. Informatica MDM, Reltio, SAP MDG are representatives
Metadata - Data about data. Column definitions of tables, data owners, update timestamps, and access permissions are examples of metadata. Data catalogs are the mechanism for organizing metadata to be searchable, forming the foundation of data governance
MFA - Multi-Factor Authentication. The auth method combining 2+ of “knowledge (password),” “possession (phone, token),” “biometric (fingerprint, face).” Means like SMS, TOTP apps, WebAuthn - SMS weak to SIM-swap attacks, so WebAuthn family recommended
Microservices - The structure where independent apps per function communicate over the network, with each service independently deployable and scalable. Strong for organizational scale (many teams developing in parallel), but operational complexity, distributed transactions, and network failure difficulty increase significantly. A representative example where Conway’s Law applies
Middleware - The software layer positioned between OS and application, providing common functions. Web servers (Nginx, Apache), message brokers (Kafka, RabbitMQ), DBs, and application servers are examples. Appears in architecture diagrams as “XX middleware” in infrastructure components
Migration - Moving systems, data, or environments to a different location or format. Meaning varies by context: DB migration (schema changes), cloud migration (on-premises to cloud), language migration (old to new language). Data integrity assurance and phased migration planning determine success or failure
Monorepo - A configuration managing multiple projects and services in one Git repository. Known for adoption by Google and Meta, with advantages in code sharing, atomic changes, and unified CI configuration. Turborepo, Nx, and Bazel are representative tools, with the choice between monorepo and polyrepo (split repositories) depending on team size and dependencies
mTLS - Mutual TLS. The communication method where client and server present certificates mutually to authenticate each other - upper concept of one-way TLS (server cert only). Widely used in service mesh (Istio, Linkerd) and zero-trust internal communication, enabling designs not premising “safe because internal network”
MTBF / MTTR - Mean Time Between Failures and Mean Time To Repair / Recovery. The former represents “how long until next failure,” the latter “how long to come back after breaking” - reliability metrics. With relation availability ≈ MTBF / (MTBF + MTTR), the basic formula of SLA design
MVC / MVVM - Classic patterns separating UI and business logic. MVC (Model-View-Controller) used in Web frameworks generally, MVVM (Model-View-ViewModel) in data-binding family like WPF, SwiftUI, Vue. In modern React / SPA, replaced by Flux/Redux family one-way data flow

N

NIST - National Institute of Standards and Technology. Formulates security standards like SP 800 series - especially NIST SP 800-207 (zero trust), SP 800-53 (controls), and Cybersecurity Framework are referenced worldwide. The industry bible called “when in doubt, NIST”
NoSQL - Generic for non-relational DBs - 4 representative families: KVS, document (MongoDB), wide-column (Cassandra), graph (Neo4j). Strong at large-scale horizontal scaling and flexible schemas RDB struggles with, weak at transactions / JOIN. Realistic answer is using with RDB per use case
NFR (Non-Functional Requirements) - Group of requirements for “how it should run” beyond features - performance, availability, scalability, security, operability, maintainability. IPA’s “non-functional requirement grades” is the representative framework - agreement at requirements-definition stage is key to quality stability
NAT - Network Address Translation. The mechanism converting between private IP addresses (internal, LAN) and public IP addresses, widely used from home routers to cloud NAT Gateway. Spread as countermeasure for IPv4 address depletion, also with internal-host-hiding effect

O

OAuth 2.0 - The protocol for authorization, the mechanism allowing third-party apps to access resources on behalf of users (behind “link with Google account” etc.). Key understanding: token types (access token, refresh token) and flows (Authorization Code, PKCE etc.). The most important point is “not authentication”
OPA - Open Policy Agent. A CNCF project that declaratively writes policies in the Rego language, uniformly evaluating authorization, admission control, and network policies. Widely used in Kubernetes Admission Webhooks, Envoy authorization filters, and Terraform policy checks
OIDC - OpenID Connect. Extension protocol layering “authentication” feature on OAuth 2.0, providing user identity-confirmation info via ID token (JWT). Easier to organize as “OAuth is authorization, OIDC is authentication,” the modern social-login and SSO standard
OLAP / OLTP - 2 major DB-use classifications. OLTP (Online Transaction Processing) is business-system, handling “many small updates in short time” of orders, inventory etc. (PostgreSQL, MySQL). OLAP (Online Analytical Processing) is analytics, handling “aggregation queries on massive data” (BigQuery, Snowflake, Redshift). Optimization directions completely opposite
On-premises - The form of installing hardware in the company’s own data center or server room and operating it in-house. The opposite of cloud, abbreviated “on-prem.” Cost structure (upfront investment vs. pay-as-you-go), operational responsibility scope, and scaling characteristics differ significantly from cloud
One-way Door - The decision-classification term spread by Amazon’s Jeff Bezos, meaning “doors you can’t return through once passed.” Recommends carefully proceeding irreversible decisions like database selection, public-API design, and data models as One-way Doors, while reversible decisions (Two-way Door) try fast - the use case
ORM - Object-Relational Mapping. The technology automatically mapping programming-language objects to RDB tables. Hibernate (Java), Entity Framework (.NET), Prisma (TypeScript), and SQLAlchemy (Python) are representatives. Enables DB operations without writing SQL directly, but performance issues easily arise with complex queries - discernment on when to use is important
OSS - Open Source Software. Software whose source code is publicly available and can be freely used, modified, and redistributed by anyone. Linux, Kubernetes, PostgreSQL, React, etc. - most of modern IT infrastructure is built on OSS. Understanding licenses (MIT, Apache 2.0, GPL, etc.) and vulnerability management (SBOM) are operational essentials
OpenTelemetry - The CNCF project standardizing collection / send of metrics, logs, and traces with vendor-neutral specs and SDKs. Abbreviated OTel - benefit is swapping backends (Datadog, Honeycomb, Grafana etc.) without rewriting instrumentation code. Effective for observability-tool-selection lock-in avoidance
Outbox pattern - The design pattern aligning DB writes and message sends in 1 transaction. Holds event-record table (Outbox) in same DB, executing business updates and Outbox writes simultaneously in DB transaction first, then separate process reads Outbox and sends messages. The realistic answer avoiding distributed transactions
OWASP - Open Web Application Security Project. The OSS community on Web security, with “OWASP Top 10” (most-important-vulnerability ranking) the global bible. Rich free, high-quality resources like ZAP (vulnerability scanner), ASVS (verification standard), SAMM (maturity model)

P

P95 / P99 - The metrics measuring response time at 95 / 99 percentile. Means “95% / 99% of requests returned within this time,” capturing user experience of the “slow few” hidden in averages. The modern standard for SLO definition and performance benchmarks is seeing P95/P99 over averages
PaaS - Platform as a Service. The form where cloud providers provide app execution environments (OS, middleware, scaling foundations) bundled. Heroku, Google App Engine, Azure App Service, Render, Vercel are representatives - minimum deploy effort but can’t control internal details
Passkey - Generic for password-less authentication based on FIDO2/WebAuthn. Unlocks device-internal private keys via biometric or PIN, authenticating with server via public-key crypto - principally high in phishing resistance. Apple, Google, Microsoft pushed since 2022, with consumer-Web spread accelerating from 2024
PITR - Point-In-Time Recovery. A recovery method using DB transaction logs to revert data state to any point in time. A lifeline for “accidentally ran the wrong DELETE statement,” provided as a standard feature in managed DBs like RDS, Aurora, and Cloud SQL
PKCE - Proof Key for Code Exchange (pronounced “pixy”). An extension to the OAuth 2.0 Authorization Code flow that prevents authorization-code interception attacks (RFC 7636). Essential for mobile apps and SPAs where client_secret cannot be securely stored, now recommended for all OAuth clients
PWA - Progressive Web App. A web app form that provides near-native-app experiences like offline operation, push notifications, and home-screen installation while built with web technologies. Service Worker is the technology foundation, with no app-store review and URL-shareable as advantages
PCI DSS - Payment Card Industry Data Security Standard. The international security standard businesses handling credit-card-member data must comply with. 12 requirements like network separation, encryption, log management, vulnerability scanning - required for payment-handling EC / SaaS. Violations carry fines / card-brand transaction-stop risk
PII - Personally Identifiable Information. Generic for info identifying individuals - name, address, phone, email, My Number, etc. Subject of GDPR / revised Personal Information Protection Act handling - basic requirements: design not mixing into logs / analytics data, encrypted storage, access auditing
PKI - Public Key Infrastructure. The trust mechanism with CAs (certificate authorities) at apex, issuing / verifying digital certificates. Backbone of HTTPS TLS certificates, code signing, and email encryption (S/MIME). Has chain structure of root CA → intermediate CA signing terminal certs
PoC - Proof of Concept. The small verification for judging “should we proceed to serious development” - confirming tech feasibility, performance, and cost validity in short period. The frequent term especially in generative-AI area, with the iron rule of pre-deciding evaluation metrics and stop conditions at PoC stage
Postmortem - The review document after failure / incident. Records occurrence, impact range, timeline, root cause, and recurrence prevention, sharing org-wide. Aim is mechanism improvement, not individual blame (Blameless Postmortem) - core of SRE culture
Prometheus - The CNCF OSS time-series-metric monitoring system, integrating Pull-style collection, PromQL query language, alert manager, and service discovery. The de facto for Kubernetes envs, standardly combined with Grafana. Long-term retention extended via Thanos, Cortex, Mimir
Pub/Sub - Publisher-Subscriber. The async messaging pattern where publishers publish messages to topics without consciousness of specific subscribers, and subscribers subscribe to topics of interest. Benefit of loose-coupling sender / receiver - Kafka, Google Pub/Sub, AWS SNS, Redis Pub/Sub are representatives
Pulumi - An IaC tool that defines cloud infrastructure in general-purpose programming languages like TypeScript, Python, and Go. Unlike Terraform which uses its proprietary language (HCL), Pulumi uses existing languages directly, lowering the learning curve for app developers. Similar positioning to AWS CDK, but with stronger multi-cloud support
pgvector - An extension module adding vector search capability to PostgreSQL. Stores text and images converted to numerical vectors (embeddings) for similarity search. Used as a foundation for RAG and similar-item recommendation, with low operational overhead since it just adds to existing PostgreSQL

Q

QPS - Queries Per Second. Queries (requests) per second, the basic unit of performance design and capacity planning. Reverse-derive infrastructure scale from “how many QPS to handle at peak.” Often used synonymously with RPS (Requests Per Second)
QUIC - Quick UDP Internet Connections. The Google-originated UDP-based new transport protocol, integrating TCP+TLS features, accelerating connection establishment (0-RTT), and localizing packet-loss impact. Foundation of HTTP/3, greatly improving mobile-environment performance

R

RAG - Retrieval-Augmented Generation. A technique that improves answer accuracy by searching external databases or documents for relevant information and including it in the context when having an LLM generate responses. Serves as the foundation for AI features handling proprietary information not in LLM training data, such as internal document Q&A and product help. Pairing with vector DBs is the standard
RDBMS - Relational Database Management System. The general term for software managing RDBs. PostgreSQL, MySQL, Oracle Database, and SQL Server are representatives, with ACID transactions, SQL queries, and data integrity assurance through schema definitions as common features. Used nearly synonymously with RDB
RPS - Requests Per Second. A performance metric expressing the number of requests processed per second, synonymous with QPS. The basic unit for load testing and capacity planning, reverse-deriving infrastructure scale from “how many RPS can we handle at peak”
RBAC - Role-Based Access Control. The most-widely-spread model tying permissions to roles, assigning users to roles for authorization. Organized as “admin role,” “viewer role” etc. - low operational load but weak to fine exceptional conditions. In many cases, base on RBAC with ABAC or ReBAC for supplemental reinforcement
RDB (Relational Database) - The classic DB managing data normalized in row-column table structure, providing ACID transactions and SQL. PostgreSQL, MySQL, Oracle, SQL Server are representatives. When in doubt, this is a steady choice - still core of 90%+ of business systems today
ReBAC - Relationship-Based Access Control. The model authorizing based on relationships between resources (owner, member, parent-child etc.). Based on Google’s Zanzibar paper, OSS like SpiceDB and OpenFGA emerged, easier to handle SaaS fine-grained permissions (“members of this folder can see all files inside” etc.)
RED - Rate (request count), Errors (error count), Duration (response time). The metric-design framework for service monitoring - suited for grasping health of request-processing systems (Web APIs etc.). USE method is foundation-side, RED is service-side complementary relationship
REST - Representational State Transfer. The API-design style combining HTTP methods (GET/POST/PUT/DELETE etc.) with resource URLs. Origin: Roy Fielding’s PhD dissertation - became the de facto standard for public APIs from simplicity and browser-friendliness. Reality is loose RESTish over pure definitions like HATEOAS
ROI - Return on Investment. The ratio of how much return (revenue increase / cost reduction) generated against investment, one of the most-important metrics for IT-investment decisions. In architecture selection too, need to speak in ROI beyond just “technically correct”
RPO / RTO - Recovery Point Objective and Recovery Time Objective. Former represents “how far back from last backup is OK,” latter “in how many minutes after failure should recover” - the basic 2 metrics of BCP / DR design. Phase-define per business impact
RSC - React Server Components. React components executed server-side generating HTML, standardly adopted in Next.js App Router. Reduces client JS bundle and writes DB access directly inside components, while design philosophy greatly differs from conventional React
Runbook - The failure-response manual, formalizing “on alert firing, who, in what order, runs what commands.” Often organized as Postmortem improvement items - aiming for the state of responding without judgment errors even on midnight on-call. Recently, auto-runnable Automated Runbooks become mainstream

S

SaaS - Software as a Service. The instant-use cloud service usable just from browser - Slack, Salesforce, Microsoft 365, Google Workspace are representatives. No installation / operation needed, with subscription-style licensing too. Grew to enterprise IT spending’s largest category
SASE - Secure Access Service Edge (pronounced “sassy”). A framework that integrates network functions (SD-WAN) and security functions (CASB, SWG, ZTNA, FWaaS) in the cloud. Proposed by Gartner in 2019, spreading as the next-generation architecture for securely accommodating distributed access in the remote-work era
SCA - Software Composition Analysis. The technique of detecting vulnerabilities and license violations in OSS libraries used by applications. Snyk, Dependabot, and Trivy are representative tools, built into CI alongside SBOM generation as a basic DevSecOps measure
SDK - Software Development Kit. A package of libraries, tools, and documentation for using a specific platform or service. AWS SDK, Firebase SDK, Stripe SDK, etc. - operating via SDK is the standard for cloud service usage
SEO - Search Engine Optimization. The overall practice of optimizing websites for higher rankings in search engines like Google. Core Web Vitals (LCP, INP, CLS), structured data (JSON-LD), and SSR/SSG for crawlability improvement directly relate to frontend architecture
SIEM - Security Information and Event Management. A security foundation that centrally aggregates logs, alerts, and events for correlation analysis and threat detection. Splunk, Microsoft Sentinel, Elastic SIEM, and Google Chronicle are representatives. The core tool of SOC (Security Operations Center), supporting early incident detection and investigation
SOC - Security Operations Center. An organization or facility that monitors networks and systems 24/7 and handles incident response. Centered on SIEM, it handles alert triage, investigation, and escalation. A different concept from SOC 2 audits (AICPA control evaluation)
SOX - Sarbanes-Oxley Act. A US law enacted after the Enron scandal that mandates internal controls over financial reporting for public companies. IT controls require “change management,” “access control,” and “audit logs,” with J-SOX (Japan’s version) demanding similar controls
SSL - Secure Sockets Layer. The encryption protocol predecessor to TLS, with SSL 3.0 and earlier prohibited due to vulnerabilities. Today’s “SSL certificates” are actually TLS certificates, with only the name persisting. Often written as “SSL/TLS” for historical reasons
Saga pattern - The design pattern aligning microservice-spanning business processing with chains of each service’s local transactions and compensation processing (cancellation processing). Realizes eventual consistency while avoiding distributed transactions (2PC). Has 2 types - Choreography and Orchestration, the latter active with dedicated platforms like Camunda
SAML - Security Assertion Markup Language. The XML-based enterprise SSO protocol, the long-used veteran from before OIDC’s emergence. Heavy spec but still active in corporate areas, with enterprise SaaS like Salesforce and ServiceNow standard-supporting
SAST / DAST - Static/Dynamic Application Security Testing. SAST detects vulnerabilities in source-code static analysis (SonarQube, Snyk Code, Semgrep), DAST detects via attempting attacks on running apps (OWASP ZAP, Burp). Mutually complementary - DevSecOps building both into CI is the modern standard
SBOM - Software Bill of Materials. List of all libraries / components apps depend on - SPDX and CycloneDX are representative formats. As supply-chain-attack countermeasure (Log4Shell etc.), required in US-presidential-order federal procurement, with global spread progressing
Schema - The structural definition of data. Meaning varies by context: DB table definitions (DDL), API request/response specifications (OpenAPI, GraphQL schema), and message format definitions (Avro, Protobuf). Schema change management (migrations, compatibility) is a critical point of system operations
Schema Registry - The mechanism centrally managing schema definitions for Avro, Protobuf, JSON Schema, etc. Confluent Schema Registry is representative - required in Kafka ecosystem to maintain inter-data-send/receive compatibility. Compatibility checks (forward, backward, complete) on schema changes built in
shadcn/ui - A React + Tailwind CSS-based UI component collection. Distinctive for its design philosophy of copying component source code into your project rather than installing as an npm package. Built on Radix UI, easy to customize and has excellent compatibility with AI code generation. Also adopted as the output format for AI UI generators like v0
SLA / SLO / SLI - Service Level Agreement (external customer contract) / Objective (internal target) / Indicator (measurement metric). Hierarchy of: SLI for actuals, SLO for target, SLA for external commitment. With SLO < SLA, internal response can start at SLO violation
SLSA - Supply-chain Levels for Software Artifacts. The software-supply-chain-security-maturity framework Google originated and OpenSSF standardizing. Levels 1-4 phase-evaluate “to what extent can the build-process provenance and integrity be guaranteed” - pillar of supply-chain countermeasures alongside SBOM
SOAP - Simple Object Access Protocol. The XML-based RPC protocol with heavy spec combining WS-Security and WS-* spec group. Web-service standard from late 1990s-2000s, replaced by REST and GraphQL - currently remains in legacy integration and finance / public systems
SOC 2 - Service Organization Control 2. The internal-control-audit framework for service-providing businesses defined by AICPA, evaluating 5 principles of security, availability, processing integrity, confidentiality, and privacy. Audit report nearly required when B2B SaaS contracts with large-enterprise customers - 2 types: Type 1 and Type 2
SOLID principles - 5 principles of object-oriented design - acronym of Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, Dependency Inversion. Robert C. Martin systematized, settling as the basic guideline of high-maintainability / extensibility code design
SPA - Single Page Application. The app form where after first loading 1 HTML, page transitions are JS-redrawn. General to build with React, Vue, Angular - realizes near-native-app UX on Web. SEO / first-display-delay challenges resolved via SSR / SSG combination
SPOF - Single Point of Failure. The composition element not redundant, where its falling stops the whole system. The first item to check in architecture review - typical examples: DB primary single composition, LB single-side biasing, specific-region dependence
SQL Injection - The classic attack of mixing SQL statements into input values to unauthorizedly operate DB. Principally preventable with placeholders (parameterized queries), still frequent in old code building SQL by string concatenation. Regular OWASP Top 10
SRE - Site Reliability Engineering. The reliability-engineering methodology born at Google - philosophy of “solve operations problems with software engineering.” Packages concepts of SLO, error budget, Toil reduction, and Postmortem, providing framework dissolving dev-ops opposition
SSG - Static Site Generation. The method generating static HTML for all pages at build time, delivered via CDN. Astro, Next.js, Hugo, Jekyll are representatives - excellent in display speed, security, and low operational cost. This blog itself is built on Astro SSG too
SSO - Single Sign-On. The mechanism logging into multiple linked services with one auth, implemented via SAML or OIDC. Internally Microsoft Entra ID and Okta, in consumer Google and Apple accounts are representative IdPs. Security-aggregation effects beyond just “reducing passwords to remember” are large
SSR - Server Side Rendering. The method composing HTML server-side and returning to browser. Stronger than CSR in initial display, SEO, and low-spec devices - frameworks like Next.js, Nuxt, SvelteKit support. Tradeoff of increased server load and deploy complexity
SSRF - Server-Side Request Forgery. The attack making servers send requests to internal networks - the famous victim case is Capital One incident (2019) where AWS credentials were stolen by reaching cloud-metadata endpoint (169.254.169.254). Countermeasures: migrate to IMDSv2, validate URL input

T

TCO - Total Cost of Ownership. The lifetime cost including not just system introduction costs but also operations, maintenance, personnel, and decommissioning. An important metric alongside ROI for architecture decisions like cloud vs. on-premises comparisons and language/framework selection
Technical Debt - The state where compromised design/implementation from prioritizing short-term speed increases future change costs. A metaphor where debt compounds like interest over time, classified by Martin Fowler into 4 quadrants (deliberate/inadvertent x prudent/reckless). Regular repayment (refactoring) planning is necessary
Tenant - The unit of use in SaaS and cloud services (typically one company or organization). Multi-tenant is a configuration where multiple tenants share the same infrastructure and app, with high cost efficiency but important data isolation and noisy-neighbor design concerns. Single-tenant is a dedicated environment, chosen when compliance requirements are strict
Throughput - The amount of data or number of requests processable per unit time. A performance metric paired with latency (response time per request) - “latency is speed, throughput is width.” Batch processing often focuses on throughput, while APIs focus on latency
Tailwind CSS - A utility-first CSS framework. Class names directly represent styles like bg-blue-500 text-lg rounded-md, eliminating the need to create custom CSS naming conventions. The clear meaning of class names gives it excellent compatibility with AI code generation, also adopted as the standard output format for AI UI generators like v0 and Bolt
TTFB - Time to First Byte. The time from sending a request to receiving the first byte of the response. A performance metric reflecting server processing speed and network latency, used for measuring the effectiveness of CDN, SSG, and edge caching
Terraform - HashiCorp’s IaC tool, declaratively defining cloud resources in HCL (proprietary language), applying with terraform apply taking diff with actual state. Supports many providers like AWS, Azure, GCP, Datadog - de facto standard for multi-cloud / SaaS-config management. With BSL license change as trigger, OSS fork OpenTofu split off
TLS - Transport Layer Security. The standard protocol encrypting / authenticating communication, the inside of HTTPS (SSL successor). Currently TLS 1.3 mainstream - TLS 1.0/1.1 deprecated for vulnerabilities. With Let’s Encrypt’s emergence, anyone can get certificates free, accelerating Web HTTPS-ization
TOGAF - The Open Group Architecture Framework. The EA industry-standard framework, with ADM (Architecture Development Method) - 8-phase approach - at core. Document body massive and large-enterprise-oriented, but the thinking helps mid-size projects too. Certifications also widespread
Toil - SRE term pointing to “operational work repeated manually that should be automatable.” Manual deploys, alert response, user-account issuance are typical - keeping Toil ratio under 50% is SRE-team KPI. Used as basis for continuous-automation investment
TOTP - Time-based One-Time Password. The method calculating 30-second-changing 6-digit one-time passwords from shared secret (RFC 6238). Widely used in apps like Google Authenticator, Authy, 1Password - the standard MFA means with higher security than SMS
tRPC - The TypeScript type-sharing RPC-style API standard, strong when server and client are in same TS repo. Realizes type-safe APIs via TypeScript type inference alone, without schema definitions like GraphQL or OpenAPI. Popular surge in monorepo-composition Next.js projects etc.

U

UEBA - User and Entity Behavior Analytics. A security technology that learns normal behavior patterns of users and devices, detecting anomalous behavior (insider threats, account compromise, etc.). Often integrated into SIEM, utilized for continuous risk assessment in zero-trust environments
UML - Unified Modeling Language. A modeling language expressing software structure and behavior in standardized diagrammatic notation (formulated by OMG). Defines 14 types of diagrams including class, sequence, and use-case diagrams. In the agile era, lightweight usage (whiteboard-sketch level) is mainstream, but still useful for requirements definition and design review
UUID - Universally Unique Identifier. A 128-bit unique identifier that can generate non-duplicate IDs even in distributed environments. v4 (random) is most commonly used, standard for inter-microservice data linkage and event identification. Unlike sequential IDs, DB index efficiency requires attention
USE - Utilization, Saturation, Errors. The metric-design framework for resource (CPU, memory, disk, network) monitoring, proposed by Brendan Gregg. The auxiliary line for systematically seeing “whether resources are clogged” - used combined with service-side RED

V

VCS - Version Control System. A tool managing source code change history and enabling parallel development by multiple people. Git is the de facto standard, with GitHub, GitLab, and Bitbucket as the three major hosting platforms
Vendor Lock-in - The state of being strongly dependent on a specific vendor or product, making switching difficult. Dependence on cloud-specific services (Lambda, DynamoDB, etc.) is typical, with migration costs, relearning costs, and data migration difficulties as barriers. Standard technologies like containers, Kubernetes, and OpenTelemetry serve as lock-in mitigation measures
VPC - Virtual Private Cloud. The logically-isolated virtual network built in cloud - AWS VPC, Azure VNet, GCP VPC are representatives. Combines subnet splitting, routing, security groups, and NAT Gateway etc., basic unit building pseudo-corporate-network in cloud
VPN - Virtual Private Network. The technology realizing dedicated-line-equivalent secure communication by tunneling encrypted over public internet. Used in remote-work internal-network connections and on-prem-cloud Site-to-Site connections. With zero-trust-ization progressing, the very necessity of corporate VPN being reconsidered

W

WASM - WebAssembly. A binary instruction format that can execute code at near-native speed in browsers. Compiled to WASM from Rust, C++, Go, etc. Usage is also expanding outside browsers (Cloudflare Workers, Wasmtime), gaining attention as an edge computing runtime
WORM - Write Once Read Many. A storage characteristic where data cannot be overwritten or deleted once written. Used for tamper-proofing audit logs and compliance data, realized through AWS S3 Object Lock, Azure Blob Immutable Storage, etc.
WAF - Web Application Firewall. The defense layer inspecting OSI layer-7 HTTP requests/responses, blocking Web attacks like SQL injection, XSS, and path traversal. AWS WAF, Cloudflare, Akamai, Imperva are representatives - many forms integrated with CDN. Composes multi-layer defense with app-side countermeasures
WCAG - Web Content Accessibility Guidelines. The international standard of Web accessibility formulated by W3C, with 3 levels A, AA, AAA. Many nations / municipalities legally require WCAG 2.1 AA compliance - required for public / large-enterprise sites. Required Web-developer knowledge alongside OWASP Top 10
WebAuthn - The W3C standard API of FIDO2, the JavaScript interface handling public-key-based auth from browsers. The core technology of Passkey implementation - all of Chrome, Safari, Firefox, Edge support. Unifiedly handles biometric, security keys, and platform authenticators
WebSocket - The protocol upgrading HTTP connections to bidirectional communication (RFC 6455). Servers can actively push, so widely used in chat, real-time notifications, online games, and stock-tickers. Recent debate also includes use-separation with Server-Sent Events (SSE) and WebTransport

X

XDR - Extended Detection and Response. A security platform integrating EDR (endpoint), NDR (network), SIEM, etc. for cross-organizational threat detection and response. An evolution of EDR that detects advanced attacks by correlating analysis across multiple data sources
XSS - Cross-Site Scripting. The attack making malicious scripts execute in other users’ browsers, stealing cookies, tokens, or operations. Caused by user-input output-escape gaps - 3 types: Stored, Reflected, DOM-Based. Modern frameworks like React standard-escape, but holes easily open via dangerouslySetInnerHTML etc.

Y

YAGNI - You Aren’t Gonna Need It. The principle of not pre-implementing features that “might be needed in the future.” Originating from XP (Extreme Programming), a fundamental design-decision principle that cautions against over-engineering and over-abstraction. Implementing when actually needed results in less waste

Z

ZTNA - Zero Trust Network Access. A remote access method replacing VPN that evaluates user authentication, device state, and context each time, granting access to only the minimum necessary applications. Often provided as a function of SASE, resolving VPN’s problem of “once connected, the entire internal network is visible”
Zero Trust - The modern security model with “no implicit trust” as principle. Discards the premise that internal networks are safe, authenticating / authorizing / encrypting every communication / access. NIST SP 800-207 formulating standards - went mainstream in one stroke with remote-work spread

How to use the glossary

This glossary is intended to be used as an index when feeling “this term is unclear” throughout the series.

The IT-architecture world has very many acronyms, with areas where similar acronyms line up like SaaS / PaaS / IaaS / FaaS, and areas where AuthN / AuthZ / OAuth / OIDC / SAML appear around auth - just organizing terms is one job.

Reading through this article once produces the recognition “this is an acronym I saw before” when reading individual articles, greatly raising read-along speed. No need to memorize completely - just grasping the feel of “such a term exists” is enough.

Summary

This article organized the terminology-list reference appearing in the series “Architecture Crash Course for the Generative-AI Era.”

Each article also adds 1-line explanations to first-mentioned terms - the assumed use is first reading individual articles, returning here when concerned about terms.

This glossary is a document planned to grow alongside article additions / updates. As the series progresses, items will be added.

Back to series TOC -> ‘Architecture Crash Course for the Generative-AI Era’: How to Read This Book

I hope you’ll read the next article as well.