Chapter 60 Β· Glossary

Other Infrastructure Glossary

Key terms for infrastructure models, virtualization, IoT, industrial control systems, and high availability.

On-Premises Infrastructure
An IT deployment model where all hardware, software, and data reside within the organization's own physical facilities and are managed by the organization's own staff. The organization owns and operates the servers, networking equipment, storage systems, and data center facility. Benefits: complete control over security posture, all data physically on-premises, no multi-tenancy exposure, no dependency on a third-party provider. Costs: capital expenditure for hardware, ongoing staffing, physical facility maintenance, and slower deployment of security changes that require procurement cycles.
Centralized Security Management
An approach to managing security across a diverse, decentralized IT environment from a single unified console β€” typically implemented through a SIEM (Security Information and Event Management) system combined with unified device management tools. Centralization provides correlated alerts (events from multiple systems analyzed together), consolidated log analysis (search across all environments in one query), and unified patch and configuration management. The tradeoff: the centralized console becomes a single point of failure β€” if it goes offline or is compromised, visibility across the entire environment is lost simultaneously.
Hypervisor
Software that runs directly on physical hardware (Type 1 / bare-metal hypervisor) or on top of a host OS (Type 2 hypervisor) and manages the allocation of physical resources β€” CPU, RAM, storage, network β€” among multiple virtual machines. The hypervisor enforces isolation between VMs: processes in one VM cannot directly access the memory or processes of another. The hypervisor is the foundation of virtualization. Examples: VMware ESXi (Type 1), Microsoft Hyper-V (Type 1), KVM (Type 1 on Linux), VirtualBox (Type 2). A hypervisor vulnerability that allows a VM to escape its isolation boundary and access the hypervisor or other VMs is called a VM escape β€” the most severe virtualization security incident.
Virtual Machine (VM)
A software emulation of a complete computer system, including its own dedicated (virtual) CPU, RAM, storage, and network interfaces, managed by a hypervisor. Each VM runs its own complete guest operating system β€” Windows Server, Linux, or other OS β€” independently from other VMs on the same physical host. VMs are strongly isolated from each other: a compromise of one VM does not automatically affect neighboring VMs. The cost of this strong isolation is OS overhead: each VM requires a full OS installation, consuming significant memory and storage compared to containerization.
Containerization
A virtualization model where applications are packaged with their dependencies (libraries, configuration, runtime) into isolated units called containers that share the host OS kernel. Unlike VMs, containers do not include their own OS β€” they rely on the host OS. The container engine (Docker being the most common) manages container lifecycle and provides OS-level isolation between containers using Linux namespaces and cgroups. Benefits: lightweight (no OS overhead), fast startup (milliseconds), portable across any container host, ideal for microservices and cloud-native applications. Key security difference from VMs: a host kernel vulnerability affects all containers on that host.
Docker
The most widely used container engine β€” the software layer that sits between the host operating system and the application containers, managing container creation, isolation, networking, storage, and lifecycle. Docker packages an application and its dependencies into a container image β€” a portable, version-controlled snapshot that runs identically on any Docker-capable host. Docker containers are isolated from each other using Linux namespaces (process isolation, filesystem isolation, network isolation) and cgroups (resource limits). Docker is not the only container engine (alternatives include Podman, containerd), but it is the most prevalent and is the standard exam reference for containerization.
Internet of Things (IoT)
A category of network-connected devices designed for sensing, monitoring, automation, or data collection functions that are distinct from traditional computing devices. Examples: smart thermostats, video doorbells, wearable health monitors, industrial sensors, smart lighting, facility automation systems. IoT devices are typically designed by specialists in their specific domain (HVAC, lighting, health monitoring) rather than security engineers, resulting in weak default security configurations: hardcoded or easily guessable credentials, no firmware update mechanism, unencrypted communications, and unnecessary open network services. A single compromised IoT device provides an attacker with a network foothold inside the perimeter.
SCADA (Supervisory Control and Data Acquisition)
A system architecture for monitoring and controlling large-scale industrial and infrastructure processes across multiple physical sites from a centralized control room. SCADA is the implementation model for Industrial Control Systems (ICS) β€” the terms are frequently used interchangeably. Operators use SCADA workstations to view real-time sensor data, status of industrial equipment, and issue control commands across the entire facility or network of facilities. SCADA is used in power generation, oil and gas, water treatment, manufacturing, and transportation. Because SCADA controls physical processes, cyberattacks can cause physical equipment destruction, safety incidents, or disruption of critical services β€” not merely data loss.
ICS (Industrial Control System)
The broad category of systems used to monitor and control industrial physical processes. ICS encompasses SCADA (multi-site, large-scale), Distributed Control Systems (DCS, used for continuous process control within a single facility), and Programmable Logic Controllers (PLCs, microcomputers that directly control individual machines or processes). ICS environments require strict network segmentation from corporate IT networks β€” ideally physical air gaps β€” because unauthorized access to ICS can cause physical consequences: equipment damage, safety hazards, and disruption of critical infrastructure services that may affect public safety and national security.
RTOS (Real-Time Operating System)
An operating system designed for deterministic execution β€” guaranteeing that specific tasks are completed within defined time constraints, regardless of other system activity. In a standard OS (Windows, Linux), the scheduler may delay any process; in an RTOS, critical tasks are guaranteed to execute within their required time window. Used in automotive systems (ABS, airbags, engine control), industrial automation, military and aerospace systems, and medical devices (pacemakers, insulin pumps). RTOS environments are extremely sensitive to performance disruptions β€” traditional security software (antivirus, monitoring agents) that introduces latency is typically incompatible with real-time guarantees. Security is implemented through isolation and physical protection rather than active defense.
Embedded System
A purpose-built device where hardware and software are designed together to perform exactly one specific function, with no ability to load arbitrary software or expand functionality. Embedded systems run firmware optimized for their one task β€” there is no general-purpose OS interface, no app store, and no way to install additional software. Examples: traffic light controllers, digital watches, medical imaging systems (MRI, CT scanners), industrial sensors and actuators. Security challenges: long operational lifecycles (10–20 years) with potentially unpatched firmware; limited or no remote update mechanism; no logging or monitoring capability; purpose-optimized hardware with no capacity for security software.
High Availability (HA)
An architecture design goal that ensures a system remains continuously operational β€” always on, always accessible β€” even when individual components fail. Distinguished from simple redundancy: redundancy means having a spare available; HA means the spare is automatically and transparently integrated into operations such that failure is seamless. HA configurations: Active/Passive (one primary handles traffic; standby synchronizes and takes over automatically on failure) and Active/Active (both systems actively handle traffic simultaneously; failure of one is absorbed by the other with no interruption). Active/Active also provides capacity scaling. Higher availability requires more infrastructure at each layer β€” dual power, dual networking, dual systems β€” and therefore higher cost.