Glossary

A reference guide to key cybersecurity concepts, protocols, technologies and other jargon you may encounter on our site or in the field, with a focus on password management, privileged access, and security posture for real-world businesses.

AES-256

AES-256 (Advanced Encryption Standard, 256-bit) is a symmetric block cipher standardised by NIST in FIPS 197 and used worldwide to protect classified and sensitive data. No practical attack on the cipher itself is known with current computing technology; real-world failures come from key management, misuse of the mode of operation, or implementation flaws rather than from the algorithm. AES-256 is used by governments, financial institutions, and security-conscious organisations to encrypt data at rest and in transit. One caveat for practitioners: CBC mode on its own provides confidentiality only. Anyone who can modify the ciphertext can flip bits in the decrypted plaintext without detection, so CBC must be paired with a MAC that is computed over the IV and the ciphertext and verified before anything is decrypted (encrypt-then-MAC). Heimlane Vault uses AES-256-CBC with HMAC-SHA256 to encrypt all vault contents client-side before they ever reach the server.

National cybersecurity agencies

National cybersecurity agencies are government bodies that publish security standards, issue threat advisories, certify products, and coordinate incident response at country or regional level. Their guidance shapes procurement requirements, regulatory frameworks, and the baseline expectations for what “good security” looks like in their jurisdiction. Major agencies you will encounter in the field:

  • ACN (Agenzia per la Cybersicurezza Nazionale, Italy) is Italy’s national cybersecurity authority, established in 2021. It coordinates incident response through CSIRT Italia and maintains the Perimetro di Sicurezza Nazionale Cibernetica framework for critical national infrastructure.
  • ACSC (Australian Cyber Security Centre, Australia) publishes the Essential Eight, one of the few government frameworks that explicitly ranks security controls by priority and maturity level. Widely cited internationally as a starting point for hardening.
  • ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information, France) issues guidance and certifications including CSPN and SecNumCloud, and is a key reference for French public sector procurement.
  • BSI (Bundesamt für Sicherheit in der Informationstechnik, Germany) issues the IT-Grundschutz framework and certifies products under the German national scheme.
  • CCN-CERT (Centro Criptológico Nacional, Spain) is the incident response capability of Spain’s national cryptologic centre (CCN). The CCN develops the guidance (the CCN-STIC series) that implements the ENS (Esquema Nacional de Seguridad), the security framework that is mandatory for the Spanish public sector and the providers that serve it.
  • CISA (Cybersecurity and Infrastructure Security Agency, United States) is the US federal operational lead for cyber defence and critical infrastructure protection. Its Known Exploited Vulnerabilities (KEV) catalog is widely used.
  • ENISA (European Union Agency for Cybersecurity) is the EU-wide body that supports member states on policy, capacity building, and the implementation of directives such as NIS2.
  • NCSC (National Cyber Security Centre, United Kingdom) is the UK’s authority on cyber threats and best practice. Its Cyber Essentials scheme is a widely adopted baseline certification.
  • NIST (National Institute of Standards and Technology, United States) publishes the SP 800-series and the NIST Cybersecurity Framework (CSF), the most globally referenced security standards in the industry.

These agencies often align on core principles (least privilege, defence in depth, audit trails, MFA), so following any one of them tends to satisfy most of the others. Heimlane’s product design references guidance from multiple agencies rather than a single jurisdiction.

Argon2id

Argon2id is a modern, memory-hard key derivation function (KDF) designed to resist brute-force attacks by requiring significant memory as well as processing time for every guess. Argon2 won the Password Hashing Competition in 2015; the Argon2id variant, a hybrid of the data-independent Argon2i and data-dependent Argon2d passes, is the one standardised in RFC 9106 and recommended by OWASP for password hashing (minimum configuration: 19 MiB of memory, 2 iterations, parallelism 1). Unlike older algorithms such as PBKDF2, which can only be tuned by iteration count, Argon2id’s memory requirement makes GPU-based and ASIC-based guessing far more expensive per attempt. Heimlane Vault supports Argon2id as its recommended KDF for deriving master keys from user passwords.

Bastion

A bastion (also called bastion host or jump server) is a hardened entry point that acts as a single, controlled gateway for administrators and third-party providers to access an organisation’s servers and applications. All privileged connections pass through the bastion, which authenticates users, enforces access policies, records sessions, and provides a complete audit trail. The term “bastion” is sometimes used loosely as a synonym for PAM (Privileged Access Management), although strictly it is one component of a PAM solution. Heimlane Realm functions as a bastion, providing browser-based access to RDP, SSH, and VNC targets with full session recording and credential injection.

End-to-end encryption

End-to-end encryption (E2EE) means that data is encrypted on the sender’s device and can only be decrypted on the recipient’s device. No intermediary, including the service provider, can access the plaintext content. This is the foundation of zero-knowledge architectures where the provider never has access to customer data, even if their servers are compromised. E2EE protects data in transit and on the provider’s servers; it does not protect against a compromised endpoint, which sees the plaintext by design.

Password vault

A password vault is an encrypted digital safe that stores passwords, credentials, notes, payment cards, and other sensitive data. A business password vault adds features such as team sharing, access controls, organisational zones, and audit trails. Unlike consumer-grade solutions, a business vault integrates with privileged access management tools to enable credential injection into remote sessions without exposing passwords to users.

Credential injection

Credential injection is the process of automatically inserting stored credentials (username, password) into a login session without revealing them to the user. The user connects to a target system through a PAM solution, and the solution retrieves the credentials from the password vault and injects them transparently. This eliminates shared passwords, prevents credential theft by keyloggers on the user’s workstation (the user never types or sees the password), and creates a full audit trail of who accessed what, when, and with which account. Heimlane Realm retrieves credentials from Vault and injects them into RDP, SSH, VNC, and web sessions.

GDPR

The General Data Protection Regulation (GDPR) is the European Union regulation governing the collection, processing, and storage of personal data. It requires organisations to implement appropriate technical and organisational measures to protect personal data, including encryption, access controls, and the ability to demonstrate compliance. GDPR applies to any organisation processing data of EU residents, regardless of where the organisation is based.

HSTS

HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy mechanism that forces browsers to only connect to a website over HTTPS. Once a browser has received the Strict-Transport-Security header over an HTTPS response, it rewrites http:// links to https:// itself and refuses plain-HTTP connections to that host for the max-age period, preventing downgrade attacks and cookie hijacking. The protection is trust-on-first-use: the very first visit, before any header has been seen, is still exposed. HSTS preloading closes that gap by having the domain included in browsers’ built-in lists, so even the first connection is secure. Submission to the preload list requires a max-age of at least one year (31536000 seconds), the includeSubDomains directive, and the preload directive.

Least privilege

The principle of least privilege dictates that users, accounts, and processes should only have the minimum permissions necessary to perform their tasks. Applying least privilege reduces the attack surface by limiting what a compromised account can access. In the context of PAM, least privilege means granting administrators access only to the specific servers and applications they need, for the time they need it, with no standing permissions.

MFA / 2FA

Multi-factor authentication (MFA) and two-factor authentication (2FA) require users to prove their identity using two or more independent factors: something they know (password), something they have (phone, security key), or something they are (biometrics). MFA significantly reduces the risk of account compromise from stolen credentials. Factors are not equal, however: SMS codes and time-based one-time passwords can be phished or relayed in real time by a proxy site, whereas FIDO2/WebAuthn security keys bind the authentication to the site’s origin and are phishing-resistant, which makes them the preferred factor for administrative access. OWASP, NIST, and ANSSI all recommend MFA for any privileged or sensitive access.

MSP / MSSP

A Managed Service Provider (MSP) is a company that remotely manages a customer’s IT infrastructure, typically including servers, networks, endpoints, and security. A Managed Security Service Provider (MSSP) specialises in security operations. MSPs and MSSPs need tools that are multi-tenant by design, allowing them to manage multiple customers from a single platform while maintaining strict data isolation between tenants.

NIS2

NIS2 (Directive (EU) 2022/2555, the Network and Information Security Directive 2) is the European Union directive that expands cybersecurity obligations to a broader range of organisations, including mid-sized businesses in essential and important sectors. NIS2 requires measures such as access control, incident reporting, risk management, supply chain security, and accountability at management level. Article 21(2) lists the minimum technical and organisational measures, which include access control policies and asset management, the use of cryptography and encryption, and multi-factor or continuous authentication; privileged access management is the practical way most organisations meet the access control and authentication items.

PAM

PAM (Privileged Access Management) is the discipline of controlling, monitoring, and auditing access to critical systems by users with elevated permissions (administrators, third-party providers, service accounts). A PAM solution typically includes a bastion or gateway, a password vault, session recording, access policies, and credential injection. PAM addresses the risk that privileged accounts, if compromised, give attackers direct access to an organisation’s most sensitive systems.

PBKDF2

PBKDF2 (Password-Based Key Derivation Function 2, RFC 8018) is a key derivation function that applies a pseudorandom function (typically HMAC-SHA256) to a password together with a salt, repeated over many iterations, to produce a derived key. The iteration count is its only cost parameter: a high count (600,000 for PBKDF2-HMAC-SHA256 is the current OWASP recommendation) makes each guess proportionally more expensive, but because PBKDF2 needs almost no memory, GPUs and ASICs can run many guesses in parallel, which is why memory-hard functions such as Argon2id are preferred for new deployments. PBKDF2 is widely supported across all platforms and remains the default KDF for Bitwarden-compatible clients.

RBAC

Role-Based Access Control (RBAC) is an access control method where permissions are assigned to roles rather than to individual users. Users are then assigned to roles based on their job function. RBAC simplifies access management, reduces administrative overhead, and makes it easier to enforce least privilege across an organisation. When an employee changes role, their access changes with their role assignment rather than requiring individual permission updates.

RSA-2048

RSA-2048 is an asymmetric (public-key) algorithm that uses a pair of keys: anyone can encrypt with the public key, and only the holder of the private key can decrypt. A 2048-bit modulus offers roughly 112 bits of security and is considered adequate for current use; NIST SP 800-57 accepts it through 2030, and ANSSI recommends 3072 bits for keys that must remain secure beyond that date. In password management, RSA is used for sharing between users in hybrid fashion: the item itself is encrypted with a symmetric key, and only that key is encrypted with the recipient’s public key (RSA-OAEP), so that only the recipient’s private key can unwrap it. Heimlane Vault uses RSA-2048 for zero-knowledge team sharing within organisations.

Session recording

Session recording is the capture and storage of everything that happens during a privileged access session (RDP, SSH, VNC, or web). Recordings may include video of the screen, keystroke logs, command histories, and metadata such as timestamps and user identity. Session recordings provide an auditable trail for compliance, forensic investigation, and real-time monitoring of administrative actions. Heimlane Realm records all privileged sessions with OCR-based event detection for searchable audit trails.

SSO

Single Sign-On (SSO) allows users to authenticate once and gain access to multiple applications without re-entering credentials. SSO improves user experience and reduces password fatigue, but it also concentrates risk: if the SSO provider is compromised, all connected applications are exposed, so the identity provider itself deserves the strongest controls in the estate (phishing-resistant MFA, conditional access, and tightly audited administrative accounts). SSO is typically implemented using protocols such as SAML 2.0 or OpenID Connect.

Digital sovereignty

Digital sovereignty refers to the ability of an organisation or nation to control its own digital infrastructure, data, and technology choices without dependence on foreign providers or jurisdictions. In cybersecurity, digital sovereignty means hosting data within trusted regions, using locally-developed solutions, and ensuring that no foreign government can compel access to customer data through extraterritorial laws such as the US CLOUD Act.

TLS 1.3

TLS 1.3 (Transport Layer Security, version 1.3, RFC 8446) is the most recent version of the protocol that secures communications over the internet. Compared to TLS 1.2, it removes obsolete cipher suites and key exchanges (static RSA key transport, CBC-mode and RC4 suites), reduces the full handshake to one round trip (improving performance), and mandates forward secrecy by permitting only ephemeral (EC)DHE key exchange, which means that even if a server’s private key is compromised in the future, recorded past sessions cannot be decrypted. One caveat for practitioners: the optional 0-RTT resumption mode sends application data before the handshake completes and is replayable, so it should be disabled or restricted to idempotent requests.

Zero knowledge

Zero-knowledge architecture means that the service provider has no ability to access, read, or recover customer data. All encryption and decryption happens on the user’s device (client-side), and the provider only stores encrypted ciphertext. Even if the provider’s servers are breached, the attacker obtains only encrypted data that cannot be decrypted without the user’s master password. The provider cannot reset a master password or recover a vault because it never possesses the decryption keys; any recovery feature has to rely on keys held by the user or their organisation rather than by the provider. The boundary of the model is the client: a user of a web client runs code delivered by the provider, so the guarantee covers data on the provider’s servers, not a malicious or compromised client build.

Zero trust

Zero trust is a security model based on the principle “never trust, always verify.” Instead of assuming that users or devices inside the network perimeter are trusted, zero trust requires continuous verification of identity, device health, and context for every access request. Zero trust architectures typically combine strong authentication, micro-segmentation, least privilege access, and continuous monitoring. ZTNA (Zero Trust Network Access) implements this model for remote access to applications and resources.

ZTNA

ZTNA (Zero Trust Network Access) replaces traditional VPNs by providing application-level access based on identity and context rather than network-level access. Unlike a VPN, which gives broad access to an entire network, ZTNA grants access only to specific applications the user is authorised to use. ZTNA provides the connectivity layer, while PAM provides the governance layer: who accessed what, when, with which credentials, and what they did during the session.