# Glossary

Terminology reference for CertifyClouds.
## Product Terms

### Assets Module

The asset management module containing two components:

- Assets Discovery - Scans Azure Key Vaults across subscriptions to inventory secrets, keys, and certificates. Tracks expiration dates and provides a centralized view of all vault contents.
- Assets Dependencies (PRO) - Maps Azure Key Vault credentials to dependent Azure resources for impact analysis and coordinated credential rotation.

### Automation Module (PRO)

The automation module containing two components:

- Automation Rotation - Automates credential rotation for Azure App Registrations. Matches app registration secrets to their Key Vault locations and performs one-click rotation.
- Automation Sync - Synchronizes Azure Key Vault secrets and certificates to AWS and GCP for disaster recovery and multi-cloud deployments.
## License Terms

### STARTER Tier

Entry-level license tier. Includes:

- Assets Discovery (scanning)
- Compliance scoring
- Alert notifications
- Audit logging
- Maximum 4 subscriptions
- Single user

### PRO Tier

Full-feature license tier. Includes everything in STARTER plus:

- Automation Rotation
- Automation Sync
- Assets Dependencies
- Unlimited subscriptions
- Multi-user support
- SSO/OIDC integration

### License Key

Encrypted JWT token that activates CertifyClouds. Contains the organization name, tier, expiration date, and subscription limits.
## Azure Terms

### Key Vault

Azure's cloud service for securely storing and accessing secrets, keys, and certificates. CertifyClouds monitors and manages Key Vault contents but does not replace the vault itself.

### App Registration

Azure AD identity for applications. App Registrations authenticate with secrets (passwords) or certificates; Automation Rotation rotates these credentials.

### Managed Identity

Azure's recommended authentication method for cloud workloads. CertifyClouds uses managed identity when deployed in Azure, eliminating the need for stored credentials.

### Service Principal

Azure AD identity created from an App Registration. Used when managed identity isn't available (e.g., on-premises deployments).

### Subscription

Azure billing and resource container. Discovery scans across multiple subscriptions, up to the limit set by the license tier.
## Technical Terms

### Modular Monolith

CertifyClouds' architecture pattern. A single deployable unit with cleanly separated domain modules. Combines monolith simplicity with module independence.

### Domain Module

Self-contained code unit handling specific functionality (e.g., Assets, Automation). Each domain has its own API routes, database models, and services.

### Zero-Knowledge Architecture

CertifyClouds' security model. The application reads secret metadata (names, expiration) but never reads or transmits secret values. All data stays within the customer's environment.

### SSE (Server-Sent Events)

One-way real-time communication from server to client. Used for progress updates during long-running operations.

### WebSocket

Two-way real-time communication. Used for notifications and live updates in the dashboard.
## Compliance Terms

### Compliance Score

Percentage score (0-100) indicating how well secrets follow security best practices. Based on expiration status, age, and naming conventions.

### Compliance Rule

Configurable policy for evaluating secret health. Examples: "Secrets must expire within 90 days", "No secrets older than 365 days".

### Violation

A secret failing one or more compliance rules. Violations are categorized by severity (critical, high, medium, low).
## Operational Terms

### Scan

Assets Discovery operation that reads Key Vault metadata across configured subscriptions. Results are stored for historical comparison.

### Rotation

Automation operation that generates a new secret or certificate for an App Registration and updates the corresponding Key Vault entry.

### Sync

Automation operation that copies an Azure Key Vault secret to AWS or GCP. Only the current value is synced, not the version history.

### Discovery

Automation Rotation operation that finds App Registrations and matches them to their Key Vault secrets. Prerequisite for rotation.

### Dependency Mapping

Assets Dependencies operation that analyzes Azure resources to find references to Key Vault credentials.

### Blast Radius Analysis

Assets Dependencies operation that calculates the impact of rotating a specific credential. Shows all dependent resources.

### Full-Stack Rotation

Assets Dependencies operation that rotates a credential AND automatically updates all dependent Azure resources.

### Exclusion

Rule preventing specific secrets from being synced or rotated. Useful for legacy systems or sensitive credentials.
## Status Terms

### Healthy

Secret with a valid expiration date well into the future (typically 30+ days away).

### Expiring

Secret approaching expiration (typically within 30 days). Triggers warnings and alerts.

### Expired

Secret past its expiration date. Critical status requiring immediate action.
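The following is an added example, not CertifyClouds code, showing how the secret statuses above and the compliance rules from the Compliance Terms section can be evaluated on Key Vault metadata alone (name and dates, never the secret value, in keeping with the zero-knowledge model). The 30-day, 90-day and 365-day thresholds come from this glossary; the severity penalties, the naming-convention regex, the `NoExpiry` label for secrets with no expiration date, and the sample inventory are assumptions made for the example.

```python
"""Classify Key Vault secret metadata and score it against compliance rules.

Added example: not part of CertifyClouds. Thresholds follow the glossary;
penalty weights, naming regex and sample data are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EXPIRING_DAYS = 30        # glossary: "Expiring" = within 30 days of expiry
MAX_VALIDITY_DAYS = 90    # glossary rule: "Secrets must expire within 90 days"
MAX_AGE_DAYS = 365        # glossary rule: "No secrets older than 365 days"
NAME_PATTERN = re.compile(r"^[a-z0-9-]+$")   # assumed naming convention

# Assumed penalty per severity; the real scoring weights are not documented here.
PENALTY = {"critical": 100, "high": 60, "medium": 30, "low": 10}


@dataclass(frozen=True)
class SecretMetadata:
    """Metadata only: vault, name and dates. The secret value is never read."""
    vault: str
    name: str
    created: datetime
    expires: Optional[datetime]


def secret_status(meta: SecretMetadata, now: datetime) -> str:
    """Map expiration metadata to the glossary's Healthy / Expiring / Expired."""
    if meta.expires is None:
        return "NoExpiry"   # assumed label: the glossary defines no status for this case
    remaining = meta.expires - now
    if remaining <= timedelta(0):
        return "Expired"
    if remaining <= timedelta(days=EXPIRING_DAYS):
        return "Expiring"
    return "Healthy"


def violations(meta: SecretMetadata, now: datetime) -> list:
    """Return (rule, severity) pairs for every compliance rule the secret fails."""
    found = []
    if meta.expires is None:
        found.append(("must-expire-within-90-days", "high"))
    elif meta.expires <= now:
        found.append(("not-expired", "critical"))
    elif meta.expires - now > timedelta(days=MAX_VALIDITY_DAYS):
        found.append(("must-expire-within-90-days", "medium"))
    if now - meta.created > timedelta(days=MAX_AGE_DAYS):
        found.append(("no-secrets-older-than-365-days", "high"))
    if not NAME_PATTERN.match(meta.name):
        found.append(("naming-convention", "low"))
    return found


def compliance_score(inventory: list, now: datetime) -> float:
    """0-100 score: mean of per-secret points after subtracting severity penalties."""
    if not inventory:
        return 100.0
    total = 0
    for meta in inventory:
        penalty = sum(PENALTY[sev] for _, sev in violations(meta, now))
        total += max(0, 100 - penalty)
    return round(total / len(inventory), 1)


# Constructed sample inventory (not real vault data) with a fixed clock so
# the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _days(n: int) -> datetime:
    return NOW + timedelta(days=n)


SAMPLE_INVENTORY = [
    SecretMetadata("kv-prod", "db-password", _days(-100), _days(60)),   # healthy, compliant
    SecretMetadata("kv-prod", "api-key", _days(-400), _days(10)),       # expiring, too old
    SecretMetadata("kv-legacy", "legacy_token", _days(-30), _days(-5)), # expired, bad name
    SecretMetadata("kv-prod", "cert-signing", _days(-10), None),        # no expiry set
    SecretMetadata("kv-dev", "storage-conn", _days(-20), _days(200)),   # valid too long
]

if __name__ == "__main__":
    for meta in SAMPLE_INVENTORY:
        print(f"{meta.vault}/{meta.name}: {secret_status(meta, NOW)} {violations(meta, NOW)}")
    print("compliance score:", compliance_score(SAMPLE_INVENTORY, NOW))
```

Each secret is scored independently so a single expired credential cannot be hidden by many healthy ones in the same vault; the score for the constructed inventory comes out at 50.0, with the expired secret contributing zero points.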
### Pending

Operation queued but not yet started.

### In Progress

Operation currently executing.

### Completed

Operation finished successfully.

### Failed

Operation encountered an error. Details are recorded in the audit log.
## Abbreviations

| Abbrev | Full Term |
|---|---|
| ACI | Azure Container Instances |
| ACM | AWS Certificate Manager |
| ACR | Azure Container Registry |
| AD | Azure Active Directory (now Entra ID) |
| API | Application Programming Interface |
| ASM | AWS Secrets Manager |
| CAE | Azure Container Apps Environment |
| CLI | Command Line Interface |
| DR | Disaster Recovery |
| GCP | Google Cloud Platform |
| GSM | GCP Secret Manager |
| JWT | JSON Web Token |
| KV | Key Vault |
| MI | Managed Identity |
| OIDC | OpenID Connect |
| RBAC | Role-Based Access Control |
| REST | Representational State Transfer |
| SP | Service Principal |
| SSE | Server-Sent Events |
| SSO | Single Sign-On |
| TLS | Transport Layer Security |
| WS | WebSocket |