CASB
Cloud Access Security Broker: provides visibility and control over SaaS application usage. Discovers unsanctioned cloud apps (“shadow IT”), enforces data security policies, and answers questions like “what cloud apps are employees using?” and “is anyone uploading sensitive data to unsanctioned services?” Typically bundled with DLP. Whether end-customers need CASB depends on their compliance obligations, for example a regulated accountancy firm auditing staff use of personal cloud storage, or a healthcare provider demonstrating patient data isn’t leaving sanctioned applications.
CISA
Cybersecurity and Infrastructure Security Agency: a US federal agency that publishes cybersecurity guidance and frameworks, including the Zero Trust Maturity Model. Relevant to MSPs because CISA’s guidance increasingly shapes the compliance expectations that boards, auditors, and insurers place on mid-market organisations.
Cyber Essentials
A UK government-backed certification scheme covering five key technical controls. Increasingly required by insurers and procurement processes. MSPs delivering Cyber Essentials alignment for customers need to demonstrate controls around firewalls, secure configuration, user access control, malware protection, and security update management (patch management).
DLP
Data Loss Prevention: inspects content in transit and at rest, looking for patterns that indicate sensitive information (credit card numbers, personal data, intellectual property) and blocks or alerts on policy violations. Typically bundled with CASB. Relevant when customers have regulatory obligations around data handling.
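The pattern matching a DLP engine performs on content in transit, as an added example rather than anything from the original glossary or a specific product: candidate card numbers are found with a regular expression, then validated with the Luhn check so that digit runs which merely look like a card number (order references, invoice numbers) are not flagged. The sample upload body, the test card numbers and the allow/alert/block policy are constructed for the example.

```python
import re
from typing import List, Tuple

# Candidate primary account number (PAN): 13 to 19 digits, optionally separated
# by single spaces or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): rejects digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN in text, separators stripped."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> Tuple[str, int]:
    """Mask all but the last four digits of each Luhn-valid PAN; return (text, count)."""
    count = 0

    def mask(m: "re.Match[str]") -> str:
        nonlocal count
        digits = SEPARATORS.sub("", m.group())
        if not luhn_ok(digits):
            return m.group()      # false positive: leave the text untouched
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(mask, text), count


def policy_decision(text: str, sanctioned_destination: bool) -> str:
    """Constructed policy: block card data to unsanctioned destinations, alert on sanctioned ones."""
    if not find_pans(text):
        return "allow"
    return "alert" if sanctioned_destination else "block"


# Constructed sample of an outbound upload body (well-known test card numbers, not real accounts).
SAMPLE_UPLOAD = (
    "Invoice 20240117 for customer 5551234\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/26)\n"
    "Order ref 1234-5678-9012-3456\n"
    "Backup card 4242424242424242\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_UPLOAD))
    redacted, n = redact(SAMPLE_UPLOAD)
    print(n, "PAN(s) masked")
    print(redacted)
    print(policy_decision(SAMPLE_UPLOAD, sanctioned_destination=False))
```

The order reference `1234-5678-9012-3456` is sixteen digits but fails Luhn, so it survives redaction; tuning this validation step is what separates a usable DLP policy from one that users learn to ignore.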
DORA
Digital Operational Resilience Act: an EU regulation requiring financial entities to strengthen their ICT risk management, incident reporting, resilience testing, and third-party risk oversight. Relevant to MSPs serving banks, insurers, or investment firms in the EU, as DORA extends obligations to their critical ICT service providers, which may include the MSP itself.
DPI
Deep Packet Inspection: examines the data payload of packets, not just headers. This is the mechanism that allows SWGs to perform inline content inspection, URL filtering beyond domain level, and real-time malware scanning. For TLS traffic the payload is only visible if the gateway terminates the TLS session, which in turn requires the inspection CA to be trusted on managed devices. Without DPI, filtering is limited to what the headers expose: DNS names, IP addresses and ports, and the server name in the TLS handshake where it is sent in clear.
EDR
Endpoint Detection and Response: continuously monitors endpoints to detect, investigate, and respond to threats. A foundational requirement for any Zero Trust journey. ZTNA solutions often check whether EDR is running on a device before granting access, making it part of the device posture verification step. When customers already have EDR and host firewalls in place, network-level security like SWG and CASB becomes less critical for managed devices, because malware and suspicious behaviour are caught at the endpoint; it does not cover unmanaged devices, and it does not enforce data-handling policy, which is where CASB and DLP still earn their place. EDR is the foundation; the network-delivered security layers build on top of it.
FWaaS
Firewall as a Service: cloud-delivered firewall providing capabilities like IDS/IPS and deep inspection of non-web protocols. In practice, FWaaS capabilities are increasingly folded into SWG products rather than sold separately, so most MSPs encounter FWaaS as part of a bundled SSE platform rather than as a standalone purchase decision.
HBFW
Host-based Firewall: the firewall built into the endpoint's operating system (Windows Defender Firewall, nftables/iptables, pf). In the ZTNA context the term describes an architecture in which a central policy engine programs these native firewalls to enforce microsegmentation. No additional appliances required; enforcement happens at each host, so a compromised machine can only reach the ports the policy has opened for it. Useful when the goal is to prevent lateral movement without deploying additional infrastructure; the dependency is that every host runs the management agent, since unmanaged or unsupported hosts fall outside the policy.
ICE
Interactive Connectivity Establishment: a framework (RFC 8445) used to find the best path between two peers. ICE gathers a set of candidate addresses (local IPs, public IPs discovered via STUN, and TURN relay servers), exchanges them over a signalling channel, and systematically runs connectivity checks on each pair to establish a direct connection. This is the mechanism mesh overlay ZTNA architectures use to traverse NAT and firewalls, trying direct peer-to-peer paths first and falling back to relayed connections only when direct connectivity is not possible.
IAP
Identity-Aware Proxy: a ZTNA architecture (also known as a vendor-brokered ZTNA architecture) in which customer traffic passes through the vendor's PoPs, where policy is applied. Connectors on the resource side hold outbound connections to those PoPs, so the vendor's reverse proxies can reach internal applications without any inbound ports being opened on customer infrastructure.
IdP
Identity Provider: the system that authenticates users, issues identity tokens, and provides single sign-on (SSO) across applications. Examples include Microsoft Entra ID, Okta, and Duo. An IdP is the foundation of any Zero Trust journey and should be the first thing in place. One user, one login, one identity provider. If the customer is using on-premises Active Directory, synchronising identities to a cloud IdP is a necessary first step. MFA should be enforced across all applications through the IdP.
MDR
Managed Detection and Response: combines EDR technology with human expertise to provide outsourced threat detection, incident response, and continuous monitoring. For MSPs, MDR can be a service they resell or partner on, extending their security offering without building a full SOC in-house.
Mesh Overlay
A ZTNA architecture where endpoints connect peer-to-peer via encrypted tunnels using techniques like UDP/TCP hole punching. No centralised gateway required; traffic flows directly between peers, preserving data sovereignty. A key advantage is that the mesh can also act as the pathway to the public internet and apply DNS filtering, removing the need for a separate SWG in environments that don’t require inline inspection. Because private traffic stays peer-to-peer, customers avoid the latency, bandwidth charges, and data sovereignty concerns that come with routing everything through a vendor’s cloud.
MPLS
Multiprotocol Label Switching: traditionally used for enterprise WAN connectivity with guaranteed performance and SLA-backed circuits, but often expensive. SD-WAN is typically positioned as the modern replacement, using cheaper internet circuits with software-based path selection. Customers replacing MPLS typically look at SD-WAN or, for simpler connectivity needs, mesh overlay ZTNA which already provides multi-path resilience.
NAT
Network Address Translation: a method of mapping private IP addresses to public IP addresses, allowing multiple devices on a local network to share a single public IP address. The classic STUN classification (RFC 3489) describes four NAT types, each with different implications for peer-to-peer connectivity. Real devices are more precisely described by their mapping and filtering behaviour (RFC 4787), but the four types remain the common shorthand:
- Full Cone NAT is the most permissive. Once an outbound connection creates a mapping, any external host can send packets to that mapped IP and port. Direct connections are always possible.
- Restricted Cone NAT only allows inbound packets from external IPs the internal host has previously contacted. Direct connections are possible once each peer has sent a packet towards the other's public address; the first packet may be dropped by the far side, which is why both sides send.
- Port Restricted Cone NAT requires the external host to match both the IP and the port the internal host contacted. Both peers must send packets to each other at roughly the same time for the connection to succeed.
- Symmetric NAT assigns a different external port for each destination, so the port a peer learned via STUN is not the port used towards that peer. Direct connections to another symmetric NAT, or to a port restricted cone NAT, almost always fail and traffic has to be relayed (typically via TURN); against a full cone or restricted cone NAT they can still succeed.
NFR
Not For Resale: a licence type that allows partners to use software internally for testing, demonstration, and training, but not for customer deployment. When evaluating ZTNA vendors, check whether NFR licences are available so you can run the product internally before rolling it out to customers.
NIS2
Network and Information Security Directive 2: an EU directive that expands cybersecurity obligations to a broader range of sectors and organisations, requiring risk management measures, incident reporting, and supply chain security. Member states are responsible for transposing NIS2 into national law. Relevant to MSPs because the supply chain provisions may place obligations on service providers, not just the end customer.
NIST
National Institute of Standards and Technology: a US agency whose cybersecurity frameworks (particularly SP 800-207 on Zero Trust Architecture) are widely adopted as reference standards. Even outside the US, NIST frameworks shape how auditors, insurers, and boards evaluate security posture.
PoP
Point of Presence: a physical location where a vendor has networking equipment. Relevant when evaluating bundled SSE platforms, because centralising all traffic through vendor PoPs introduces questions of data sovereignty, latency, capacity provisioning, bandwidth charges, and operational dependency on vendor uptime. Mesh overlay architectures avoid this for private traffic by keeping it peer-to-peer.
QoS
Quality of Service: traffic prioritisation techniques for managing network resources, ensuring performance for critical applications like VoIP and video. QoS is a core SD-WAN capability. Whether end-customers need dedicated QoS depends on whether they have multi-site WAN optimisation requirements.
SASE
Secure Access Service Edge: a Gartner-defined framework (2019) that bundles SD-WAN with cloud-delivered security (SSE) into a single platform. The full SASE stack targets organisations consolidating multiple point products. “We need to be SASE” is a common procurement conversation, but the underlying requirement is often private access and web protection, which ZTNA with DNS filtering can cover depending on the customer’s needs.
SD-WAN
Software-Defined Wide Area Network: the networking layer that separates SASE from SSE. Provides WAN-level traffic engineering including TCP tuning, QoS, multi-ISP path selection, and SLA-backed private backbone. Mesh overlay ZTNA already provides multi-path resilience via NAT traversal and ICE candidates; the SD-WAN differentiator is centralised traffic engineering, not connectivity itself. Only relevant when customers have genuine WAN optimisation needs such as replacing MPLS circuits, aggregating multiple ISPs, or protecting latency-sensitive applications like VoIP across multiple sites.
SDP
Software Defined Perimeter: a ZTNA architecture based on “authenticate first, connect second” principles. Uses connectors or gateways deployed at the resource side, with a controller that verifies identity and device posture before granting access. Strengths include no inbound firewall rules and application-layer awareness. Trade-offs include requiring appliance or connector deployment at each site, and less support for east-west (internal) traffic compared to mesh overlay approaches.
SSE
Security Service Edge: a Gartner-defined category (2021) that isolates the security stack from SASE, recognising that enterprises were adopting cloud security components independently of SD-WAN. Bundles SWG, CASB, ZTNA, and FWaaS. Depending on the customer’s requirements, the full SSE bundle may introduce complexity and cost beyond what is actually needed. A mesh overlay ZTNA paired with a standalone SWG (separate products) may be preferable, splitting traffic by purpose: private access flows peer-to-peer, while internet-bound traffic flows through the SWG for inline inspection.
SWG
Secure Web Gateway: upgrades DNS filtering to full inline proxy inspection. Where DNS filtering asks "should I resolve this domain?", SWG asks "what is the user actually doing, and should I allow it?" Decrypts TLS traffic (which requires the gateway's inspection CA to be trusted on managed devices, and exclusions for applications that pin certificates), performs deep packet inspection, applies URL filtering (not just domain-level), and scans for malware in real-time. Add SWG when the customer has a regulatory requirement for inline inspection, needs to block specific URLs rather than entire domains, or requires content-level acceptable use enforcement. Note that host-based, cloud-managed SWGs perform inspection on the endpoint itself, avoiding the latency and data sovereignty concerns of routing all traffic through vendor infrastructure.
XDR
Extended Detection and Response: extends detection and response capabilities across multiple security layers including endpoints, networks, cloud workloads, and email. Like EDR and MDR, XDR is a market differentiation term. For MSPs, the practical question is whether a single vendor’s XDR platform provides meaningful cross-layer correlation that justifies consolidation, or whether best-of-breed point products serve the customer better.
Zero Trust
A security model based on the principle “never trust, always verify”. Rather than trusting users and devices because they are inside the network perimeter, Zero Trust requires continuous verification of identity, device posture, and context before granting access to any resource. Zero Trust is an approach, not a product. CISA publishes a Zero Trust Maturity Model that provides a useful framework for assessing progress. For MSPs, it represents both a competitive differentiator and a maturity journey: start with identity (IdP and MFA), layer in device posture (EDR), then add network controls (ZTNA with DNS filtering), before considering SWG or CASB for customers with specific compliance requirements.
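The verification sequence this entry and the EDR entry describe (identity, then device posture, then context, re-checked continuously rather than once at login), written out as a small policy decision point. This is an added example, not code from the original glossary or from any ZTNA product; the resource name follows the ZTNA entry's Sage example, while the group names, the allowed countries and the re-authentication window are constructed policy values.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool           # MFA satisfied through the IdP for this session


@dataclass(frozen=True)
class DevicePosture:
    managed: bool                # enrolled in the customer's management platform
    edr_running: bool            # EDR agent present and healthy
    disk_encrypted: bool


@dataclass(frozen=True)
class Context:
    country: str
    minutes_since_auth: int


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: FrozenSet[str]
    require_edr: bool = True
    allowed_countries: FrozenSet[str] = frozenset({"GB", "IE"})   # constructed policy
    reauth_after_minutes: int = 480                                # constructed policy


def evaluate(identity: Identity, device: DevicePosture,
             ctx: Context, resource: Resource) -> Tuple[str, List[str]]:
    """Policy decision point: returns ("allow" | "step_up" | "deny", reasons).

    Stages mirror the maturity journey: identity first, then device posture,
    then context. A deny is final; step-up asks the user to re-authenticate.
    """
    # 1. Identity: who is asking, and have they proven it this session?
    if not identity.groups & resource.allowed_groups:
        return "deny", [f"{identity.user} is not in an allowed group for {resource.name}"]
    if not identity.mfa_verified:
        return "step_up", ["MFA not satisfied for this session"]
    # 2. Device posture: is the device one we can trust with this resource?
    reasons = []
    if not device.managed:
        reasons.append("unmanaged device")
    if resource.require_edr and not device.edr_running:
        reasons.append("EDR agent not running")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if reasons:
        return "deny", reasons
    # 3. Context: where and when is the request coming from?
    if ctx.country not in resource.allowed_countries:
        return "deny", [f"access from {ctx.country} not permitted"]
    if ctx.minutes_since_auth > resource.reauth_after_minutes:
        return "step_up", ["session older than re-authentication window"]
    return "allow", []


def continuous_session(identity: Identity, device_states: List[DevicePosture],
                       ctx: Context, resource: Resource) -> List[str]:
    """Re-evaluate on every posture report; the session ends at the first non-allow.

    This is the "always verify" part: an allowed session is cut when the EDR
    agent stops mid-session instead of coasting on the login-time decision.
    """
    decisions = []
    for device in device_states:
        decision, _ = evaluate(identity, device, ctx, resource)
        decisions.append(decision)
        if decision != "allow":
            break
    return decisions


# Constructed sample inputs.
FINANCE_APP = Resource("Sage", frozenset({"finance"}))
ALICE = Identity("alice", frozenset({"finance"}), mfa_verified=True)
HEALTHY = DevicePosture(managed=True, edr_running=True, disk_encrypted=True)
EDR_STOPPED = DevicePosture(managed=True, edr_running=False, disk_encrypted=True)
OFFICE = Context("GB", minutes_since_auth=15)

if __name__ == "__main__":
    print(evaluate(ALICE, HEALTHY, OFFICE, FINANCE_APP))
    print(evaluate(ALICE, EDR_STOPPED, OFFICE, FINANCE_APP))
    print(continuous_session(ALICE, [HEALTHY, HEALTHY, EDR_STOPPED, HEALTHY], OFFICE, FINANCE_APP))
```

The reasons list is what makes this operable for an MSP helpdesk: a deny that says "EDR agent not running" is a ticket the technician can close, whereas a bare "access denied" is a call.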
ZTNA
Zero Trust Network Access: the modern VPN replacement. Provides secure, private access to internal resources based on identity verification rather than network location. Common MSP use-cases include remote workers accessing internal applications (Sage, QuickBooks, file shares, printers), MSP technicians reaching customer infrastructure across dozens of sites, connecting branch offices, and scoping contractor access to a single resource. Multiple architectures exist (mesh overlay, SDP, IAP), each with different trade-offs around appliance deployment, data sovereignty, protocol support, and east-west traffic handling. Depending on the customer’s requirements, ZTNA combined with DNS filtering may cover the requirement without the complexity of a full SSE or SASE stack.