diff --git a/documentation/src/docs/security/pravega-security-configurations.md b/documentation/src/docs/security/pravega-security-configurations.md
index 260658e2e8c..a3eb135137e 100644
--- a/documentation/src/docs/security/pravega-security-configurations.md
+++ b/documentation/src/docs/security/pravega-security-configurations.md
@@ -9,46 +9,66 @@ You may obtain a copy of the License at
-->
# Pravega Security Configurations
-The following is the list of configuration parameters for different Pravega components.
-
-## Pravega Segment store
-
-|Parameter|Details|Default Value|
-|---------|-------|-------------|
-|pravegaservice.enableTls| Enable TLS on client to segment store connection.|False|
-|pravegaservice.certFile|Certificate file used for TLS (public key)| Empty|
-|pravegaservice.keyFile|Key file (Private key) used for TLS|Empty|
-|autoScale.tlsEnabled| Enable TLS for internal communication between segment store and controller|False|
-|autoScale.authEnabled|Enable authorization/authentication for internal communication between segment store and controller|False|
-|autoScale.tlsCertFile|Certificate file used for encrypted internal communication between segment store and controller| Empty|
-|autoScale.tokenSigningKey|Signing key used to sign the delegation token sent from controller to segment store| Empty|
-|bookkeeper.tlsEnabled|Enable TLS for communication between segment store and Apache Bookkeeper| False|
-|bookkeeper.tlsTrustStorePath| Truststore for TLS communication between segment store and Apache Bookkeeper| Empty |
-|pravegaservice.secureZK|Enable TLS for communication between segment store and Apache Zookeeper| False|
-|bookkeeper.zkTrustStore| Truststore for TLS communication between segment store and Apache Zookeeper| Empty |
-
-## Pravega Controller
-
-|Parameter|Details|Default Value|
-|---------|-------|-------------|
-|config.controller.server.authorizationEnabled|Enable authorization/authentication| False|
-|config.controller.server.tlsEnabled|Enable encrypted channel between Pravega client and controller|False|
-|config.controller.server.tlsKeyFile|The key file (Private key) for communication between Pravega client and controller|Empty|
-|config.controller.server.tlsCertFile|Public key certificate for communication between Pravega client and controller|Empty|
-|config.controller.server.tokenSigningKey|Signing key used to sign the delegation token passed on to the segment store|Empty|
-|config.controller.server.userPasswordFile|File containing user details for default _auth_ implementation for Pravega (similar to `/etc/passwd`)|Empty|
-|config.controller.server.zk.secureConnectionToZooKeeper|Enable TLS for connection to Apache ZooKeeper| False|
-|config.controller.server.zk.trustStorePath|Truststore for TLS communications with Apache ZooKeeper| False|
-
-## Pravega Standalone
-For ease of use Pravega standalone hides some of the configurations that are mentioned above. Below is the table containing relevant configurations for Pravega Standalone:
-
-|Parameter|Details|Default Value|
-|---------|-------|-------------|
-|singlenode.enableTls|Enable TLS between all the components deployed within the singlenode| False|
-|singlenode.enableAuth|Enable authentication/authorization between all the components within the singlenode |False|
-|singlenode.certFile|If TLS is enabled, the public key certificate is used for internal communication between segment store and controller|Empty|
-|singlenode.keyFile|If TLS is enabled, this represents the private key by all the server sockets| Empty|
-|singlenode.passwdFile|If _auth_ is enabled, this represents the password file for the default _auth_ plugin implementation|Empty|
-|singlenode.userName|If _auth_ is enabled, this represents the username used for internal communication between segment store and controller|Empty|
-|singlenode.passwd|If _auth_ is enabled, this represents the password used for internal communication between segment store and controller|Empty|
+This document describes the security configuration parameters of Pravega, in both **distributed** and **standalone** modes.
+
+## Security Configuration Parameters in Distributed Mode
+
+In the distributed mode, Controllers and Segment Stores are configured individually. The following sub-sections describe
+their Transport Layer Security (TLS) and auth (short for authentication and authorization) parameters.
+
+
+### Segment Store
+
+|Parameter|Description|Default Value|Feature|
+|---------|-------|-------------|------------|
+| `pravegaservice.enableTls` | Whether to enable TLS for client-server communications. | False | TLS |
+| `pravegaservice.certFile` | Path of the X.509 PEM-encoded server certificate file for the service. | Empty | TLS |
+| `pravegaservice.keyFile` | Path of the PEM-encoded private key file for the service. | Empty | TLS |
+| `pravegaservice.secureZK` | Whether to enable TLS for communication with Apache Zookeeper. | False | TLS |
+| `pravegaservice.zkTrustStore` | Path of the truststore file in `.jks` format for TLS connections with Apache Zookeeer. | Empty | TLS |
+| `pravegaservice.zkTrustStorePasswordPath` | Path of the file containing the password of the truststore used for TLS connections with Apache Zookeeper. | Empty | TLS |
+| `autoScale.tlsEnabled` | Whether to enable TLS for internal communication with the Controllers. | False | TLS |
+| `autoScale.tlsCertFile` | Path of the PEM-encoded X.509 certificate file used for TLS connections with the Controllers. | Empty | TLS |
+| `autoScale.validateHostName` | Whether to enable hostname verification for TLS connections with the Controllers. | True | TLS |
+| `autoScale.authEnabled` | Whether to enable authentication and authorization for internal communications with the Controllers. | False | Auth |
+| `autoScale.tokenSigningKey` | The key used for signing the delegation tokens. | Empty | Auth |
+| `bookkeeper.tlsEnabled` | Whether to enable TLS for communication with Apache Bookkeeper. | False | TLS |
+| `bookkeeper.tlsTrustStorePath` | Path of the truststore file in `.jks` format for TLS connections with Apache Bookkeeper. | Empty | TLS |
+
+
+### Controller
+
+|Parameter|Details|Default Value|Feature|
+|---------|-------|-------------|-------|
+| `controller.auth.tlsEnabled` | Whether to enable TLS for client-server communication. | False | TLS |
+| `controller.auth.tlsCertFile` | Path of the X.509 PEM-encoded server certificate file for the service. | Empty | TLS |
+| `controller.auth.tlsKeyFile` | Path of the PEM-encoded private key file for the service. | Empty | TLS |
+| `controller.auth.tlsTrustStore` | Path of the PEM-encoded truststore file for TLS connections with Segment Stores. | Empty | TLS |
+| `controller.rest.tlsKeyStoreFile` | Path of the keystore file in `.jks` for the REST interface. | Empty | TLS |
+| `controller.rest.tlsKeyStorePasswordFile` | Path of the file containing the keystore password for the REST interface. | Empty | TLS |
+| `controller.zk.secureConnection` | Whether to enable TLS for communication with Apache Zookeeper| False | TLS |
+| `controller.zk.tlsTrustStoreFile` | Path of the truststore file in `.jks` format for TLS connections with Apache Zookeeer. | Empty | TLS |
+| `controller.zk.tlsTrustStorePasswordFile` | Path of the file containing the password of the truststore used for TLS connections with Apache Zookeeper. | Empty | TLS |
+| `controller.auth.enabled` | Whether to enable authentication and authorization for clients. | False | Auth |
+| `controller.auth.userPasswordFile` | Path of the file containing user credentials and ACLs, for the PasswordAuthHandler.| Empty | Auth |
+| `controller.auth.tokenSigningKey` | Key used to sign the delegation tokens for Segment Stores. | Empty | Auth |
+
+
+## Security Configurations in Standalone Mode
+
+For ease of use, Pravega standalone mode abstracts away some of the configuration parameters of distributed mode. As a result, it has
+fewer security configuration parameters to configure.
+
+
+|Parameter|Details|Default Value|Feature|
+|---------|-------|-------------|-------|
+| `singlenode.enableTls` | Whether to enable TLS for client-server communications. | False | TLS |
+| `singlenode.certFile` | Path of the X.509 PEM-encoded server certificate file for the server. |Empty| TLS |
+| `singlenode.keyFile` | Path of the PEM-encoded private key file for the service. | Empty | TLS |
+| `singlenode.keyStoreJKS` | Path of the keystore file in `.jks` for the REST interface. | Empty | TLS |
+| `singlenode.keyStoreJKSPasswordFile` |Path of the file containing the keystore password for the REST interface. | Empty | TLS |
+| `singlenode.trustStoreJKS` | Path of the truststore file for internal TLS connections. | Empty | TLS |
+| `singlenode.enableAuth` | Whether to enable authentication and authorization for clients. |False| Auth |
+| `singlenode.passwdFile` | Path of the file containing user credentials and ACLs, for the PasswordAuthHandler. |Empty| Auth |
+| `singlenode.userName` | The default username used for internal communication between Segment Store and Controller. | Empty| Auth |
+| `singlenode.passwd` | The default password used for internal communication between Segment Store and Controller. | Empty| Auth |
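Review bot: In the Segment Store table, the new `autoScale.tokenSigningKey` description ("The key used for signing the delegation tokens.") drops what the removed row stated, that the token is sent from the Controller to the Segment Store, and nothing in the new text ties this key to `controller.auth.tokenSigningKey`. Please state how the two values relate. This key and `singlenode.passwd` are also documented as values rather than file paths, unlike the `*PasswordPath` and `*PasswordFile` parameters, so say how the configuration holding them should be protected. The same hunk replaces the `config.controller.server.*` keys and `bookkeeper.zkTrustStore` with new names without saying whether the old names are still accepted; a short mapping or compatibility note would help operators who are upgrading. Smaller points: "Zookeeer" is misspelled in the `pravegaservice.zkTrustStore` and `controller.zk.tlsTrustStoreFile` rows; the Segment Store header uses "Description" while the other two tables use "Details"; `bookkeeper.tlsTrustStorePath` and `singlenode.trustStoreJKS` have no documented truststore password parameter, unlike the ZooKeeper truststores; and "in `.jks` for the REST interface" is missing the word "format" in the `controller.rest.tlsKeyStoreFile` and `singlenode.keyStoreJKS` rows.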