07_Protect-Data-in-Transit.md

Protection of Data-in-Transit

(Back)

Objective

Protect data transiting networks through the use of appropriate encryption and network safeguards.

Applicable Service Models

IaaS, PaaS, SaaS

Mandatory Requirements

Activity	Validation
Encrypt data in transit by default (for example, Transport Layer Security (TLS) 1.2) to protect the confidentiality and integrity of data, including for all publicly accessible sites and external communications, according to the GC Web Sites and Services Management Configuration Requirements, and wherever possible for internal zone communication.	Confirm that TLS 1.2 or above encryption is implemented for all cloud services (via Hypertext Transfer Protocol Secure (HTTPS), TLS or another mechanism). Note: while this encryption setting is often the default, cloud platforms and cloud services often have configuration options to select the permitted TLS version.
Use CSE-approved cryptographic algorithms and protocols in accordance with ITSP.40.111 and ITSP.40.062.	Leverage cryptographic algorithms and protocols configurable by the user in accordance with ITSP.40.111 and ITSP.40.062.
Leverage non-person entity certificates from certificate authorities that align with the Government of Canada Recommendations for TLS Server Certificates for GC Public Facing Web Services.	Confirm that non-person entity certificates are issued from certificate authorities that align with GC recommendations for TLS server certificates.

Additional Considerations

None

References

• Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) 2017-01, subsection 6.2.4
• Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations
• Web Sites and Services Management Configuration Requirements
• cryptography guidance in Cryptographic Algorithms for Unclassified, Protected A and Protected B Information (ITSP.40.111) and Guidance on Securely Configuring Network Protocols (ITSP.40.062)
• network security zoning guidance in Baseline Security Requirements for Network Security Zones (ITSP.80.022) and Network Security Zoning (ITSG-38)
• Guidance on Cloud Service Cryptography (ITSP.50.106).
• Government of Canada Recommendations for TLS Server Certificates for GC Public Facing Web Services (accessible only on the Government of Canada network)
• Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104), subsection 4.5

Related security controls from ITSG-33

IA-7, SC-12, SC-13, SC-28, SC-28(1)