DAT-004 Encryption in Transit
Description
All data transmitted over networks (internal and external) is protected using approved transport encryption protocols (minimum TLS 1.2, TLS 1.3 preferred). Unencrypted transmission of sensitive or personal data over any network is prohibited.
Rationale
Network interception is a high-probability threat vector for SaaS services. Transport encryption is a non-negotiable baseline that all cloud-native architectures must enforce.
Framework Mappings (8)
| Mapped control | Title | Coverage |
| --- | --- | --- |
| CEK-03 | Data Protection | full |
| DSP-10 | Sensitive Data Transfer | partial |
| GDPR-Art.32.1 | Technical and Organisational Security Measures | partial |
| 5.14 | Information transfer | partial |
| 8.24 | Use of cryptography | partial |
| SC-13 | Cryptographic Protection | partial |
| SC-8 | Transmission Confidentiality and Integrity | full |
| CC6.7 | Transmission, Movement, and Removal of Information | partial |
Evidence (2)
Load balancer, API gateway and web server configuration demonstrating enforcement of TLS 1.2 or higher with weak protocol versions and cipher suites disabled.
Example: AWS ALB listener configuration export (including the listener's SSL policy), nginx TLS configuration, or Qualys SSL Labs scan results (A rating or better) for all public-facing endpoints, showing TLS 1.0 and 1.1 disabled.
Test: Run an SSL/TLS scan against all external endpoints (e.g. Qualys SSL Labs for internet-reachable hosts, testssl.sh for anything SSL Labs cannot reach) and review load balancer listener configurations. Verify: (1) SSLv3, TLS 1.0 and TLS 1.1 are disabled on all endpoints, (2) TLS 1.2 is the minimum version offered, (3) no weak cipher suites (RC4, 3DES, NULL, export-grade or anonymous suites) are enabled, (4) HTTP (port 80) redirects to HTTPS or is blocked. The scan result and the configuration must agree: a policy name in an export is not sufficient on its own if the live endpoint still negotiates TLS 1.0.
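As an added illustration of the configuration-review half of this test (not part of the control text, and not a tool the catalog prescribes), the following script audits nginx server blocks for the four points above: legacy protocol versions in `ssl_protocols`, weak tokens in `ssl_ciphers`, and plaintext listeners that serve content instead of redirecting. The two configurations it runs against are constructed for the example; the host name is fictitious.

```python
"""Audit nginx TLS configuration against DAT-004 (added example, constructed input)."""
import re

# Protocol tokens nginx accepts in ssl_protocols; anything below TLSv1.2 is a finding.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Fragments of OpenSSL cipher tokens that indicate weak, export-grade or unauthenticated suites.
WEAK_CIPHER_TOKENS = ("RC4", "3DES", "DES", "NULL", "EXP", "MD5", "aNULL", "eNULL")

# Constructed "before" configuration: legacy protocols, RC4/3DES, plaintext HTTP serving content.
WEAK_CONFIG = """
server {
    listen 80;
    server_name api.example.test;
    location / { proxy_pass http://backend; }
}
server {
    listen 443 ssl;
    server_name api.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL;
    location / { proxy_pass http://backend; }
}
"""

# Constructed "after" configuration: TLS 1.2/1.3 only, AEAD suites, HTTP redirected to HTTPS.
HARDENED_CONFIG = """
server {
    listen 80;
    server_name api.example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name api.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    location / { proxy_pass http://backend; }
}
"""


def _server_blocks(config):
    """Return the body of every top-level `server { ... }` block, matching nested braces."""
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", config):
        depth, j = 0, m.end() - 1
        for j in range(m.end() - 1, len(config)):
            if config[j] == "{":
                depth += 1
            elif config[j] == "}":
                depth -= 1
                if depth == 0:
                    break
        blocks.append(config[m.end():j])
    return blocks


def _directive(block, name):
    """Return the argument string of `name ...;` inside a block, or None if absent."""
    m = re.search(r"\b" + name + r"\s+([^;]+);", block)
    return m.group(1).strip() if m else None


def _weak_ciphers(cipher_string):
    """List positive cipher tokens that match a weak fragment; negated tokens (!X, -X) are fine."""
    weak = []
    for token in cipher_string.split(":"):
        if not token or token.startswith(("!", "-")):
            continue
        if any(frag in token for frag in WEAK_CIPHER_TOKENS):
            weak.append(token)
    return weak


def audit_nginx(config):
    """Return a list of DAT-004 findings, one string per problem, for every server block."""
    findings = []
    for block in _server_blocks(config):
        name = _directive(block, "server_name") or "(unnamed)"
        listen = (_directive(block, "listen") or "80").split()
        if "ssl" not in listen:
            # Plaintext listener: acceptable only if it redirects to HTTPS or refuses to serve.
            if not re.search(r"\breturn\s+(30[178]\s+https://|4\d\d)", block):
                findings.append(f"{name} ({listen[0]}): plaintext HTTP serves content without redirecting to HTTPS")
            continue
        protocols = _directive(block, "ssl_protocols")
        if protocols is None:
            findings.append(f"{name}: ssl_protocols not set explicitly; effective default depends on nginx version")
        else:
            legacy = sorted(LEGACY_PROTOCOLS & set(protocols.split()))
            if legacy:
                findings.append(f"{name}: legacy protocols enabled: {' '.join(legacy)}")
        weak = _weak_ciphers(_directive(block, "ssl_ciphers") or "")
        if weak:
            findings.append(f"{name}: weak cipher tokens: {':'.join(weak)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_nginx(cfg) or "no findings")
```

The static check is a complement to the scan, not a replacement: it cannot see the OpenSSL build behind `HIGH`, and an `ssl_protocols` line that is absent inherits a version-dependent default, which is why the script reports that case rather than assuming it is safe.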
Internal service mesh or network policy configuration showing that service-to-service communication within the cluster or VPC is encrypted in transit.
Example: Kubernetes Istio PeerAuthentication policy export (or the equivalent configuration from another service mesh) confirming mutual TLS is enforced for all east-west service communication in the production environment. AWS security groups and Kubernetes NetworkPolicies restrict which services may talk to each other but do not encrypt the traffic; on their own they are not evidence for this item.
Test: Review the service mesh or internal network encryption configuration. Verify: (1) mTLS (or equivalent internal encryption) is enforced in STRICT mode mesh-wide and is not relaxed to PERMISSIVE or DISABLE by any namespace-level or workload-level policy (PERMISSIVE still accepts plaintext connections), (2) no services are exempted from internal transport encryption without documented justification, (3) configuration was last reviewed within 12 months.
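As an added illustration of this review (not part of the control text), the script below checks a set of Istio PeerAuthentication objects, in the shape `kubectl get peerauthentication -A -o json` returns, against the three points above. The policies are constructed for the example. Two annotation keys, `security.example/mtls-exception-justification` and `security.example/last-reviewed`, are a hypothetical convention assumed here for recording justification and review date; `istio-system` as the mesh root namespace is Istio's default and is also an assumption about the cluster.

```python
"""Audit Istio PeerAuthentication policies against DAT-004 (added example, constructed input)."""
from datetime import date, timedelta

ROOT_NAMESPACE = "istio-system"  # assumption: Istio's default root namespace for mesh-wide policy
JUSTIFICATION_KEY = "security.example/mtls-exception-justification"  # hypothetical annotation convention
REVIEWED_KEY = "security.example/last-reviewed"  # hypothetical annotation convention, ISO date
REVIEW_WINDOW = timedelta(days=365)
RELAXED_MODES = ("PERMISSIVE", "DISABLE")
TODAY = date(2025, 6, 1)  # fixed evaluation date so the example is reproducible

# Constructed export: a STRICT mesh-wide default, a documented per-port exception, and an
# undocumented, stale PERMISSIVE workload policy that should be reported.
POLICIES = [
    {"metadata": {"namespace": "istio-system", "name": "default",
                  "annotations": {REVIEWED_KEY: "2024-09-01"}},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"namespace": "payments", "name": "ledger-healthcheck",
                  "annotations": {REVIEWED_KEY: "2025-02-10",
                                  JUSTIFICATION_KEY: "plaintext health probe from legacy LB, port 8080 only"}},
     "spec": {"selector": {"matchLabels": {"app": "ledger"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {"8080": {"mode": "PERMISSIVE"}}}},
    {"metadata": {"namespace": "legacy", "name": "cobol-bridge",
                  "annotations": {REVIEWED_KEY: "2023-01-15"}},
     "spec": {"selector": {"matchLabels": {"app": "cobol-bridge"}},
              "mtls": {"mode": "PERMISSIVE"}}},
]


def audit_peer_authentication(policies, today):
    """Return a list of findings: missing/non-STRICT mesh default, undocumented exceptions, stale reviews."""
    findings = []

    # (1) A mesh-wide policy is the one in the root namespace with no workload selector.
    # Without it, workloads not covered by any policy fall back to Istio's PERMISSIVE default.
    mesh_wide = [p for p in policies
                 if p["metadata"]["namespace"] == ROOT_NAMESPACE and "selector" not in p.get("spec", {})]
    if not mesh_wide:
        findings.append("no mesh-wide PeerAuthentication in root namespace; uncovered workloads accept plaintext")
    elif mesh_wide[0].get("spec", {}).get("mtls", {}).get("mode") != "STRICT":
        findings.append("mesh-wide PeerAuthentication is not STRICT")

    for p in policies:
        meta, spec = p["metadata"], p.get("spec", {})
        ident = f"{meta['namespace']}/{meta['name']}"
        ann = meta.get("annotations", {})

        # (2) Collect every scope where this policy relaxes mTLS: the policy-wide mode
        # (UNSET means inherit, which is not itself an exception) and any port-level override.
        scopes = [("mtls", spec.get("mtls", {}).get("mode", "UNSET"))]
        scopes += [(f"port {port}", cfg.get("mode", "UNSET"))
                   for port, cfg in spec.get("portLevelMtls", {}).items()]
        relaxed = sorted(f"{scope}={mode}" for scope, mode in scopes if mode in RELAXED_MODES)
        if relaxed and not ann.get(JUSTIFICATION_KEY):
            findings.append(f"{ident}: undocumented mTLS exception ({', '.join(relaxed)})")

        # (3) Every policy must carry a review date inside the 12-month window.
        reviewed = ann.get(REVIEWED_KEY)
        if reviewed is None or date.fromisoformat(reviewed) < today - REVIEW_WINDOW:
            findings.append(f"{ident}: not reviewed within 12 months (last-reviewed={reviewed})")
    return findings


def run_audit():
    """Audit the constructed export at the fixed evaluation date."""
    return audit_peer_authentication(POLICIES, TODAY)


if __name__ == "__main__":
    for finding in run_audit() or ["no findings"]:
        print(finding)
```

A documented exception such as the port 8080 health probe passes the script but still appears in the review: the justification annotation is what makes it acceptable under point (2), not the fact that it is port-scoped.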
Questions (2)
Is all data transmitted over networks (internal and external) protected using TLS 1.2 or higher, with unencrypted transmission of sensitive or personal data prohibited?
TLS 1.3 is preferred. TLS 1.0 and 1.1 must be disabled. This applies to all public-facing endpoints and to service-to-service communication within the infrastructure.
What is the minimum TLS version enforced on external-facing endpoints?
TLS 1.2 is the minimum acceptable baseline. TLS 1.3 is strongly preferred. Any answer indicating TLS 1.1 or lower requires a remediation plan.