da-3 | High priority | Data Security

Data in transit is encrypted using modern protocols

Unencrypted traffic can be intercepted on any segment of the network path, including internal networks, cloud provider links, and ISP infrastructure. Encrypting data in transit ensures that even if traffic is captured, it cannot be read or modified. Modern protocols mean TLS 1.2 at minimum, with TLS 1.3 preferred. Older protocols like SSLv3, TLS 1.0, and TLS 1.1 have known weaknesses and must be disabled.

Implementation steps

  1. Enforce HTTPS for all web-facing services and APIs

     Enable HTTPS on every web application, API endpoint, and admin console. Redirect all HTTP traffic to HTTPS automatically. Configure HSTS headers so browsers remember to use HTTPS for your domains. Disable TLS 1.0 and 1.1 at the load balancer or web server level.

     Tools: aws-acm cloudflare lets-encrypt nginx aws-alb

  2. Encrypt internal service-to-service communication

     Internal traffic between microservices, databases, and backend systems should also be encrypted. Enable TLS on database connections, message queues, and internal APIs. Use a service mesh or mutual TLS for east-west traffic in containerized environments.

     Tools: istio linkerd aws-privatelink vault cert-manager

  3. Scan for weak TLS configurations and unencrypted endpoints

     Run a TLS scanner against your public-facing domains to identify weak cipher suites, expired certificates, or outdated protocol versions. Automate certificate renewal to prevent expiry. Include internal endpoints in scope by scanning from within the network.

     Tools: ssllabs testssl.sh qualys-ssl-labs nessus detectify
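
The following script is an added example of how the three steps above can be checked against the "TLS 1.2 at minimum, older protocols disabled" requirement; it is not tooling from this control catalog or from any of the listed products. It evaluates an nginx-style `ssl_protocols` directive, a Strict-Transport-Security header value, and a certificate notAfter date, and includes a live probe that pins a handshake to each TLS version so that a server accepting TLS 1.0 or 1.1 shows up as a finding. The one-year HSTS max-age baseline and the 30-day expiry warning window are assumed thresholds, not values stated by the control.

```python
"""Audit helpers for the data-in-transit control: evaluate an nginx-style
ssl_protocols directive, an HSTS header, and a certificate expiry date,
and probe a live endpoint for the TLS versions it accepts.
Added example; the thresholds below are assumptions, not the control's own."""
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Optional

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}                  # modern, per the control
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # must be disabled
MIN_HSTS_MAX_AGE = 31536000   # one year (assumed baseline)
CERT_WARN_DAYS = 30           # renewal warning window (assumed)


def check_ssl_protocols(directive: str) -> list[str]:
    """Evaluate one `ssl_protocols ...;` line as found in an nginx config.
    Returns a list of findings; an empty list means the line is compliant."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        return ["not an ssl_protocols directive"]
    enabled = set(tokens[1:])
    findings = [f"weak protocol enabled: {p}"
                for p in sorted(enabled & FORBIDDEN_PROTOCOLS)]
    if not enabled & ALLOWED_PROTOCOLS:
        findings.append("no modern protocol (TLSv1.2/TLSv1.3) enabled")
    return findings


def check_hsts(header_value: Optional[str]) -> list[str]:
    """Evaluate a Strict-Transport-Security response header (None = absent)."""
    if header_value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not an integer"]
    findings = []
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_certificate_expiry(not_after_iso: str, now_iso: Optional[str] = None) -> list[str]:
    """Compare a certificate's notAfter (ISO 8601 with timezone offset) to now."""
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(0):
        return ["certificate expired"]
    if remaining < timedelta(days=CERT_WARN_DAYS):
        return [f"certificate expires in {remaining.days} days"]
    return []


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict[str, bool]:
    """Live check for step 3: one handshake per TLS version, pinned to that
    version only. True for TLSv1 or TLSv1.1 is a finding against the control."""
    versions = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    results = {}
    for name, version in versions.items():
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # protocol acceptance only, not trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


if __name__ == "__main__":
    # Constructed sample inputs, as a config review or scanner might collect them.
    sample_directive = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
    sample_hsts = "max-age=300"
    sample_not_after = "2024-01-11T00:00:00+00:00"
    findings = (check_ssl_protocols(sample_directive)
                + check_hsts(sample_hsts)
                + check_certificate_expiry(sample_not_after, "2024-01-01T00:00:00+00:00"))
    for finding in findings:
        print("FINDING:", finding)
```

The offline checks cover the evidence items this control asks for (TLS 1.2+ only, no expired certificates); `probe_tls_versions` is the piece to run from inside the network against internal endpoints, since a public scanner will not reach them.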

Evidence required

TLS configuration and scan results

Evidence that all services use modern encryption protocols and that weak configurations have been remediated.

  • SSL Labs scan results showing A or A+ grade for public domains
  • Load balancer or web server TLS configuration showing TLS 1.2+ only
  • Certificate inventory showing no expired or self-signed certs in production

Related controls