cc6-7 | Critical priority | Security / Logical and Physical Access

Sensitive data is protected during transmission and storage

Data that is intercepted in transit or extracted from storage is useless to an attacker if it is encrypted. Encryption is a foundational control that protects data confidentiality even when other controls fail. This criterion requires that customer data and other sensitive information be encrypted in transit using TLS and at rest using strong encryption algorithms.

Complete first: cc6-1

Implementation steps

  1. Enforce TLS for all data in transit

     All data transmitted between clients and your services, and between internal services, must use TLS 1.2 or higher. Disable older TLS versions (1.0, 1.1) and weak cipher suites. Configure HTTPS-only on all public endpoints and enforce HSTS. Use TLS for all internal service-to-service communication, database connections, and API calls to third parties.

     Tools: cloudflare, aws-acm, lets-encrypt, vercel

  2. Encrypt sensitive data at rest

     Enable encryption at rest for all storage that contains customer data: databases, object storage (S3 buckets), disk volumes, backups, and logs. Use platform-managed encryption keys at minimum; use customer-managed keys (CMKs) for higher-sensitivity data. Verify that encryption at rest is enabled for all datastores in scope.

     Tools: aws-kms, aws-rds, aws-s3, google-cloud-kms, hashicorp-vault

  3. Manage encryption keys securely

     Encryption keys must be protected with the same rigor as the data they protect. Use a managed key service rather than storing keys alongside data. Rotate keys on a defined schedule. Limit access to key management operations. Document your key management approach.

     Tools: aws-kms, hashicorp-vault, google-cloud-kms, azure-key-vault
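An added example, not part of this page or any vendor's tooling: a small Python audit that checks an nginx server block against the step 1 requirements (TLS 1.2+, no weak ciphers, HSTS, HTTP-to-HTTPS redirect) and returns findings you can attach as evidence. The directive names are real nginx directives; the two configs are constructed for the example.

```python
import re

# Constructed sample nginx server blocks for this example (not from any real deployment).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:RC4;
}
"""

HARDENED_CONF = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def audit_nginx_tls(conf: str) -> list[str]:
    """Return a list of findings; an empty list means the config passes these checks."""
    findings = []
    protocol_directives = re.findall(r"ssl_protocols\s+([^;]+);", conf)
    if not protocol_directives:
        findings.append("ssl_protocols not set explicitly (default depends on nginx version)")
    enabled = {p for directive in protocol_directives for p in directive.split()}
    for proto in sorted(enabled & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {proto}")
    for directive in re.findall(r'ssl_ciphers\s+"?([^;"]+)"?;', conf):
        for token in directive.split(":"):
            # Tokens starting with "!" remove ciphers from the list, so they are not a problem.
            if not token.startswith("!") and any(m in token.upper() for m in WEAK_CIPHER_MARKERS):
                findings.append(f"weak cipher token: {token}")
    if "Strict-Transport-Security" not in conf:
        findings.append("no HSTS header (add_header Strict-Transport-Security ...)")
    if not re.search(r"return\s+301\s+https://", conf):
        findings.append("no HTTP-to-HTTPS redirect (return 301 https://...)")
    return findings
```

Run `audit_nginx_tls` over each server block you export; the hardened sample returns no findings, the weak one flags TLS 1.0/1.1, RC4, missing HSTS and the missing redirect.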

Evidence required

Encryption in transit configuration

Evidence that TLS is enforced for data in transit.

  - TLS configuration showing TLS 1.2+ and HTTPS redirect
  - SSL Labs or similar scan results showing A rating
  - HSTS configuration in web server or CDN

Encryption at rest configuration

Evidence that data at rest is encrypted.

  - AWS RDS encryption-at-rest enabled screenshot
  - S3 bucket default encryption configuration
  - Database encryption configuration showing AES-256

Related controls