Protection of Data-in-Transit



Protect data transiting networks through the use of appropriate encryption and network safeguards.

Applicable Service Models

IaaS, PaaS, SaaS

Mandatory Requirements

Activity / Validation

Activity: Encrypt data in transit by default (for example, Transport Layer Security (TLS) 1.2) to protect the confidentiality and integrity of data, including for all publicly accessible sites and external communications, according to the GC Web Sites and Services Management Configuration Requirements, and wherever possible for internal zone communication.
Validation: Confirm that TLS 1.2 or above encryption is implemented for all cloud services (via Hypertext Transfer Protocol Secure (HTTPS), TLS or another mechanism). Note: while this encryption setting is often the default, cloud platforms and cloud services often have configuration options to select the permitted TLS version.

Activity: Use CSE-approved cryptographic algorithms and protocols in accordance with ITSP.40.111 and ITSP.40.062.
Validation: Leverage cryptographic algorithms and protocols configurable by the user in accordance with ITSP.40.111 and ITSP.40.062.

Activity: Leverage non-person entity certificates from certificate authorities that align with the Government of Canada Recommendations for TLS Server Certificates for GC Public Facing Web Services.
Validation: Confirm that non-person entity certificates are issued from certificate authorities that align with GC recommendations for TLS server certificates.
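The validation step above (confirm a TLS 1.2 floor and approved algorithms, noting that platforms expose the permitted TLS version as a setting) can be automated for an application's own TLS configuration. The following is an added example, not part of the guardrail text: it audits a Python ssl.SSLContext against an illustrative policy (TLS 1.2 or above, AEAD suites, forward-secret key exchange) that is assumed here rather than taken from ITSP.40.062, and contrasts a hardened context with a permissive one.

```python
import ssl

# Illustrative policy for the guardrail's validation step: TLS 1.2 or above,
# AEAD cipher suites only, and forward-secret key exchange. This is an
# assumption for the example, not the literal ITSP.40.062 suite list.
MIN_TLS = ssl.TLSVersion.TLSv1_2
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}  # kx-any: TLS 1.3 suites

# Constructed sample shaped like ssl.SSLContext.get_ciphers() output: one CBC
# suite (no AEAD) and one RSA-key-exchange suite (no forward secrecy).
SAMPLE_WEAK_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-SHA", "aead": False, "kea": "kx-ecdhe"},
    {"name": "AES128-GCM-SHA256", "aead": True, "kea": "kx-rsa"},
]


def audit_settings(minimum_version, ciphers):
    """Return findings for a TLS version floor plus a list of cipher dicts."""
    findings = []
    if minimum_version < MIN_TLS:
        findings.append(f"version floor {minimum_version.name} is below TLSv1_2")
    for c in ciphers:
        if not c.get("aead"):
            findings.append(f"{c['name']}: not an AEAD suite")
        if c.get("kea") not in FORWARD_SECRET_KX:
            findings.append(f"{c['name']}: key exchange {c.get('kea')} lacks forward secrecy")
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext, e.g. the one an application is about to serve with."""
    return audit_settings(ctx.minimum_version, ctx.get_ciphers())


def hardened_server_context():
    """Server context that satisfies the policy above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1 clients
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL")  # TLS 1.2 suites; 1.3 suites stay on
    return ctx


def permissive_server_context():
    """Server context with no version floor: the setting the guardrail check should flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("permissive", permissive_server_context())):
        print(label, audit_context(ctx) or "compliant")
```

Certificate issuance from an approved CA is a separate check (inspect the served certificate chain) and is not covered by this block.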

Additional Considerations



IA-7, SC-12, SC-13, SC-28, SC-28(1)
