Encryption of Data in Transit
Description
The entity uses encryption to protect data transmitted over networks.
⚠️ Risk Impact
Unencrypted data in transit can be read, and silently modified, by anyone positioned on the network path: a compromised host on the same segment, a hostile network device, or an intermediary on the public internet.
🔧 Remediation
Enforce TLS 1.2+ on all connections, internal (east-west) as well as external: disable TLS 1.0/1.1 and weak cipher suites on servers, and make clients validate the server certificate and hostname rather than skipping verification. EchelonGraph checks SSL/TLS configurations on all endpoints.
💀 Real-World Attack Scenario
An internal microservice talked to its database over a plaintext (unencrypted) connection inside a VPC, on the assumption that a private network is a trusted network. An attacker who had compromised a pod positioned on the same network path ran tcpdump and captured every query and result set, including unmasked SSNs, credit card numbers, and password hashes. VPC boundaries and security groups did not help: they control who can open a connection, not who can read traffic that is already on the wire.
💰 Cost of Non-Compliance
PCI DSS Requirement 4 (4.1 in v3.2.1, 4.2.1 in v4.0) mandates strong cryptography for cardholder data transmitted over open, public networks. HIPAA §164.312(e)(1) (Transmission Security) requires technical safeguards against unauthorized access to ePHI in transit. Commonly cited non-compliance costs: $5K-$100K/month in card-brand fines passed through by the acquiring bank (PCI); $100K-$1.5M per violation category per year (HIPAA statutory tiers, adjusted annually for inflation).
📋 Audit Questions
1. Are all internal and external connections encrypted with TLS 1.2+?
2. Show certificate management procedures.
3. How are weak cipher suites prevented?
4. Is certificate pinning implemented for sensitive connections?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Encrypting external traffic but leaving internal/east-west traffic unencrypted
- ⛔ Supporting TLS 1.0/1.1 for 'backward compatibility'
- ⛔ Not monitoring for certificate expiration
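The remediation and the pitfalls above come down to a handful of concrete settings: minimum protocol version, cipher suite selection, certificate and hostname verification, and certificate expiry. The script below is an added example written for this page; it is not EchelonGraph's code and does not reflect how the product performs its checks. It uses only the Python standard library, shows a hardened client context next to the common "skip verification" anti-pattern, audits a context for the weaknesses listed in the pitfalls, classifies certificate expiry against a fixed clock, and includes a live probe that connects to a real endpoint with the hardened context. The hostnames and `notAfter` dates in `SAMPLE_CERTS` are constructed for illustration and are not real certificates.

```python
"""TLS-in-transit audit helpers: hardened vs. insecure client contexts, a
context auditor, certificate-expiry classification and a live endpoint probe."""
from __future__ import annotations

import socket
import ssl
import sys
import time

# Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are governed
# separately by OpenSSL and remain enabled.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DSS"
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "anon")


def hardened_client_context() -> ssl.SSLContext:
    """What 'enforce TLS 1.2+' looks like on the client side."""
    ctx = ssl.create_default_context()            # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 outright
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The 'just make it connect' anti-pattern: encryption without authentication.
    Any on-path attacker can terminate the connection with their own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return finding codes for a client context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("min_version")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode")
    if not ctx.check_hostname:
        findings.append("check_hostname")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak_cipher:{name}")
        elif suite["protocol"] != "TLSv1.3" and not name.startswith(("ECDHE", "DHE")):
            findings.append(f"no_forward_secrecy:{name}")  # static RSA key exchange
    return findings


def cert_expiry_status(cert: dict, now: float, warn_days: int = 30) -> str:
    """Classify a getpeercert() dict as 'expired', 'expiring' or 'ok' relative to now (epoch s)."""
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left <= 0:
        return "expired"
    if days_left <= warn_days:
        return "expiring"
    return "ok"


# Constructed sample data in getpeercert() shape: hypothetical hosts, not real certificates.
SAMPLE_CERTS = {
    "payments-db.internal": {"notAfter": "Dec 31 23:59:59 2024 GMT"},
    "auth-api.internal": {"notAfter": "Jan 15 00:00:00 2025 GMT"},
    "gateway.example.com": {"notAfter": "Jun  1 00:00:00 2026 GMT"},
}
AUDIT_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")  # fixed clock for the sample


def expiry_report(certs: dict = SAMPLE_CERTS, now: float = AUDIT_NOW) -> dict:
    """Expiry status per host; feed it real getpeercert() output and time.time() in production."""
    return {host: cert_expiry_status(cert, now) for host, cert in certs.items()}


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check with the hardened context. A handshake failure is itself a finding:
    the server offers only TLS < 1.2, no acceptable cipher, an untrusted cert or the wrong name."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with hardened_client_context().wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": cert["notAfter"],
                "cert_status": cert_expiry_status(cert, time.time()),
            }


if __name__ == "__main__":
    print("hardened context findings:", audit_context(hardened_client_context()))
    print("insecure context findings:", audit_context(insecure_client_context()))
    print("expiry report:", expiry_report())
    if len(sys.argv) > 1:  # e.g. python tls_audit.py example.com 443
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(probe_endpoint(host, port))
```

Run it with no arguments to see the audit of both contexts and the sample expiry report; pass a host and port to probe a live endpoint. Because the probe uses the hardened context, an `ssl.SSLError` on connect is the useful result: it means the server would only negotiate something the policy forbids, which is exactly what the first and second pitfalls above look like from the client side.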
📈 Business Value
End-to-end encryption protects data even when the network itself is compromised. It is required by every major compliance framework, and it removes passive interception as an attack class outright; combined with proper certificate validation it also defeats active man-in-the-middle attacks.
⏱️ Effort Estimate
4-8 hours to audit all service connections and enforce TLS
EchelonGraph monitors TLS configurations across all endpoints
🔗 Cross-Framework References
Automate SOC 2 CC6.7 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.