FedRAMP in Five - Encryption of Data in Transit
Encryption of Data In Transit
Recently, the FedRAMP Program Management Office (PMO) has been enforcing a very strict interpretation of what must be encrypted in transit under SC-8 (Transmission Confidentiality and Integrity). Previously, the interpretation was that all traffic crossing the system boundary required encryption, along with some key data streams within the system boundary.
The evolving interpretation is that all traffic using a protocol that supports encryption must be encrypted in transit, even within the system boundary. The PMO is enforcing this and is unwilling to accept a Plan of Action and Milestones (POA&M) entry in place of remediating these deficiencies. Even where agencies are signing off, the PMO has been known to delay listings in the FedRAMP Marketplace until the deficiencies are resolved.
This has broad implications for cloud providers, such as:
- Traffic now has to be re-encrypted from the load balancer to the application servers behind it. Depending on the system architecture, the additional TLS termination and re-encryption can have performance impacts.
- Content inspection mechanisms (for example a WAF or IDS) often rely on inspecting unencrypted streams, so they must sit where traffic is decrypted or be able to inspect TLS themselves.
- Kubernetes (k8s) inter-node traffic is difficult, and in some environments impractical, to encrypt in transit without a service mesh or a CNI plugin that encrypts pod-to-pod traffic, each of which brings its own operational and performance cost.
Our recommendations:
- Have a very clear understanding of the ports and protocols in use between components of the system, so you know exactly what you have to encrypt.
- Encrypt every protocol that supports encryption. Examples include database connections, application server traffic, Application Programming Interface (API) and service endpoints (HTTPS), and directory services (LDAPS).
- Use Federal Information Processing Standards (FIPS) endpoints if using Amazon Web Services (AWS) GovCloud.
- Know what your infrastructure service provider is capable of providing for you.
- Protocols that do not make sense to encrypt include:
  - Domain Name System (DNS). Exception: we have seen DNS over TLS (DoT) used in place of DNSSEC. Note that DoT protects the confidentiality of the client-to-resolver hop, while DNSSEC authenticates the records themselves, so one is not a substitute for the other.
  - Network Time Protocol (NTP).
- Describe all encrypted paths in detail in your diagrams, including the encryption level (Transport Layer Security (TLS) 1.2, 1.3, etc.).
- For areas that are difficult, impractical, or where performance would be significantly degraded, there are infrastructure-based options such as AWS Nitro-based instances, which can encrypt traffic between supported instances transparently at the hardware level. Just be careful to plan with AWS for availability, as capacity can be a limiting factor.
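As an added example that is not part of the original post: a small Python probe that walks the port and protocol inventory from the first recommendation, attempts a TLS handshake to each hop, and emits the negotiated protocol version and cipher as labels for the diagrams called for above. DNS and NTP are recorded as exempt per the list rather than failing. The hostnames in the inventory are constructed placeholders, and the status categories and the acceptance of TLS 1.2/1.3 only are this example's assumptions, not PMO text.

```python
"""Verify encryption in transit hop by hop and produce diagram labels.

Added example for this post, not code from the original. Hosts, ports and
protocol names in the inventory below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional
import socket
import ssl

# Protocols the post treats as not sensible to encrypt (DNS, NTP). Record
# them as exempt rather than as findings so they don't hide real gaps.
EXEMPT_PROTOCOLS = {"dns", "ntp"}
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}   # assumed policy, not PMO text


@dataclass(frozen=True)
class Hop:
    src: str        # component initiating the connection
    dst: str        # host or IP of the listener
    port: int
    protocol: str   # "https", "postgres", "ldaps", "dns", ...


@dataclass(frozen=True)
class Finding:
    hop: Hop
    status: str     # ok | weak | plaintext | handshake_failed | unreachable | exempt
    tls_version: Optional[str] = None
    cipher: Optional[str] = None


def assess(hop: Hop, tls_version: Optional[str], cipher: Optional[str],
           error: Optional[BaseException] = None) -> Finding:
    """Pure policy decision, kept free of I/O so it can be unit-tested."""
    if hop.protocol.lower() in EXEMPT_PROTOCOLS:
        return Finding(hop, "exempt")
    if error is not None:
        # A listener that answers a ClientHello with non-TLS bytes (e.g. an
        # HTTP 400) surfaces as WRONG_VERSION_NUMBER: it is a plaintext port.
        if isinstance(error, ssl.SSLError) and "WRONG_VERSION_NUMBER" in str(error):
            return Finding(hop, "plaintext")
        # Other TLS failures need a protocol-native check: PostgreSQL and LDAP
        # StartTLS negotiate TLS after an initial plaintext message, so a raw
        # handshake fails even when the service is correctly encrypted.
        if isinstance(error, ssl.SSLError):
            return Finding(hop, "handshake_failed")
        return Finding(hop, "unreachable")
    if tls_version not in ACCEPTED_VERSIONS:
        return Finding(hop, "weak", tls_version, cipher)
    return Finding(hop, "ok", tls_version, cipher)


def probe(hop: Hop, timeout: float = 3.0) -> Finding:
    """Handshake with the listener and report what it negotiated.

    Verification is disabled and old versions are allowed on purpose: the
    goal is to observe what the server picks, not to trust it. The real
    clients must still verify certificates and pin TLS 1.2+.
    """
    if hop.protocol.lower() in EXEMPT_PROTOCOLS:
        return assess(hop, None, None)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let weak servers negotiate so we can report them
    try:
        with socket.create_connection((hop.dst, hop.port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hop.dst) as tls:
                return assess(hop, tls.version(), tls.cipher()[0])
    except OSError as exc:            # ssl.SSLError is an OSError subclass
        return assess(hop, None, None, error=exc)


def render_label(f: Finding) -> str:
    """One line per hop for the data-flow diagram (SC-8 evidence)."""
    label = f"{f.hop.src} -> {f.hop.dst}:{f.hop.port} ({f.hop.protocol}): {f.status}"
    if f.tls_version:
        label += f" {f.tls_version}"
    if f.cipher:
        label += f" {f.cipher}"
    return label


def deficiencies(findings) -> list:
    """Hops that fail SC-8 outright and cannot be parked in a POA&M."""
    return [f for f in findings if f.status in {"plaintext", "weak"}]


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders, not real systems.
    inventory = [
        Hop("alb", "app.internal", 8443, "https"),
        Hop("app", "db.internal", 5432, "postgres"),
        Hop("app", "ldap.internal", 636, "ldaps"),
        Hop("app", "ns.internal", 53, "dns"),
        Hop("app", "time.internal", 123, "ntp"),
    ]
    results = [probe(h) for h in inventory]
    for r in results:
        print(render_label(r))
    print(f"{len(deficiencies(results))} hop(s) need encryption before listing")
```

Run it against the real inventory and paste the labels onto the boundary diagram; anything reported as plaintext or weak is a deficiency the PMO will not let you POA&M, and anything reported as handshake_failed on a STARTTLS-style protocol (PostgreSQL, LDAP on 389) should be confirmed with the native client (for example psql with sslmode=verify-full) before being recorded.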