DM.4.01_encryption_of_data_in_transit.html.md 2.62 KB
---
layout: handbook-page-toc
title: "DM.4.01 - Encryption of Data in Transit Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# DM.4.01 - Encryption of Data in Transit

## Control Statement
Data in transit is encrypted over public networks according to GitLab policy.

## Context
Encrypting data transmitted over public networks helps ensure the confidentiality and integrity of that data. Without encryption, data in transit over public networks can easily be intercepted using automated, open-source tools and then read or modified by malicious actors.

## Scope
This control applies to red, orange, and yellow data in the production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.


## Ownership
* Control Owner: `Infrastructure`
* Process owner(s): `Infrastructure`
## Guidance
*  TLS 1.2 or higher should be used to encrypt data in transit (see [Deprecate support for TLS 1.0 and TLS 1.1](https://gitlab.com/gitlab-com/gl-security/security-department-meta/issues/202)).
*  Biannual validation of this control may be done by performing a scan with [Qualys SSL Labs](https://www.ssllabs.com/ssltest/) and/or scanning with [tls-scanner](https://gitlab.com/gitlab-com/security-tools/tls-scanner).
*  Such scans are sufficient for testing this control, as the results show whether infrastructure transmitting red, orange, and yellow data over public networks uses TLS 1.2 or higher.

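One way to perform the version check that such a scan is meant to evidence, as an added example (this is not GitLab's tls-scanner nor code from this handbook page): each probe pins a handshake to a single TLS version, and the grader reports `fail` when any version below TLS 1.2 is accepted, and `inconclusive` rather than `pass` when the local OpenSSL build will not even offer a legacy version, since the server's answer for it is then unknown. The host and port are assumed placeholders.

```python
"""Probe an endpoint one TLS version at a time and grade the result against a
'TLS 1.2 or higher' requirement. Added example; host/port are placeholders."""
import socket
import ssl

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
MINIMUM_ALLOWED = ssl.TLSVersion.TLSv1_2


def probe_version(host, port, version, timeout=5.0):
    """Handshake pinned to exactly one version: 'accepted', 'refused', or
    'untestable' (local OpenSSL will not offer it, so the server is unknown)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # grading protocol versions, not certificates
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
    except ssl.SSLError as exc:
        # Our own library declining to speak the version is not a server answer.
        if exc.reason in ("NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL"):
            return "untestable"
        return "refused"
    except OSError:
        return "refused"


def grade(results):
    """results maps TLSVersion -> status. 'fail' if a legacy version is accepted
    or no allowed one is; 'inconclusive' if a legacy version was untestable."""
    legacy = {v: s for v, s in results.items() if v < MINIMUM_ALLOWED}
    modern = {v: s for v, s in results.items() if v >= MINIMUM_ALLOWED}
    legacy_accepted = sorted(v.name for v, s in legacy.items() if s == "accepted")
    modern_accepted = sorted(v.name for v, s in modern.items() if s == "accepted")
    if legacy_accepted or not modern_accepted:
        verdict = "fail"
    elif "untestable" in legacy.values():
        verdict = "inconclusive"
    else:
        verdict = "pass"
    return {"verdict": verdict, "legacy_accepted": legacy_accepted,
            "modern_accepted": modern_accepted}


if __name__ == "__main__":  # placeholder target, replace with the host under review
    print(grade({v: probe_version("tls-endpoint.example", 443, v) for v in VERSIONS}))
```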
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data in Transit control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/796).
Examples of evidence an auditor might request to satisfy this control:
* Architecture and design documentation showing the use and high-level implementation details of TLS for production
* Random sampling of connections to/from production

### Policy Reference
* [GitLab Production Architecture](/handbook/engineering/infrastructure/production/architecture/)
* [Encryption in Transit in Google Cloud](https://cloud.google.com/security/encryption-in-transit/)
* [Deprecate support for TLS 1.0 and TLS 1.1](https://gitlab.com/gitlab-com/gl-security/security-department-meta/issues/202)

## Framework Mapping
* ISO
  * A.13.2.3
  * A.14.1.2
  * A.14.1.3
  * A.18.1.4
  * A.18.1.5
* SOC2 CC
  * CC6.7
* PCI
  * 2.3
  * 4.1
  * 4.1.1
  * 8.2.1