Leadline Inc.Leadline Inc.
Control Requirements

LS-16: Encrypted Data Transmission

Default encryption for all electronic information transmissions over public networks

Control Description

All transmissions of electronic information from/to the in-scope applications and related databases are encrypted as the default setting over public networks via secure transmission protocols (e.g., HTTPS, SFTP, VPN, and TLS).

Plain Meaning

This control requires organizations to encrypt all data transmissions to and from applications and databases when communicating over public networks. This ensures that sensitive information is protected during transmission and cannot be intercepted by unauthorized parties.

Implementation: SSL/TLS Database Encryption

AWS RDS SSL/TLS Encryption

We utilize AWS RDS SSL/TLS encryption to secure all database connections and data transmissions between applications and our RDS database instances.

SSL/TLS Configuration

  • Certificate Authorities: AWS RDS provides multiple CA options (rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, rds-ca-ecc384-g1)
  • Automatic Rotation: Server certificates are automatically rotated before expiration
  • Server Identity Verification: Optional server certificate validation for enhanced security
  • Regional Certificates: Region-specific certificate bundles for secure connections

Supported Database Engines

  • MySQL: SSL/TLS support for MySQL DB instances

Transmission Security Protocols

Database Connections

  • SSL/TLS: All database connections use SSL/TLS encryption
  • Certificate Validation: Server certificate validation for trusted connections
  • Encrypted Data: All data transmitted between applications and databases is encrypted
  • Secure Protocols: HTTPS, SFTP, and VPN for additional transmission security

Network Security

  • VPC Isolation: Database instances in private subnets with no public access
  • Security Groups: Restrictive security group rules for database access
  • Encrypted Transit: All data in transit is encrypted at the physical layer
  • Regional Encryption: Cross-region traffic automatically encrypted

Compliance and Monitoring

  • Audit Logging: Complete logs of all encrypted transmission activities
  • Certificate Management: Automated certificate rotation and management
  • Security Monitoring: Real-time monitoring of transmission security
  • Compliance Validation: Regular validation of encryption protocols
  • LS-01: Database encryption at rest
  • LS-05: Direct database access restrictions
  • LS-14: Administrative access restrictions

LS-14: Administrative Access Restrictions

Restrict administrative access to applications and databases based on job function

LS-19: Access Termination

Automated or manual access termination within specified timeframes after employee/contractor termination