Data in transit encryption in Security Analytics

Article ID: 247704

Products

Security Analytics, Security Analytics - VA

Issue/Introduction

An Application Control Assessment may ask about data in transit encryption.

The control procedure details approved methods for protecting data in transit, including with third parties. There are three ways to secure data in transit:

  1. Encrypt the data upfront at the application level and then transmit it; or
  2. Transmit the data by leveraging approved secured transmission protocols; or
  3. Both of the above.

Is data sent unencrypted during any of the following data transmission scenarios:

  • API
  • Web traffic
  • host-to-host
  • client-server
  • client-client
  • connections to storage services
  • data feeds
  • between and within network segments and interfaces
  • remote connectivity and management
  • connections between data centers etc.

Resolution

  • API - encrypted with HTTPS
  • Web traffic - encrypted with HTTPS
  • host-to-host - SA doesn't do this, except for Central Manager communication, which happens entirely within a VPN tunnel
  • client-server - SA doesn't do this, except for Central Manager communication, which happens entirely within a VPN tunnel
  • client-client - not applicable for the application
  • data feeds - SA has no control over these third-party feeds, as they are provided to us by a third party
  • between and within network segments and interfaces - not really applicable unless you are using SNMP or SYSLOG. If so, that should be securely configured on the customer side.
  • remote connectivity & management - done over HTTPS or via SSH sessions to the appliance
  • connections between data centers - not applicable