Universal encryption of data in transit

All data transmitted inside OSDU and into/out of OSDU must be encrypted in all infrastructure providers.

Data in transit includes:

  • Between the OSDU API endpoint and the requesting client
    • When it's another OSDU service (e.g., Load Service calls Search Service)
    • When it's "internal" (e.g., the operator's non-OSDU systems calling OSDU APIs)
    • When it's "external" (e.g., an authorised external entity, like a partner or JV)
  • Between OSDU services and the constituent cloud services
    • Storage
    • Databases
    • Cloud provider API calls

Infrastructure providers are:

  • AWS
  • Azure
  • Google Cloud Platform
  • IBM / RedHat

Definition of Done

For each infrastructure provider:

  1. Document all flows of data
  2. Document what encryption is used for each flow
  3. Document where encryption is not available and/or not used
  4. Link to cloud-specific information for more details on encryption
  5. All internet/extranet-facing APIs refuse connections that negotiate a protocol version lower than TLS 1.2.

Given 4 infrastructure providers and approximately 2 kinds of data flows each, there will need to be about 8 statements generated.
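As an added illustration of how item 5 can be verified against a deployed endpoint (this is example code written for this page, not OSDU project code), the following Python script offers exactly one protocol version per handshake and records which versions the server accepts. The decision logic is kept in a separate pure function so that the "refuse below TLS 1.2" rule can be applied to probe results regardless of how they were gathered. The host and port are assumptions supplied on the command line; certificate verification is disabled only because the probe measures protocol negotiation, not chain validity.

```python
"""Probe a TLS endpoint once per protocol version and decide whether it meets
the Definition of Done item "refuse connections below TLS 1.2".
Added example for this page; not part of the OSDU code base."""
import socket
import ssl
import sys

# Protocol versions offered, oldest first. SSLv3 cannot be selected through
# ssl.TLSVersion on current Python builds, so the probe starts at TLS 1.0.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")  # versions an internet-facing API must refuse


def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake when the client is
    willing to speak only `version`; False if it refuses or the handshake fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol negotiation is what is being measured, not the certificate
    # chain, so verification is switched off for this probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Lower OpenSSL's security level so the client is actually able to
        # offer TLS 1.0/1.1; otherwise local policy, not the server, refuses.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def scan(host, port=443):
    """Map each version name to whether the endpoint accepted it."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def evaluate(results):
    """Pure decision logic over scan results (a dict of version -> accepted).
    Compliant only if no legacy version was accepted and at least one of
    TLS 1.2 / TLS 1.3 completed a handshake."""
    findings = [f"{v} accepted (must be refused)" for v in LEGACY if results.get(v)]
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("no TLS 1.2 or 1.3 handshake succeeded")
    return (not findings, findings)


if __name__ == "__main__":
    # Usage: python tls_min_check.py <host> [port]   (host/port are assumptions)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = scan(target, target_port)
    for name, accepted in res.items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
    compliant, notes = evaluate(res)
    print("COMPLIANT" if compliant else "NON-COMPLIANT: " + "; ".join(notes))
```

Running the script against each internet/extranet-facing API per provider gives one line of evidence for item 5; the per-version output also serves as the "what encryption is used" detail for item 2. A result of "refused" for TLS 1.2 and 1.3 as well usually means the probe was blocked before the handshake (firewall, SNI requirement) rather than a misconfigured endpoint, which is why `evaluate` reports that case separately.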

For example

This is a fictitious example.

On AWS, all containers run Kubernetes version XYZ, each connection supports TLS version A, B, and C. For additional details, click here.

Edited by Paco Hope (AWS)