Universal encryption of data in transit
All data transmitted inside OSDU and into/out of OSDU must be encrypted in all infrastructure providers.
Data in transit includes:
- Between the OSDU API endpoint and the requesting client
  - When it's another OSDU service (e.g., Load Service calls Search Service)
  - When it's "internal" (e.g., the operator's non-OSDU systems calling OSDU APIs)
  - When it's "external" (e.g., an authorised external entity, like a partner or JV)
- Between OSDU services and the constituent cloud services
  - Storage
  - Databases
  - Cloud provider API calls
Infrastructure providers are:
- AWS
- Azure
- Google Cloud Platform
- IBM / RedHat
Definition of Done
For each infrastructure provider:
- Document all flows of data
- Document what encryption is used for each flow
- Document where encryption is not available and/or not used
- Link to cloud-specific information for more details on encryption
- All internet/extranet facing APIs refuse connections at less than TLS 1.2.
Given 4 infrastructure providers and approximately 2 kinds of data flows each, about 8 statements will need to be written.
For example:
This is a fictitious example.
On AWS, all containers run Kubernetes version XYZ, each connection supports TLS version A, B, and C. For additional details, click here.
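The last Definition of Done item (refuse connections below TLS 1.2) can be verified per endpoint rather than taken on trust. The Go program below is an added example, not OSDU or provider code: it runs a server with a TLS 1.2 floor and a client over an in-memory pipe and checks that a client offering only TLS 1.0 or 1.1 is refused while TLS 1.2 and 1.3 complete; the self-signed certificate is constructed for the check, and InsecureSkipVerify is used only because that certificate is throwaway.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate so the check runs offline.
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// HandshakeAccepted reports whether a server whose floor is serverMin completes a handshake
// with a client offering exactly clientVersion. Both ends share an in-memory pipe; session
// tickets are off so the server writes nothing after Finished and the pipe cannot stall.
func HandshakeAccepted(serverMin, clientVersion uint16) bool {
	srvSide, cliSide := net.Pipe()
	defer cliSide.Close() // closing one end unblocks whatever the other end is doing
	cliSide.SetDeadline(time.Now().Add(5 * time.Second)) // never let a check hang
	srvErr := make(chan error, 1)
	go func() {
		srv := tls.Server(srvSide, &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}, MinVersion: serverMin, SessionTicketsDisabled: true})
		srvErr <- srv.Handshake()
	}()
	// InsecureSkipVerify only because the certificate above is a throwaway test artifact.
	cli := tls.Client(cliSide, &tls.Config{InsecureSkipVerify: true, MinVersion: clientVersion, MaxVersion: clientVersion})
	if cli.Handshake() != nil {
		return false // the server refused the offered version (protocol_version alert)
	}
	return <-srvErr == nil
}
func main() {
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		fmt.Printf("server floor TLS 1.2, client version 0x%04x: accepted=%v\n", v, HandshakeAccepted(tls.VersionTLS12, v))
	}
}
```

Against a live API endpoint the same client configuration goes into tls.Dial instead of the pipe, with certificate verification left on; a refused TLS 1.0/1.1 handshake is the evidence the Definition of Done asks for.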
Edited by Paco Hope (AWS)