SC-23 SESSION AUTHENTICITY
PCF is compliant with this control. PCF supports the use of TLS for all externally accessible entry points. OAuth 2 tokens are used for maintenance of Cloud Controller API sessions, and also to implement SSO to application instances.
Internal to the deployment, PCF uses both TLS and IPsec. For communications protected by IPsec, the IKEv2 protocol establishes the security associations (SAs). IPsec peers authenticate each other with X.509 certificates.
Direct operator access to a PCF VM host or application container is protected with the SSH protocol. SSH client authentication is implemented via a public/private key pair.
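A defender's check that follows from the SSH statement above, added here as an example and not part of PCF or OpenSSH: it audits the text of an sshd_config for settings that would let a client authenticate by any means other than a key pair. It assumes OpenSSH's sshd_config semantics (the first value given for a keyword wins, and directives after a Match line apply only when that Match holds) and uses constructed sample configurations.

```python
"""Audit an OpenSSH server configuration for key-only client authentication.

Added example, not PCF's or OpenSSH's own code. Assumes OpenSSH sshd_config
semantics: the FIRST value given for a keyword is the one in effect, and
anything after a Match line is conditional, so it is excluded from the
global audit below.
"""

# Documented OpenSSH defaults for the keywords this audit cares about.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}

# ChallengeResponseAuthentication is the older spelling of the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return the effective global value for each audited keyword."""
    effective = dict(DEFAULTS)
    seen = set()
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        # Both "Keyword value" and "Keyword=value" forms are accepted by sshd.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True                       # everything that follows is conditional
            continue
        if in_match:
            continue
        keyword = ALIASES.get(keyword, keyword)
        if keyword in effective and keyword not in seen:
            effective[keyword] = value            # first occurrence wins
            seen.add(keyword)
    return effective


def audit_key_only_auth(text):
    """Return a list of findings; an empty list means only public-key auth is possible."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key-based login is disabled")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password login is possible")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': interactive password prompts are possible")
    if cfg["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is not 'no'")
    return findings


# Constructed sample: the hardening line was appended at the bottom, but an
# earlier line already set the keyword, so the earlier 'yes' is what sshd uses.
WEAK_CONFIG = """
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Constructed sample: every relevant keyword set explicitly, key-only access.
HARDENED_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_key_only_auth(cfg) or ["ok: key-only authentication"])
```

The first-occurrence rule is the part operators most often get wrong: appending `PasswordAuthentication no` to a file that already contains a `yes` changes nothing, which is why the audit reads the whole file rather than the last line it finds.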
The information system protects the authenticity of communications sessions.
This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.