SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
Page last updated:
When deployed in accordance with the associate reference architecture, PCF PAS provides both confidentiality and integrity of transmitted information. All implied requirements are satisfied.
Network traffic to any PCF publicly accessible endpoint is protected via TLS, and optionally via SSH.
Network traffic within the PCF PAS private subnet may be protected using the IPsec BOSH Add-on.
For more information about IPsec see IPsec Add-on for PCF.
For an overview of securing traffic into PCF see Securing Traffic into Cloud Foundry.
For more information about TLS in PCF see PCF Component and Container Security.
For more information about SSH with BOSH see Enabling SSH Access.
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.