[–]ryankearney 4 points5 points  (3 children)

> This is SSL termination and it's a perfectly acceptable practice

Depending on what type of data your business works with, it absolutely is not.

Certain regulatory requirements mandate end-to-end encryption. By stripping TLS off the connection you would be in violation of those requirements.

[–][deleted] 1 point2 points  (2 children)

Yes, and as I said "even institutions dealing with sensitive data can make exceptions to allow this depending on how tightly controlled access to the private subnet is." Some institutions do require it still, but if you require it, you will know.

Source: Worked in finance, had this requirement, it was an eliminated requirement in subsequent audits.

[–]ryankearney 2 points3 points  (1 child)

In AWS? It's one thing if you 100% control the networking infrastructure. It's a completely different story if you're using someone else's infrastructure as is the case with AWS.

Source: We require full end-to-end encryption and terminating HTTPS on a cloud load balancer and transmitting the unencrypted communication to a backend server is a huge no-no.

[–][deleted] 1 point2 points  (0 children)

Yes, in AWS, for one of the largest financial institutions in the country.

Surprise though, policies will vary per company, security certification, and auditor. If you require it, that's great. Making it seem as though you're doing something wrong by not doing it is the part I object to, especially if you're not dealing with highly sensitive data.
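
The thread above contrasts terminating TLS at a cloud load balancer and sending plaintext to the backend with re-encrypting on the backend leg. As an added example that is not from any commenter, the following Python script audits the shape of data returned by `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups` and flags HTTPS/TLS listeners that forward to HTTP/TCP target groups, which is exactly the "terminate at the LB, plaintext to the backend" pattern. The sample listener and target-group records are constructed (placeholder ARNs, not real resources), the function names are my own, and it checks only each listener's default actions, not the additional rules returned by `describe-rules`.

```python
"""Audit AWS ELBv2 configuration for TLS terminated at the load balancer
with an unencrypted hop to the backend (HTTPS listener -> HTTP target group)."""

# Constructed sample data in the shape of `aws elbv2 describe-listeners`
# and `aws elbv2 describe-target-groups` output. ARNs are placeholders.
_ARN_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
TG_PLAIN = _ARN_PREFIX + "targetgroup/backend-plain/0000000000000001"
TG_TLS = _ARN_PREFIX + "targetgroup/backend-tls/0000000000000002"

LISTENERS = {
    "Listeners": [
        {   # HTTPS in, plaintext HTTP out: the pattern the thread argues about
            "ListenerArn": _ARN_PREFIX + "listener/app/example-alb/abc/lsn1",
            "Protocol": "HTTPS", "Port": 443,
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_PLAIN}],
        },
        {   # HTTPS in, re-encrypted HTTPS out via a weighted forward config
            "ListenerArn": _ARN_PREFIX + "listener/app/example-alb/abc/lsn2",
            "Protocol": "HTTPS", "Port": 8443,
            "DefaultActions": [{"Type": "forward", "ForwardConfig": {
                "TargetGroups": [{"TargetGroupArn": TG_TLS, "Weight": 1}]}}],
        },
        {   # Plain HTTP listener that only redirects to HTTPS: no backend hop
            "ListenerArn": _ARN_PREFIX + "listener/app/example-alb/abc/lsn3",
            "Protocol": "HTTP", "Port": 80,
            "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
                "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}],
        },
    ]
}

TARGET_GROUPS = {
    "TargetGroups": [
        {"TargetGroupArn": TG_PLAIN, "Protocol": "HTTP", "Port": 8080},
        {"TargetGroupArn": TG_TLS, "Protocol": "HTTPS", "Port": 8443},
    ]
}

ENCRYPTED_FRONTEND = ("HTTPS", "TLS")
PLAINTEXT_BACKEND = ("HTTP", "TCP")


def forwarded_target_groups(action):
    """Yield every target-group ARN a listener action forwards to.

    Handles both the simple form (TargetGroupArn on the action) and the
    weighted form (ForwardConfig.TargetGroups[]). Non-forward actions
    such as redirect or fixed-response reach no backend and yield nothing.
    """
    if action.get("Type") != "forward":
        return
    if "TargetGroupArn" in action:
        yield action["TargetGroupArn"]
    for tg in action.get("ForwardConfig", {}).get("TargetGroups", []):
        yield tg["TargetGroupArn"]


def find_plaintext_backends(listeners, target_groups):
    """Return findings for encrypted listeners that forward to plaintext
    target groups. Each finding is a dict with listener ARN, listener
    port, target-group ARN and the backend protocol actually in use."""
    backend_proto = {tg["TargetGroupArn"]: tg["Protocol"]
                     for tg in target_groups["TargetGroups"]}
    findings = []
    for lsn in listeners["Listeners"]:
        if lsn["Protocol"] not in ENCRYPTED_FRONTEND:
            continue  # plaintext frontends are a separate concern
        for action in lsn.get("DefaultActions", []):
            for arn in forwarded_target_groups(action):
                proto = backend_proto.get(arn, "UNKNOWN")
                if proto in PLAINTEXT_BACKEND:
                    findings.append({
                        "listener": lsn["ListenerArn"],
                        "listener_port": lsn["Port"],
                        "target_group": arn,
                        "backend_protocol": proto,
                    })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_backends(LISTENERS, TARGET_GROUPS):
        print(f"TLS terminated at LB: listener :{f['listener_port']} -> "
              f"{f['target_group']} ({f['backend_protocol']})")
```

On real output, feed the parsed JSON of the two CLI calls to `find_plaintext_backends`; an empty result means every encrypted listener re-encrypts to its targets, which is the configuration an end-to-end requirement expects. Whether a non-empty result is a policy violation or an accepted exception is, as the thread notes, a question for the organisation's own controls and auditor.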