SID-TRANS-05 — Operator TLS Deployment Enforcement
| Property | Value |
|---|---|
| Owner | operator |
| Category | technical |
| CSF Function | protect |
| Group | Transport Security Controls |
Description
All internal service-to-service communication within the wallet deployment MUST be protected by TLS 1.2 or later, including the issuer-to-registry path, backend-to-database connections, and any auxiliary service calls (FaceTec API, trust-list endpoints).
Implementation requirements:
1. Reverse proxy (Nginx / Caddy / Envoy) MUST terminate external TLS and re-encrypt to the backend with a valid internal certificate.
2. Database connections (PostgreSQL, MongoDB) MUST use TLS with certificate verification enabled; plain-text mode MUST be disabled in the deployment configuration.
3. Service mesh or network policy MUST deny plain HTTP between wallet backend components (e.g. via Kubernetes NetworkPolicy or Istio mTLS STRICT mode).
4. Certificate management: certificates MUST be provisioned via an automated system (e.g. cert-manager + ACME / internal CA) and auto-renewed before expiry.
5. TLS configuration MUST be validated post-deployment with a TLS scanner (e.g. testssl.sh or Qualys SSL Labs equivalent) and the scan report retained as assurance evidence.
Review criteria: deployment manifest reviewed and TLS scan report available. No plain-text paths accepted between components.
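As an added example (not part of this control or any wallet project's code), the following Python lint checks the two parts of requirement (2) and the auxiliary-call case that a manifest review can verify offline: PostgreSQL DSNs must carry a certificate-verifying `sslmode` (note that libpq's `require` encrypts but accepts any certificate, and the default when `sslmode` is absent is `prefer`, which allows plaintext), and outbound client contexts for trust-list or FaceTec API calls must enforce TLS 1.2 with chain and hostname verification. The DSN values and the internal CA path are constructed samples.

```python
"""Manifest lint for SID-TRANS-05 requirement (2): DB links must use
verified TLS; plus a policy check for auxiliary HTTPS client contexts."""
import ssl
from typing import Dict, Optional
from urllib.parse import urlparse, parse_qs

# libpq sslmode values that verify the server certificate. "require"
# only encrypts and still trusts any certificate, so it is excluded.
VERIFYING_SSLMODES = {"verify-ca", "verify-full"}


def postgres_sslmode(dsn: str) -> str:
    """Extract sslmode from a libpq URI or key=value DSN.
    libpq defaults to 'prefer' when absent, which permits plaintext."""
    if dsn.startswith(("postgresql://", "postgres://")):
        params = parse_qs(urlparse(dsn).query)
        return params.get("sslmode", ["prefer"])[0]
    kv = dict(tok.split("=", 1) for tok in dsn.split() if "=" in tok)
    return kv.get("sslmode", "prefer")


def postgres_dsn_compliant(dsn: str) -> bool:
    """True only if the DSN forces TLS and verifies the server cert."""
    return postgres_sslmode(dsn) in VERIFYING_SSLMODES


def internal_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context for auxiliary HTTPS calls (trust-list, FaceTec API):
    TLS 1.2 minimum, certificate chain and hostname verification on."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Policy check usable against any context a service hands out."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


# Constructed sample DSNs, as a reviewer would see them in a manifest.
SAMPLE_DSNS = {
    "legacy-plain": "host=db.internal dbname=wallet sslmode=disable",
    "default-prefer": "postgresql://wallet@db.internal:5432/wallet",
    "encrypt-only": "postgresql://wallet@db.internal/wallet?sslmode=require",
    "verified": "postgresql://wallet@db.internal/wallet"
                "?sslmode=verify-full&sslrootcert=/etc/pki/internal-ca.pem",
}


def review(dsns: Dict[str, str]) -> Dict[str, bool]:
    """Map each DSN name to compliance; any False fails the deployment review."""
    return {name: postgres_dsn_compliant(dsn) for name, dsn in dsns.items()}


if __name__ == "__main__":
    for name, ok in review(SAMPLE_DSNS).items():
        print(f"{name}: {'OK' if ok else 'FAIL (plaintext or unverified TLS)'}")
```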
Components
- Reverse Proxy / TLS
- PostgreSQL Database
Source References
Framework Requirements
ISO 27001 Annex A: A.8.24