IF Encryption in motion is required, THEN Always encrypt data in motion.
OTHERWISE Follow the table below:
|Sensitivity||Location||Low Risk||Medium Risk||High Risk|
ALSO IF Surveillance of traffic is required AND encryption is used, THEN either:
Feasible: Encryption is not always feasible. For example, real-time control data at a rates or with delay requirements beyond technical capabilities to encrypt are infeasible. Infeasibility may be fed by economic concerns, complexity of operations, political sensitivities, or any number of other factors.
Convenient: Encryption is often convenient and readily available. For examples, SSL to Web servers, WPA for wireless systems, and ssh for remote terminal access are almost always as each or nearly as easy to do as operating unencrypted. When use of encryption is as easy, reliable, fast, and allowable as non-use, encryption should be used.
Alternatives: There are, of course, alternatives to encryption (and other modes of coding) in transit. For example, physical separation of infrastructure and local wiring may be used in some cases. Signals may be sent via multiple paths or protocols to make it harder to intercept complete information, etc. But without physical containment and a great deal of additional control, access will be attainable.
Information that must be protected from observation either because it is confidential or because it revels operational information that could be used in intelligence, should be encrypted in transit to prevent exploitation.
All (other) information:
Not all information is sensitive and the rest of the information may be treated differently. A good example is content of public Web servers which often has integrity requirements, but usually has no confidentiality requirements.
Within internal infrastructure, encryption may be harder to do on a uniform basis, and it may be more expensive. If physical or other protective mechanisms are adequate to the need, there is no need to encrypt internally, but this does not apply to remote connections to "internal" resources at another location.
When transiting untrusted networks, including the Internet and other connections that pass through areas of lesser trust.
In some cases, it is necessary to observe traffic to meet external mandates (e.g., laws requiring law enforcement and government access to transmissions), while in other cases, protection may be enhanced by surveillance (e.g., leakage prevention, intrusion detection, etc.) In these cases, there are three basic options:
The use of encryption for information in transit, as opposed to other techniques, is specifically and solely for the purpose of preventing unauthorized revelation of content or information about the systems exchanging the content. It is expensive to do well and prevents internal surveillance that may be important to intrusion detection, network debugging, and other similar uses. Therefore, the only justification for encryption in transit comes from external requirements or risks. However, it is very inexpensive in most cases today to encrypt less well, so unless there is a need to surveil the communications, encryption is sensible at some level or quality in most cases.
Low risk: In low risk situations, encrypting all content traveling through internal networks may be too hard or expensive, is often unnecessary, and may be difficult to manage. If required for some contractual or other reason, external traffic should be encrypted. Sensitive information should be internally encrypted if it is convenient because, while the risk is low, the cost is also low in this situation. External sensitive information should be encrypted if required for regulatory, public perception, or contractual reasons.
Medium risk: In medium risk situations, all internal network traffic should only be encrypted if convenient. Most information is not likely to be important if leaked, and this keeps unnecessary costs down without sacrificing anything critical. All external and internal sensitive information should be encrypted if it is convenient because, in the case of external information, it increases the difficulty of understanding which information is important, and for internal information, it doesn't hurt to encrypt if it is convenient. Sensitive information with value this high and identified threats should always be encrypted in transit, even internally.
High risk: In high risk situations, loss of life or similar high consequences may be the result of sensitive information leaks. As a result, all sensitive information should be encrypted in transit. Non-sensitive information should be encrypted internally if convenient and externally if feasible, for the same reasons as the medium risk situation.