Secure Communication with Cloud
Plain English Translation
To protect data from interception, organizations must ensure that all communication between their internal networks, remote users, and cloud services is encrypted. This means enforcing modern TLS for web and API traffic and using secure tunnels such as VPNs or Zero Trust Network Access (ZTNA) when reaching sensitive cloud infrastructure. Securing these channels prevents eavesdropping and, provided certificates are properly validated at both ends, man-in-the-middle attacks.
Technical Implementation
Required actions are listed below by organization size (startup, scaleup, enterprise).
Required Actions (startup)
- Enforce HTTPS/TLS 1.2+ for all SaaS application access.
- Use secure VPNs with MFA for any administrative access to cloud environments.
- Disable legacy protocols (e.g., FTP, Telnet, HTTP) on all cloud-facing infrastructure.
Required Actions (scaleup)
- Implement a Secure Web Gateway (SWG) or Cloud Access Security Broker (CASB) to govern cloud application access.
- Enforce mutual TLS (mTLS) for API communications between internal systems and cloud services.
- Automate certificate management to prevent expired or weak TLS configurations.
Required Actions (enterprise)
- Deploy Zero Trust Network Access (ZTNA) for granular, identity-based access to cloud resources.
- Utilize automated Cloud Security Posture Management (CSPM) to continuously monitor inbound/outbound cloud network security rules.
- Integrate cloud network traffic logs with a centralized SIEM for real-time threat detection.
CyberSecure Canada Section 6.2.3.1(d) mandates that organizations ensure their IT infrastructure and users communicate securely with all cloud services. This generally means enforcing strong encryption in transit, such as modern TLS, to protect data from interception.
Organizations should require users to access SaaS applications over HTTPS using modern TLS encryption. Additionally, enforcing multi-factor authentication (MFA) and routing traffic through secure VPNs or Zero Trust Network Access (ZTNA) solutions adds further protection for remote connections.
Organizations should enforce TLS 1.2 or TLS 1.3 for all cloud connections, preferring TLS 1.3 wherever both ends support it. Legacy protocols (SSLv2, SSLv3, TLS 1.0 and TLS 1.1) and weak cipher suites (RC4, DES, 3DES, export-grade and NULL ciphers) should be strictly disabled, since each carries known cryptographic weaknesses.
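The following script is an added example, not code from the original page and not a WatchDog Security tool. It builds a client SSLContext that enforces the baseline above (TLS 1.2 floor, forward-secret AEAD suites only), a deliberately permissive context for contrast, and a probe that tries to negotiate TLS 1.0 and TLS 1.1 against a server so that a successful handshake can be recorded as a finding. Only the Python standard library is used; the default target host in the usage block is a placeholder.

```python
"""Enforce a TLS 1.2+ client baseline and probe a server for legacy TLS versions.

Added example; standard library only (ssl, socket). Requires Python 3.7+.
"""
import socket
import ssl
from typing import Dict, Set

# TLS 1.2 cipher string for the baseline: forward-secret AEAD suites only.
# RC4, DES/3DES, NULL, MD5 and anonymous suites are excluded. TLS 1.3 suites
# are configured by OpenSSL separately and are all AEAD, so nothing to filter there.
STRONG_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES"

# Versions that must be disabled on servers and that this probe tries to negotiate.
# SSLv2/SSLv3 cannot be requested from Python's ssl module at all, so they are not listed.
LEGACY_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and weak TLS 1.2 suites."""
    ctx = ssl.create_default_context()             # certificate + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_TLS12_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression enables CRIME
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The weak setting, for contrast: no floor on the protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def negotiable_protocols(ctx: ssl.SSLContext) -> Set[str]:
    """Protocol versions for which the context still has at least one cipher suite.

    OpenSSL tags each suite with the oldest version it is valid for, so a suite
    tagged 'SSLv3' or 'TLSv1.0' would also be offered in a TLS 1.0 handshake.
    """
    return {c["protocol"] for c in ctx.get_ciphers()}


def context_allows_legacy(ctx: ssl.SSLContext) -> bool:
    """True if the context could negotiate a version or suite below the baseline."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return True
    return not negotiable_protocols(ctx) <= {"TLSv1.2", "TLSv1.3"}


def probe_legacy_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Try to complete a handshake at each legacy version; a success is a finding.

    Certificate verification is deliberately off: the question is whether the
    server will *negotiate* the version, not whether its certificate is valid.
    """
    results: Dict[str, str] = {}
    for name, version in LEGACY_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # OpenSSL 3 rejects TLS < 1.2 at its default security level, so the
            # probe itself must drop to level 0 or it could never observe a weak server.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            ctx.minimum_version = version          # DeprecationWarning on 3.10+ is expected
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = "not probed (local OpenSSL cannot speak this version)"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = f"ACCEPTED as {tls.version()} - disable on the server"
        except (ssl.SSLError, OSError) as exc:
            results[name] = f"rejected ({type(exc).__name__})"
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder target
    print("hardened context allows legacy:", context_allows_legacy(hardened_client_context()))
    for version, verdict in probe_legacy_versions(target).items():
        print(f"{target}: {version}: {verdict}")
```

Run it as `python probe_tls.py cloud-api.example` (hypothetical host). A server that meets the baseline rejects both probes; an `ACCEPTED` line is the finding to fix on the server side. The probe cannot speak SSLv2 or SSLv3 because Python's ssl module no longer supports them, so a dedicated scanner is still needed to prove those are off.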
While not explicitly mandated for all basic setups, implementing mutual TLS (mTLS) is highly recommended for cloud APIs and service-to-service communication. It ensures both the client and the server cryptographically verify each other's identities before exchanging data.
Organizations can prove encryption in transit by maintaining updated network architecture diagrams, providing vulnerability scan results showing disabled legacy protocols, and sharing firewall or load balancer configurations that enforce HTTPS/TLS 1.2+ connections. Tools like WatchDog Security's Compliance Center can centralize these artifacts and link them directly to CSC-06-016 for auditor review.
A VPN provides a secure tunnel to an entire network segment, while ZTNA grants identity-based access only to specific cloud applications regardless of network location. SASE (Secure Access Service Edge) is a broader framework that combines ZTNA, CASB, and secure web gateways into a single cloud-delivered security service.
Organizations should automate TLS certificate issuance and renewal, for example with an ACME client such as certbot against a public CA like Let's Encrypt, or through an enterprise PKI. Monitoring should alert administrators well before a certificate expires and whenever a weak protocol version or cipher suite is observed on an endpoint. Tools like WatchDog Security's Posture Management can help flag misconfigurations and support remediation tracking as part of ongoing compliance.
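The monitoring half of that paragraph, as an added example that is not from the page and not a WatchDog Security product: it connects to an endpoint with a verifying context, reports days until the certificate expires, and flags the negotiated cipher if it belongs to a forbidden family. `WARN_DAYS` is an assumed threshold, the cipher-name markers are an assumption about OpenSSL naming, and the certificate dict used in the test is constructed rather than fetched.

```python
"""Certificate expiry and weak-cipher checks for cloud endpoints.

Added example; standard library only. WARN_DAYS is an assumed threshold.
"""
import socket
import ssl
import time
from typing import Dict, Optional

WARN_DAYS = 30   # assumed alerting window; align it with your renewal automation

# Substrings in OpenSSL cipher-suite names that mark a family the baseline forbids.
# "DES" also matches 3DES names such as DES-CBC3-SHA; ADH/AECDH are anonymous suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def cipher_is_weak(name: str) -> bool:
    """True if an OpenSSL cipher-suite name belongs to a forbidden family."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def days_until_expiry(cert: Dict, now: Optional[float] = None) -> float:
    """Days remaining on a certificate dict as returned by SSLSocket.getpeercert().

    getpeercert() reports notAfter as e.g. 'Jun  1 12:00:00 2031 GMT';
    ssl.cert_time_to_seconds() parses exactly that format into a UTC epoch.
    """
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def expiry_status(cert: Dict, warn_days: int = WARN_DAYS, now: Optional[float] = None) -> str:
    """'OK', 'WARN' (inside the renewal window) or 'EXPIRED'."""
    remaining = days_until_expiry(cert, now)
    if remaining <= 0:
        return "EXPIRED"
    if remaining <= warn_days:
        return "WARN"
    return "OK"


def audit_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect with a verifying context and report expiry, negotiated version and cipher.

    A certificate that fails validation raises ssl.SSLCertVerificationError here,
    which is itself a finding worth recording.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cipher_name, protocol, _bits = tls.cipher()
    return {
        "host": host,
        "protocol": protocol,
        "cipher": cipher_name,
        "weak_cipher": cipher_is_weak(cipher_name),
        "days_left": round(days_until_expiry(cert), 1),
        "expiry": expiry_status(cert),
    }


if __name__ == "__main__":
    import sys

    for host in sys.argv[1:] or ["example.com"]:   # placeholder target
        try:
            print(audit_endpoint(host))
        except (ssl.SSLError, OSError) as exc:
            print({"host": host, "error": f"{type(exc).__name__}: {exc}"})
```

Feed it the hosts from your cloud and SaaS inventory and keep the output with the other evidence: a `WARN` or `EXPIRED` status, a `weak_cipher` of `True`, or a protocol other than TLSv1.2/TLSv1.3 each maps directly to one of the required actions above.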
For mature environments, using a Cloud Access Security Broker (CASB) or Secure Web Gateway (SWG) is highly recommended. These tools provide deep visibility, enforce security policies, and prevent unauthorized data sharing across SaaS applications.
Administrative access to cloud consoles and APIs must be protected using multi-factor authentication (MFA) and restricted to dedicated administrative accounts. Connections should ideally be limited to trusted IP addresses or require routing through a secure corporate VPN.
Collect configuration exports showing TLS enforcement, network architecture diagrams detailing secure communication paths, and system access logs for cloud management consoles. Evidence should clearly demonstrate that unencrypted protocols are actively blocked. Tools like WatchDog Security's Compliance Center can organize this evidence set and maintain an audit trail, and WatchDog Security's Trust Center can help share approved evidence with auditors or customers using access controls.
Start by building a complete inventory of cloud accounts, SaaS applications, and the users/systems that connect to them, then prioritize high-risk services (identity, finance, customer data). Tools like WatchDog Security's Asset Inventory can help discover and map cloud and SaaS services to owners so teams can consistently enforce TLS and secure access paths.
Secure cloud communications are usually demonstrated with repeatable evidence such as TLS configuration baselines, scan outputs, firewall/load balancer policies, and periodic reviews. Tools like WatchDog Security's Compliance Center can map this control to required evidence, centralize artifacts, and maintain an audit-ready record of checks and remediation.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |