Used to be, 10 years ago or so, we had segmented networks: public/DMZ/private. The private network was where the database and application servers lived, and network communication was clear text, not SSL. Configuration was simple and everyone was happy.
The company I’m at now is pushing to secure all network communication with SSL/TLS, even within the private network, i.e. behind the firewall, inside the datacenter they own. Even between application servers and databases (for example). This seems like overkill to me. Is this really a best practice now?
I found this document that superficially seems to support this:
Protecting data in transit should be an essential part of your data protection strategy. Since data will be moving back and forth from many locations, the general recommendation is that you always use SSL/TLS protocols to exchange data across different locations.
It’s an Azure doc, and I think the context is that it’s a best practice to secure network communication that traverses the public internet (d’uh), not necessarily inside a corporate firewall. But without that context clearly stated, “unsophisticated” people read it as SSL/TLS everywhere? I’m really baffled by this state of affairs. What are your thoughts?
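Whatever one concludes about the policy, the practical question for the application-server-to-database links the post mentions is not just "is TLS on" but "does the client actually verify who it is talking to"; a connection that encrypts but accepts any certificate still lets an on-path host inside the datacenter impersonate the database. The following audit script is an added example, not code from the original post: it inspects PostgreSQL (libpq-style) connection URIs and reports, per connection, whether the link can fall back to plaintext, whether the certificate chain is checked, and whether the hostname is checked. The `sslmode` semantics follow the PostgreSQL documentation (`prefer` is libpq's default when the parameter is absent; `require` with `sslrootcert` set behaves like `verify-ca`); the sample DSNs, hostnames and CA path are constructed for illustration.

```python
"""Audit PostgreSQL connection strings for plaintext or unauthenticated TLS.

Added example (not from the original post). Works on libpq-style URIs such as
postgresql://user:pass@host:5432/db?sslmode=verify-full&sslrootcert=/path/ca.pem
"""
from urllib.parse import urlparse, parse_qs

# libpq sslmode values (PostgreSQL docs). These three may or will talk plaintext;
# 'prefer' is what libpq uses when sslmode is not given at all.
PLAINTEXT_MODES = {"disable", "allow", "prefer"}
# These always encrypt, but only verify-full checks chain *and* hostname.
ENCRYPTED_MODES = {"require", "verify-ca", "verify-full"}

# Constructed sample DSNs for a hypothetical internal network.
SAMPLE_DSNS = [
    "postgresql://app:secret@db1.internal:5432/orders",  # no sslmode at all
    "postgresql://app:secret@db2.internal:5432/orders?sslmode=disable",
    "postgresql://app:secret@db3.internal:5432/orders?sslmode=require",
    "postgresql://app:secret@db4.internal:5432/orders"
    "?sslmode=verify-ca&sslrootcert=/etc/ssl/internal-ca.pem",
    "postgresql://app:secret@db5.internal:5432/orders"
    "?sslmode=verify-full&sslrootcert=/etc/ssl/internal-ca.pem",
]


def assess_dsn(dsn: str) -> dict:
    """Assess one DSN. Returns a dict of booleans plus human-readable findings.

    The password embedded in the URI is never copied into the result.
    """
    url = urlparse(dsn)
    if url.scheme not in ("postgresql", "postgres"):
        raise ValueError(f"not a PostgreSQL URI scheme: {url.scheme!r}")
    # parse_qs returns lists; libpq honours the last occurrence of a key.
    params = {k: v[-1] for k, v in parse_qs(url.query).items()}
    sslmode = params.get("sslmode", "prefer")
    if sslmode not in PLAINTEXT_MODES | ENCRYPTED_MODES:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    has_root_cert = "sslrootcert" in params

    encrypted = sslmode in ENCRYPTED_MODES
    # 'require' with a root cert is treated like 'verify-ca' by libpq.
    chain_verified = sslmode in ("verify-ca", "verify-full") or (
        sslmode == "require" and has_root_cert
    )
    hostname_verified = sslmode == "verify-full"

    findings = []
    if not encrypted:
        findings.append(
            f"sslmode={sslmode}: link may be (or is) plaintext; credentials "
            "and query data can cross the network unencrypted"
        )
    elif not chain_verified:
        findings.append(
            "server certificate is not verified: any certificate is accepted, "
            "so another host on the path can impersonate the database"
        )
    elif not hostname_verified:
        findings.append(
            "chain is verified but hostname is not: any certificate issued by "
            "the trusted CA is accepted for this host"
        )
    if chain_verified and not has_root_cert:
        findings.append(
            "sslrootcert not set: libpq falls back to ~/.postgresql/root.crt; "
            "make the CA path explicit"
        )

    return {
        "host": url.hostname,
        "user": url.username,
        "sslmode": sslmode,
        "encrypted": encrypted,
        "chain_verified": chain_verified,
        "hostname_verified": hostname_verified,
        "compliant": hostname_verified,
        "findings": findings,
    }


def audit_dsns(dsns) -> list:
    """Assess every DSN and return the list of results, in input order."""
    return [assess_dsn(d) for d in dsns]


def noncompliant(dsns) -> list:
    """Hostnames whose connection string does not fully authenticate the server."""
    return [r["host"] for r in audit_dsns(dsns) if not r["compliant"]]


if __name__ == "__main__":
    for r in audit_dsns(SAMPLE_DSNS):
        status = "OK " if r["compliant"] else "BAD"
        print(f"{status} {r['host']:<14} sslmode={r['sslmode']}")
        for f in r["findings"]:
            print(f"      - {f}")
```

Run against a dump of the application servers' connection settings, this separates "encrypted because the policy said so" from "authenticated so that a misrouted or spoofed internal host cannot read the credentials"; in practice only the `verify-full` entry with an explicit internal CA passes.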