In a recent meeting with a customer group on security topics, one of the attendees asked everybody else whether they had implemented system-to-system encryption behind the firewalls in their internal landscape.
Only one attendee said yes, and it applied only to one system deemed extremely critical. To my astonishment nobody considered this strange or negligent. To be clear, everybody encrypted the communication paths to their web applications, at least outside the firewall. The unencrypted communication paths were those between systems: background jobs, workflows, booking of bills, results or payroll data passed from one system to another, etc.
Most of the attendees stated that they had not implemented system-to-system encryption due to lack of time, other tasks becoming more important on short notice, etc.
Many attacks start internally…