Encrypt Data Between Database and Web Servers
Ensure data between database and web servers is kept secure by encrypting it.
Plain language
This control means that the information sent between your database and website needs to be scrambled so it can't be read by anyone except those authorised to see it. It's important because if someone can intercept this information, they could read sensitive customer data and financial details, and the resulting exposure could damage your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for database systems
Section
Database servers
Official control statement
Data communicated between database servers and web servers is encrypted.
Why it matters
If database-to-web traffic is not encrypted, attackers who can intercept it can read credentials and query results, causing data exposure and triggering breach-reporting obligations.
Operational notes
Enforce TLS (preferably mTLS) on DB connections from web servers, validate certificates, and alert on any plaintext DB ports or failed TLS handshakes.
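The operational note and the first implementation tip refer to server-side connection rules and the web server's client settings. The following is an added example, not code from this page or from the ISM, that assumes PostgreSQL (the page names no particular database), a web tier in the constructed subnet 10.0.2.0/24, and libpq-style connection URIs. It parses a constructed pg_hba.conf snapshot in which the plain `host` rule is the weak setting (it accepts plaintext as well as TLS) and the `hostssl ... clientcert=verify-full` rule is the corrected, mTLS-enforcing form, then checks a web server's `postgresql://` URI for an `sslmode` that actually verifies the server and for the client certificate that mTLS requires.

```python
"""Audit PostgreSQL access rules and a web server's connection URI for
settings that permit plaintext or unverified database connections.
Added example; assumes PostgreSQL, a web tier in 10.0.2.0/24 (constructed),
and libpq-style URI parameters. Not the page's or the ISM's own code."""
import ipaddress
import shlex
from urllib.parse import parse_qs, urlparse

WEB_TIER = ipaddress.ip_network("10.0.2.0/24")  # assumed web server subnet

# Constructed pg_hba.conf snapshot. The 'host' rule is the weak setting: it
# accepts both TLS and plaintext connections from the web tier. The 'hostssl'
# rule with clientcert=verify-full is the corrected, mTLS-enforcing form.
SAMPLE_PG_HBA = """
# TYPE    DATABASE  USER    ADDRESS        METHOD         OPTIONS
local     all       all                    peer
host      shopdb    webapp  10.0.2.0/24    scram-sha-256
hostssl   shopdb    webapp  10.0.2.0/24    scram-sha-256  clientcert=verify-full
hostnossl all       all     0.0.0.0/0      reject
"""

# libpq sslmode values from weakest to strongest; only verify-full checks
# that the server certificate matches the host the web server dialled.
SSLMODE_RANK = {"disable": 0, "allow": 1, "prefer": 2,
                "require": 3, "verify-ca": 4, "verify-full": 5}


def parse_pg_hba(text):
    """Return one dict per rule; 'local' rules carry no address field."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)
        if f[0] == "local":
            rules.append({"type": f[0], "database": f[1], "user": f[2],
                          "address": None, "method": f[3], "options": f[4:]})
        else:
            rules.append({"type": f[0], "database": f[1], "user": f[2],
                          "address": f[3], "method": f[4], "options": f[5:]})
    return rules


def audit_server_rules(rules, web_tier=WEB_TIER):
    """Flag rules reachable from the web tier that allow plaintext or skip
    client certificate verification. Address-plus-netmask form is not handled."""
    findings = []
    for r in rules:
        if r["address"] is None:
            continue
        try:
            net = ipaddress.ip_network(r["address"], strict=False)
        except ValueError:
            continue  # hostname entries are outside this check
        if not net.overlaps(web_tier):
            continue
        if r["type"] in ("host", "hostnossl") and r["method"] != "reject":
            findings.append(f"{r['type']} rule for {r['address']} permits "
                            f"plaintext connections (use hostssl)")
        if r["type"] == "hostssl" and "clientcert=verify-full" not in r["options"]:
            findings.append(f"hostssl rule for {r['address']} does not require "
                            f"a verified client certificate (mTLS not enforced)")
    return findings


def audit_client_uri(uri):
    """Check a web server's postgresql:// URI for TLS enforcement."""
    q = {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}
    mode = q.get("sslmode", "prefer")  # libpq default when unset (assumes no env override)
    findings = []
    if SSLMODE_RANK.get(mode, 0) < SSLMODE_RANK["verify-full"]:
        findings.append(f"sslmode={mode}: plaintext fallback or unverified "
                        f"server identity possible (use sslmode=verify-full)")
    if "sslcert" not in q or "sslkey" not in q:
        findings.append("no sslcert/sslkey: web server cannot present a "
                        "client certificate, so mTLS cannot be enforced")
    return findings


# Constructed URIs: the weak one beside the hardened one.
WEAK_URI = "postgresql://webapp@db.internal:5432/shopdb?sslmode=require"
HARDENED_URI = ("postgresql://webapp@db.internal:5432/shopdb?sslmode=verify-full"
                "&sslrootcert=/etc/pki/db-ca.pem&sslcert=/etc/pki/web.crt"
                "&sslkey=/etc/pki/web.key")

if __name__ == "__main__":
    for finding in audit_server_rules(parse_pg_hba(SAMPLE_PG_HBA)):
        print("SERVER:", finding)
    for name, uri in (("weak", WEAK_URI), ("hardened", HARDENED_URI)):
        print(f"CLIENT ({name}):", audit_client_uri(uri) or "no findings")
```

Run against a real snapshot by reading pg_hba.conf into `parse_pg_hba` and the web application's connection string into `audit_client_uri`; an empty list from both is the evidence the audit section below asks for. Note that `sslmode=require` on its own encrypts but does not verify who the web server is talking to, which is why the check insists on `verify-full`.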
Implementation tips
- The IT team should configure a secure connection using protocols like TLS (Transport Layer Security). They can do this by adjusting the settings in your server software to ensure all data between your database and its associated web server is encrypted automatically.
- The system administrator should test the encryption setup once configured. They should do this by running a tool that generates test traffic between your database and web server and confirming that the captured traffic is encrypted in transit.
- Train IT staff to monitor encryption status regularly. This involves setting up alerts for any anomalies in data flow that might suggest encryption failures or attempts to bypass security settings.
- The IT manager should document the encryption process and settings. They can do this by writing clear instructions about which software settings ensure encryption, including screenshots or step-by-step guides, and store this in an accessible place for future reference.
- Management should enforce regular software updates on both databases and web servers. These updates often include improved security measures that fix potential vulnerabilities in encryption.
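The operational note asks for alerts on plaintext database connections and failed TLS handshakes, and the monitoring tip above asks for alerts on anomalies that suggest encryption failures or bypass attempts. The following is an added example, not code from this page or the ISM, of the detection logic that turns those requirements into alerts. It assumes PostgreSQL with `log_connections` enabled and a `log_line_prefix` of `'%m [%p] %r '` (timestamp, process id, remote host and port); the log lines and the web-tier subnet 10.0.2.0/24 are constructed, modelled on PostgreSQL's connection messages.

```python
"""Scan PostgreSQL connection log lines for plaintext database sessions,
failed TLS handshakes, weak TLS versions and connections from outside the
web tier. Added example; assumes PostgreSQL with log_connections=on and a
log_line_prefix of '%m [%p] %r '. Not the page's or the ISM's own code."""
import ipaddress
import re
from collections import Counter

WEB_TIER = ipaddress.ip_network("10.0.2.0/24")  # assumed web server subnet
WEAK_TLS = {"TLSv1", "TLSv1.1"}

# Constructed log lines modelled on PostgreSQL's connection messages.
SAMPLE_LOG = """\
2026-03-19 10:00:01.123 UTC [2201] 10.0.2.15(51234) LOG:  connection received: host=10.0.2.15 port=51234
2026-03-19 10:00:01.130 UTC [2201] 10.0.2.15(51234) LOG:  connection authorized: user=webapp database=shopdb SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256)
2026-03-19 10:00:02.010 UTC [2202] 10.0.2.16(51300) LOG:  connection authorized: user=webapp database=shopdb
2026-03-19 10:00:03.500 UTC [2203] 10.0.2.17(51400) LOG:  could not accept SSL connection: certificate verify failed
2026-03-19 10:00:04.000 UTC [2204] 10.0.9.9(40000) LOG:  connection authorized: user=webapp database=shopdb
2026-03-19 10:00:05.000 UTC [2205] 10.0.2.18(51500) LOG:  connection authorized: user=webapp database=shopdb SSL enabled (protocol=TLSv1, cipher=AES256-SHA, bits=256)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<remote>\S+) LOG:\s+(?P<msg>.*)$")
AUTH_RE = re.compile(r"connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)(?P<rest>.*)")
PROTO_RE = re.compile(r"protocol=([^,\s)]+)")


def remote_ip(remote):
    """'10.0.2.15(51234)' -> IPv4Address('10.0.2.15'); '[local]' -> None."""
    host = remote.split("(", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def analyse(log_text, web_tier=WEB_TIER):
    """Return one alert dict per finding: kind, ts, remote, detail."""
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, remote, msg = m["ts"], m["remote"], m["msg"]

        def alert(kind, detail):
            alerts.append({"kind": kind, "ts": ts, "remote": remote, "detail": detail})

        if msg.startswith("could not accept SSL connection"):
            alert("tls_handshake_failed", msg)  # misconfiguration or a rejected client
            continue
        a = AUTH_RE.match(msg)
        if not a:
            continue  # 'connection received' and other messages are not decisive
        ip = remote_ip(remote)
        if ip is not None and ip not in web_tier:
            alert("unexpected_source", f"user={a['user']} connected from outside the web tier")
        if "SSL enabled" not in a["rest"]:
            alert("plaintext_connection", f"user={a['user']} db={a['db']} without TLS")
            continue
        p = PROTO_RE.search(a["rest"])
        if p and p.group(1) in WEAK_TLS:
            alert("weak_tls_version", f"{p.group(1)} negotiated")
    return alerts


def summarise(alerts):
    """Count alerts by kind, e.g. to feed a dashboard or a threshold alert."""
    return Counter(a["kind"] for a in alerts)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['remote']:<20} {a['kind']:<22} {a['detail']}")
    print(dict(summarise(found)))
```

In a real deployment the same logic runs in the log pipeline or SIEM; a non-zero `plaintext_connection` count after the `hostssl` rules are in place is the clearest sign that a web server is still configured for, or has fallen back to, an unencrypted connection, and a burst of `tls_handshake_failed` entries typically follows a certificate rotation that the web tier did not pick up.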
Audit / evidence tips
- Ask for the encryption configuration settings: request the documented settings from the IT team or a current snapshot of the server configuration files.
- Good: clearly specified details that show encryption is enabled for all data transmissions between the database and web server.
- Ask for documentation of encryption testing results: request a report detailing the recent test outcomes of the encryption's effectiveness.
- Good: recent logs demonstrating successful encryption and no breaches during testing.
- Ask to see the monitoring setup: request the details of how encryption status is monitored.
- Good: active and configured alerts that notify responsible staff of any encryption issues.
- Ask for training records: request documentation showing which IT staff have been trained on encryption maintenance.
- Good: comprehensive training records showing the majority of relevant IT team members have completed recent training.
Cross-framework mappings
How ISM-1277 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.14 | ISM-1277 requires that data communicated between database servers and web servers is encrypted to protect it in transit |
| Partially meets | Annex A 8.24 | ISM-1277 requires encryption of data in transit specifically between web servers and database servers |
| Supports | Annex A 8.9 | ISM-1277 requires encryption for traffic between database servers and web servers to prevent interception or tampering in transit |
| Supports | Annex A 8.22 | ISM-1277 requires that communications between web servers and database servers are encrypted, typically using secure channels such as TLS |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.