Securities
Cryptographic Control Policy (A.10.1.1)
Objectives
- All systems requiring authentication should make use of strong passwords as part of the authentication process in accordance with the Password Management Policy.
- Systems using cryptography should use industry standard secure algorithms as noted herein.
- Where applicable, any and all legislative or regulatory mandates relative to Breezy cryptographic controls will be adhered to by employing Threat and Risk Assessment followed by proper Change Management Policy procedures.
- Data stored or transmitted should be encrypted at rest and in transit.
Scope
Breezy’s Cryptographic Control Policy shall include the following:
- All information assets (data) either owned by Breezy or entrusted to Breezy by a client under an agreement that specifically details Breezy’s data responsibility
- Information assets held, processed, or stored at Amazon Web Service facilities under accounts owned by Breezy used to facilitate Breezy product offerings
Policy
General Requirements
Do not write your own encryption implementation. Always use industry standard encryption methods known to be secure.
HTTPS
Scoped assets with HTTPS servers must be configured so that:
- TLS protocols available are in the Acceptable SSL list below
- TLS cipher suites available are in the acceptable cipher suites list below
- When possible, the server will prefer to negotiate with the preferred protocol and preferred cipher suites in the lists below
Acceptable SSL
- TLSv1.2
- TLSv1.3
Preferred SSL
- TLSv1.2
Acceptable Ciphersuites
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-CBC-SHA
- ECDHE-ECDSA-AES256-CBC-SHA
- ECDHE-RSA-CHACHA20-POLY1305-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA
- AES128-SHA
Preferred Ciphersuites
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
- ECDHE-RSA-CHACHA20-POLY1305-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
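One way to check a listener against the HTTPS lists above, as an added example that is not part of the original policy or any Breezy tooling. The function name `audit_listener`, the input format (enabled protocols plus a server-ordered cipher list), the finding labels, and the reading of "prefer" as "preferred suites are ranked ahead of all others" are assumptions.

```python
# Added example: audit a listener's TLS settings against the policy lists.
# Input shape and finding labels are assumptions, not part of the policy.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
PREFERRED_PROTOCOL = "TLSv1.2"
ACCEPTABLE_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-CBC-SHA",
    "ECDHE-ECDSA-AES256-CBC-SHA", "ECDHE-RSA-CHACHA20-POLY1305-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
    "AES256-SHA", "AES128-SHA",
}
PREFERRED_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256", "ECDHE-RSA-CHACHA20-POLY1305-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
}

def audit_listener(protocols, ciphers):
    """Return (rule, detail) findings; ciphers are in server preference order."""
    findings = []
    for proto in sorted(set(protocols) - ACCEPTABLE_PROTOCOLS):
        findings.append(("protocol-not-acceptable", proto))
    if PREFERRED_PROTOCOL not in protocols:
        findings.append(("preferred-protocol-missing", PREFERRED_PROTOCOL))
    for suite in ciphers:
        if suite not in ACCEPTABLE_CIPHERS:
            findings.append(("cipher-not-acceptable", suite))
    # Preference rule (our interpretation): every preferred suite offered
    # must be ranked ahead of every suite that is not on the preferred list.
    first_other = None
    for suite in ciphers:
        if suite not in PREFERRED_CIPHERS:
            first_other = first_other or suite
        elif first_other:
            findings.append(("preferred-ranked-late", f"{suite} after {first_other}"))
    if not PREFERRED_CIPHERS & set(ciphers):
        findings.append(("no-preferred-cipher", "no preferred suite offered"))
    return findings

# Constructed sample listener (not a real configuration).
SAMPLE_PROTOCOLS = ["TLSv1.1", "TLSv1.2"]
SAMPLE_CIPHERS = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for rule, detail in audit_listener(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(f"{rule}: {detail}")
```

The cipher names are compared as exact strings in the policy's own spelling, so names exported from a server or load balancer may need mapping to that spelling first.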
Encryption at Rest
All encryption at rest will use AES-128 encryption or better. Keys for encryption at rest will be maintained inside Amazon Web Services Key Management System.
Application-Level Cryptography
Applications developed by Breezy will use one of the following cryptographic methods when handling sensitive data:
- Bcrypt or better, when storing passwords in a database
- MD5 or better when creating one-way hashes to anonymize data
- AES-128 or better when encrypting data with an appropriate mode of operation
Key Rotation
- TLS keys (used for HTTPS) for certificates issued through Amazon Certificate Manager by Breezy will be rotated on an annual basis.
- TLS keys for certificates issued by a 3rd party customer will be rotated at least every three years.
- Keys used for encryption at rest in Amazon Web Services Key Management System will be rotated every year for Breezy-managed keys (“CMKs”) or every three years for Amazon-managed keys.
- Keys used for application-level cryptography will be rotated at least every three years.
Responsibilities
- The Information Security Manager is responsible for ensuring the Cryptographic Controls listed in this document afford company assets adequate protection.
- Asset owners are responsible for ensuring their information assets adhere to the Cryptographic Controls listed in this document.