Communication and Transport Protocols are the standardized rules governing how data moves between systems across networks — and the privacy controls embedded within or layered onto those protocols to prevent unauthorized interception, metadata leakage, and identity exposure. In the CDPSE privacy architecture context, this extends beyond encrypting data in transit to encompass the full protocol-level privacy stack: which cipher suites are negotiated, whether mutual authentication is enforced (mTLS), how DNS queries are protected (DoH/DoT), whether session metadata exposes sensitive information (ECH/eSNI), what data appears in headers versus payload, and how cryptographic keys are managed across their lifecycle. The canonical standard is TLS 1.3, governed by NIST SP 800-52 Rev. 3, with post-quantum cryptography (NIST FIPS 203/204/205) as the forward compliance requirement. Transport protocols are a primary privacy control category under GDPR Article 32, HIPAA 45 CFR §164.312(e)(1), and PCI-DSS Requirement 4.2.1 — making protocol selection a legal compliance decision, not a technical preference.
Where it stops · what it isn't
- IN SCOPE: TLS 1.2/1.3 configuration, cipher suite selection, certificate lifecycle management, mTLS for service-to-service authentication, DNS privacy protocols (DoH/DoT), VPN and tunnel protocol selection (WireGuard, IPSec), Encrypted Client Hello (ECH), Perfect Forward Secrecy (PFS) enforcement, post-quantum cryptographic agility planning, and protocol-level data minimization (header stripping, metadata control).
- OUT OF SCOPE: Application-layer data encryption (field-level or database encryption at rest), authentication and access control systems beyond transport-layer identity (OAuth, SAML), network firewall and IDS policies, endpoint encryption (disk/device), and content-level data classification. Each is addressed in an adjacent CDPSE control.
- NOT A SUBSTITUTE: A correctly configured TLS channel still carries privacy risk if the application transmits unnecessary PII in URLs, logs session tokens, or exposes metadata in API responses. Transport encryption is necessary but not sufficient for privacy.
- BOUNDARY — Zero-Trust Overlap: mTLS and cryptographic service identity enforcement are shared between transport protocol controls and zero-trust network architecture (ZTNA). For CDPSE purposes, the privacy dimensions (data-in-transit protection, identity non-repudiation) are in scope; the broader ZTNA policy engine is a separate control domain.
- BOUNDARY — Data at Rest: Protocol controls govern data only while it traverses a network segment. Once written to storage, encryption-at-rest controls apply. Both are often required simultaneously (e.g., HIPAA Technical Safeguards mandate both).
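The protocol-level checks described above (TLS version floor, forward-secret AEAD cipher suites, mTLS on internal links) can be turned into an audit that runs over observed session records. The following is an added example, not code from the original page or from any CDPSE publication; the `Session` record layout, the sample sessions, and the policy thresholds are constructed assumptions in the spirit of NIST SP 800-52 Rev. 3 rather than a transcription of it. It also builds a hardened client context with Python's standard `ssl` module to show the corresponding enforcement on the sending side.

```python
"""Audit observed TLS sessions against a transport-privacy policy (added example).

Policy encoded here (an assumption for illustration):
  * TLS 1.2 is the floor; TLS 1.3 is preferred.
  * For TLS 1.2, only (EC)DHE key exchange (forward secrecy) and AEAD bulk ciphers.
  * Internal service-to-service links must present a client certificate (mTLS).
"""
import ssl
from dataclasses import dataclass

# OpenSSL-style TLS 1.2 suite names encode key exchange and bulk cipher.
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral (EC)DHE and
# AEAD ciphers, so those checks are implicit for TLS 1.3 sessions.
PFS_KEX_PREFIXES = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


@dataclass
class Session:
    peer: str            # hostname of the remote endpoint (constructed)
    version: str         # negotiated protocol, e.g. "TLSv1.3"
    cipher: str          # negotiated cipher suite, OpenSSL naming
    client_cert: bool    # True if the client presented a certificate
    requires_mtls: bool  # policy flag: internal service-to-service link


def audit(session: Session) -> list[str]:
    """Return policy findings for one session; an empty list means compliant."""
    findings = []
    if session.version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"version {session.version} is below the TLS 1.2 floor")
    if session.version != "TLSv1.3":
        # Pre-1.3 suites must be inspected by name for forward secrecy and AEAD.
        if not session.cipher.startswith(PFS_KEX_PREFIXES):
            findings.append(f"no forward secrecy: {session.cipher}")
        if not any(m in session.cipher for m in AEAD_MARKERS):
            findings.append(f"non-AEAD cipher suite: {session.cipher}")
    if session.requires_mtls and not session.client_cert:
        findings.append("mTLS required but no client certificate presented")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client-side enforcement of the same policy via the standard ssl module."""
    ctx = ssl.create_default_context()  # hostname check + CA verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 suites only; TLS 1.3 suites are unaffected
    # and are forward-secret AEAD by design.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


# Constructed sample observations, not captured traffic.
SAMPLE_SESSIONS = [
    Session("api.internal", "TLSv1.3", "TLS_AES_256_GCM_SHA384", True, True),
    Session("legacy.partner", "TLSv1.2", "AES128-SHA", False, False),
    Session("billing.internal", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", False, True),
    Session("old.vendor", "TLSv1.0", "ECDHE-RSA-AES256-SHA", False, False),
]


def audit_all(sessions=SAMPLE_SESSIONS) -> dict[str, list[str]]:
    """Map each peer to its list of findings."""
    return {s.peer: audit(s) for s in sessions}


if __name__ == "__main__":
    for peer, findings in audit_all().items():
        print(f"{peer}: {'OK' if not findings else '; '.join(findings)}")
```

Running the block reports `api.internal` as compliant, flags `legacy.partner` for both a non-forward-secret and a non-AEAD suite, flags `billing.internal` for the missing client certificate, and flags `old.vendor` for the protocol version and a non-AEAD suite. The split between `audit()` and `hardened_client_context()` mirrors the two places a privacy architect has to act: evidence from the wire, and configuration that prevents the weak negotiation in the first place.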
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: Technical Privacy Controls (CDPSE Domain 2); Privacy Architecture (CDPSE Domain 2)
- REQUIRES: Public Key Infrastructure (PKI) and Certificate Management; Cryptographic Fundamentals (symmetric/asymmetric encryption, key exchange, hashing)
- ENABLES: Zero-Trust Architecture Implementation; Privacy-by-Design in API and Microservices Architecture; Regulatory Compliance (GDPR Art. 32, HIPAA §164.312, PCI-DSS Req. 4.2.1)
- RELATED TO: Data Encryption at Rest Controls; Access Control and Identity Management
- CONSTRAINS: API Design and Data Transmission Choices; Microservices Service Mesh Architecture