Why is it not enough to encrypt only data crossing the internet, and what does it mean to also encrypt internal service-to-service traffic with something like mutual TLS?

technical-conceptual · Junior level · cloud-devops-security

What the interviewer is really asking

Assess whether the candidate understands that internal links are part of the threat model (zero-trust), and grasps that mutual TLS both encrypts east-west traffic and authenticates BOTH endpoints, unlike ordinary one-way TLS.

What to say

What to avoid

Example answers

Strong: Encrypting only the edge assumes everything inside is trusted, but if an attacker lands on one internal host they can sniff or impersonate on those 'private' links — so zero trust treats internal traffic as untrusted too. Mutual TLS fixes both halves: it encrypts service-to-service traffic and, unlike normal TLS, both sides present certificates so each service authenticates the other. We got this 'for free' by enabling mTLS in our service mesh, which issued and rotated the workload certs, so a rogue pod couldn't impersonate a legitimate caller.

Weak: Internal traffic stays inside our network, so it's already safe — we only need TLS on the public endpoints.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.