I have a situation where we (as a SaaS vendor) are migrating one of our clients away from their local premise to our public SaaS.
However as a security concern they want to route all their TCP traffic over an IPSEC Tunnel to our application. Now i’m not very familiar with doing that (i’ve done it once) and i don’t believe in just doing things like that quickly.
But it makes me wonder, is that really neccesary if we already use a strong TLS1.2 encryption on the webserver? I constantly check to ensure we keep an A+ score on ssllabs.com/ssltest and i’m wondering if that isn’t secure enough?
Obviously i can understand that adding an extra layer of encryption will always be more secure. But i want to see if there is an argument to be made for the pros and cons of this.
Is there anyone who has any insight into this?