ais-open / azure-blueprint


Application Configuration (e.g SQL server) #22

Closed davoodharun closed 7 years ago

davoodharun commented 7 years ago
jomolesk commented 7 years ago

Relevant controls: CM-6.b, CM-7.a, CM-7.b, SC-28 (1)

CM-6.b: The organization implements the configuration settings. NOTE: For consideration: https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines or CIS benchmark (Also see issue #21.)

CM-7.a: The organization configures the information system to provide only essential capabilities. [The resources deployed by this Azure Blueprint Solution are configured to provide the least functionality for their intended purpose.] (Also see issue #21.)

CM-7.b: The organization prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. [The resources deployed by this Azure Blueprint Solution are configured to restrict the use of functions, ports, protocols, and services to provide only the functionality intended. Azure Application Gateway and network security groups are deployed to restrict the use of ports and protocols to only those necessary.] (Also see issue #21.)

SC-28 (1): The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: all information system components storing customer data deemed sensitive]. [Virtual machines deployed by this Azure Blueprint Solution implement disk encryption to protect the confidentiality and integrity of information at rest. Azure disk encryption for Windows is implemented using the BitLocker feature of Windows. SQL Database is configured to use Transparent Data Encryption (TDE), which performs real-time encryption and decryption of data and log files to protect information at rest. TDE provides assurance that stored data has not been subject to unauthorized access. Customer may elect to implement additional application-level controls to protect the integrity of stored information. Confidentiality and integrity of all storage blobs deployed by this Azure Blueprint Solution (including those used for backup, log storage list all deployed storage account uses) are protected through use of Azure Storage Service Encryption (SSE). SSE safeguards data at rest within Azure storage accounts using 256-bit AES encryption.] (Also see issue #35.)
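The SC-28 (1) implementation statement above names three at-rest encryption mechanisms (Azure Disk Encryption on the VMs, TDE on SQL Database, SSE on the storage accounts). The following PowerShell script is an added example, not code from the azure-blueprint repository, that collects evidence for each of those three from the Azure control plane using the Az module. Resource group, VM, server, database and storage account names are placeholders; it assumes an authenticated session (Connect-AzAccount) with read access to the resource group.

```powershell
# Added example (not part of azure-blueprint): query the at-rest encryption state of
# the resources named in the SC-28 (1) statement and fail if any check does not pass.
# Requires the Az PowerShell module and an authenticated session (Connect-AzAccount).
param(
    [string]$ResourceGroupName = 'rg-blueprint',       # placeholder
    [string[]]$VmNames         = @('vm-sql-01'),        # placeholder
    [string]$SqlServerName     = 'sql-blueprint',       # placeholder: logical SQL server
    [string]$SqlDatabaseName   = 'db-blueprint',        # placeholder
    [string[]]$StorageAccounts = @('stblueprintlogs')   # placeholder
)

$findings = @()

# 1. Azure Disk Encryption (BitLocker on Windows) on each VM.
#    'NoDiskFound' is the value Az.Compute reports for DataVolumesEncrypted when the
#    VM has no data disks attached, so it is treated as a pass for that field.
foreach ($vm in $VmNames) {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $vm
    $findings += [pscustomobject]@{
        Resource = "VM/$vm"
        Check    = 'Azure Disk Encryption'
        Pass     = ($status.OsVolumeEncrypted -eq 'Encrypted' -and
                    $status.DataVolumesEncrypted -in @('Encrypted', 'NoDiskFound'))
        Detail   = "OS=$($status.OsVolumeEncrypted) Data=$($status.DataVolumesEncrypted)"
    }
}

# 2. Transparent Data Encryption on the SQL Database.
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroupName `
        -ServerName $SqlServerName -DatabaseName $SqlDatabaseName
$findings += [pscustomobject]@{
    Resource = "SQLDB/$SqlServerName/$SqlDatabaseName"
    Check    = 'Transparent Data Encryption'
    Pass     = ($tde.State -eq 'Enabled')
    Detail   = "State=$($tde.State)"
}

# 3. Storage Service Encryption for blobs on each storage account. KeySource shows
#    whether the account uses Microsoft-managed keys or a customer key in Key Vault.
foreach ($name in $StorageAccounts) {
    $sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $name
    $blob = $sa.Encryption.Services.Blob
    $findings += [pscustomobject]@{
        Resource = "Storage/$name"
        Check    = 'Storage Service Encryption (blob)'
        Pass     = ($blob.Enabled -eq $true)
        Detail   = "KeySource=$($sa.Encryption.KeySource)"
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit so the script can gate a pipeline or scheduled compliance job.
if ($findings.Pass -contains $false) {
    Write-Error 'One or more SC-28 (1) at-rest encryption checks failed.'
    exit 1
}
```

A failed TDE check is remediated with Set-AzSqlDatabaseTransparentDataEncryption -State Enabled on the same database; newly created Azure SQL Databases have TDE on by default, but the state can be switched off later, which is why the check belongs in a recurring job rather than a one-time deployment step.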

davoodharun commented 7 years ago

@manishkumar-agarwal per our discussion, we will be creating an empty database as a part of the ARM template that will use TDE.

jomolesk commented 7 years ago

If it's required to turn on TDE, then yes.

davoodharun commented 7 years ago

closing per #59

manishkumar-agarwal commented 7 years ago

Application Configuration (e.g. SQL Server)

The Azure Key Vault Integration feature for the SQL Server Configuration is enabled. This feature is used to register the Azure Key Vault and the credentials to the SQL Server. This can later be used to create asymmetric keys in the Azure Key Vault and use the keys to encrypt the databases.

Configuration

a) Key Vault URL
b) Principal Name
c) Principal Secret
d) Credential Name

This feature can be enabled using the 'SQL Server Configuration' tab on the IaaS SQL VM or using PowerShell by installing the IaaS extension.

To verify that the Key Vault integration is enabled, follow the steps below:
1) Log in to the SQL Server VM and connect to it with SSMS.
2) Check Security --> Credentials. The newly added credential should be visible under Credentials.
3) Check Security --> Cryptographic Providers. The entry for the Azure Key Vault provider is present here.
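The comment above describes the four settings (Key Vault URL, principal name, principal secret, credential name), the PowerShell route through the IaaS extension, and the two SSMS nodes used to verify the result. The script below is an added example, not the blueprint's own code, that does the same thing end to end: it configures Key Vault integration through the SQL Server IaaS extension cmdlets (New-AzVMSqlServerKeyVaultCredentialConfig and Set-AzVMSqlServerExtension, the Az successors of the AzureRM cmdlets current when this issue was filed), then reads back the extension's reported settings and queries the catalog views behind the two SSMS nodes. The resource group, VM, vault URL, service principal ID and credential name are placeholders, and the SQL query assumes the SqlServer module's Invoke-Sqlcmd is run with Windows authentication against the VM.

```powershell
# Added example (not part of azure-blueprint): enable the SQL Server IaaS extension's
# Azure Key Vault integration on an existing SQL VM, then verify it from both the
# Azure control plane and the SQL Server catalog. Requires Az.Compute and the
# SqlServer module; all names below are placeholders.
$rg       = 'rg-blueprint'                              # placeholder
$vmName   = 'vm-sql-01'                                 # placeholder
$vaultUrl = 'https://kv-blueprint.vault.azure.net/'     # placeholder: (a) Key Vault URL
$spnId    = '00000000-0000-0000-0000-000000000000'      # placeholder: (b) principal name (app/client ID)
$credName = 'AzureKeyVaultCred'                         # placeholder: (d) credential name

# (c) principal secret: prompt for it at run time instead of embedding it in the script,
# and pass it as a SecureString, which is what the cmdlet expects.
$spnSecret = Read-Host -Prompt 'Service principal secret' -AsSecureString

# Build the Key Vault credential settings and push them through the IaaS extension.
$akv = New-AzVMSqlServerKeyVaultCredentialConfig -Enable `
        -CredentialName        $credName `
        -AzureKeyVaultUrl      $vaultUrl `
        -ServicePrincipalName  $spnId `
        -ServicePrincipalSecret $spnSecret

Set-AzVMSqlServerExtension -ResourceGroupName $rg -VMName $vmName `
        -KeyVaultCredentialSettings $akv -Verbose

# Verification 1 (control plane): the extension reports the settings it applied.
# The KeyVaultCredentialSettings property name is taken from the extension object;
# confirm it against Get-AzVMSqlServerExtension output in your environment.
$ext = Get-AzVMSqlServerExtension -ResourceGroupName $rg -VMName $vmName
$ext.KeyVaultCredentialSettings | Format-List

# Verification 2 (inside SQL Server): the same two entries SSMS shows under
# Security > Credentials and Security > Cryptographic Providers.
$checks = @"
SELECT 'credential' AS kind, name FROM sys.credentials WHERE name = N'$credName'
UNION ALL
SELECT 'provider', name FROM sys.cryptographic_providers;
"@
$rows = Invoke-Sqlcmd -ServerInstance $vmName -Query $checks
$rows | Format-Table -AutoSize

# Fail loudly if either entry is missing, so the step can gate a deployment.
if (-not ($rows.kind -contains 'credential') -or -not ($rows.kind -contains 'provider')) {
    Write-Error "Key Vault integration not visible in SQL Server catalog on $vmName"
    exit 1
}
```

Two caveats worth checking before running this: the service principal must have at least get, list, wrapKey and unwrapKey permissions on keys in the vault or the EKM provider will register but fail when a database encryption key is later wrapped, and the secret entered here is stored by SQL Server as part of the credential, so it should be rotated by re-running the configuration step when the principal's secret is rotated.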