Overview: With all IT storage, we are
looking for encryption at rest and making sure the data is encrypted "over the
wire" until it reaches storage. For encryption
in transit, Azure SQL supports TLS/SSL versions 1.0, 1.1, and 1.2. If
possible, go for TLS 1.2.
Azure SQL Server Transparent
Data Encryption (TDE) provides encryption at rest by
encrypting the log and data files on the storage; Azure enables TDE as the
default on databases. TDE can be turned off on your Azure SQL instance. The disks that hold the database files and backups are block-encrypted automatically by Azure.
Backups should also be encrypted, and if TDE is
enabled on Azure, your backups are also automatically encrypted. Tip:
validate that your Azure backups actually restore to another instance.
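The TDE checks described above, as an added T-SQL example that is not part of the original post. The database name AppDb is a placeholder, and it assumes an administrator login on the Azure SQL logical server:

```sql
-- Added example (not from the original post): checking and enforcing TDE on Azure SQL Database.
-- Assumed: administrator login; the database name [AppDb] is a placeholder.

-- 1. Find any database that has TDE turned off (is_encrypted = 0).
--    Run from master so every database on the logical server is listed.
SELECT name, is_encrypted
FROM sys.databases
WHERE is_encrypted = 0
  AND name <> 'master';

-- 2. Detailed TDE state for the database you are connected to.
--    encryption_state: 1 = unencrypted, 2 = encryption in progress,
--    3 = encrypted, 5 = decryption in progress.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;

-- 3. Re-enable TDE if it was switched off (it is on by default but can be disabled).
--    Run while connected to master. Backups inherit the database's encryption,
--    so turning TDE back on also protects the backup chain going forward.
ALTER DATABASE [AppDb] SET ENCRYPTION ON;
```

Query 1 is the one worth scheduling: a database with TDE off is exactly the drift the post warns about, and it is cheap to alert on.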
Column encryption is useful for encrypting a single column
within a table. For things like tokens and secrets I prefer to keep the value in a Key Vault
and have the SQL column hold only a pointer to it, but for something like credit
card numbers column encryption is ideal.
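Server-side column encryption for a card-number column, as an added T-SQL example that is not part of the original post. The table dbo.Payments, the key and certificate names, the password placeholder and the test card number 4111111111111111 are all constructed for illustration:

```sql
-- Added example (not from the original post): column-level encryption done inside SQL.
-- Hypothetical names: dbo.Payments, CardCert, CardKey. Replace the password placeholder.

-- Key hierarchy: database master key -> certificate -> AES symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number column encryption';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;

-- Only the ciphertext and the last four digits are stored; never the plaintext PAN.
CREATE TABLE dbo.Payments (
    PaymentId     INT IDENTITY PRIMARY KEY,
    CardLast4     CHAR(4) NOT NULL,
    CardNumberEnc VARBINARY(256) NOT NULL
);

-- Write path: the key must be opened in the session before EncryptByKey works.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.Payments (CardLast4, CardNumberEnc)
VALUES ('1111', EncryptByKey(Key_GUID('CardKey'), '4111111111111111'));  -- constructed test PAN
CLOSE SYMMETRIC KEY CardKey;

-- A reader who has not opened the key (or lacks CONTROL on the certificate)
-- gets only the varbinary ciphertext from this query.
SELECT PaymentId, CardLast4, CardNumberEnc FROM dbo.Payments;

-- Authorised read path: open the key, decrypt, and convert back to the original type.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT PaymentId,
       CardLast4,
       CONVERT(VARCHAR(19), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Payments;
CLOSE SYMMETRIC KEY CardKey;
```

Because the key, certificate and decryption all live inside the database engine, anyone with sufficient database permissions can open the key and read the column; that is the limitation Always Encrypted addresses in the next section.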
Always Encrypted allows one or more columns within a database to be encrypted. The client application performs the decryption, which provides separation of duties: database owners and anyone with database access cannot view or validate the encrypted column or columns.
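The Always Encrypted setup with the column master key in Key Vault, as an added T-SQL example that is not part of the original post. The vault URL, the key names CMK_KeyVault and CEK_Patients, the table dbo.Patients and the ENCRYPTED_VALUE placeholder are all assumptions; the real wrapped key value is produced by client tooling that has access to the Key Vault key:

```sql
-- Added example (not from the original post): Always Encrypted schema objects.
-- Hypothetical names: CMK_KeyVault, CEK_Patients, dbo.Patients. Vault path is a placeholder.

-- Column master key: lives in Azure Key Vault, never inside the database.
CREATE COLUMN MASTER KEY CMK_KeyVault
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    KEY_PATH = 'https://<vault-name>.vault.azure.net/keys/<key-name>/<key-version>'  -- placeholder
);

-- Column encryption key: the server stores only the CMK-wrapped form.
-- ENCRYPTED_VALUE below is a placeholder; the real value is generated by a client
-- tool (SSMS or the SqlServer PowerShell module) that can use the Key Vault key.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_KeyVault,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder, replace with the CMK-wrapped key bytes
);

-- DETERMINISTIC permits equality lookups and joins on the column (needs a BIN2 collation);
-- RANDOMIZED leaks less but the column cannot be searched.
CREATE TABLE dbo.Patients (
    PatientId  INT IDENTITY PRIMARY KEY,
    NationalId CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Notes      NVARCHAR(500)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);

-- Separation check: a DBA whose connection does not set
-- "Column Encryption Setting=Enabled" (and who has no Key Vault access)
-- sees only varbinary ciphertext from this query.
SELECT PatientId, NationalId, Notes FROM dbo.Patients;

-- Inventory: which columns are protected, how, and by which key.
SELECT c.name AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       k.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
    ON c.column_encryption_key_id = k.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Patients');
```

The inventory query is useful for audits: it answers "which columns are Always Encrypted, and with which key?" from metadata alone, without needing any ability to decrypt.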
Encryption at Rest on Azure SQL Server (PASS) Summary:
- Disk Encryption - Always on, cannot be changed
- TDE - Server-Side - On by default (can be turned off)
- Column-level encryption - Server-Side (needs configuration; encryption is done inside SQL for individual columns)
- Always Encrypted - Client-Side. Columns are encrypted inside the database and only the application can decrypt the column.