Showing posts with label TDE. Show all posts
Showing posts with label TDE. Show all posts

Thursday 28 January 2021

Encryption Options for Azure SQL

Overview:  With all IT storage, we are looking for encryption at rest and making sure the data is encrypted “over the wire” until it is stored storage.  For encryption in transit, Azure SQL supports TLS/SSL versions 1.0, 1.1,and 1.2.  If possible got for TLS 1.2.

Azure SQL Server Transparent Data Encryption (TDE) related to encryption at rest by encrypting the log and data files on the storage; Azure enforces TDE as the default on databases.  TDE can be turned off on your Azure SQL instance.  The disks that the database files and backups are block encrypted automatically by Azure.

Backups should also be encrypted, and if TDS is enabled on Azure, your backups are also automatically encrypted.  Tip: Validate your restore of Azure Backups to another instance.

Column encryption is useful for encrypting a column within a table.  I prefer to use a Key Vault and use a SQL column to point to the database for things like tokens and secrets, but something like credit card numbers column encryption is ideal.

Always Encrypted allows for one or more columns to be encrypted within a database.  Client application shall decrypt and provides for separation where database owners/access cannot validate/view the encrypted column/columns.

Encryption at Rest on Azure SQL Server (PASS) Summary:

  1. Disk Encryption - Always can't change
  2. TDE - Server-Side - On by default (can be turn off)
  3. Column level encryption - Server-Side (Needs configuration, encryption done inside SQL for columns)
  4. Always Encrypted - Client-Side.  Columns are encrypted inside the db and only the application can unencrypt the column.

Monday 2 February 2015

Encrypting Content databases

Overview: TDE is Transparent Data Encryption, where you can encrypt your "data a rest", this encrypts the SQL mdf and ldf files.  Few enterprises require TDE for content database but if your customer has specific enterprise security requirements (Encryption at Rest for High Confidential data) or compliance requirements such as SOX, HIPAA, or Payment Card Industry Data Security Standard (PCI DSS) TDE may be an easy win.
Notes:
  • TDE is only available from SQL 2008, 2012 and 2014 Server Enterprise Edition.
  • SP Blobs are stored outside of mdf so they are not encrypted by TDE.
  • Only Content databases can be encrypted (not verified).
  • Search indexes are obviously not encrypted by TDE.
  • Encrypting the Connections to SQL or IPsec is needed to encrypt data between SP and SQL, not covered by TDE).  Nor are any call to web services or data in transit, use SSL.
  • TempDB is encrypted even if only 1 db is using TDE.
  • Applies to SP2013 On-prem. farms only.
  • I believe O365 uses BitLocker.
  • Vormetric and also offer encryption at Rest on SQL and other databases.

More Info:
Storage and SQL Server capacity planning and configuration (SharePoint Server 2013)
http://www.slideshare.net/michaeltnoel/transparent-data-encryption-for-sharepoint-content-databases
http://www.vormetric.com/search-results?query=SharePoint
http://web.townsendsecurity.com/bid/64783/4-Ways-to-Encrypt-Data-in-Microsoft-SQL-Server