This repository has been archived by the owner on Jan 17, 2024. It is now read-only.

Application Configuration (e.g. SQL Server)

Harun Davood edited this page Jun 16, 2017 · 5 revisions

NIST Controls

CM-6.b, CM-7.a, CM-7.b, SC-28 (1)

Implementation and Configuration

As part of the Application Configuration, the Azure Key Vault Integration feature of the SQL Server Configuration is enabled. This feature registers the Azure Key Vault and the service principal credentials with the SQL Server instance. They can later be used to create asymmetric keys in the Azure Key Vault and to use those keys to encrypt the databases.

You can view the configuration here. The following parameters can be configured:

a) Key Vault Url

b) Principal Name

c) Principal Secret

d) Credential Name

This feature can be enabled using the 'SQL Server Configuration' tab on the IaaS SQL VM or by using PowerShell to install the SQL Server IaaS extension.

To verify that the Key Vault integration is enabled follow the steps below:

Log in to the SQL Server VM and connect to the instance with SQL Server Management Studio (SSMS).

a) Check Security --> Credentials. The newly added credential should be listed under Credentials.

b) Check Security --> Cryptographic Providers. The Azure Key Vault provider entry should be listed here.
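The same check can be scripted in T-SQL instead of clicking through SSMS, and the script below goes one step further than the page's verification steps by showing the flow the integration exists for: mapping a Key Vault key as a server asymmetric key and using it to protect a database with TDE. This is an added example, not code from the original page or from the Azure Blueprint project. The names AKV_Credential (the Credential Name entered in the SQL Server Configuration tab), AzureKeyVault_EKM_Prov (the EKM provider the IaaS extension registers), ContosoTdeKey (an RSA key already present in the vault), TdeAkvKey, TdeAkvLogin and ContosoDb are placeholders to replace with your own values.

```sql
-- Added example (not from the original page or the Blueprint project).
-- All object names below are placeholders; see the lead-in for what each stands for.

-- 1) Verify the registration the IaaS extension performed. Each check fails loudly
--    so the script can be run as a post-deployment gate rather than read by eye.
IF NOT EXISTS (SELECT 1 FROM sys.credentials WHERE name = N'AKV_Credential')
    THROW 50001, N'Key Vault credential is missing: the IaaS extension did not register it.', 1;

IF NOT EXISTS (SELECT 1 FROM sys.cryptographic_providers
               WHERE name = N'AzureKeyVault_EKM_Prov' AND is_enabled = 1)
    THROW 50002, N'Azure Key Vault cryptographic provider is missing or disabled.', 1;

-- EKM providers only load when the instance-level option is on.
IF NOT EXISTS (SELECT 1 FROM sys.configurations
               WHERE name = N'EKM provider enabled' AND value_in_use = 1)
    THROW 50003, N'The ''EKM provider enabled'' option is off on this instance.', 1;
GO

-- 2) Map an RSA key that already lives in the vault as a server asymmetric key.
--    OPEN_EXISTING means the key material never leaves Key Vault; SQL Server only
--    gets a handle to it through the provider.
USE master;
GO
CREATE ASYMMETRIC KEY TdeAkvKey
    FROM PROVIDER AzureKeyVault_EKM_Prov
    WITH PROVIDER_KEY_NAME = 'ContosoTdeKey',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 3) The TDE engine authenticates to the vault through a login that carries the
--    registered credential. A credential can be mapped to only one login, so use a
--    dedicated login created from the key rather than an administrator's login.
CREATE LOGIN TdeAkvLogin FROM ASYMMETRIC KEY TdeAkvKey;
GO
ALTER LOGIN TdeAkvLogin ADD CREDENTIAL AKV_Credential;
GO

-- 4) Protect the database encryption key (DEK) with the vault-held asymmetric key
--    and switch encryption on. Data and log files are encrypted at rest; the DEK
--    itself is only recoverable through the vault.
USE ContosoDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeAkvKey;
GO
ALTER DATABASE ContosoDb SET ENCRYPTION ON;
GO

-- 5) Confirm the result: encryption_state 3 = encrypted (2 = in progress), and
--    encryptor_type should report ASYMMETRIC KEY rather than a server certificate.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       encryptor_type,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID(N'ContosoDb');
```

Run steps 1 and 5 on their own after deployment as a drift check: a missing credential or a DEK protected by a local certificate instead of the vault key both indicate the configuration described on this page is no longer in effect.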

Compliance Documentation

CM-6.b: The organization implements the configuration settings.

A configuration-controlled group policy object (GPO) is maintained for all customer-controlled Windows machines within Azure. This group policy object is established, in addition to other configuration resources, to document and ensure consistent implementation of configuration settings.

CM-7.a: The organization configures the information system to provide only essential capabilities

The resources deployed by this Azure Blueprint Solution are configured to provide the least functionality for their intended purpose.

CM-7.b: The organization prohibits or restricts the use of the following functions, ports, protocols, and/or services

The resources deployed by this Azure Blueprint Solution are configured to restrict the use of functions, ports, protocols, and services to provide only the functionality intended. Azure Application Gateway and network security groups are deployed to restrict the use of ports and protocols to only those necessary.

SC-28 (1): The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information on information system components storing customer data deemed sensitive

Virtual machines deployed by this Azure Blueprint Solution implement disk encryption to protect the confidentiality and integrity of information at rest. Azure Disk Encryption for Windows is implemented using the BitLocker feature of Windows. SQL Database is configured to use Transparent Data Encryption (TDE), which performs real-time encryption and decryption of data and log files to protect information at rest. TDE provides assurance that stored data has not been subject to unauthorized access. Customers may elect to implement additional application-level controls to protect the integrity of stored information. Confidentiality and integrity of all storage blobs deployed by this Azure Blueprint Solution (including those used for backup and log storage) are protected through the use of Azure Storage Service Encryption (SSE). SSE safeguards data at rest within Azure storage accounts using 256-bit AES encryption.
