Description:

Azure SQL Database uses Transparent Data Encryption (TDE) to protect data at rest by automatically encrypting the database, its backups, and its transaction logs. Ensuring that Data Encryption is set to ‘On’ ensures that the database files, backups, and logs are protected against unauthorised offline access to the underlying storage.


Rationale:

Enabling Transparent Data Encryption (TDE) ensures that data stored in SQL databases is protected by encrypting it at rest. This prevents unauthorised offline access to database files and reduces the risk of data theft if the underlying storage is compromised. TDE also ensures that backups and logs are automatically encrypted, supporting regulatory compliance requirements such as PCI-DSS, HIPAA, and ISO.


Impact:

When TDE is enabled, the SQL database, backups, and logs are automatically encrypted with minimal performance impact. Encryption occurs transparently without requiring application changes and significantly reduces the risk of data theft.


Default Value:

  • Enabled (On) by default for Azure SQL Database

  • Can be manually disabled (not recommended)

  • Uses Microsoft-managed keys unless customer-managed keys (CMK) are configured

Pre-requisites:

  • At least one Azure SQL Database or Managed Instance

  • Appropriate permissions: Contributor, SQL Security Manager, or Owner

Test Plan:

  1. Log in to the Azure Portal: https://portal.azure.com

  2. In the search bar, type SQL databases. Select the SQL Database you want to evaluate.

  3. Under the Security section, click Data encryption.

  4. Under the Transparent Data Encryption option, check that the Data Encryption (TDE) status reads Encrypted.

  5. Verify that the Data Encryption field is set to On. If it is Off, follow the Implementation Steps.



Implementation Steps:

  1. Log in to the Azure Portal: https://portal.azure.com

  2. In the search bar, type SQL databases. Select the SQL Database you want to configure.

  3. Under the Security section, click Data encryption.

  4. Switch the Data Encryption toggle from Off to On.

  5. If using customer-managed keys (optional), configure Key Vault integration.

  6. Click Save to apply the configuration.

  7. Confirm that the encryption status changes to “Encrypted”.
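The Test Plan and Implementation Steps above can also be carried out from the Azure CLI across every database on a logical server. The script below is an added example, not Microsoft's or the benchmark's own tooling; it assumes the Azure CLI is installed and signed in with the permissions listed under Pre-requisites, that `az sql db tde show` reports the property `state` (older CLI releases named it `status`), and the resource group and server names are placeholders.

```shell
#!/bin/sh
# Added helper for the Test Plan and Implementation Steps above; not
# Microsoft's or the benchmark's own tooling. Assumes the Azure CLI is
# installed and signed in (az login) with the permissions listed under
# Pre-requisites, and a current CLI where `az sql db tde show` reports the
# property `state` (older releases named it `status`).
# Resource group / server names in the usage lines are placeholders.

# Map a TDE state string to an audit verdict. Only the exact value "Enabled"
# passes; an empty value (e.g. a failed CLI call) is a finding, never a pass.
evaluate_tde_state() {
  case "$1" in
    Enabled) echo "COMPLIANT" ;;
    *)       echo "NON-COMPLIANT" ;;
  esac
}

# Audit every user database on one logical server (Test Plan steps 2-5 via
# the CLI). 'master' is skipped because its TDE setting cannot be changed.
# With a third argument of 1, non-compliant databases are switched to
# Data Encryption = On (Implementation Step 4) instead of via the portal.
# Exit status is non-zero when at least one database is non-compliant.
audit_server_tde() {
  rg="$1"; server="$2"; remediate="${3:-0}"; findings=0
  # Names come back newline-separated; split on newlines only so that
  # database names containing spaces are not broken apart.
  dbs="$(az sql db list -g "$rg" -s "$server" \
           --query "[?name!='master'].name" -o tsv)"
  old_ifs="$IFS"; IFS='
'
  for db in $dbs; do
    IFS="$old_ifs"
    state="$(az sql db tde show -g "$rg" -s "$server" -d "$db" \
               --query state -o tsv 2>/dev/null || true)"
    verdict="$(evaluate_tde_state "$state")"
    printf '%-45s %-10s %s\n' "$server/$db" "${state:-UNKNOWN}" "$verdict"
    if [ "$verdict" = "NON-COMPLIANT" ]; then
      findings=$((findings + 1))
      if [ "$remediate" = "1" ]; then
        az sql db tde set -g "$rg" -s "$server" -d "$db" --status Enabled -o none
      fi
    fi
  done
  IFS="$old_ifs"
  [ "$findings" -eq 0 ]
}

# Usage (placeholder names):
#   audit_server_tde my-rg my-sqlserver      # audit only
#   audit_server_tde my-rg my-sqlserver 1    # audit and enable TDE where Off
```

Run the audit form first and review the report; the remediation form applies the same change the portal Save button makes, so use it only on databases where Off is confirmed to be unintended.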

Backout Plan:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. In the search bar, type SQL databases and open the resource list.

  3. Select the SQL database you want to modify.

  4. Under the Security section, go to Data encryption and open the Transparent Data Encryption settings.

  5. Switch the Data Encryption (TDE) toggle from On to Off.

  6. Click Save.

  7. Confirm that the encryption status changes to “Not Encrypted.”

Reference: