Description:

Storage Account encryption with Customer-Managed Keys (CMK) adds a layer of control on top of the encryption at rest that every Azure Storage Account already receives: instead of the platform-managed keys Azure uses by default, the account's data encryption key is protected by a key the organization holds in its own Azure Key Vault. This matters for activity logs, which can contain sensitive information about subscription-level operations, because the customer, not the platform, then controls the key that ultimately protects the data. Ensuring that the Storage Account containing the container with activity logs is encrypted with CMK helps meet compliance and security requirements, particularly for sensitive or regulated data.


Rationale:

If CMK is not enabled, activity logs are encrypted only with Microsoft-managed keys, leaving the customer with no control over key rotation, key lifecycle, auditing, or access governance. With CMK, the key lives in a customer-controlled Key Vault: rotation and revocation are customer decisions, every wrap and unwrap of the account's data encryption key can be audited through Key Vault diagnostic logs, and access to the key can be restricted to the Storage Account's managed identity. This enhances data protection and satisfies regulatory and organizational encryption requirements. If CMK is not configured, the Storage Account is considered NON_COMPLIANT.


Impact:

Enabling CMK encryption on the Storage Account for activity logs ensures that all stored activity logs, including sensitive data, are encrypted under a key governed by the organization's own key management policy. The added control brings operational responsibility: the Storage Account's access to the key becomes a hard dependency, so if the key is disabled, expired, or deleted, or the managed identity loses its key permissions, the account's data becomes unreadable until access is restored. Key rotation and monitoring of Key Vault access must be operated by the organization, and Key Vault key operations and diagnostic logging carry their own charges on top of the storage itself.


Default Value:

By default, Azure Storage Accounts use Microsoft-managed keys for encryption. Customer-Managed Keys must be manually configured. No automatic CMK setup is performed by Azure.


Pre-requisites:

  • Owner or Contributor role permissions to configure CMK encryption for Storage Accounts.

  • Key Vault with a key available to be used for encryption. The Key Vault must have soft delete and purge protection enabled; Azure will not accept it for Storage Account CMK otherwise.

  • A managed identity (system-assigned or user-assigned) for the Storage Account, granted key permissions on the Key Vault (the Key Vault Crypto Service Encryption User role, or an access policy with get, wrapKey and unwrapKey).

  • Activity Logs stored in a Storage Account container.


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Storage Accounts and select the Storage Account storing activity logs.

  3. Under Security + networking, open Encryption.

  4. Under Encryption type, verify that Customer-managed keys is selected and that the Key Vault and key shown are the ones approved for activity logs.

  5. If the encryption type is not set to Customer-managed keys, follow the implementation steps.


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Storage Accounts and select the Storage Account storing activity logs.

  3. Under Security + networking, open Encryption.

  4. Set Encryption type to Customer-managed keys.

  5. Select the subscription and Key Vault.

  6. Select the encryption key.

  7. Select the identity type (system-assigned or user-assigned) the Storage Account will use to access the key.

  8. Save the configuration.
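The Test Plan and Implementation Steps above are portal click-paths; the same check and the same change can be scripted. The following is an added example written for this page, not code from the original control text or from Microsoft: a Python function that applies the Test Plan to the JSON printed by `az storage account show`, plus the `az storage account update` commands that correspond to the implementation and backout steps. The account names, vault URI, key name and identity values are constructed samples, and the function names `evaluate_cmk`, `remediation_commands` and `backout_command` are this example's own.

```python
"""Scripted form of the Test Plan and Implementation Steps for the CMK control.

Input is the JSON printed by:
    az storage account show -n <account> -g <resource-group> -o json
The two samples below are constructed for this example, not captured from a
real subscription.
"""
import json

# Constructed sample: account still using Microsoft-managed keys (Azure default).
SAMPLE_MMK = json.dumps({
    "name": "stactivitylogs001",
    "identity": None,
    "encryption": {
        "keySource": "Microsoft.Storage",
        "keyVaultProperties": None,
        "services": {"blob": {"enabled": True}},
    },
})

# Constructed sample: account configured with a customer-managed key.
SAMPLE_CMK = json.dumps({
    "name": "stactivitylogs002",
    "identity": {
        "type": "SystemAssigned",
        "principalId": "00000000-0000-0000-0000-000000000000",
    },
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyName": "storage-cmk",
            "keyVaultUri": "https://kv-activity-logs.vault.azure.net/",
            "keyVersion": "",  # empty: Azure tracks new key versions automatically
        },
        "services": {"blob": {"enabled": True}},
    },
})


def evaluate_cmk(account_json: str) -> dict:
    """Apply the Test Plan to one account and return its compliance verdict.

    COMPLIANT requires all of:
      * encryption.keySource == "Microsoft.Keyvault" (portal: Customer-managed keys)
      * keyVaultProperties names a Key Vault URI and a key
      * a managed identity exists, since the account needs one to wrap/unwrap
        its data encryption key against Key Vault
    """
    acct = json.loads(account_json)
    enc = acct.get("encryption") or {}
    kv = enc.get("keyVaultProperties") or {}
    ident = acct.get("identity") or {}
    findings = []
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append(
            f"encryption.keySource is {enc.get('keySource')!r}, expected 'Microsoft.Keyvault'"
        )
    if not kv.get("keyVaultUri") or not kv.get("keyName"):
        findings.append("keyVaultProperties does not name a Key Vault URI and key")
    if not ident.get("type"):
        findings.append("no managed identity; the account cannot wrap/unwrap with a Key Vault key")
    return {
        "name": acct.get("name"),
        "status": "COMPLIANT" if not findings else "NON_COMPLIANT",
        "findings": findings,
    }


def remediation_commands(name, rg, vault_uri, key_name, key_version=""):
    """Azure CLI equivalent of the portal Implementation Steps.

    Returned as strings for review, not executed here. Before the second
    command will succeed, the identity created by the first must hold key
    permissions on the vault (for example the "Key Vault Crypto Service
    Encryption User" role) and the vault must have soft delete and purge
    protection enabled. An empty key_version selects automatic key version
    updates.
    """
    return [
        f"az storage account update -n {name} -g {rg} --assign-identity",
        f"az storage account update -n {name} -g {rg} "
        f"--encryption-key-source Microsoft.Keyvault "
        f"--encryption-key-vault {vault_uri} "
        f"--encryption-key-name {key_name} "
        f"--encryption-key-version '{key_version}'",
    ]


def backout_command(name, rg):
    """Azure CLI equivalent of the Backout Plan: return to Microsoft-managed keys."""
    return f"az storage account update -n {name} -g {rg} --encryption-key-source Microsoft.Storage"


if __name__ == "__main__":
    for sample in (SAMPLE_MMK, SAMPLE_CMK):
        verdict = evaluate_cmk(sample)
        print(verdict["name"], verdict["status"], *verdict["findings"], sep="\n  ")
        if verdict["status"] == "NON_COMPLIANT":
            for cmd in remediation_commands(verdict["name"], "rg-logging",
                                            "https://kv-activity-logs.vault.azure.net/",
                                            "storage-cmk"):
                print("   ", cmd)
```

The identity check is deliberately part of the verdict: an account whose `keySource` says `Microsoft.Keyvault` but has no identity cannot actually reach the key, so treating it as compliant would hide a misconfiguration. Feed the function the real `az storage account show` output for the activity-log account to reproduce the portal check without clicking through the Encryption blade.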


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for Storage Accounts and select the Storage Account storing activity logs.

  3. From the left menu, under Security + networking, select Encryption.

  4. Change the encryption type to Microsoft-managed keys.

  5. Save the configuration


References: