Level 2

Description:

Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO].


Priority: High


Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)


Services Associated with AWS:

  1. AWS Key Management Service (KMS)
  2. Amazon S3
  3. Amazon Macie
  4. Amazon GuardDuty
  5. AWS Security Hub
  6. Amazon Inspector


Services Associated with Azure:

  1. Azure SQL Database Transparent Data Encryption (TDE)
  2. Azure Information Protection
  3. Azure Key Vault
  4. Azure Storage Service Encryption
  5. Azure Disk Encryption


What needs to be answered?

Are there controls used to protect CUI while stored in company information systems? Does the system protect the confidentiality of information at rest?


Checks for AWS:

  • Confidentiality of CUI at Rest Check:
    Description: This check verifies that CUI is stored securely when at rest. It ensures that cryptographic mechanisms are used to protect the data, and that secure offline storage is used when adequate online protection cannot be achieved. It also verifies that continuous monitoring is in place to identify potential threats.
  • File Share Scanning Check:
    Description: This check verifies that file share scanning mechanisms are used to detect and protect CUI at rest. It ensures that scanning is done on a regular basis, and that any threats or unauthorized access attempts are identified and addressed.
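
As an added example that is not part of this page or of any AWS tooling, the following Python automates the "cryptographic mechanisms are used" part of the Confidentiality of CUI at Rest Check for Amazon S3: it evaluates constructed records shaped like boto3 `get_bucket_encryption` responses against an assumed policy (default SSE-KMS with an explicit, customer-managed KMS key) and emits the corrected default-encryption setting for a failing bucket. The bucket names, account id and key id are constructed placeholders, and the policy itself is an assumption of the example.

```python
from typing import Optional

# Assumed policy for this example (not stated on the page): buckets holding
# CUI must default to SSE-KMS with an explicit, non-AWS-managed KMS key.
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}

# Constructed sample records shaped like boto3 s3.get_bucket_encryption()
# responses. None stands for the ServerSideEncryptionConfigurationNotFoundError
# boto3 raises when a bucket returns no default-encryption configuration.
SAMPLE_BUCKETS = {
    "cui-archive": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"}}]}},
    "cui-ingest": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "legacy-share": None,
}

def evaluate_bucket(name: str, response: Optional[dict]) -> dict:
    """Return one finding: which bucket, whether it passes, and why."""
    if response is None:
        return {"bucket": name, "compliant": False,
                "reason": "no default encryption configuration"}
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algo = default.get("SSEAlgorithm")
    key_id = default.get("KMSMasterKeyID")
    if algo not in KMS_ALGORITHMS:
        return {"bucket": name, "compliant": False,
                "reason": f"default algorithm is {algo!r}, not SSE-KMS"}
    # alias/aws/* names the AWS-managed key for a service; the assumed policy
    # wants a key the organization controls, so require another alias or ARN.
    if not key_id or key_id.startswith("alias/aws/"):
        return {"bucket": name, "compliant": False,
                "reason": "SSE-KMS without an explicit customer-managed key"}
    return {"bucket": name, "compliant": True, "reason": f"SSE-KMS with {key_id}"}

def remediation_config(kms_key_arn: str) -> dict:
    """Corrected setting: ServerSideEncryptionConfiguration for put_bucket_encryption()."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}}]}

def run_check(buckets: dict) -> list:
    return [evaluate_bucket(n, r) for n, r in buckets.items()]

if __name__ == "__main__":
    for f in run_check(SAMPLE_BUCKETS):
        print("PASS" if f["compliant"] else "FAIL", f["bucket"], "-", f["reason"])
```

In a live account the same functions would be fed the output of `s3.list_buckets()` and `s3.get_bucket_encryption()`, catching the not-found error and passing `None` for that bucket.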


Checks for Azure:

  • Encryption at Rest Check:
    Description: This check verifies that encryption mechanisms are used to protect CUI when it is at rest. It ensures that appropriate encryption techniques, such as Azure Disk Encryption or Azure Storage Service Encryption, are implemented to safeguard the confidentiality of the data stored in Azure services.
  • Azure Key Vault Integration Check:
    Description: This check ensures that Azure Key Vault is integrated into the system to securely store and manage cryptographic keys and secrets used for protecting CUI at rest. It verifies that Azure Key Vault is properly configured and utilized for key management tasks, such as encrypting and decrypting sensitive data.
  • Secure Offline Storage Check:
    Description: This check validates that secure offline storage methods are employed when adequate online protection for CUI at rest cannot be achieved. It ensures that appropriate procedures are in place to securely store and manage offline backups or archives of sensitive data, mitigating the risk of unauthorized access or data loss.
  • Threat Detection and Monitoring Check:
    Description: This check confirms that continuous monitoring and threat detection mechanisms are in place to identify potential threats or malicious activities targeting CUI at rest. It ensures that Azure Security Center, Azure Sentinel, or other relevant security monitoring solutions are deployed and properly configured to detect and respond to security incidents.
  • Access Control and Authorization Check:
    Description: This check verifies that access control mechanisms are implemented to restrict unauthorized access to CUI at rest. It ensures that Azure role-based access control (RBAC) is properly configured, and appropriate access permissions are granted based on the principle of least privilege, reducing the risk of unauthorized disclosure or modification of sensitive data.
  • Azure Information Protection Integration Check:
    Description: This check ensures that Azure Information Protection (AIP) is integrated into the system to classify, label, and protect CUI at rest. It verifies that AIP policies are correctly defined and applied to sensitive data, enabling data owners to enforce data protection requirements, such as encryption and access restrictions.

More Details:

CUI at rest is stored on encrypted and access-controlled systems.