Profile Applicability:

  • Level 1

Description:

Transparent Data Encryption (TDE) should be enabled on all SQL databases. TDE helps protect against malicious activity by encrypting database files (data, log, and backups) while they are at rest. Enabling TDE ensures that data is encrypted without needing to make any application changes.

Rationale:

Enabling TDE helps prevent unauthorized access to the underlying data by encrypting all sensitive information stored in the database. It is an essential security measure for protecting data at rest and complying with various security regulations and standards, such as PCI-DSS and HIPAA.

Impact:

  • Pros:

    • Enhances data security by encrypting data at rest.

    • Helps in compliance with security standards and regulations.

    • Provides automatic encryption without requiring application changes.

  • Cons:

    • May incur additional performance overhead due to the encryption process.

    • Increased storage requirements for encryption keys and logs.

Default Value:

By default, Data encryption is set to Off for SQL databases.

Pre-requisites:

Ensure that you have appropriate key management in place (either Platform Managed Keys or Customer Managed Keys).

Remediation:

Test Plan:

Using Azure Portal:

  1. Log in to Azure Portal: https://portal.azure.com.

  2. Navigate to SQL databases.

  3. For each database instance, click on Transparent data encryption.

  4. Ensure that Data encryption is set to On.

Using Azure CLI:

  1. Run the following command to verify the status of Data Encryption:

     az sql db tde show --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --query status

    • The output should show Enabled.
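The single-database check above does not scale to a subscription with many servers. The script below is an added example (not part of this benchmark) that walks every SQL logical server and database with the Azure CLI and reports each one as PASS or FAIL; it assumes the Azure CLI is installed and `az login` has already been run, and it skips the `master` system database, on which TDE cannot be configured.

```shell
#!/usr/bin/env sh
# Added example: audit TDE status across all Azure SQL databases in the
# current subscription. Assumes `az` is installed and logged in.
set -eu

# Returns 0 when a status string printed by
# `az sql db tde show --query status -o tsv` is compliant, 1 otherwise.
tde_compliant() {
  case "$1" in
    Enabled) return 0 ;;
    *)       return 1 ;;
  esac
}

# Prints one finding line: "<server>/<db>: <status> PASS|FAIL".
format_finding() {
  if tde_compliant "$3"; then
    printf '%s/%s: %s PASS\n' "$1" "$2" "$3"
  else
    printf '%s/%s: %s FAIL\n' "$1" "$2" "$3"
  fi
}

# Counts FAIL lines on stdin (prints 0 when there are none).
count_failures() {
  grep -c ' FAIL$' || true
}

# Enumerates servers and databases and emits one finding per database.
audit_subscription() {
  az sql server list --query "[].[resourceGroup,name]" -o tsv |
  while read -r rg server; do
    az sql db list --resource-group "$rg" --server "$server" \
       --query "[].name" -o tsv |
    while read -r db; do
      # master is a system database; TDE cannot be enabled on it.
      [ "$db" = "master" ] && continue
      status=$(az sql db tde show --resource-group "$rg" --server "$server" \
                 --database "$db" --query status -o tsv)
      format_finding "$server" "$db" "$status"
    done
  done
}

main() {
  report=$(audit_subscription)
  printf '%s\n' "$report"
  failures=$(printf '%s\n' "$report" | count_failures)
  printf 'Databases without TDE: %s\n' "$failures"
  [ "$failures" -eq 0 ]
}

# Only run the audit when invoked explicitly: ./tde_audit.sh --run
case "${1:-}" in --run) main ;; esac
```

The script exits non-zero when any database reports a status other than Enabled, so it can be dropped into a scheduled compliance job.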

Implementation Plan:

Using Azure Portal:

  1. Go to SQL databases.

  2. For each database instance, click on Transparent data encryption.

  3. Set Data encryption to On and click Save.

Using Azure CLI:

  1. To enable Data Encryption for SQL DB, run:

     az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Enabled

Backout Plan:

Using Azure Portal:

  1. Navigate to SQL databases.

  2. For each database instance, go to Transparent data encryption.

  3. Set Data encryption to Off if necessary.

Using Azure CLI:

  1. To disable Data Encryption for SQL DB, run:

     az sql db tde set --resource-group <resourceGroup> --server <dbServerName> --database <dbName> --status Disabled

References: