Profile Applicability:
 Level 1

Description:
 Microsoft Managed Keys (MMK), also referred to as platform-managed keys, provide the default encryption at rest for data stored in Azure services. The keys are generated, stored, and rotated entirely by Microsoft, so customers obtain encryption at rest without operating a key management process. This control verifies that critical data is at least covered by this baseline encryption, protecting it against unauthorized access to the underlying storage media.

Rationale:
 Encrypting critical data at rest is a fundamental control for protecting data confidentiality on the underlying storage media (for example, against access to decommissioned disks or raw storage). Using Microsoft Managed Keys simplifies compliance and reduces operational overhead by delegating key generation, storage, and rotation to Microsoft's key management infrastructure, which follows documented security standards and lifecycle management.

Impact:

  • Pros:

    • Simplifies encryption key management with no customer involvement.

    • Ensures encryption keys are rotated, stored, and managed securely by Microsoft.

    • Meets many compliance requirements for encryption at rest.

  • Cons:

    • Less control compared to customer-managed keys (CMK) if specific key lifecycle policies are needed.

    • Does not allow customer-controlled key rotation, key revocation, or auditing of key usage; cutting off access to data by disabling a key is only possible with CMK.

Default Value:
 By default, Azure Storage encrypts all data at rest with Microsoft Managed Keys and this encryption cannot be disabled; newly created Azure SQL databases have Transparent Data Encryption (TDE) enabled with a service-managed key by default. Other Azure services likewise encrypt at rest with Microsoft Managed Keys unless a customer-managed key is configured.

Pre-requisites:

  • Access to Azure Portal or CLI with permissions to configure encryption settings.

  • Critical data stored in Azure services that support MMK encryption.

Remediation:

Test Plan:

Using Azure Portal:

  1. Go to https://portal.azure.com.

  2. Navigate to the resource (e.g., Storage Account, SQL Database).

  3. Locate the Encryption settings.

  4. Verify that the encryption type is Microsoft Managed Keys (for a SQL database, verify that Transparent Data Encryption is enabled and the server's encryption protector is service-managed).

  5. Confirm that every resource holding critical data is covered in this way.

Using Azure CLI:

1. For a storage account, check encryption settings:

az storage account show --name <storage-account-name> --resource-group <resource-group> --query encryption

2. Confirm that keySource is Microsoft.Storage, which indicates MMK; a value of Microsoft.Keyvault indicates customer-managed keys (CMK).

3. For SQL Database, check that TDE is enabled on the database and that the server's encryption protector is service-managed (the protector is a server-level setting, so it is not returned by az sql db show):

az sql db tde show --database <database-name> --server <server-name> --resource-group <resource-group>

az sql server tde-key show --server <server-name> --resource-group <resource-group> --query serverKeyType

4. Verify that the TDE state is Enabled and that serverKeyType is ServiceManaged (AzureKeyVault indicates CMK).
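To check the same properties across a whole subscription rather than one resource at a time, the following Python script (an added example, not part of the original benchmark text) evaluates the JSON that the Azure CLI commands above return. It ships with constructed sample data shaped like that output so it runs offline; run with --live and it collects real data through az storage account list, az sql server list, az sql server tde-key show and az sql db tde show. The resource names in the sample data are placeholders.

```python
"""Audit Azure storage accounts and SQL servers for Microsoft (service) managed
encryption keys, using the JSON shapes returned by the Azure CLI."""
import json
import subprocess
import sys

# Constructed sample data shaped like Azure CLI JSON output (not captured from a
# real subscription); all names are placeholders.
SAMPLE_STORAGE = [
    {"name": "stdata01",
     "encryption": {"keySource": "Microsoft.Storage",
                    "services": {"blob": {"enabled": True}, "file": {"enabled": True}}}},
    {"name": "stdata02",
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {"keyName": "cmk-01",
                                           "keyVaultUri": "https://kv-example.vault.azure.net/"}}},
]
SAMPLE_SQL = [
    {"name": "sqlsrv01", "resourceGroup": "rg-prod",
     # shape of `az sql server tde-key show`
     "protector": {"serverKeyType": "ServiceManaged", "serverKeyName": "ServiceManaged"},
     # shape of `az sql db tde show`, keyed by database name
     "databases": {"appdb": {"state": "Enabled"}, "legacydb": {"state": "Disabled"}}},
]


def az(*args):
    """Run an Azure CLI command and parse its JSON output (requires a signed-in `az`)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def storage_key_source(account):
    """Map one `az storage account show/list` entry to MMK, CMK or UNKNOWN."""
    source = (account.get("encryption") or {}).get("keySource")
    return {"Microsoft.Storage": "MMK", "Microsoft.Keyvault": "CMK"}.get(source, "UNKNOWN")


def sql_server_findings(server):
    """Return findings for one SQL server: protector type and per-database TDE state."""
    findings = []
    key_type = server["protector"].get("serverKeyType")
    if key_type not in ("ServiceManaged", "AzureKeyVault"):
        findings.append(f"{server['name']}: unexpected encryption protector type {key_type!r}")
    for db, tde in server["databases"].items():
        # current CLI versions report `state`; older output used `status`
        state = tde.get("state", tde.get("status"))
        if state != "Enabled":
            findings.append(f"{server['name']}/{db}: TDE state is {state!r}, expected Enabled")
    return findings


def audit(storage_accounts, sql_servers):
    """Build a report: key source per storage account and findings per SQL server."""
    report = {"storage": {a["name"]: storage_key_source(a) for a in storage_accounts},
              "sql_findings": []}
    for server in sql_servers:
        report["sql_findings"].extend(sql_server_findings(server))
    return report


def collect_live():
    """Pull the same data from the signed-in subscription with the Azure CLI."""
    storage = az("storage", "account", "list")
    servers = []
    for srv in az("sql", "server", "list"):
        rg, name = srv["resourceGroup"], srv["name"]
        protector = az("sql", "server", "tde-key", "show", "--resource-group", rg, "--server", name)
        dbs = {}
        for db in az("sql", "db", "list", "--resource-group", rg, "--server", name):
            if db["name"] == "master":
                continue  # system database, no user data and no TDE setting
            dbs[db["name"]] = az("sql", "db", "tde", "show", "--resource-group", rg,
                                 "--server", name, "--database", db["name"])
        servers.append({"name": name, "resourceGroup": rg, "protector": protector, "databases": dbs})
    return storage, servers


if __name__ == "__main__":
    if "--live" in sys.argv:
        storage, servers = collect_live()
    else:
        storage, servers = SAMPLE_STORAGE, SAMPLE_SQL
    print(json.dumps(audit(storage, servers), indent=2))
```

A storage account reported as CMK is not a failure of this control (the data is still encrypted) but should be reconciled against the key policy; a database reported with TDE Disabled is the finding to remediate.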

Implementation Plan:

Using Azure Portal:

  1. Navigate to the Azure resource requiring encryption.

  2. In Encryption settings, select Microsoft Managed Keys as the encryption method if not already selected.

  3. Save changes to enforce encryption using MMK.

Using Azure CLI:

1. For storage accounts, set the key source to Microsoft.Storage (the default; encryption itself cannot be disabled on Azure Storage):

az storage account update --name <storage-account-name> --resource-group <resource-group> --encryption-key-source Microsoft.Storage

2. For SQL Database, enable TDE on the database and set the server's encryption protector to the service-managed key (both are the defaults for new resources):

az sql db tde set --database <database-name> --server <server-name> --resource-group <resource-group> --status Enabled

az sql server tde-key set --server <server-name> --resource-group <resource-group> --server-key-type ServiceManaged


Backout Plan:

Using Azure Portal:

  1. Revert encryption settings to previous configuration if necessary, such as switching to customer-managed keys (CMK).

  2. Document the impact of changing encryption methods on existing data access and compliance.

Using Azure CLI:

1. To return a storage account to customer-managed keys, point it back at the previous Key Vault key; the account's managed identity must still hold get, wrapKey, and unwrapKey permissions on that key, otherwise the account loses access to its data:

az storage account update --name <storage-account-name> --resource-group <resource-group> --encryption-key-source Microsoft.Keyvault --encryption-key-vault <key-vault-uri> --encryption-key-name <key-name> --encryption-key-version <key-version>

2. For SQL Database, switch the server's encryption protector back to the previous customer-managed key if one was in use; this changes the protector for every database on the server:

az sql server tde-key set --server <server-name> --resource-group <resource-group> --server-key-type AzureKeyVault --kid <key-vault-key-id>

Disabling TDE on a database (az sql db tde set --status Disabled) removes encryption at rest entirely and should only be done where documented and approved.

References: