Profile Applicability:

  • Level 2

Description:
 Infrastructure encryption adds a second, independent layer of encryption for data at rest in Azure Storage accounts. Data is encrypted once at the service level (with Microsoft-managed or customer-managed keys) and again at the infrastructure level with platform-managed keys, so it is encrypted twice with separate keys. The setting can only be chosen when the storage account is created; it cannot be turned on for an existing account.

Rationale:
 With two independent encryption layers, a compromise of one layer, algorithm or key does not by itself expose stored data in cleartext. This adds defense in depth for high-value data and supports stringent regulatory requirements that call for multiple layers of encryption at rest.

Impact:

Pros:

  • Adds a second encryption layer to protect data at rest.

  • Enhances compliance and security posture.

Cons:

  • Adds a second encryption pass, which may incur a minor performance impact.

  • Available only in supported regions and storage account types, and only as a creation-time option: existing accounts cannot be switched on and must be recreated with their data migrated.

Default Value:
 Infrastructure encryption is disabled by default and requires explicit enabling.

Pre-requisites:

  • Azure subscription with permissions to modify storage account encryption settings.

  • Ability to create new storage accounts in supported regions and types, because infrastructure encryption is applied at creation time.

Remediation

Test Plan:

Using Azure Portal:

  1. Sign in to https://portal.azure.com.

  2. Navigate to Storage Accounts and select the target account.

  3. Under Security + networking, open Encryption and verify that Infrastructure encryption shows Enabled.

Using Azure CLI:

  1. Check infrastructure encryption status (the property on the storage account resource is encryption.requireInfrastructureEncryption):

    az storage account show --name <storage-account> --resource-group <resource-group> --query encryption.requireInfrastructureEncryption --output tsv

  2. Confirm the output is true. An output of false, or an empty/null value (the property is absent on accounts created before the setting existed), means infrastructure encryption is not enabled.

Implementation Plan

Using Azure Portal:

  1. Infrastructure encryption cannot be enabled on an existing storage account. Create a new storage account and, on the Encryption tab of the creation wizard, select Enable infrastructure encryption.

  2. Review and create the account, then migrate data from the old account (for example with AzCopy) and repoint clients to the new account.

  3. Under Security + networking > Encryption of the new account, verify that Infrastructure encryption shows Enabled.

Using Azure CLI:

  1. Create a new storage account with infrastructure encryption required (there is no update command for this setting on an existing account; adjust SKU and kind to match your workload):

    az storage account create --name <storage-account> --resource-group <resource-group> --location <region> --sku Standard_LRS --kind StorageV2 --require-infrastructure-encryption true

  2. Confirm the setting on the new account, then migrate data from the old account and retire it:

    az storage account show --name <storage-account> --resource-group <resource-group> --query encryption.requireInfrastructureEncryption --output tsv
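The audit in the Test Plan and the recreate-based remediation in the Implementation Plan can be driven from the JSON that `az storage account list --output json` returns. The script below is an added example, not part of this benchmark or of the Azure CLI: it classifies every account as compliant only when `encryption.requireInfrastructureEncryption` is literally `true` (a missing key, `null`, or the string `"true"` all count as disabled, so older accounts are never silently passed), and because the setting is fixed at creation time it emits an `az storage account create` command for a double-encrypted replacement of each non-compliant account. The sample JSON is constructed, the `ie` name suffix is an assumed naming convention, and the field names are the ones the CLI returns (name, resourceGroup, location, kind, sku.name, encryption.requireInfrastructureEncryption).

```python
"""Audit Azure Storage accounts for infrastructure (double) encryption from
`az storage account list --output json` and, because the setting is fixed at
creation time, emit the `az storage account create` command for a compliant
replacement of each non-compliant account."""
import json
import re
import shlex
import sys

# Constructed sample in the shape of `az storage account list --output json`
# (only the fields this script reads). These are not real accounts.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stprodlogs", "resourceGroup": "rg-prod", "location": "eastus",
     "kind": "StorageV2", "sku": {"name": "Standard_LRS"},
     "encryption": {"requireInfrastructureEncryption": True, "keySource": "Microsoft.Storage"}},
    {"name": "stlegacy01", "resourceGroup": "rg-legacy", "location": "westeurope",
     "kind": "StorageV2", "sku": {"name": "Standard_GRS"},
     "encryption": {"requireInfrastructureEncryption": False, "keySource": "Microsoft.Storage"}},
    # Property absent: accounts created before the setting existed report it this way.
    {"name": "stold2017", "resourceGroup": "rg-legacy", "location": "westeurope",
     "kind": "Storage", "sku": {"name": "Standard_LRS"},
     "encryption": {"keySource": "Microsoft.Storage"}},
    # A customer-managed key at the service layer does not imply infrastructure encryption.
    {"name": "stcmk", "resourceGroup": "rg-prod", "location": "eastus",
     "kind": "StorageV2", "sku": {"name": "Premium_LRS"},
     "encryption": {"requireInfrastructureEncryption": None, "keySource": "Microsoft.Keyvault"}},
])

ACCOUNT_NAME_RE = re.compile(r"[a-z0-9]{3,24}")  # Azure naming rule for storage accounts


def has_infrastructure_encryption(account: dict) -> bool:
    """Compliant only when requireInfrastructureEncryption is the JSON boolean true.
    Missing keys, null and strings are treated as disabled, never as 'unknown'."""
    encryption = account.get("encryption") or {}
    return encryption.get("requireInfrastructureEncryption") is True


def audit(az_json: str) -> dict:
    """Split accounts into sorted compliant / non-compliant name lists."""
    result = {"compliant": [], "noncompliant": []}
    for account in json.loads(az_json):
        key = "compliant" if has_infrastructure_encryption(account) else "noncompliant"
        result[key].append(account["name"])
    for key in result:
        result[key].sort()
    return result


def replacement_create_command(account: dict, suffix: str = "ie") -> str:
    """Build the az CLI command that creates a double-encrypted replacement with
    the same resource group, region, SKU and kind. The suffix is an assumed
    naming convention; the result must still satisfy Azure's name rule."""
    new_name = account["name"] + suffix
    if not ACCOUNT_NAME_RE.fullmatch(new_name):
        raise ValueError(f"{new_name!r} is not a valid storage account name "
                         "(3-24 lowercase letters and digits)")
    argv = [
        "az", "storage", "account", "create",
        "--name", new_name,
        "--resource-group", account["resourceGroup"],
        "--location", account["location"],
        "--sku", account["sku"]["name"],
        "--kind", account["kind"],
        "--require-infrastructure-encryption", "true",
    ]
    return shlex.join(argv)


def remediation_commands(az_json: str, suffix: str = "ie") -> list:
    """One create command per non-compliant account, in input order."""
    return [replacement_create_command(a, suffix)
            for a in json.loads(az_json) if not has_infrastructure_encryption(a)]


if __name__ == "__main__":
    # Usage: az storage account list -o json | python3 audit_infra_encryption.py
    # With no piped input the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AZ_OUTPUT
    report = audit(data)
    print(json.dumps(report, indent=2))
    for cmd in remediation_commands(data):
        print(cmd)
    sys.exit(1 if report["noncompliant"] else 0)
```

The generated commands only create the replacement accounts; data migration (for example with AzCopy), repointing clients and deleting the original accounts remain manual steps, which is why the script prints the commands rather than executing them. A non-zero exit status when any account is non-compliant lets the check fail a pipeline stage.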

Backout Plan

Using Azure Portal:

  1. Infrastructure encryption cannot be disabled on an existing storage account. To back out, create a replacement account without infrastructure encryption (leave Enable infrastructure encryption unselected in the creation wizard), migrate the data, and repoint clients.

  2. Assess the security implications of dropping the second encryption layer, then delete the account created during remediation.

Using Azure CLI:

  1. Create a replacement account without infrastructure encryption (the flag defaults to false), migrate the data, and repoint clients:

    az storage account create --name <storage-account> --resource-group <resource-group> --location <region> --sku Standard_LRS --kind StorageV2 --require-infrastructure-encryption false

  2. After the migration is verified, delete the account created during remediation:

    az storage account delete --name <storage-account> --resource-group <resource-group>

References: