last sync: 2024-Jul-17 18:20:29 UTC

[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
Id 0961003e-5a0a-4549-abde-af6a37f2724d
Version 2.1.0-deprecated
Details on versioning
Category Security Center
Microsoft Learn
Description This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation
Mode All
Type BuiltIn
Preview False
Deprecated True
References References to 2 related Policy definitions (taken from description)
Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. (3dc5edcd-002d-444c-b216-e123bbfa37c0)
Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. (ca88aadc-6e2b-416c-9de2-5a0f01d1693f)
Effect Default
Disabled
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Security/assessments/status.code Microsoft.Security assessments properties.status.code True False
Rule resource types IF (2)
Microsoft.ClassicCompute/virtualMachines
Microsoft.Compute/virtualMachines
Compliance
The following 7 compliance controls are associated with this Policy definition '[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources' (0961003e-5a0a-4549-abde-af6a37f2724d)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 4.8 Azure_Security_Benchmark_v1.0_4.8 Azure Security Benchmark 4.8 Data Protection Encrypt sensitive information at rest Customer Use encryption at rest on all Azure resources. Microsoft recommends allowing Azure to manage your encryption keys, however there is the option for you to manage your own keys in some instances. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal n/a link 7
Azure_Security_Benchmark_v2.0 DP-2 Azure_Security_Benchmark_v2.0_DP-2 Azure Security Benchmark DP-2 Data Protection Protect sensitive data Shared Protect sensitive data by restricting access using Azure Role Based Access Control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption in SQL and other databases). To ensure consistent access control, all types of access control should be aligned to your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems. For the underlying platform, which is managed by Microsoft, Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities. Azure Role Based Access Control (RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview Understand customer data protection in Azure: https://docs.microsoft.com/azure/security/fundamentals/protection-customer-data n/a link 6
Azure_Security_Benchmark_v2.0 DP-5 Azure_Security_Benchmark_v2.0_DP-5 Azure Security Benchmark DP-5 Data Protection Encrypt sensitive data at rest Shared To complement access controls, data at rest should be protected against ‘out of band’ attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure provides options to manage your own keys (customer managed keys) for certain Azure services. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services How to configure customer managed encryption keys: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal Encryption model and key management table: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-at-rest n/a link 13
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
NZ_ISM_v3.5 CR-3 NZ_ISM_v3.5_CR-3 NZISM Security Benchmark CR-3 Cryptography 17.1.53 Reducing storage and physical transfer requirements Customer n/a When encryption is applied to media or media residing within IT equipment it provides an additional layer of defence. Whilst such measures do not reduce or alter the classification of the information itself, physical storage, handling and transfer requirements may be reduced to those of a lesser classification for the media or equipment (but not the data itself). link 12
NZISM_Security_Benchmark_v1.1 CR-3 NZISM_Security_Benchmark_v1.1_CR-3 NZISM Security Benchmark CR-3 Cryptography 17.1.46 Reducing storage and physical transfer requirements Customer If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: full disk encryption; or partial disk encryption where the access control will only allow writing to the encrypted partition holding the classified information. When encryption is applied to media or media residing within IT equipment it provides an additional layer of defence. Whilst such measures do not reduce or alter the classification of the information itself, physical storage, handling and transfer requirements may be reduced to those of a lesser classification for the media or equipment (but not the data itself). link 11
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn
Deny or Audit resources without Encryption with a customer-managed key (CMK) Enforce-Encryption-CMK Encryption GA ALZ
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-06-03 17:39:43 change Minor, new suffix: deprecated (2.0.3 > 2.1.0-deprecated)
2021-10-22 15:42:38 change Patch (2.0.2 > 2.0.3)
2021-09-13 16:35:32 change Patch (2.0.1 > 2.0.2)
2021-07-15 16:24:53 change Patch (2.0.0 > 2.0.1)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC