last sync: 2024-May-24 18:03:04 UTC

Storage accounts should have infrastructure encryption

Azure BuiltIn Policy definition

Source Azure Portal
Display name Storage accounts should have infrastructure encryption
Id 4733ea7b-a883-42fe-8cac-97454c2a9e4a
Version 1.0.0
Details on versioning
Category Storage
Microsoft Learn
Description Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType DefaultPath Modifiable
Microsoft.Storage/storageAccounts/encryption.requireInfrastructureEncryption Microsoft.Storage storageAccounts properties.encryption.requireInfrastructureEncryption false
Rule resource types IF (1)
Microsoft.Storage/storageAccounts
Compliance
The following 17 compliance controls are associated with this Policy definition 'Storage accounts should have infrastructure encryption' (4733ea7b-a883-42fe-8cac-97454c2a9e4a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_2.0.0 3.2 CIS_Azure_2.0.0_3.2 CIS Microsoft Azure Foundations Benchmark recommendation 3.2 3 Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’ Shared The read and write speeds to the storage will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This performance impact should be considered in an analysis for justifying use of the feature in your environment. Customer-managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the storage. Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions. Azure Storage automatically encrypts all data in a storage account at the network level using 256-bit AES encryption, which is one of the strongest, FIPS 140-2-compliant block ciphers available. Customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level for double encryption. Double encryption of Azure Storage data protects against a scenario where one of the encryption algorithms or keys may be compromised. Similarly, data is encrypted even before network transmission and in all backups. In this scenario, the additional layer of encryption continues to protect your data. For the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault. link 1
CMMC_2.0_L2 SC.L2-3.13.16 CMMC_2.0_L2_SC.L2-3.13.16 404 not found n/a n/a 15
CMMC_L3 SC.3.177 CMMC_L3_SC.3.177 CMMC L3 SC.3.177 System and Communications Protection Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Shared Microsoft and the customer share responsibilities for implementing this requirement. Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography. link 26
CMMC_L3 SC.3.191 CMMC_L3_SC.3.191 CMMC L3 SC.3.191 System and Communications Protection Protect the confidentiality of CUI at rest. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. link 14
FedRAMP_High_R4 SC-28 FedRAMP_High_R4_SC-28 FedRAMP High SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 17
FedRAMP_High_R4 SC-28(1) FedRAMP_High_R4_SC-28(1) FedRAMP High SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 17
FedRAMP_Moderate_R4 SC-28 FedRAMP_Moderate_R4_SC-28 FedRAMP Moderate SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 17
FedRAMP_Moderate_R4 SC-28(1) FedRAMP_Moderate_R4_SC-28(1) FedRAMP Moderate SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 17
NIST_SP_800-171_R2_3 .13.16 NIST_SP_800-171_R2_3.13.16 NIST SP 800-171 R2 3.13.16 System and Communications Protection Protect the confidentiality of CUI at rest. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO]. link 19
NIST_SP_800-53_R4 SC-28 NIST_SP_800-53_R4_SC-28 NIST SP 800-53 Rev. 4 SC-28 System And Communications Protection Protection Of Information At Rest Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. References: NIST Special Publications 800-56, 800-57, 800-111. link 17
NIST_SP_800-53_R4 SC-28(1) NIST_SP_800-53_R4_SC-28(1) NIST SP 800-53 Rev. 4 SC-28 (1) System And Communications Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. link 17
NIST_SP_800-53_R5 SC-28 NIST_SP_800-53_R5_SC-28 NIST SP 800-53 Rev. 5 SC-28 System and Communications Protection Protection of Information at Rest Shared n/a Protect the [Selection (OneOrMore): confidentiality;integrity] of the following information at rest: [Assignment: organization-defined information at rest]. link 17
NIST_SP_800-53_R5 SC-28(1) NIST_SP_800-53_R5_SC-28(1) NIST SP 800-53 Rev. 5 SC-28 (1) System and Communications Protection Cryptographic Protection Shared n/a Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. link 17
RBI_ITF_NBFC_v2017 3.1.h RBI_ITF_NBFC_v2017_3.1.h RBI IT Framework 3.1.h Information and Cyber Security Public Key Infrastructure (PKI)-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. link 32
RMiT_v1.0 10.16 RMiT_v1.0_10.16 RMiT 10.16 Cryptography Cryptography - 10.16 Shared n/a A financial institution must establish a robust and resilient cryptography policy to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for: (a) the adoption of industry standards for encryption algorithms, message authentication, hash functions, digital signatures and random number generation; (b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction; (c) the periodic review, at least every three years, of existing cryptographic standards and algorithms in critical systems, external linked or transactional customer-facing applications to prevent exploitation of weakened algorithms or protocols; and (d) the development and testing of compromise-recovery plans in the event of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to minimise the impact of a compromise. link 10
U.05.2 - Cryptographic measures U.05.2 - Cryptographic measures 404 not found n/a n/a 52
U.11.3 - Encrypted U.11.3 - Encrypted 404 not found n/a n/a 52
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-10-07 16:00:33 add 4733ea7b-a883-42fe-8cac-97454c2a9e4a
JSON compare n/a
JSON
api-version=2021-06-01
EPAC