last sync: 2024-May-24 18:03:04 UTC

Microsoft Managed Control 1663 - Protection Of Information At Rest | Regulatory Compliance - System and Communications Protection

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1663 - Protection Of Information At Rest
Id 60171210-6dde-40af-a144-bf2670518bfa
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this System and Communications Protection control
Additional metadata Name/Id: ACF1663 / Microsoft Managed Control 1663
Category: System and Communications Protection
Title: Protection Of Information At Rest
Ownership: Customer, Microsoft
Description: The information system protects the Confidentiality and integrity of Customer data.
Requirements: Azure protects information at rest by applying information-handling procedures. Assets must be protected per the standards appropriate for their defined asset class. Microsoft’s Online Services has devised a set of minimum required protection standards for each asset class to appropriately protect the confidentiality, integrity, and availability of each asset. These minimum standards are defined in the Asset Classification and Asset Protection Standards. Data must be classified according to Corporate, External, and Legal Affairs (CELA) data classifications and associated retentions. Protections for information at rest are outlined in, but not limited to, the categories below: * Azure Storage automatically encrypts data when persisting it to the cloud. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled. Storage accounts are encrypted regardless of their performance tier (standard or premium) or deployment model (Azure Resource Manager or classic). All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. * For each block written to Azure Storage accounts, a compressed and uncompressed CRC is used to identify corrupted data. Azure Storage checks the CRC after every major handoff of the data. In addition, a background job periodically runs on the extant assets checking the data checksum to find corrupted data. * Azure uses the Transport Layer Security (TLS) protocol to protect data traveling between Azure services and customers. Azure datacenters negotiate a TLS connection with client systems that connect to Azure services. Perfect Forward Secrecy (PFS) protects connections between customers’ client systems and Azure services by unique keys. Connections also use RSA-based 2,048-bit encryption key lengths. * Logical access to protected data at rest is controlled at various levels through technical means. Access to servers where information is stored is restricted through Active Directory security group membership in the domain where the server resides. Security groups that restrict access to information at rest are configured to allow the least privilege possible to complete tasks. Any Microsoft personnel needing access must follow account creation, modification, and escalation procedures. * Technical means also create logical access control at the network layer. ACLs prevent servers that store data at rest from being exposed outside of the environment. * The Azure datacenter and Global Cloud Communication Center (GCC) teams maintain controls over physical access. The server rooms and caged environments have multiple access levels regulated with least privilege. * Privileged Access Workstation (PAWs) utilizes BitLocker to protect information at rest.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a