last sync: 2025-Feb-18 18:37:08 UTC

Storage account encryption scopes should use double encryption for data at rest

Azure BuiltIn Policy definition

Source Azure Portal
Display name Storage account encryption scopes should use double encryption for data at rest
Id bfecdea6-31c4-4045-ad42-71b9dc87247d
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Storage
Microsoft Learn
Description Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/encryptionScopes/requireInfrastructureEncryption Microsoft.Storage storageAccounts/encryptionScopes properties.requireInfrastructureEncryption True False
Rule resource types IF (1)
Microsoft.Storage/storageAccounts/encryptionScopes
Compliance
The following 40 compliance controls are associated with this Policy definition 'Storage account encryption scopes should use double encryption for data at rest' (bfecdea6-31c4-4045-ad42-71b9dc87247d)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CMMC_L2_v1.9.0 MP.L2_3.8.6 CMMC_L2_v1.9.0_MP.L2_3.8.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 MP.L2 3.8.6 Media Protection Portable Storage Encryption Shared Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. To ensure that sensitive information remains secure and confidential even if the media is lost, stolen, or intercepted during transit. 9
CSA_v4.0.12 CEK_03 CSA_v4.0.12_CEK_03 CSA Cloud Controls Matrix v4.0.12 CEK 03 Cryptography, Encryption & Key Management Data Encryption Shared n/a Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. 58
CSA_v4.0.12 DSP_07 CSA_v4.0.12_DSP_07 CSA Cloud Controls Matrix v4.0.12 DSP 07 Data Security and Privacy Lifecycle Management Data Protection by Design and Default Shared n/a Develop systems, products, and business practices based upon a principle of security by design and industry best practices. 16
CSA_v4.0.12 DSP_17 CSA_v4.0.12_DSP_17 CSA Cloud Controls Matrix v4.0.12 DSP 17 Data Security and Privacy Lifecycle Management Sensitive Data Protection Shared n/a Define and implement, processes, procedures and technical measures to protect sensitive data throughout it's lifecycle. 15
CSA_v4.0.12 UEM_08 CSA_v4.0.12_UEM_08 CSA Cloud Controls Matrix v4.0.12 UEM 08 Universal Endpoint Management Storage Encryption Shared n/a Protect information from unauthorized disclosure on managed endpoint devices with storage encryption. 14
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .1 FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 Policy and Implementation - Systems And Communications Protection Systems And Communications Protection Shared In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. 111
HITRUST_CSF_v11.3 06.c HITRUST_CSF_v11.3_06.c HITRUST CSF v11.3 06.c Compliance with Legal Requirements To prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. Shared 1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information. 2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. 26
ISO_IEC_27001_2022 7.5.3 ISO_IEC_27001_2022_7.5.3 ISO IEC 27001 2022 7.5.3 Support Control of documented information Shared 1. Documented information required by the information security management system and by this document shall be controlled to ensure: a. it is available and suitable for use, where and when it is needed; and b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). 2. For the control of documented information, the organization shall address the following activities, as applicable: a. distribution, access, retrieval and use; b. storage and preservation, including the preservation of legibility; c. control of changes (e.g. version control); and d. retention and disposition. Specifies that the documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled 32
ISO_IEC_27017_2015 18.1.3 ISO_IEC_27017_2015_18.1.3 ISO IEC 27017 2015 18.1.3 Compliance Protection of Records Shared For Cloud Service Customer: The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service customer. For Cloud Service Provider: The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records. 17
LGPD_2018_Art. 16 LGPD_2018_Art._16 Brazilian General Data Protection Law (LGPD) 2018 Art. 16 Termination of Data Processing Art. 16. Personal data shall be deleted following the termination of their processing Shared n/a Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes: (1) compliance with a legal or regulatory obligation by the controller; (2) study by a research entity, ensuring, whenever possible, the anonymization of the personal data; (3) transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or (4) exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized. 18
NIST_SP_800-171_R3_3 .13.8 NIST_SP_800-171_R3_3.13.8 NIST 800-171 R3 3.13.8 System and Communications Protection Control Transmission and Storage Confidentiality Shared This requirement applies to internal and external networks and any system components that can transmit CUI, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects CUI from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of CUI during transmission include TLS and IPsec. Information in storage (i.e. information at rest) refers to the state of CUI when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting CUI in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to 03.13.11. Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI during transmission and while in storage. 12
NIST_SP_800-53_R5.1.1 SC.28 NIST_SP_800-53_R5.1.1_SC.28 NIST SP 800-53 R5.1.1 SC.28 System and Communications Protection Protection of Information at Rest Shared Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage. 17
NIST_SP_800-53_R5.1.1 SC.28.1 NIST_SP_800-53_R5.1.1_SC.28.1 NIST SP 800-53 R5.1.1 SC.28.1 System and Communications Protection Protection of Information at Rest | Cryptographic Protection Shared Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. 9
NZISM_v3.7 14.3.10.C.01. NZISM_v3.7_14.3.10.C.01. NZISM v3.7 14.3.10.C.01. Web Applications 14.3.10.C.01. - To maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. Shared n/a Agencies SHOULD implement allow listing for all HTTP traffic being communicated through their gateways. 24
NZISM_v3.7 14.3.10.C.02. NZISM_v3.7_14.3.10.C.02. NZISM v3.7 14.3.10.C.02. Web Applications 14.3.10.C.02. - To maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. Shared n/a Agencies using an allow list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allow list addresses by domain name or IP address. 23
NZISM_v3.7 14.3.10.C.03. NZISM_v3.7_14.3.10.C.03. NZISM v3.7 14.3.10.C.03. Web Applications 14.3.10.C.03. - To maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. Shared n/a If agencies do not allow list websites they SHOULD deny list websites to prevent access to known malicious websites. 22
NZISM_v3.7 14.3.10.C.04. NZISM_v3.7_14.3.10.C.04. NZISM v3.7 14.3.10.C.04. Web Applications 14.3.10.C.04. - To maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. Shared n/a Agencies deny listing websites SHOULD update the deny list on a frequent basis to ensure that it remains effective. 22
NZISM_v3.7 17.8.10.C.01. NZISM_v3.7_17.8.10.C.01. NZISM v3.7 17.8.10.C.01. Internet Protocol Security (IPSec) 17.8.10.C.01. - To enhance overall cybersecurity posture. Shared n/a Agencies SHOULD use tunnel mode for IPSec connections. 22
NZISM_v3.7 17.8.10.C.02. NZISM_v3.7_17.8.10.C.02. NZISM v3.7 17.8.10.C.02. Internet Protocol Security (IPSec) 17.8.10.C.02. - To enhance overall cybersecurity posture. Shared n/a Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. 35
NZISM_v3.7 19.1.10.C.01. NZISM_v3.7_19.1.10.C.01. NZISM v3.7 19.1.10.C.01. Gateways 19.1.10.C.01. - To ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. Shared n/a When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. 50
NZISM_v3.7 19.1.11.C.01. NZISM_v3.7_19.1.11.C.01. NZISM v3.7 19.1.11.C.01. Gateways 19.1.11.C.01. - To ensure network protection through gateway mechanisms. Shared n/a Agencies MUST ensure that: 1. all agency networks are protected from networks in other security domains by one or more gateways; 2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and 3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. 49
NZISM_v3.7 19.1.11.C.02. NZISM_v3.7_19.1.11.C.02. NZISM v3.7 19.1.11.C.02. Gateways 19.1.11.C.02. - To maintain security and integrity across domains. Shared n/a For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. 48
NZISM_v3.7 19.1.12.C.01. NZISM_v3.7_19.1.12.C.01. NZISM v3.7 19.1.12.C.01. Gateways 19.1.12.C.01. - To minimize security risks and ensure effective control over network communications Shared n/a Agencies MUST ensure that gateways: 1. are the only communications paths into and out of internal networks; 2. by default, deny all connections into and out of the network; 3. allow only explicitly authorised connections; 4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network); 5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and 6. provide real-time alerts. 47
NZISM_v3.7 19.1.14.C.01. NZISM_v3.7_19.1.14.C.01. NZISM v3.7 19.1.14.C.01. Gateways 19.1.14.C.01. - To enhance security by segregating resources from the internal network. Shared n/a Agencies MUST use demilitarised zones to house systems and information directly accessed externally. 40
NZISM_v3.7 19.1.14.C.02. NZISM_v3.7_19.1.14.C.02. NZISM v3.7 19.1.14.C.02. Gateways 19.1.14.C.02. - To enhance security by segregating resources from the internal network. Shared n/a Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. 39
NZISM_v3.7 19.1.19.C.01. NZISM_v3.7_19.1.19.C.01. NZISM v3.7 19.1.19.C.01. Gateways 19.1.19.C.01. - To enhance security posture. Shared n/a Agencies MUST limit access to gateway administration functions. 34
NZISM_v3.7 19.2.16.C.02. NZISM_v3.7_19.2.16.C.02. NZISM v3.7 19.2.16.C.02. Cross Domain Solutions (CDS) 19.2.16.C.02. - To maintain security and prevent unauthorized access or disclosure of sensitive information. Shared n/a Agencies MUST NOT implement a gateway permitting data to flow directly from: 1. a TOP SECRET network to any network below SECRET; 2. a SECRET network to an UNCLASSIFIED network; or 3. a CONFIDENTIAL network to an UNCLASSIFIED network. 34
NZISM_v3.7 19.2.18.C.01. NZISM_v3.7_19.2.18.C.01. NZISM v3.7 19.2.18.C.01. Cross Domain Solutions (CDS) 19.2.18.C.01. - To enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. Shared n/a Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. 34
NZISM_v3.7 19.2.19.C.01. NZISM_v3.7_19.2.19.C.01. NZISM v3.7 19.2.19.C.01. Cross Domain Solutions (CDS) 19.2.19.C.01. - To ensure the integrity and reliability of information accessed or received. Shared n/a Trusted sources MUST be: 1. a strictly limited list derived from business requirements and the result of a security risk assessment; 2. where necessary an appropriate security clearance is held; and 3. approved by the Accreditation Authority. 34
PCI_DSS_v4.0.1 3.5.1.2 PCI_DSS_v4.0.1_3.5.1.2 PCI DSS v4.0.1 3.5.1.2 Protect Stored Account Data If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: on removable electronic media OR if used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1 Shared n/a Examine encryption processes to verify that, if disk-level or partition-level encryption is used to render PAN unreadable, it is implemented only as follows: on removable electronic media, OR if used for non-removable electronic media, examine encryption processes used to verify that PAN is also rendered unreadable via another method that meets Requirement 3.5.1. Examine configurations and/or vendor documentation and observe encryption processes to verify the system is configured according to vendor documentation the result is that the disk or the partition is rendered unreadable 9
RBI_ITF_NBFC_v2017 3.1.h RBI_ITF_NBFC_v2017_3.1.h RBI IT Framework 3.1.h Information and Cyber Security Public Key Infrastructure (PKI)-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. link 31
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 219
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 230
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 214
UK_NCSC_CAF_v3.2 C1.b UK_NCSC_CAF_v3.2_C1.b NCSC Cyber Assurance Framework (CAF) v3.2 C1.b Security Monitoring Securing Logs Shared 1. The integrity of logging data is protected, or any modification is detected and attributed. 2. The logging architecture has mechanisms, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the function itself, and the data within it. 3. Log data analysis and normalisation is only performed on copies of the data keeping the master copy unaltered. 4. Logging datasets are synchronised, using an accurate common time source, so that separate datasets can be correlated in different ways. 5. Access to logging data is limited to those with business need and no others. 6. All actions involving all logging data (e.g. copying, deleting or modification, or even viewing) can be traced back to a unique user. 7. Legitimate reasons for accessing logging data are given in use policies. Hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted. 11
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn unknown
Brazilian General Data Protection Law (LGPD) 2018 770977b7-fceb-4c16-9d09-b7484fb8eef2 Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
Enforce recommended guardrails for Storage Account Enforce-Guardrails-Storage Storage GA ALZ
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27001 2022 5e4ff661-23bf-42fa-8e3a-309a55091cc7 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
NCSC Cyber Assurance Framework (CAF) v3.2 6d220abf-cf6f-4b17-8f7e-0644c4cc84b4 Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-08-23 14:26:16 add bfecdea6-31c4-4045-ad42-71b9dc87247d
JSON compare n/a
JSON
api-version=2021-06-01
EPAC