
DP-200 Exam - Question 123


HOTSPOT

Your company uses Azure SQL Database and Azure Blob storage.

All data at rest must be encrypted by using the company's own key. The solution must minimize administrative effort and the impact to applications which use the database.

You need to configure security.

What should you implement? To answer, select the appropriate option in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Exam DP-200 Question 123
Correct Answer:
Exam DP-200 Question 123

Box 1: transparent data encryption

TDE with customer-managed keys in Azure Key Vault allows you to encrypt the Database Encryption Key (DEK) with a customer-managed asymmetric key called the TDE Protector. This is also generally referred to as Bring Your Own Key (BYOK) support for Transparent Data Encryption.

Note: Transparent data encryption encrypts the storage of an entire database by using a symmetric key called the database encryption key. This database encryption key is protected by the transparent data encryption protector.

Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Data Warehouse against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Box 2: Storage account keys

You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys, together with Azure Key Vault.

References:

https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
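The two boxes above describe a target state (TDE protector held in Key Vault, storage service encryption under a customer-managed key) rather than a command. The script below is an added example, not code from the exam page or from Microsoft: it evaluates the JSON that `az sql server tde-key show` and `az storage account show` print and reports whether each resource actually encrypts at rest with a customer-managed key. The field names (`serverKeyType`, `uri`, `encryption.keySource`, `encryption.keyVaultProperties`) follow the Azure CLI's camelCase output as the author of this example knows it, and the vault name, key names and key versions in the sample documents are constructed.

```python
"""Audit an Azure SQL server and a storage account for customer-managed-key encryption at rest.

Added example for the DP-200 question above; not code from the exam page or from Microsoft.
It evaluates the JSON printed by these Azure CLI commands (field names follow the CLI's
camelCase output shape; the sample documents at the bottom are constructed):

    az sql server tde-key show --resource-group RG --server SRV
    az storage account show    --resource-group RG --name ACCT
"""
import json
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Key Vault key identifier: https://<vault>.vault.azure.net/keys/<name>[/<version>]
KEY_ID_RE = re.compile(r"^https://([^./]+)\.vault\.azure\.net/keys/([^/]+)(?:/([^/]+))?$")


def parse_key_vault_key_id(kid: Optional[str]) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (vault, key name, version or None) for a Key Vault key id, else None."""
    if not kid:
        return None
    m = KEY_ID_RE.match(kid)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def assess_tde_protector(protector: Dict) -> List[str]:
    """Findings for the TDE protector; an empty list means BYOK (customer-managed) TDE is in place."""
    findings = []
    if protector.get("serverKeyType") != "AzureKeyVault":
        findings.append("TDE protector is service-managed (serverKeyType != AzureKeyVault)")
    # A BYOK protector points at a key in the customer's own vault, not at a null/opaque uri.
    if parse_key_vault_key_id(protector.get("uri")) is None:
        findings.append("TDE protector uri does not reference a Key Vault key")
    return findings


def assess_storage_encryption(account: Dict) -> List[str]:
    """Findings for storage service encryption; empty means a customer-managed Key Vault key is used."""
    findings = []
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("storage account uses Microsoft-managed keys (keySource != Microsoft.Keyvault)")
    props = enc.get("keyVaultProperties") or {}
    if not (props.get("keyVaultUri") and props.get("keyName")):
        findings.append("storage account has no Key Vault key configured (keyVaultProperties incomplete)")
    blob = (enc.get("services") or {}).get("blob") or {}
    if not blob.get("enabled", False):
        findings.append("blob service encryption is not reported as enabled")
    return findings


def audit(protector: Dict, account: Dict) -> Dict[str, List[str]]:
    """Combine both checks into one report keyed by scope."""
    return {"sql_tde": assess_tde_protector(protector), "storage": assess_storage_encryption(account)}


def run_az(args: List[str]) -> Dict:
    """Run an Azure CLI command and parse its JSON output (needs a logged-in `az`; not used offline)."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed samples shaped like the CLI output (vault, key names and versions are made up).
SAMPLE_TDE_BYOK = {
    "serverKeyType": "AzureKeyVault",
    "serverKeyName": "contoso-kv_tde-protector_0123456789abcdef0123456789abcdef",
    "uri": "https://contoso-kv.vault.azure.net/keys/tde-protector/0123456789abcdef0123456789abcdef",
}
SAMPLE_TDE_SERVICE_MANAGED = {"serverKeyType": "ServiceManaged", "serverKeyName": "ServiceManaged", "uri": None}
SAMPLE_STORAGE_CMK = {
    "name": "contosoblobs",
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyVaultProperties": {
            "keyName": "storage-cmk",
            "keyVaultUri": "https://contoso-kv.vault.azure.net/",
            "keyVersion": "fedcba9876543210fedcba9876543210",
        },
        "services": {"blob": {"enabled": True, "keyType": "Account"}},
    },
}
SAMPLE_STORAGE_DEFAULT = {
    "name": "contosoblobs",
    "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": None,
                   "services": {"blob": {"enabled": True}}},
}

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: audit.py RG SQL_SERVER STORAGE_ACCOUNT  (live query via az)
        rg, server, acct = sys.argv[1:]
        result = audit(run_az(["sql", "server", "tde-key", "show", "-g", rg, "-s", server]),
                       run_az(["storage", "account", "show", "-g", rg, "-n", acct]))
    else:  # offline: evaluate the constructed samples (BYOK TDE, default storage encryption)
        result = audit(SAMPLE_TDE_BYOK, SAMPLE_STORAGE_DEFAULT)
    for scope, findings in result.items():
        print(scope, "OK" if not findings else "; ".join(findings))
```

Run offline to see the report for the constructed samples, or pass a resource group, SQL server and storage account name to query a real subscription with a logged-in Azure CLI. The storage check deliberately reports "Microsoft-managed keys" as a finding, which is the distinction the discussion below turns on: encryption is always on, but the requirement here is that the key be the company's own.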

Discussion

12 comments
Abhitm
Jun 4, 2020

TDE for Azure SQL DB is obvious. However, the Azure storage is a bit tricky. All Azure Storage resources are encrypted by default. However, in this question they specify encrypting by using the company's own key. Hence the answer is customer-provided key, in this case "Storage account key". It's not worded properly.

avros
Nov 16, 2020

thanks for explaining

STH
Nov 23, 2019

Storage account keys are the keys to access the storage account content, not to encrypt it. Storage Service Encryption authorizes the use of the user's own key to encrypt data.

avestabrzn
Mar 10, 2020

The given answer is correct. "You can manage Azure Storage encryption at the level of the storage account with your own keys. " https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

shaktiprasad88
Jul 30, 2020

https://docs.microsoft.com/en-us/azure/storage/common/encryption-customer-managed-keys please check the flow diagram which specify Storage Account Encryption Key(AEK)

epgd
Dec 5, 2019

I think the correct answer is Azure Disk Encryption because any customer using Azure Infrastructure as a Service (IaaS) features can achieve encryption at rest for their IaaS VMs and disks through Azure Disk Encryption. Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest. Incorrect answers: TLS, because it is not encryption at rest. Storage account key, because it is for access instead of encryption. Default SSE, because you want to use your own key.

alexvno
Dec 12, 2019

Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

epgd
Feb 10, 2020

Should be: Storage Account key. Azure Disk Encryption is only for IaaS and Blob Storage is PaaS

Leonido
Apr 17, 2020

There is no such thing as "Storage Account keys". It's either storage Account Access key or Storage Account encryption key. The terminology used in the question created confusion.

chris_py_chris
Apr 23, 2020

Wording on question really bad, but answers seem to be correct: SQL Transparent Data Encryption = Encryption-at-rest https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview#information-protection-and-encryption SA Data in a new storage account is encrypted with Microsoft-managed keys https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption

avix
Aug 14, 2020

In storage account there is a link for encryption (left hand side). If you click there you can see you can't disable it and there are 2 options -1. MS managed key and 2. Customer managed key. So this is the correct option that is storage default encryption without any doubt

induna
Oct 16, 2020

I think @Abhitm is correct, look at the reason given in the answer section as well, it lines up

[Removed]
Dec 10, 2019

I think that from this source the right answer is the one set on the document: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption

SebK
Jul 21, 2020

To use the company's own key with Azure Storage Account, you should use Azure Key Vault which is not part of the options here.

knightkkd
Nov 18, 2020

I believe the question here asks only about the security and not the encryption, hence the answer should be storage account keys for storage, but not sure about TDE

hello_there_
Jun 25, 2021

I think the answer for the storage account should be default storage service encryption. It uses Azure managed keys by default, but can be configured to use customer provided keys. See https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=portal