Exam SC-100
Question 42

You are designing security for an Azure landing zone.

Your company identifies the following compliance and privacy requirements:

✑ Encrypt cardholder data by using encryption keys managed by the company.

✑ Encrypt insurance claim files by using encryption keys hosted on-premises.

Which two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: B, C

    To meet the requirements, cardholder data must be encrypted with keys the company manages, and insurance claim files with keys hosted on-premises. Storing the cardholder data in an Azure SQL database encrypted with keys held in Azure Key Vault Managed HSM satisfies the first requirement: the keys live in Azure, but the company, not Microsoft, controls their lifecycle (creation, rotation, revocation) and the permissions on them. Storing the insurance claim data in Azure Blob Storage encrypted with customer-provided keys satisfies the second: the client supplies an AES-256 key on each request, Azure Storage uses it only for that operation and does not persist it (it retains a SHA-256 hash of the key to validate later requests against the same blob), so the key itself can be generated and kept on-premises. Managed HSM, by contrast, is a cloud-hosted key store; a key imported into it from an on-premises HSM is no longer hosted on-premises, which is why the Managed HSM option for the claim files does not meet the second requirement.

Discussion
Alex_Burlachenko Options: BC

I would like to select B & C

maltns

B: Customer provided keys (CPK) enables you to store and manage keys in on-premises or key stores other than Azure Key Vault to meet corporate, contractual, and regulatory compliance requirements for data security. https://azure.microsoft.com/en-us/blog/customer-provided-keys-with-azure-storage-service-encryption/

PlumpyTumbler Options: CD

Hardware Security Module takes the cake. Want to use your own keys? Great. You can still do that with BYOK.

Learing

You can add a local key to a managed HSM, but with customer-provided (not customer-managed) keys they are not stored in any Azure service.

mynk29

Azure Key Vault Managed HSM is not hosted on-prem. B and C are the right answers.

zellck Options: BC

BC is the answer. https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql Azure SQL transparent data encryption (TDE) with customer-managed key (CMK) enables the Bring Your Own Key (BYOK) scenario for data protection at rest, and allows organizations to implement separation of duties in the management of keys and data. With customer-managed TDE, the customer is responsible for and in full control of key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing of operations on keys.

zellck

https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-customer-provided-keys Clients making requests against Azure Blob storage can provide an AES-256 encryption key to encrypt that blob on a write operation. Subsequent requests to read or write to the blob must include the same key. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys can be stored in Azure Key Vault or in another key store.
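The mechanics behind the customer-provided-keys point made in the answer explanation and in the comment above (the key is sent with the request, and the service keeps only its hash) are easier to see in code. The following is an added example, not code from the original page or from Microsoft: the three request headers and the `AES256` algorithm value are the ones documented for the Blob REST API, while `CpkStoreSim` is a constructed stand-in for the service-side checks and does not implement the actual AES encryption. The blob names and contents are made up for the demo.

```python
"""Customer-provided keys (CPK) for Azure Blob Storage: what the client sends on each
request and what the service retains. The service side is a constructed simulation."""
import base64
import hashlib
import hmac
import secrets


def generate_cpk() -> bytes:
    """Generate a fresh 256-bit AES key. In the scenario from the question this runs
    on-premises (or loads the key from an on-prem HSM); Azure never stores it."""
    return secrets.token_bytes(32)


def cpk_headers(key: bytes) -> dict:
    """Build the three request headers Azure Blob Storage requires for CPK.
    The key and its SHA-256 hash are both sent base64-encoded."""
    if len(key) != 32:
        raise ValueError("customer-provided key must be exactly 32 bytes (AES-256)")
    return {
        "x-ms-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-ms-encryption-key-sha256": base64.b64encode(
            hashlib.sha256(key).digest()).decode("ascii"),
        "x-ms-encryption-algorithm": "AES256",
    }


class CpkStoreSim:
    """Constructed stand-in for the service-side behaviour (assumption, not Azure code):
    on a write it validates the key the client sent, keeps only the key's hash with the
    blob, and on a read requires the same key again."""

    def __init__(self):
        self._blobs = {}  # blob name -> (sha256 digest of the key, blob bytes)

    @staticmethod
    def _check(headers: dict) -> bytes:
        # All three headers must be present, the algorithm must be AES256, the key must
        # be 32 bytes, and the supplied hash must match the hash of the supplied key.
        try:
            key = base64.b64decode(headers["x-ms-encryption-key"])
            sent_hash = base64.b64decode(headers["x-ms-encryption-key-sha256"])
            algo = headers["x-ms-encryption-algorithm"]
        except KeyError as e:
            raise PermissionError(f"missing CPK header {e}") from None
        if algo != "AES256" or len(key) != 32:
            raise PermissionError("unsupported encryption algorithm or key size")
        if not hmac.compare_digest(hashlib.sha256(key).digest(), sent_hash):
            raise PermissionError("x-ms-encryption-key-sha256 does not match the key")
        return sent_hash

    def put_blob(self, name: str, data: bytes, headers: dict) -> None:
        key_hash = self._check(headers)
        # Only the hash is persisted; the key itself is discarded with the request.
        self._blobs[name] = (key_hash, data)

    def get_blob(self, name: str, headers: dict) -> bytes:
        key_hash = self._check(headers)
        stored_hash, data = self._blobs[name]
        if not hmac.compare_digest(stored_hash, key_hash):
            # The real service likewise refuses to serve a blob with a different key.
            raise PermissionError("blob was encrypted with a different customer-provided key")
        return data

    def stored_key_material(self, name: str) -> bytes:
        """What the service retains for this blob: the key's hash, never the key."""
        return self._blobs[name][0]


def demo() -> bool:
    """Round-trip a constructed claim file with the right key, then show that a
    different key is rejected. Returns True when both behaviours hold."""
    store = CpkStoreSim()
    onprem_key = generate_cpk()  # generated and kept on-premises in the scenario
    store.put_blob("claims/2024-0001.pdf", b"insurance claim", cpk_headers(onprem_key))
    if store.get_blob("claims/2024-0001.pdf", cpk_headers(onprem_key)) != b"insurance claim":
        return False
    try:
        store.get_blob("claims/2024-0001.pdf", cpk_headers(generate_cpk()))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("CPK simulation OK" if demo() else "unexpected: wrong key accepted")
```

The practical consequence for the landing zone design is that losing the on-premises key makes the claim files unrecoverable, since nothing in Azure can reconstruct it from the stored hash; key backup and escrow stay entirely the company's responsibility.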

vitodobra Options: BC

Options B and C meet the compliance and privacy requirements. Option B (store the insurance claim data in Azure Blob Storage encrypted using customer-provided keys) meets the requirement to encrypt the insurance claim files using encryption keys hosted on the customer's premises. Option C (store the cardholder data in an Azure SQL database encrypted using keys stored in Azure Key Vault Managed HSM) meets the requirement to encrypt the cardholder data using encryption keys managed by the company. Azure Key Vault Managed HSM provides a secure, managed solution for key storage.

Gurulee

English please

uffman Options: BC

Keys need to be on-prem: customer-provided keys.

besoaus Options: BC

It is obvious for me B & C

emartiy Options: CD

C - almost everybody agrees with this option. So, what is the second one for the insurance claim files? You can use on-prem keys and store them in Azure Managed HSM. "Import keys from your on-premises HSMs: Generate HSM-protected keys in your on-premises HSM and import them securely into Managed HSM." https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview#import-keys-from-your-on-premises-hsms

ayadmawla Options: BC

It is not D and for those choosing D, please refer to the diagram for Azure Storage here: https://rajanieshkaushikk.com/2023/04/08/azure-blob-storage-vs-file-storage-vs-disk-storage-which-is-right-for-you/

Mendel Options: CD

Answer seems correct. C. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM: This option aligns with the requirement to encrypt cardholder data using encryption keys managed by the company. Azure Key Vault Managed HSM provides FIPS 140-2 Level 3 validated HSMs, ensuring a high level of security for key management. D. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM: This option allows you to generate HSM-protected keys on-premises and securely import them into Azure Key Vault Managed HSM. By encrypting insurance claim files with keys stored in Azure Key Vault Managed HSM, you can meet the requirement to encrypt insurance claim files using encryption keys hosted on-premises while leveraging the security and manageability of Azure Key Vault Managed HSM. https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/hsm-protected-keys-byok

Arockia Options: BC

Option A is incorrect because it uses Microsoft-managed keys, which does not meet the requirement for the company to manage the encryption keys for cardholder data. Option D is incorrect because it uses Azure Key Vault Managed HSM, which is a cloud-based service. The requirement for insurance claim files is to use keys hosted on-premises.

Murtuza Option: C

C is definitely one of the answers

sherifhamed Options: CD

To meet the compliance and privacy requirements for encrypting cardholder data and insurance claim files, you should consider the following configurations: ✅ C. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM. ✅ D. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM.

calotta1 Options: CD

C and D - surely you can't recommend storing cardholder data in a storage account.

Ramye

Of course you can, as long as you can keep it safe, secure and encrypted.

[Removed] Options: CD

CD https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview

apyasir Options: CD

Currently, Azure Blob storage does not support customer-provided keys (BYOK) for encryption. Azure Blob storage utilizes Azure Storage Service Encryption (SSE) to automatically encrypt data at rest. With SSE, Azure Blob storage encrypts your data using Microsoft-managed keys. These keys are managed and rotated by Azure behind the scenes, providing a high level of security for your data. You do not have direct control over the encryption keys used by Azure Blob storage. So the answer: C & D.

NinjaSchoolProfessor

Incorrect, Data in Blob storage and Azure Files is always protected by customer-managed keys when customer-managed keys are configured for the storage account. https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json#customer-managed-keys-for-queues-and-tables

Zapman Options: AB

AB is correct in my opinion. Explanation: A. Storing cardholder data in an Azure SQL database encrypted with Microsoft-managed keys ensures that the data is encrypted. Microsoft-managed keys are suitable for encrypting cardholder data as per compliance requirements. B. Storing insurance claim data in Azure Blob storage encrypted with customer-provided keys allows for encryption of the data. By using on-premises keys, the company maintains control over the encryption keys and meets the requirement for encrypting insurance claim files.

Tictactoe Options: AB

AB is right

Ramye

A definitely not - the requirement is not to use Microsoft keys.