AZ-300 Exam - Question 152

Question

DRAG DROP -You maintain an existing Azure SQL Database instance. Management of the database is performed by an external party. All cryptographic keys are stored in anAzure Key Vault. You must ensure that the external party cannot access the data in the SSN column of the Person Table. Will each protection method meet the requirement? To answer, drag the appropriate responses to the correct protection methods. Each response may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:.

Examice · Accepted Answer

References:https://docs. microsoft. com/en-us/azure/security/azure-database-security-overview.

Happiman · Answer

YES/NO/NO/NO

Daltonic75 · Answer

Same question but different answer in https://www.examtopics.com/exams/microsoft/az-203/view/15/

Prash85 · Answer

Always On Encryption is just a typo... So answer is   Y N N N

dwild · Answer

Always Encrypted != AlwaysON... so NO,NO,NO

tundervirld · Answer

Will be, NO,NO,NO,NO:

Explanation: 
Enable Always Encryption, yes is good practice and you can configure it for individual database columns containing your sensitive data, but the question says AlwaysOn Encryption, so NO.
Set Column encryption to disable, will leave to see information, we don't need it, so NO.
Fixed Roles is bad practice and can be able to escalate privileges, so NO.
Store Column encryption in system catalog view, doesn't make sense since it is the most efficient way to obtain, transform, and present customized forms of catalog metadata  information, so NO

References:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/catalog-views-transact-sql?view=sql-server-ver15
https://docs.microsoft.com/en-us/azure/security/azure-database-security-overview

Serena_C · Answer

I think this should be cell-level encryption, according to MS doc below, Cell-level encryption is available to encrypt specific columns or even cells of data with different encryption keys.

https://docs.microsoft.com/en-us/azure/security/fundamentals/database-security-overview

Syd · Answer

Correct.
Answer no,no,no,no
Alwayson is for high availability and disaster recovery solution introduced when SQL Server 2012 was launched and above versions.

qr · Answer

AlwaysOn dosent exist... Always Encrypted does... All No.

milind8451 · Answer

Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (for example, U.S. social security numbers), stored in Azure SQL Database or SQL Server databases. So it should be "Always Encrypted" instead of "Always on Encryption". I think its a ttypo.

AnshMan · Answer

Yes, No, Yes, NO

https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/overview-of-key-management-for-always-encrypted?view=sql-server-ver15

JeeBi · Answer

https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
"You can configure Always Encrypted for individual database columns containing your sensitive data." 
So this should indeed work.

azurehunter · Answer

IMO, answer is N, N, N, Y.
"AlwaysOn Encryption" not exists. MS purposely try to confuse us.
Last one is how Always Encryption to store the column encryption keys.

AZ-300 Exam - Question 152

Discussion