A company stores sensitive information about customers and employees in Azure SQL Database. You need to ensure that the sensitive data remains encrypted in transit and at rest. What should you recommend?
Suggested Answer: B
Incorrect Answers: A: Transparent Data Encryption (TDE) encrypts SQL Server, Azure SQL Database, and Azure Synapse Analytics data files, known as encrypting data at rest. TDE does not provide encryption across communication channels. Reference: https://cloudblogs.microsoft.com/sqlserver/2018/12/17/confidential-computing-using-always-encrypted-with-secure-enclaves-in-sql-server-2019-preview/
The answer is A. Azure SQL DB automatically enforces TLS (Transport Layer Security), which means that the data will be encrypted in transit. Enable TDE (Transparent Data Encryption) and Azure will encrypt your DB files, log files and backup files (= data at rest).
A is correct: Transparent Data Encryption (TDE) encrypts SQL Server, Azure SQL Database, and Azure Synapse Analytics (SQL Data Warehouse) data files. This encryption is known as encrypting data at rest.
By default, Azure Storage accounts permit clients to send and receive data with the oldest version of TLS, TLS 1.0, and above. To enforce stricter security measures, you can configure your storage account to require that clients send and receive data with a newer version of TLS.
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15
https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal
B is not correct, see pingvins11's comment:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver15
The appropriate answer is B, and the explanation is included in the link below.
Reference: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver15
The provided answer is correct: https://docs.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-azure-key-vault-configure?tabs=azure-powershell
Actually, after digging more,
B is the correct option. Ignore my previous post.
https://docs.microsoft.com/en-us/learn/modules/protect-data-transit-rest/5-explain-object-encryption-secure-enclaves
B is incorrect, because it is in preview.
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver15
Always Encrypted with secure enclaves is available in SQL Server 2019 (15.x) and in Azure SQL Database (in preview).
It can't be A as TDE doesn't support in-transit encryption. Best option is:
TDE as the first line of defense (and to meet common compliance requirements) to encrypt the entire database at rest.
TLS to protect all traffic to the database.
Always Encrypted to protect highly sensitive data from high-privilege users and malware in the database environment.
https://azure.microsoft.com/es-es/blog/transparent-data-encryption-or-always-encrypted/
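The three layers listed in the comment above (TDE at rest, TLS in transit, Always Encrypted in use) as one provisioning script. This is an added example, not code from the thread or from the Microsoft docs it links. It assumes the Az and SqlServer PowerShell modules are installed, that you have already run Connect-AzAccount, and that the resource group, server, database, table and Key Vault key URL below exist; all of those names are placeholders.

```powershell
# Added example: enforce and verify encryption at rest, in transit and in use
# for an Azure SQL Database. All resource names are assumptions.
$rg     = 'rg-data'            # assumed resource group
$server = 'sql-contoso-prod'   # assumed logical server (without .database.windows.net)
$db     = 'CustomerDb'         # assumed database containing dbo.Customers(SSN, Salary)

# 1. At rest: TDE. It is on by default for new databases, but older databases
#    may have it off, so set it explicitly and fail loudly if it is not Enabled.
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server `
    -DatabaseName $db -State Enabled
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $db
if ($tde.State -ne 'Enabled') { throw "TDE is not enabled on $db (state: $($tde.State))" }

# 2. In transit: Azure SQL always encrypts connections; what you control is the
#    minimum TLS version clients may negotiate. Raise the floor to 1.2.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -MinimalTlsVersion '1.2'
$srv = Get-AzSqlServer -ResourceGroupName $rg -ServerName $server
if ($srv.MinimalTlsVersion -ne '1.2') { throw "Minimal TLS version is $($srv.MinimalTlsVersion), expected 1.2" }

# 3. In use: Always Encrypted with the column master key (CMK) held in Azure Key Vault.
#    The key URL is a placeholder; the signed-in identity needs get, wrapKey, unwrapKey,
#    sign and verify permissions on that key.
$cmkUrl  = 'https://kv-contoso.vault.azure.net/keys/AlwaysEncryptedCMK/0123456789abcdef'  # assumption
$connStr = "Server=tcp:$server.database.windows.net,1433;Database=$db;" +
           "Authentication=Active Directory Interactive;Encrypt=True"
Add-SqlAzureAuthenticationContext -Interactive        # lets the SqlServer module reach Key Vault
$dbObj = Get-SqlDatabase -ConnectionString $connStr

# Register the CMK metadata in the database, then create a column encryption key (CEK)
# whose value is generated client-side and wrapped with the CMK (the plaintext CEK never
# reaches the server).
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyUrl $cmkUrl
New-SqlColumnMasterKey     -Name 'CMK_AKV'       -InputObject $dbObj -ColumnMasterKeySettings $cmkSettings
New-SqlColumnEncryptionKey -Name 'CEK_Customers' -InputObject $dbObj -ColumnMasterKeyName 'CMK_AKV'

# Encrypt the sensitive columns. Deterministic allows equality lookups on SSN;
# Randomized is stronger and is fine for Salary, which is never used in a WHERE clause here.
$ces = @(
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Customers.SSN'    -EncryptionType Deterministic -EncryptionKey 'CEK_Customers'
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Customers.Salary' -EncryptionType Randomized    -EncryptionKey 'CEK_Customers'
)
Set-SqlColumnEncryption -InputObject $dbObj -ColumnEncryptionSettings $ces -LogFileDirectory .

# 4. Verify from inside the database: encryption_state 3 means TDE-encrypted, and
#    encrypt_option TRUE means this very session is running over an encrypted connection.
$check = @"
SELECT DB_NAME(k.database_id) AS db_name, k.encryption_state, c.encrypt_option
FROM sys.dm_database_encryption_keys AS k
CROSS JOIN sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
"@
Invoke-Sqlcmd -ConnectionString $connStr -Query $check
```

Note that after step 3 a client only sees plaintext in SSN and Salary if its connection string carries `Column Encryption Setting=Enabled` and it has access to the Key Vault key; a DBA querying the columns directly sees ciphertext, which is the point of the third layer.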
For me, the only acceptable option, despite it only working on SQL 2019, is the current answer.
Transparent data encryption - APPLIES TO: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics
Always Encrypted with secure enclaves - Applies to: SQL Server 2019 (15.x) - Windows only
Correct answer is B. In SQL Server Management Studio you can use Always Encrypted, which encrypts the data at rest and in transit. TDE and TLS are enabled by default, so TDE alone cannot be the correct answer.
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver15:
"Always Encrypted with secure enclaves provides additional functionality to the Always Encrypted feature."
B is correct
How can A be the right answer?
Encrypting your data at rest, which means encrypting it while it is stored on whatever file storage you use.
Encrypting your data in transit, which means encrypting data while it travels through private or public network communication channels.
Encrypting your data in use, which means encrypting it while it is actively used in RAM or CPU caches and registers.
https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/security/transparent-data-encryption#:~:text=Encrypting%20your%20data%20in%20transit,or%20CPU%20caches%20and%20registers.
Important: TDE doesn't provide encryption across communication channels. For more information about how to encrypt data across communication channels, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).
Option A
Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed SQL Databases and must be manually enabled for older databases of Azure SQL Database, Azure SQL Managed Instance. TDE must be manually enabled for Azure Synapse Analytics
By looking at this in the documentation, answer B is correct:
Always Encrypted also protects the data, stored in encrypted columns, at rest and in transit. However, unless your goal is to protect sensitive data in use, TDE is the recommended choice for encryption at rest, and we recommend TLS for protecting data in-transit. In fact, it is often advised to use Always Encrypted, TDE, and TLS together:
It should be A.
Transparent Data Encryption
TDE is intended to add a layer of security to protect data at rest from offline access to raw files or backups, common scenarios include datacenter theft or unsecured disposal of hardware or media such as disk drives and backup tapes. For a deeper look into how TDE protects against the risk of malicious parties trying to recover stolen databases: data, log files, snapshots, copies or backups and to review TDE best practices see Feature Spotlight: Transparent Data Encryption (TDE).
Common sense, people! Transparent Data Encryption is a technology employed by Microsoft, IBM and Oracle to encrypt database files. TDE offers encryption at file level. TDE solves the problem of protecting data at rest, encrypting databases both on the hard drive and consequently on backup media. Answer is A.
TDE doesn't encrypt the data in transit, only at rest. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15
Hence, I feel 'A' may not be correct.
Always Encrypted with secure enclaves (docs page dated 10/31/2019):
THIS TOPIC APPLIES TO: Yes to SQL Server 2019 and later (Windows only); No to Azure SQL Database, No to Azure Synapse Analytics (SQL DW), No to Parallel Data Warehouse
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters and posting times as listed on the page:
- Wout (Highly Voted, 5 years, 3 months ago)
- Treadmill (4 years, 9 months ago)
- awitick (4 years, 3 months ago)
- cadio30 (3 years, 11 months ago)
- Psycho (3 years, 12 months ago)
- maynard13x8 (Highly Voted, 4 years, 1 month ago)
- rikku33 (Most Recent, 3 years, 7 months ago)
- rmn900 (4 years, 3 months ago)
- rmn900 (4 years, 3 months ago)
- Berlinersp (4 years, 4 months ago)
- Johnnien (4 years, 4 months ago)
- Ankit123 (4 years, 4 months ago)
- syu31svc (4 years, 5 months ago)
- Akva (4 years, 5 months ago)
- Shiven (4 years, 7 months ago)
- Bob123456 (4 years, 8 months ago)
- Arsa (4 years, 8 months ago)
- Arsa (4 years, 8 months ago)
- Arsa (4 years, 8 months ago)
- passnow (4 years, 9 months ago)
- rohitbinnani (4 years, 9 months ago)
- Sudipta3009 (4 years, 9 months ago)