
Exam DP-200 topic 3 question 8 discussion

Actual exam question from Microsoft's DP-200
Question #: 8
Topic #: 3

HOTSPOT -
Your company uses Azure SQL Database and Azure Blob storage.
All data at rest must be encrypted by using the company's own key. The solution must minimize administrative effort and the impact to applications which use the database.
You need to configure security.
What should you implement? To answer, select the appropriate option in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area: (answer-area image not reproduced on this page)

Suggested Answer:
Box 1: transparent data encryption
TDE with customer-managed keys in Azure Key Vault lets you encrypt the Database Encryption Key (DEK) with a customer-managed asymmetric key called the TDE Protector. This is also generally referred to as Bring Your Own Key (BYOK) support for Transparent Data Encryption.
Note: Transparent data encryption encrypts the storage of an entire database by using a symmetric key called the database encryption key. This database encryption key is protected by the transparent data encryption protector.
Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure SQL Data Warehouse (now Azure Synapse Analytics dedicated SQL pools) against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application, which is why it meets the requirement to minimize the impact on applications.

Box 2: Storage account keys
You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys, together with Azure Key Vault. Azure Storage encryption is always on and cannot be disabled; choosing a customer-managed key only changes which key wraps the account's encryption key. Note that the option label is ambiguous: "storage account keys" here refers to the storage account encryption key backed by a customer-managed key in Key Vault, not to the storage account access keys, which authorize access to the account and do not encrypt anything.
References:
https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
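The suggested answer describes both halves of the configuration in prose. The script below is an added example, not part of the exam page or of Microsoft's documentation, showing how the two settings are actually applied with the Azure CLI: a Key Vault key becomes the TDE protector for the logical SQL server, and the same key becomes the customer-managed key for the storage account. Resource names (rg-dp200, kv-contoso-byok, sql-contoso, stcontoso001 and so on) are placeholders, and the `az` commands are only executed when RUN_AZURE=1 is set, so the key-identifier helpers can be exercised offline.

```shell
#!/bin/sh
# Added example: customer-managed keys for Azure SQL TDE and Azure Storage
# encryption via the Azure CLI. Resource names are placeholders; override
# them in the environment. Azure calls run only with RUN_AZURE=1.
set -eu

RG=${RG:-rg-dp200}
LOCATION=${LOCATION:-westeurope}
VAULT=${VAULT:-kv-contoso-byok}
SQL_SERVER=${SQL_SERVER:-sql-contoso}
SQL_DB=${SQL_DB:-sqldb-contoso}
STORAGE=${STORAGE:-stcontoso001}

# --- Key identifier helpers (pure shell, usable offline) -------------------
# A Key Vault key identifier has the form
#   https://<vault>.vault.azure.net/keys/<key-name>/<32-hex-version>
# `az sql server key create` takes the whole identifier, whereas
# `az storage account update` wants vault URI, key name and version separately.
kid_vault_uri()   { printf '%s/\n' "${1%%/keys/*}"; }
kid_vault_name()  { _h=${1#https://}; printf '%s\n' "${_h%%.vault.azure.net*}"; }
kid_key_name()    { _r=${1#*/keys/}; printf '%s\n' "${_r%%/*}"; }
kid_key_version() { printf '%s\n' "${1##*/}"; }

# Returns 0 only for a versioned Key Vault key identifier. The TDE protector
# is set to a specific key version, so a versionless URI is rejected here.
kid_is_valid() {
  case "$1" in
    https://*.vault.azure.net/keys/*/*) ;;
    *) return 1 ;;
  esac
  _v=$(kid_key_version "$1")
  [ "${#_v}" -eq 32 ] || return 1
  case "$_v" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# --- Azure operations (need a logged-in `az`) ------------------------------
create_vault_and_key() {
  # Both SQL TDE BYOK and Storage CMK require soft delete and purge protection
  # on the vault, so the wrapping key (and with it the data) cannot be lost.
  az keyvault create --resource-group "$RG" --name "$VAULT" --location "$LOCATION" \
      --enable-purge-protection true -o none
  az keyvault key create --vault-name "$VAULT" --name tde-protector --kty RSA --size 2048 \
      --query key.kid -o tsv
}

grant_key_use() {  # $1 = principalId of a managed identity
  # Least privilege: the service only needs to use the key, not list or manage it.
  # On an RBAC-mode vault, assign "Key Vault Crypto Service Encryption User" instead.
  az keyvault set-policy --name "$VAULT" --object-id "$1" \
      --key-permissions get wrapKey unwrapKey -o none
}

configure_sql_tde_byok() {  # $1 = versioned key identifier
  kid_is_valid "$1" || { echo "TDE protector needs a versioned key id: $1" >&2; return 1; }
  principal=$(az sql server update --resource-group "$RG" --name "$SQL_SERVER" \
      --assign-identity --query identity.principalId -o tsv)
  grant_key_use "$principal"
  az sql server key create --resource-group "$RG" --server "$SQL_SERVER" --kid "$1" -o none
  az sql server tde-key set --resource-group "$RG" --server "$SQL_SERVER" \
      --server-key-type AzureKeyVault --kid "$1" -o none
}

configure_storage_cmk() {  # $1 = versioned key identifier
  principal=$(az storage account update --resource-group "$RG" --name "$STORAGE" \
      --assign-identity --query identity.principalId -o tsv)
  grant_key_use "$principal"
  az storage account update --resource-group "$RG" --name "$STORAGE" \
      --encryption-key-source Microsoft.Keyvault \
      --encryption-key-vault "$(kid_vault_uri "$1")" \
      --encryption-key-name "$(kid_key_name "$1")" \
      --encryption-key-version "$(kid_key_version "$1")" -o none
}

verify() {
  # Expected output, one value per line: AzureKeyVault / Enabled / Microsoft.Keyvault
  az sql server tde-key show --resource-group "$RG" --server "$SQL_SERVER" --query serverKeyType -o tsv
  az sql db tde show --resource-group "$RG" --server "$SQL_SERVER" --database "$SQL_DB" --query state -o tsv
  az storage account show --resource-group "$RG" --name "$STORAGE" --query encryption.keySource -o tsv
}

if [ "${RUN_AZURE:-0}" = "1" ]; then
  KID=$(create_vault_and_key)
  configure_sql_tde_byok "$KID"
  configure_storage_cmk "$KID"
  verify
fi
```

Neither step touches the application: the database keeps its symmetric DEK and the storage account keeps its account encryption key; only the key that wraps them moves into the customer's vault, so connection strings and SDK calls are unchanged. Omitting `--encryption-key-version` on the storage account enables automatic rotation to the latest key version; the SQL TDE protector is pinned to the version given.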

Comments

Abhitm
Highly Voted 5 years ago
TDE for Azure SQL DB is obvious. However, the Azure storage is a bit tricky. All Azure Storage resources are encrypted by default. However, in this question they specify encrypting by using the company's own key. Hence the answer is customer-provided key, in this case "Storage account key". It's not worded properly.
upvoted 26 times
avros
4 years, 6 months ago
thanks for explaining
upvoted 3 times
STH
Highly Voted 5 years, 6 months ago
Storage account keys are the keys used to access the storage account content, not to encrypt it. Storage Service Encryption allows you to use your own key to encrypt data.
upvoted 8 times
hello_there_
Most Recent 3 years, 11 months ago
I think the answer for the storage account should be default storage service encryption. It uses Azure managed keys by default, but can be configured to use customer provided keys. see https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?tabs=portal
upvoted 1 times
knightkkd
4 years, 6 months ago
I believe the question here asks only about the security and not the encryption, hence the answer should be storage account keys for storage, but not sure about TDE
upvoted 1 times
avix
4 years, 9 months ago
In the storage account there is a link for encryption (left-hand side). If you click there you can see you can't disable it and there are 2 options: 1. MS managed key and 2. Customer managed key. So the correct option is storage default encryption, without any doubt.
upvoted 2 times
induna
4 years, 7 months ago
I think @Abhitm is correct, look at the reason given in the answer section as well, it lines up
upvoted 2 times
shaktiprasad88
4 years, 10 months ago
https://docs.microsoft.com/en-us/azure/storage/common/encryption-customer-managed-keys - please check the flow diagram, which specifies the Storage Account Encryption Key (AEK).
upvoted 3 times
SebK
4 years, 10 months ago
To use the company's own key with Azure Storage Account, you should use Azure Key Vault which is not part of the options here.
upvoted 1 times
chris_py_chris
5 years, 1 month ago
Wording on question really bad, but answers seem to be correct. SQL: Transparent Data Encryption = encryption at rest, https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview#information-protection-and-encryption. SA: data in a new storage account is encrypted with Microsoft-managed keys, https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
upvoted 2 times
Leonido
5 years, 1 month ago
There is no such thing as "Storage Account keys". It's either storage Account Access key or Storage Account encryption key. The terminology used in the question created confusion.
upvoted 2 times
avestabrzn
5 years, 3 months ago
The given answer is correct. "You can manage Azure Storage encryption at the level of the storage account with your own keys. " https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
upvoted 4 times
[Removed]
5 years, 6 months ago
i think that from this source the right answer is the one set on the document: https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
upvoted 1 times
epgd
5 years, 6 months ago
I think the correct answer is Azure Disk Encryption, because any customer using Azure Infrastructure as a Service (IaaS) features can achieve encryption at rest for their IaaS VMs and disks through Azure Disk Encryption. Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest. Incorrect answers: TLS, because it is not encryption at rest. Storage account key, because it is for access instead of encryption. Default SSE, because you want to use your own key.
upvoted 2 times
alexvno
5 years, 5 months ago
Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.
upvoted 1 times
epgd
5 years, 3 months ago
Should be: Storage Account key. Azure Disk Encryption is only for IaaS and Blob Storage is PaaS
upvoted 7 times