7.5 Ensure Databases are Encrypted with TDE

Information

Ensure user databases are encrypted using Transparent Data Encryption (TDE). Backups of databases encrypted with TDE are automatically encrypted as well.

Rationale:

A malicious party who steals physical media like drives or backup tapes can restore or attach the database and browse its data.

One solution is to encrypt sensitive data in a database and use a certificate to protect the keys that encrypt the data. This solution prevents anyone without the keys from using the data.

Impact:

A database datafile, logfile or backup accidentally exposed to the Internet or transmitted outside a secure environment can be easily copied/restored to a SQL Server anywhere and its contents discovered.

Solution

Implement TDE encryption on each user database with sensitive data.
More info on how to do this is available here: https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15

See Also

https://workbench.cisecurity.org/benchmarks/7202

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: MS_SQLDB

Control ID: 525df41b1273d12c5df022336439b2735cc12a49b5d753a91406cce056bf29d1