7.3 Ensure Database Backups are Encrypted

Information

Databases may contain sensitive data. Backups of this data allow it to easily leave the enterprise and its secure environments. Encrypting the backup makes accessing the data much more difficult.

Solution

SQL Server backups must use 'Back up to a new media set', not 'Back up to the existing media set', for encryption to be available. The 'Encrypt backup' option can be used once a certificate or asymmetric key has been applied to the SQL Server for this purpose.

Alternatively, encrypt the database with TDE. This automatically encrypts the backups as well. See 7.5.

Impact:

A database backup accidentally exposed to the Internet or transmitted outside a secure environment can be easily restored to a SQL Server anywhere and its contents discovered.

See Also

https://workbench.cisecurity.org/benchmarks/14058

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28(1)

Plugin: MS_SQLDB

Control ID: 24aa68bcf49c7f8b1713ebae7888a925997a1b5065a5eb5b87dd60a4b706efcd