HOTSPOT
You manage Microsoft SQL Server databases for an organization.
You need to configure the databases to meet the following requirements:
– Encrypt the data at rest.
– Ensure that unencrypted values for specific columns can only be viewed by using a decryption key.
– Ensure that decrypted columns are only accessible by using database views.
Which actions should you perform? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Configure TDE…in the master database
To protect all databases, use a certificate in the master database.
Note: TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key. The database encryption key can also be protected using a certificate, which is protected by the database master key of the master database.
The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module.
Box 2: Configure DDM
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. DDM can be configured on the database to hide sensitive data in the result sets of queries over designated database fields, while the data in the database is not changed.
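The following T-SQL is an added example, not part of the original question or of the referenced Microsoft documentation. It builds the TDE key hierarchy described under Box 1 (master key, certificate in master, DEK) and applies the masking described under Box 2. The names SalesDb, TdeCert, dbo.Customers and ReportReader are hypothetical, the password is a placeholder, and the sample row is constructed.

```sql
-- Added example; SalesDb, TdeCert, dbo.Customers and ReportReader are hypothetical names.
CREATE DATABASE SalesDb;
GO
USE master;
GO
-- Database master key of master: protects the certificate's private key.
-- (Skip this statement if master already has a database master key.)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
GO
-- Certificate in master: protects the database encryption key (DEK).
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate (example)';
GO
USE SalesDb;
GO
-- DEK: the symmetric key that encrypts the database files.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- encryption_state: 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name, encryption_state
FROM sys.dm_database_encryption_keys;
GO
-- DDM: masks are column metadata; the stored values are not changed.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    Email      nvarchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    CardNumber varchar(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL
);
INSERT INTO dbo.Customers (Email, CardNumber)
VALUES (N'alice@example.com', '4111-1111-1111-1111');  -- constructed sample row
GO
-- A principal with SELECT but without UNMASK sees masked values.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;
GO
EXECUTE AS USER = 'ReportReader';
SELECT Email, CardNumber FROM dbo.Customers;
REVERT;
GO
```

Back up TdeCert together with its private key before relying on the encrypted database, because a TDE-encrypted database or backup cannot be restored on another server without them.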
References:
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/enable-tde-on-sql-server-using-ekm?view=sql-server-2017
https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking