Question 124 of 170 from exam DP-200: Implementing an Azure Data Solution

Question

HOTSPOT -

Your company uses Azure SQL Database and Azure Blob storage.

All data at rest must be encrypted by using the company's own key. The solution must minimize administrative effort and the impact to applications which use the database.

You need to configure security.

What should you implement? To answer, select the appropriate option in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Explanations

Box 1: transparent data encryption

TDE with customer-managed keys in Azure Key Vault allows you to encrypt the Database Encryption Key (DEK) with a customer-managed asymmetric key called the TDE Protector. This is also generally referred to as Bring Your Own Key (BYOK) support for Transparent Data Encryption.

Note: Transparent data encryption encrypts the storage of an entire database by using a symmetric key called the database encryption key. This database encryption key is protected by the transparent data encryption protector.

Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Data Warehouse against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Box 2: Storage account keys -

You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys, together with Azure Key Vault.

https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql

https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption