Benchmark: 3.13.16 Protect the confidentiality of CUI at rest
Description
Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.13.16 Protect the confidentiality of CUI at rest.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_13_16
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_13_16 --share
Controls
- App Service Environment should enable internal encryption
- Automation account variables should be encrypted
- Virtual machines and virtual machine scale sets should have encryption at host enabled
- Azure Stack Edge devices should use double-encryption
- Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
- Disk encryption should be enabled on Azure Data Explorer
- Double encryption should be enabled on Azure Data Explorer
- Infrastructure encryption should be enabled for Azure Database for MySQL servers
- Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Transparent Data Encryption on SQL databases should be enabled
- Storage accounts should have infrastructure encryption
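Each control above is backed by a SQL query that Powerpipe runs against Steampipe's Azure plugin tables and that classifies every resource as ok, alarm or skip. The query below is an added illustration of that pattern for the "Transparent Data Encryption on SQL databases should be enabled" control; it is not the mod's own query. It assumes the azure plugin exposes an azure_sql_database table with a jsonb column transparent_data_encryption carrying a "status" key, and an azure_subscription table joined on subscription_id.

```sql
-- Added example, not the steampipe-mod-azure-compliance query itself.
-- Assumed tables: azure_sql_database (transparent_data_encryption jsonb,
-- with a "status" key) and azure_subscription (display_name).
-- Output follows the Powerpipe control convention: resource, status, reason,
-- plus dimension columns for grouping in the dashboard.
select
  d.id as resource,
  case
    -- the master database has no configurable TDE setting, so it is skipped
    when d.name = 'master' then 'skip'
    when d.transparent_data_encryption ->> 'status' = 'Enabled' then 'ok'
    else 'alarm'
  end as status,
  case
    when d.name = 'master' then d.name || ' is a system database.'
    when d.transparent_data_encryption ->> 'status' = 'Enabled'
      then d.name || ' has transparent data encryption enabled.'
    else d.name || ' does not have transparent data encryption enabled.'
  end as reason,
  d.resource_group,
  sub.display_name as subscription
from
  azure_sql_database as d
  join azure_subscription as sub
    on sub.subscription_id = d.subscription_id;
```

Running the same query directly in the Steampipe shell (steampipe query) is a quick way to confirm what the benchmark will report before scheduling it; a database in alarm means CUI stored in it is not encrypted at rest by the platform, and the fix is to enable TDE on that database rather than to suppress the finding.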