CODEWITHSUNDEEP
azureencryptionazure-cosmosdbpci-compliancepci-dss
Mark W
Mark W

Reputation: 705

Azure data storage encryption?

I am creating an azure based application that must be pci compliant. There is an understanding within my company that to meet this compliancy any personally identifiable information (PII) should be stored encrypted.

I have a number of questions.

Is it true that pci compliance means encrypting PII within the data store?

What are my options with this on Azure?

I would like to be storing data in documentdb as this would be the closest match to the format of the data within the application. Most of the data is document based and json. Would this meet the PCI compliance standards?

Does it make a difference if the data store that contains payment and card info is different to that containing the PII?

Upvotes: 0

Views: 1496

Answers (3)

David Makogon
David Makogon

Reputation: 71066

Cosmos DB (formerly DocumentDB) now supports encryption-at-rest. It is enabled by default in every region. There is no impact to cost or performance SLA. Note: The local emulator does not support encryption-at-rest (though the emulator is only for dev/test purposes).

As far as compliance goes, you'll need to talk with a compliance/legal expert for that.

For more info on Cosmos DB encryption-at-rest, see this post.

Upvotes: 0

StefanGordon
StefanGordon

Reputation: 1589

While the sample uses local files, it should be noted that Azure Encryption Extensions supports streams as well for all upload/download methods - and nothing is ever written to disk (streams are encrypted/decrypted on the fly).

UploadFromStreamEncrypted(...) DownloadToStreamEncrypted(...)

https://github.com/stefangordon/azure-encryption-extensions/blob/master/AzureEncryptionExtensionsTests/FunctionalTests.cs#L107

Upvotes: 0

BrentDaCodeMonkey
BrentDaCodeMonkey

Reputation: 5513

The question regarding what PCI compliance requires is best directed to your organization's compliance officer. They are the one that will ultimately have to "sign off" on your solution so they control the specifications you're working towards.

As for what your options are, mfanto pointed out the SQL support for the new tiers. There's also Azure Storage which now has encryption extensions. Document DB doesn't have anything yet to my knowledge. And if you're running your own database, Windows VMs have had support for bitlocker drive encryption on data drives for some time now.

Upvotes: 1

Related Questions