Any delayed response to breaches undermines an organization's ability to limit the impact of a breach.

Configuration settings that undermine monitoring capabilities include but are not limited to:
- deliberately disabling monitoring
- not enabling optional monitoring
- not specifying relevant events to export to monitoring services
- exempting actions of specific users, groups, processes, and geographical regions from monitoring

Any delayed response to breaches undermines an organization's ability to limit the impact of a breach.

Configuration settings that undermine monitoring capabilities include but are not limited to:
- deliberately disabling monitoring
- not enabling optional monitoring
- not specifying relevant events to export to monitoring services
- exempting actions of specific users, groups, processes, and geographical regions from monitoring

Any delayed response to breaches undermines an organization's ability to limit the impact of a breach.

Configuration settings that undermine monitoring capabilities include but are not limited to:
- deliberately disabling monitoring
- not enabling optional monitoring
- not specifying relevant events to export to monitoring services
- exempting actions of specific users, groups, processes, and geographical regions from monitoring

Any delayed response to breaches undermines an organization's ability to limit the impact of a breach.

Configuration settings that undermine monitoring capabilities include but are not limited to:
- deliberately disabling monitoring
- not enabling optional monitoring
- not specifying relevant events to export to monitoring services
- exempting actions of specific users, groups, processes, and geographical regions from monitoring

Backups are critical to protect against data loss or corruption. Settings that undermine backups include but are not limited to:
- Disabling data backup
- Failure to back up data regularly
- Failure to check the integrity of backups regularly
- Insufficient backup retention period

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

A lack of audit records limits the ability to detect and respond to security-related incidents and prevents forensic investigation.

Configuration settings that undermine logging capabilities include but are not limited to:
- deliberately disabling audit logging
- exempting actions of specific users, groups, or processes from being logged
- inadequately protecting log integrity
- not enabling optional audit logging
- reducing the log sampling rate

Any delayed response to breaches undermines an organization's ability to limit the impact of a breach.

Configuration settings that undermine monitoring capabilities include but are not limited to:
- deliberately disabling monitoring
- not enabling optional monitoring
- not specifying relevant events to export to monitoring services
- exempting actions of specific users, groups, processes, and geographical regions from monitoring

Any delayed response to breaches undermines an organization's ability to limit the impact of a breach.

Configuration settings that undermine monitoring capabilities include but are not limited to:
- deliberately disabling monitoring
- not enabling optional monitoring
- not specifying relevant events to export to monitoring services
- exempting actions of specific users, groups, processes, and geographical regions from monitoring

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Physical media theft is a common means for attackers to gain access to confidential information.

By default, Azure SQL Databases use Transparent Data Encryption (TDE) to encrypt and protect data at rest.

Disabling TDE for an Azure SQL Database exposes the data to potential theft.

Example 1: The following example shows a Terraform configuration that defines an Azure SQL Database that does not encrypt its data.

resource "azurerm_mssql_database" "aztf008-tp-01" {
  name           = "aztf008-db-d"
  ... 
  sku_name       = "DW100c"
  ...
  transparent_data_encryption_enabled = false
}

Implementation flaws, misconfigurations, and compromised keys are some of the problems that prevent single-layer encryption from fully protecting highly-sensitive data. Organizations should adopt a defense-in-depth approach to protect highly-sensitive data and avoid having a single-point-of-failure in their security design.

Implementation flaws, misconfigurations, and compromised keys are some of the problems that prevent single-layer encryption from fully protecting highly-sensitive data. Organizations should adopt a defense-in-depth approach to protect highly-sensitive data and avoid having a single-point-of-failure in their security design.

Automatic software upgrades, which ensure timely patching of known software vulnerabilities, are disabled.

Cloud services typically use techniques like caching, replication, and load balancing to facilitate service scalability, deliver content faster, and mitigate the impacts of volumetric attacks. Disabled or misconfigured availability features degrade service performance, but immediate effects are often not apparent until extreme events such as traffic spikes and hardware failures occur.

Azure offers several encryption options, each with specific benefits and limitations. For example, Azure storage server-side encryption (SSE) performs encryption by default without using compute resources, however, it does not encrypt the temporary disk or caches. It also does not protect data flowing from a compute instance to storage. Azure Disk Encryption (ADE), encrypts both temporary disks and caches, as well as data flowing to storage, but at the expense of compute resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.

Data backups are often over-looked as assets that require just as much protection as the original data.

Unencrypted backups leave the backup data accessible to potential attackers.

By default, Azure SQL Virtual Machines Automated Backup settings do not enforce encryption of data backups.

Example 1: The following example shows a Terraform configuration that defines Azure SQL Virtual Machine Automated Backup settings that do not enforce encryption of backup data.

resource "azurerm_mssql_virtual_machine" "aztf009-tn-03" {
  virtual_machine_id               = data.azurerm_virtual_machine.example.id
  ...
  auto_backup {
    retention_period_in_days = 1
    storage_blob_endpoint = ""
    storage_account_access_key = azurerm_storage_account.example.primary_access_key
  }
}

Mismanaged encryption keys are the cause of various security breaches. Organizations should not rely on platform-managed keys for critical data resources.