Since TDE is not available in Standard edition, I'm going to use BitLocker to encrypt the whole drive. However, from what I've read, the OS drive of an Azure VM cannot be encrypted without some kind of third-party service (such as CloudLink).
However, this article on MSDN implies that data drives can be encrypted with BitLocker. So I guess my question is twofold:
1) Is it possible to encrypt a data drive with BitLocker on an Azure VM?
2) If I get an Azure VM with SQL Standard, do I need to encrypt the OS drive to stay HIPAA compliant?
Solution
First, some required reading:
HIPAA Business Associate Agreement (BAA)
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum.

Microsoft currently offers the BAA to customers who have a Volume Licensing / Enterprise Agreement (EA), or an Azure only EA enrollment in place with Microsoft for in-scope services. The Azure only EA does not depend on seat size, rather on an annual monetary commitment to Azure that allows a customer to obtain a discount over pay as you go pricing.

Prior to signing the BAA, customers should read the Azure HIPAA Implementation Guidance. This document was developed to assist customers who are interested in HIPAA and the HITECH Act to understand the relevant capabilities of Azure. The intended audience includes privacy officers, security officers, compliance officers, and others in customer organizations responsible for HIPAA and HITECH Act implementation and compliance. The document covers some of the best practices for building HIPAA compliant applications, and details Azure provisions for handling security breaches. While Azure includes features to help enable customer’s privacy and security compliance, customers are responsible for ensuring their particular use of Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations, and should consult with their own legal counsel.

Customers should contact their Microsoft account representative to sign the agreement.
You may need to sign a BAA with your cloud provider (Azure). Check with your compliance representative.
Here is the Azure HIPAA Implementation Guidance.
It is possible to use Azure in a way that complies with HIPAA and HITECH Act requirements.
Azure VMs, Azure SQL, and SQL Server instances running in Azure VMs are all in scope and supported.
BitLocker is sufficient for encrypting data at rest. It uses AES encryption to encrypt data at rest in a way that satisfies the requirements of HIPAA (and of other similar bodies).
Additionally, SQL Server does not store unencrypted sensitive data on the OS drive unless you configure SQL to do so... for example by configuring TempDB to run on the OS drive, etc.
Encryption of individual cells/fields/columns within a database is not strictly required, assuming you have already met the requirement to encrypt data at rest by other means, e.g. TDE or BitLocker.
How you choose to manage the BitLocker encryption key may come up, since you cannot use a TPM chip or a removable USB drive when you have no access to the physical machine. (Consider having a sysadmin manually enter a password to unlock the data drive each time the server reboots.) That is the main appeal of services like CloudLink: they manage the sacred encryption keys for you.
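The answer's recommendations (BitLocker on the data drive, a password protector because no TPM is available, and keeping every SQL Server file off the unencrypted OS drive) as a concrete PowerShell procedure. This is an added example, not code from the original question or answer. It assumes the SQL data/log disk is mounted as F:, a default SQL Server instance on the same VM, the BitLocker feature installed on Windows Server, and the SqlServer module for Invoke-Sqlcmd; run it from an elevated PowerShell session on the VM.

```powershell
# Added example (not from the original post). Assumptions: data disk is F:,
# default SQL Server instance on this VM, BitLocker feature and SqlServer
# module installed. Run elevated on the VM.

$DataDrive = 'F:'

# 1) Encrypt the data volume with a password protector. An Azure VM exposes no
#    TPM and no removable USB key, so the password is what unlocks F: after a reboot.
$pw = Read-Host -AsSecureString -Prompt "BitLocker password for $DataDrive"
Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw

# 2) Add a recovery password as a second protector and store it OFF the VM
#    (password manager / escrow); losing both protectors means losing the data.
$vol = Add-BitLockerKeyProtector -MountPoint $DataDrive -RecoveryPasswordProtector
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 3) Verify the volume is fully encrypted with AES and that protection is on.
#    Encryption runs in the background, so re-run this until it reports FullyEncrypted.
$vol = Get-BitLockerVolume -MountPoint $DataDrive
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus
if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "$DataDrive is not fully protected yet."
}

# NOTE: Enable-BitLockerAutoUnlock is not an option here, because auto-unlock
# requires the OS volume itself to be BitLocker-protected, which the question
# says is not available on this VM. After each reboot someone must run:
#   Unlock-BitLocker -MountPoint F: -Password (Read-Host -AsSecureString)
# and then restart the SQL Server service (or bring the databases back online).

# 4) The answer's caveat about TempDB on the OS drive, turned into a check:
#    every database file (data, log, tempdb) must sit on a BitLocker-protected volume.
$protected = Get-BitLockerVolume |
    Where-Object ProtectionStatus -eq 'On' |
    ForEach-Object { $_.MountPoint.TrimEnd('\') }

$files = Invoke-Sqlcmd -ServerInstance 'localhost' -Query @"
SELECT DB_NAME(database_id) AS db, physical_name
FROM sys.master_files
"@

foreach ($f in $files) {
    $root = Split-Path -Qualifier $f.physical_name      # e.g. 'C:' or 'F:'
    if ($protected -notcontains $root) {
        Write-Warning "$($f.db): $($f.physical_name) is on $root, which is NOT BitLocker-protected"
    }
}
```

Step 4 is the part worth keeping as a recurring check: a later DBA can quietly add a filegroup or move tempdb to C: and silently break the "no unencrypted PHI on the OS drive" assumption the answer relies on.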