Disk encryption should be applied on virtual machines

Description:

Ensure that disk encryption monitoring is enabled within your Microsoft Azure cloud account so that the Azure Security Center service can detect whether your virtual machines (Windows and Linux) have disk encryption enabled.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure.

When working with production data it is highly recommended to implement encryption in order to protect it from unauthorized access and fulfill compliance requirements for data-at-rest encryption in your organization. Azure Security Center disk encryption monitoring identifies non-compliant virtual machines (VMs) and recommends enabling disk encryption for these VMs in order to enhance data protection.



Remediation:

  1. Sign in to the Azure Management Console.

  2. Navigate to the Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

  3. In the navigation panel, choose Security policy to access the Policy Management portal.

  4. On the Policy Management page, click the name of the subscription that you want to examine to access its configuration settings.

  5. On the Security Policy page, in the Compute and Apps category, check the status of the "Disk encryption should be applied on virtual machines" setting. If the setting is set to Disabled, disk encryption monitoring is not enabled for the Microsoft Azure virtual machines (VMs) provisioned in the current subscription.

  6. Repeat steps 4 and 5 for each Microsoft Azure subscription available in your account.
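
The check in steps 4 to 6 can also be run over exported policy assignments instead of clicking through each subscription. The following is an added example, not part of the original rule page: it assumes JSON shaped like the output of `az policy assignment list` and assumes the effect parameter is named `diskEncryptionMonitoringEffect`; the subscription names, IDs and assignments are constructed.

```python
import json

# Assumed name of the initiative parameter behind the portal setting
# "Disk encryption should be applied on virtual machines"; verify it in your tenant.
EFFECT_PARAM = "diskEncryptionMonitoringEffect"

# Constructed sample: per-subscription policy assignments, shaped like the
# JSON printed by `az policy assignment list`. All IDs are placeholders.
SAMPLE = json.loads("""
{
  "sub-prod": [{"displayName": "ASC Default",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/EXAMPLE",
    "parameters": {"diskEncryptionMonitoringEffect": {"value": "Disabled"}}}],
  "sub-dev": [{"displayName": "ASC Default",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/EXAMPLE",
    "parameters": {"diskEncryptionMonitoringEffect": {"value": "AuditIfNotExists"}}}],
  "sub-test": [{"displayName": "ASC Default",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/EXAMPLE",
    "parameters": null}],
  "sub-new": []
}
""")


def monitoring_status(assignments):
    """Classify one subscription's disk encryption monitoring setting."""
    initiatives = [a for a in assignments
                   if "/policysetdefinitions/" in (a.get("policyDefinitionId") or "").lower()]
    if not initiatives:
        return "NOT_ASSIGNED"      # no policy initiative assigned to this subscription
    effects = []
    for a in initiatives:
        param = (a.get("parameters") or {}).get(EFFECT_PARAM)
        if param is not None:
            effects.append(str(param.get("value", "")).lower())
    if not effects:
        return "DEFAULT"           # not overridden: the definition's default applies
    # Monitoring is active if any assignment keeps a non-disabled effect.
    return "DISABLED" if all(e == "disabled" for e in effects) else "ENABLED"


def audit(subscriptions):
    """Steps 4-6 of the procedure: check the setting for every subscription."""
    return {sub: monitoring_status(items) for sub, items in subscriptions.items()}


if __name__ == "__main__":
    for sub, status in audit(SAMPLE).items():
        print(f"{sub}: {status}")
```

Subscriptions reported as DISABLED or NOT_ASSIGNED are the ones where Security Center will not flag unencrypted VM disks; DEFAULT means the effect must be read from the initiative definition itself.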



Documentation/Reference:

Related content

Virtual Machines Should Encrypt Temp Disks, Caches, and Data Flows Between Compute and Storage Resources
Unattached disks should be encrypted
Storage Accounts Should Use Customer-Managed Key (CMK) for Encryption
[Enable if Required] Azure Machine Learning Workspaces Should Be Encrypted With a Customer-Managed Key (CMK)
Cognitive Services Accounts Should Enable Data Encryption
Azure Backup Should be Enabled for Virtual Machines