System Administration

Monitor Columns for Encryption

The Stewardship Tier is delivered with a set of encrypted columns, such as passwords and connection strings. This feature allows Security and Data Source Administrators to monitor columns where encryption is either required or suggested.

To monitor encrypted columns, it is recommended that users are categorized into two distinct and separate roles:

  • Security Administrators - Users who are members of the Security, Power User or Administrator System Administration WebApp groups. These users receive email notifications when a column is recommended for encryption and can change or remove the encryption requirement for a column. However, these users cannot disable encryption for a column.
  • Data Source Administrators - Users who are members of the Data Source, Power User or Administrator System Administration WebApp groups. These users receive email notifications when a column is recommended for encryption and can disable encryption for a column. However, these users cannot lift the encryption requirement for a column.

When users monitor encrypted columns, they can view a list of expected columns that should be encrypted. In the event that a user disables encryption for a column, an email notification is sent to track the status.

To monitor encrypted columns, select Admin > Security > Security Management > Column Encryption in the Navigation pane.

On a new Stewardship Tier installation, the columns listed on the Security Column Encryption page are encrypted. On a Stewardship Tier upgrade, if the encrypted columns do not exist, the columns are added to the Security Column Encryption page and remain in their current encryption state: if the column was already encrypted, it remains encrypted, and if it was not encrypted, it remains unencrypted. A daily email is sent to Security and Data Source Administrators, notifying them that specific columns are recommended to be encrypted.

Security Administrators must either:

  1. Decide that the column should be encrypted and advise the user responsible for maintaining it to encrypt it, or choose to enable the Encryption Required check box. Refer to Column Encryption for more information on encrypting a column.

    NOTE: If a column requires encryption, but is not encrypted, an email is sent daily to Security and Data Source Administrators. This email states that the column should have encryption enabled, but it is not currently encrypted. Data Source Administrators can encrypt the column.

  2. Decide that encryption is not required for the column by disabling the Encryption Required check box. Refer to Remove Encryption Requirement for more information.

    NOTE: If Security Administrators decide not to encrypt a field, encryption can be disabled, but only by Data Source Administrators.

Remove Encryption Requirement

Security Administrators for a role to which they are assigned are able to remove the encryption requirement for a column.

NOTE: Data Source Administrators are NOT able to remove the encryption requirement for a column, nor can they delete system-provided encryption columns. These users can ONLY delete non-system-provided Column Encryption if the Encryption Required check box is disabled.

To indicate a suggested column does not require encryption:

  1. Select Admin > Security > Security Management > Column Encryption in the Navigation pane.
  2. Click Edit for the column where encryption is not required.

    View the field descriptions for the Security Column Encryption page

  3. Click ENCRYPTION REQUIRED to disable it.
  4. Click Save.

    NOTE: Email notifications to administrators about the suggested column for encryption are no longer sent.