System Administration

Monitor Columns for Encryption

The Stewardship Tier is delivered with a set of encrypted columns, such as passwords and connection strings. This feature allows Security and Data Source Administrators to monitor columns where encryption is either required or suggested.

To monitor encrypted columns, it is recommended that users are categorized into two distinct and separate roles:

  • Security Administrators - Users who are members of the Security, Power User or Administrator System Administration WebApp groups. These users receive email notifications when a column is recommended for encryption and can change or remove the encryption requirement for a column. However, these users cannot disable encryption for a column.
  • Data Source Administrators - Users who are members of the Data Source, Power User or Administrator System Administration WebApp groups. These users receive email notifications when a column is recommended for encryption and can disable encryption for a column. However, these users cannot lift the encryption requirement for a column.
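
The two group lists above overlap: Power User and Administrator appear in both, so members of those groups hold both roles. The following audit sketch is an added example, not Stewardship Tier code; the group names come from this page, while the action labels, the membership data and the "Reporting" group are constructed for illustration.

```python
# Added example: separation-of-duties audit for the column-encryption roles.
# Group names are taken from the page; action labels are hypothetical names
# for the permissions the page describes.
SECURITY_ADMIN_GROUPS = {"Security", "Power User", "Administrator"}
DATA_SOURCE_ADMIN_GROUPS = {"Data Source", "Power User", "Administrator"}

ROLE_ACTIONS = {
    # Can change or remove the encryption requirement, cannot disable encryption.
    "security_admin": {"change_encryption_requirement",
                       "remove_encryption_requirement"},
    # Can encrypt or disable encryption, cannot lift the requirement.
    "data_source_admin": {"encrypt_column", "disable_encryption"},
}

def roles_for(groups):
    """Map a user's WebApp groups to the monitoring roles they hold."""
    groups = set(groups)
    roles = set()
    if groups & SECURITY_ADMIN_GROUPS:
        roles.add("security_admin")
    if groups & DATA_SOURCE_ADMIN_GROUPS:
        roles.add("data_source_admin")
    return roles

def allowed(groups, action):
    """True if any role held through these groups grants the action."""
    return any(action in ROLE_ACTIONS[role] for role in roles_for(groups))

def audit(memberships):
    """Return users who can both lift the requirement and disable encryption."""
    return [
        user for user, groups in sorted(memberships.items())
        if allowed(groups, "remove_encryption_requirement")
        and allowed(groups, "disable_encryption")
    ]

# Constructed sample of user -> WebApp group membership.
MEMBERSHIPS = {
    "alice": ["Security"],
    "bob": ["Data Source"],
    "carol": ["Power User"],
    "dave": ["Security", "Data Source"],
    "erin": ["Reporting"],  # hypothetical group with no encryption role
}

if __name__ == "__main__":
    for user in audit(MEMBERSHIPS):
        print(f"{user}: holds both roles, so the two-role split does not apply")
```

Users flagged by the audit can remove the encryption requirement and disable encryption on their own, so the two-role separation only holds for accounts that belong to just the Security group or just the Data Source group.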

When users monitor encrypted columns, they can view a list of expected columns that should be encrypted. In the event that a user disables encryption for a column, an email notification is sent to track the status.

Monitor Encrypted Columns

To monitor encrypted columns, select Admin > Security > Security Management > Column Encryption in the Navigation pane.

On a new Stewardship Tier installation, the columns listed on the Security Column Encryption page are encrypted. On a Stewardship Tier upgrade, if the encrypted columns do not exist, the columns are added to the Security Column Encryption page and remain in their current encryption state: a column that was already encrypted remains encrypted, and a column that was not encrypted remains unencrypted. A daily email is sent to Security and Data Source Administrators, notifying them that specific columns are recommended to be encrypted.

Security Administrators must either:

  1. Decide that the column should be encrypted and advise the user responsible for maintaining it to encrypt it, or choose to enable the Encryption Required check box. Refer to Column Encryption for more information on encrypting a column.

    NOTE: If a column requires encryption, but is not encrypted, an email is sent daily to Security and Data Source Administrators. This email states that the column should have encryption enabled, but it is not currently encrypted. Data Source Administrators can encrypt the column.

  2. Decide that encryption is not required for the column by disabling the Encryption Required check box. Refer to Remove Encryption Requirement for more information.

    NOTE: If Security Administrators decide not to encrypt a field, encryption can be disabled, but only by Data Source Administrators.

Remove Encryption Requirement

Security Administrators for a role to which they are assigned are able to remove the encryption requirement for a column.

NOTE: Data Source Administrators are NOT able to remove the encryption requirement for a column, nor can they delete system-provided encryption columns. These users can ONLY delete non-system-provided Column Encryption if the Encryption Required check box is disabled.

To indicate a suggested column does not require encryption:

  1. Select Admin > Security > Security Management > Column Encryption in the Navigation pane.
  2. Click Edit for the column where encryption is not required.

    View the field descriptions for the Security Column Encryption page

  3. Click ENCRYPTION REQUIRED to disable it.
  4. Click Save.

    NOTE: Email notifications to administrators about the suggested column for encryption are no longer sent.

Resolve Columns with Data in a Mixed State of Encryption

The Stewardship Tier evaluates the data in each column of a data source for the presence of both encrypted and decrypted data in the same column.

To track a table’s unencrypted columns, the columns NOT ENCRYPTED COUNT (the total number of unencrypted columns in the table) and TOTAL COUNT (the total number of columns in the table) have been added to the following pages:

If the values in the NOT ENCRYPTED COUNT and TOTAL COUNT are not equal, indicating that there is a mix of encrypted and unencrypted data in the column, the STATUS field displays a warning icon and the warning Mixed Encryption on these pages.

The Stewardship Tier sends the Data Source Table Column Encryption Report workflow email to the relevant user(s). The Email From value name displays the system instance (as displayed in the Instance field on the Parameters page) that contains the mixed data.

The email includes the tables and columns that have mixed encryption and the mixed state indicator.

NOTE: In cases when a column has data in a mixed state and the encryption state is Not Encrypted, additional steps must be taken to encrypt these unencrypted records.

To encrypt unencrypted records for a column with data in a mixed state:

  1. Select Admin > Data Sources in the Navigation pane.

  2. Click the Encryption icon.

  3. Select the column containing the mixed data.

  4. Click the Reset button.

NOTE: The Encryption State field is set to Encrypted.

NOTE: The Reset button is only enabled in this scenario or when the Encryption State is Encrypting/Decrypting. If the status is Encrypting and the user clicks the Reset button, the status is reset to Not Encrypted. If the status is Decrypting and the user clicks the Reset button, the status is reset to Encrypted.