I am looking into hosting a HIPAA-compliant web application on Azure VMs. For the database, right now I am leaning towards using a VM with SQL 2014 Standard Edition.
Since TDE is not available with Standard Edition, I am going to just use BitLocker to encrypt the entire drive. According to what I have read, however, it is not possible to encrypt the OS drive on an Azure VM without using some kind of third party service (like CloudLink).
This article from MSDN implies that it is possible, however, to use BitLocker to encrypt the data drive. Therefore, I guess my question is two-fold:
1) Is it possible to encrypt the data drive with BitLocker on an Azure VM?
2) If I get an Azure VM with SQL Standard, will it be necessary to encrypt the OS drive in order to remain HIPAA compliant?
Best Answer
Disclaimer: I am not a lawyer.
First, some required reading:
Microsoft Azure Trust Center
You might be required to sign a BAA with your cloud provider (Azure). Ask your compliance representative(s).
Here is the Azure HIPAA Implementation Guidance.
Azure VMs, Azure SQL, and SQL Server instances running within Azure VMs are all in scope and supported here.
BitLocker is sufficient for encryption of data at rest. It uses AES encryption in a way that satisfies HIPAA requirements (as well as the requirements of other similar organizations) for encryption of data at rest.
Furthermore, SQL Server will not store unencrypted, sensitive data on the OS drive unless you configure SQL to do so... like for instance configuring TempDB to live on the OS drive or something.
Encryption of cells/fields/columns within individual databases isn't strictly required assuming you have already satisfied requirements for encryption of data at rest in other ways, e.g. TDE or BitLocker.
How you choose to manage the BitLocker encryption key may come up, since it will not live inside a TPM chip or on a removable USB drive because you don't have access to the physical machine. (Consider having a sysadmin manually enter a password to unlock the data drive every time the server reboots.) This is sort of the main draw to services such as CloudLink, as they manage that sacred encryption key for you.
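As an added example (not part of the question or the answer above, and not Microsoft's own guidance), the following PowerShell script shows the setup the answer describes: BitLocker on the data volume with a password protector plus a recovery password, SQL Server held back until an operator unlocks the volume after each reboot, and a check for database files (tempdb in particular) sitting on the OS drive. Assumptions: the data disk is mounted as `F:`, the instance is the default instance (service `MSSQLSERVER`), the `SqlServer` or `SQLPS` module is installed so `Invoke-Sqlcmd` is available, and the script runs elevated on the VM. `Unlock-DataVolumeAndStartSql` is a helper name chosen here, not a built-in cmdlet.

```powershell
# Added example, not from the original question or answer. Assumptions: data disk
# mounted as F:, default SQL instance (service MSSQLSERVER), Invoke-Sqlcmd available.
$DataVolume = 'F:'
$SqlService = 'MSSQLSERVER'

# --- One-time setup --------------------------------------------------------

# 1. Take the volume password from the operator; never hard-code it in a script.
$VolumePassword = Read-Host -Prompt "BitLocker password for $DataVolume" -AsSecureString

# 2. Encrypt the data volume with a password protector (no TPM is available in the VM).
#    Aes256 is the strongest method available on Windows Server 2012 R2; -UsedSpaceOnly
#    keeps the initial encryption pass short on a mostly empty disk.
Enable-BitLocker -MountPoint $DataVolume `
    -PasswordProtector -Password $VolumePassword `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# 3. Add a numerical recovery password as a second protector. It must be stored
#    outside the VM (the key-management system of record); it is shown here only
#    so the operator can record it.
$Vol = Add-BitLockerKeyProtector -MountPoint $DataVolume -RecoveryPasswordProtector
$Recovery = ($Vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
Write-Host "Record this recovery password outside the VM: $Recovery"

# 4. SQL Server must not start before the volume is unlocked, or its databases on
#    F: will fail to open. Make the service manual; the unlock step starts it.
Set-Service -Name $SqlService -StartupType Manual

# --- Verification ----------------------------------------------------------

# Encryption state and protectors on the data volume.
Get-BitLockerVolume -MountPoint $DataVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod

# The answer's caveat: list every database file (tempdb included) whose physical
# path is on the OS drive, so it can be moved to the encrypted data volume.
function Get-DatabaseFilesOnOsDrive {
    param([string]$ServerInstance = 'localhost')
    $osDrive = $env:SystemDrive   # e.g. C:
    $query = @"
SELECT DB_NAME(database_id) AS db, name, physical_name
FROM sys.master_files
WHERE LEFT(physical_name, 2) = '$osDrive';
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query
}

$OnOsDrive = Get-DatabaseFilesOnOsDrive
if ($OnOsDrive) {
    Write-Warning "Database files found on the OS drive; move them to $DataVolume :"
    $OnOsDrive | Format-Table -AutoSize
}

# --- After every reboot ----------------------------------------------------

# The operator unlocks the volume with the password, and only then starts SQL Server.
function Unlock-DataVolumeAndStartSql {
    param([string]$MountPoint = $DataVolume, [string]$Service = $SqlService)
    $pw = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw
    $status = Get-BitLockerVolume -MountPoint $MountPoint
    if ($status.LockStatus -ne 'Unlocked') {
        throw "$MountPoint is still locked; not starting SQL Server."
    }
    Start-Service -Name $Service
}
```

Because the only protectors are a password and a recovery password, the volume stays locked after every restart, which is exactly the manual unlock step the answer suggests; the `Manual` startup type plus the lock check in `Unlock-DataVolumeAndStartSql` is what keeps SQL Server from coming up against a locked disk. Moving tempdb (or any user database) off `C:` is done with `ALTER DATABASE ... MODIFY FILE` followed by a service restart, which the query above will confirm.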