Home › Azure AZ-500 › cloudcomputing › az500compstoragedb › Which Azure SQL Database feature should a securi…
Which Azure SQL Database feature should a security engineer recommend to encrypt sensitive columns CLIENT-SIDE so that even DB admins cannot see plaintext (e.g. PII)?
AAzure SQL Database Always Encrypted (with secure enclaves for richer query operations)
BAzure DNS
CTransparent Data Encryption (TDE — at-rest only, DBAs see plaintext)
DPublic table with no encryption
Answer & Solution
Correct answer: A. Azure SQL Database Always Encrypted (with secure enclaves for richer query operations)
Always Encrypted is client-side encryption opaque to DBAs (per AZ-500 §3 SQL Always Encrypted). TDE encrypts at rest but DBAs read plaintext; the others aren't encryption.
Related questions
Which Azure Storage feature should a security engineer enable to require all reads/writes Which Azure VM security feature lets a security engineer require all data passing between Which Azure SQL feature lets a security engineer enable Microsoft Entra ID-based DB loginsWhich Azure SQL feature should a security engineer enable to obscure sensitive column valuWhich Azure SQL Database feature should a security engineer enable to encrypt data at restWhich Azure storage feature lets a security engineer generate a TIME-LIMITED, scope-bound Which Azure storage authentication option should a security engineer prefer over shared-keWhich Azure storage feature should a security engineer use to PROTECT BLOBS from accidenta