Merge pull request #112530 from MikeDodaro/securityControls

v-albemi · web-flow · commit f06d7b58682e · 2020-04-29T12:37:54.000-07:00
Security controls draft
diff --git a/articles/security/fundamentals/security-controls.md b/articles/security/fundamentals/security-controls.md
@@ -28,6 +28,7 @@ Built-in security control articles are available for the following services:
 - [Azure Service Bus Messaging](../../service-bus-messaging/service-bus-messaging-security-controls.md)
 - [Azure Service Bus Relay](../../service-bus-relay/service-bus-relay-security-controls.md)
 - [Azure Service Fabric](../../service-fabric/service-fabric-security-controls.md)
+- [Azure Spring Cloud](../../spring-cloud/spring-cloud-concept-security-controls.md)
 - [Azure SQL Database](../../sql-database/sql-database-security-controls.md)
 - [Azure Virtual Machine Scale Sets](../../virtual-machine-scale-sets/virtual-machine-scale-sets-security-controls.md)
 - [Linux Virtual Machines](../../virtual-machines/linux/virtual-machines-linux-security-controls.md)
diff --git a/articles/spring-cloud/spring-cloud-concept-security-controls.md b/articles/spring-cloud/spring-cloud-concept-security-controls.md
@@ -0,0 +1,23 @@
+---
+title:  Concept - Security controls for Azure Spring Cloud Service
+description: Use security controls built-in into Azure Spring Cloud Service.
+author:  MikeDodaro
+ms.author: brendm
+ms.service: spring-cloud
+ms.topic: conceptual
+ms.date: 04/23/2020
+---
+
+# Security controls for Azure Spring Cloud Service
+Security controls are built-in into Azure Spring Cloud Service.
+
+A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.  For each control, we use *Yes* or *No* to indicate whether it is currently in place for the service.  We use *N/A* for a control that is not applicable to the service. 
+
+**Data protection security controls**
+
+| Security control | Yes/No | Notes | Documentation |
+|:-----------:|:--------:|:-------------------------------:|:-------------------:|
+| Server-side encryption at rest: Microsoft-managed keys | Yes | User uploaded source and artifacts, config server settings, app settings and data in persistent storage are stored in Azure Storage, which automatically encrypts the content at rest.  ~~~  Config server cache, runtime binaries built from uploaded source, and application logs during the application lifetime are saved to Azure Managed Disk, which automatically encrypts the content at rest.  ~~~  Container images built from user uploaded source are saved in Azure Container Registry, which automatically encrypts the image content at rest. | [Azure Storage encryption for data at rest](https://docs.microsoft.com/azure/storage/common/storage-service-encryption)  ~~~   [Server-side encryption of Azure managed disks](https://docs.microsoft.com/azure/virtual-machines/linux/disk-encryption)  ~~~  [Container image storage in Azure Container Registry](https://docs.microsoft.com/azure/container-registry/container-registry-storage) |
+| Encryption in transient | Yes | User app public endpoints use HTTPS for inbound traffic by default. |  |
+| API calls encrypted | Yes | Management calls to configure Azure Spring Cloud service occur via Azure Resource Manager calls over HTTPS. | [Azure Resource Manager](https://docs.microsoft.com/azure/azure-resource-manager/) |
+
diff --git a/articles/spring-cloud/toc.yml b/articles/spring-cloud/toc.yml
@@ -42,6 +42,8 @@
       href: spring-cloud-quotas.md
     - name: Understanding metrics in Azure Spring Cloud
       href: spring-cloud-concept-metrics.md
+    - name: Security controls for Azure Spring Cloud Service
+      href: spring-cloud-concept-security-controls.md
     - name: Understanding app status in Azure Spring Cloud
       href: spring-cloud-concept-app-status.md
     - name: Plan for disaster recovery
