We are a small business that host applications and data for clients. Some of our clients are requesting we protect their data with 'encryption at rest' - although it's never very clear if they know what this really means.
The data is currently on an Azure VM running SQL Server Standard.
One option is for us to use TDE but this is only available in SQL Enterprise and the extra licencing cost would be a considerable for us.
The other is to use Azure Disk Encryption on the existing SQL Standard VM for free.
Is there much practical difference in the outcome between using TDE and Disk Encryption when it comes to reassuring the client that their data is encrypted at rest.
What differences should I be considering?
Data at rest includes information that resides in persistent storage on physical media, in any digital format. The media can include files on magnetic or optical media, archived data, and data backups.
TDE and Disk Encryption are protecting against different (though similar) risks. With disk or file encryption, a user of the computer with access to the files, could copy the database (mdf, ndf, ldf) files to another computer, decrypting them. And then attach the files to a different SQL Server as an administrator and read everything. Perhaps this is done by a rogue backup operator.
With TDE enabled, the new SQL Server would not be able to read the files which would be encrypted with a key that the new SQL Server does not know.
As you mentioned TDE is a SQL Server Enterprise Edition only feature, so Azure Disk Encryption may be your best option on a SQL Server VM, if you cannot afford paying for the Enterprise license
If you can consider moving your costumer database from IaaS to PaaS (Azure SQL Database DTU Model), then you can have TDE as part of the service and you do not have to pay for SQL Server licenses, saving thousands of dollars in licensing costs, you save on security features and save on storage disks used for backups (you have free 35 days of backups provided by PaaS).