Data protection considerations

Classify, protect, and monitor sensitive data assets using access control, encryption, and logging in Azure. Provide controls on data at rest and in transit.

Checklist

How are you managing encryption for this workload?


  • Use identity-based storage access controls.
  • Use built-in features for data encryption for Azure services.
  • Classify all stored data and encrypt it.
  • Protect data moving over a network through encryption at all points so that it can't be accessed by unauthorized users.
  • Store keys in a managed key vault service with identity-based access control and audit policies.
  • Rotate keys and other secrets frequently.

In this section

Follow these questions to assess the workload at a deeper level.

Assessment | Description
---|---
Do you use industry standard encryption algorithms? | Avoid using custom encryption algorithms or direct cryptography in your workload.
How is data at rest protected? | Classify your data at rest and use encryption.
How is data in transit secured? | Use encrypted network channels (TLS/HTTPS) for all client/server communication.
How do you authenticate access to your storage? | Use identity-based storage access controls to enable fine-grained role-based access control over storage resources.
Where are workload secrets (keys, certificates) stored? | Store keys and secrets in a managed key vault service.
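The checklist and the assessment questions above describe the same set of controls, so here is one added Bicep example (written for this page, not a template from the Well-Architected Framework or any Azure sample) that applies them to a single storage account and key vault: HTTPS-only and TLS 1.2 minimum for data in transit, built-in encryption with infrastructure encryption for data at rest, a classification tag, shared-key and anonymous access disabled in favour of RBAC data-plane roles, an RBAC-only key vault with purge protection, a key with an automatic rotation policy, and audit logs sent to Log Analytics. The resource names, the workload principal id and the Log Analytics workspace id are assumed parameter values; the two role definition GUIDs are the built-in Azure role ids for Storage Blob Data Contributor and Key Vault Crypto User.

```bicep
// Added example for the data protection checklist; not code from the original page.
// Assumed inputs: names below, plus the managed identity and workspace ids you pass in.
@description('Globally unique storage account name (assumed value)')
param storageAccountName string = 'stsecurewl001'
@description('Key vault name (assumed value)')
param keyVaultName string = 'kv-secure-wl-001'
@description('Object id of the workload managed identity that reads blobs and uses keys')
param workloadPrincipalId string
@description('Resource id of an existing Log Analytics workspace that receives audit logs')
param logAnalyticsWorkspaceId string
param location string = resourceGroup().location

// Built-in role definition ids (confirm with: az role definition list --query "[].{n:roleName,id:name}")
var storageBlobDataContributorRoleId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
var keyVaultCryptoUserRoleId = '12338af0-0e69-4776-bea7-57ae8d297424'

// Data at rest: service-side encryption is always on; this adds infrastructure (double)
// encryption, records the classification, and closes every non-identity access path.
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_ZRS' }
  tags: { dataClassification: 'Confidential' } // classification drives the controls below
  properties: {
    supportsHttpsTrafficOnly: true      // in transit: reject plain HTTP
    minimumTlsVersion: 'TLS1_2'         // in transit: no TLS 1.0/1.1 handshakes
    allowSharedKeyAccess: false         // identity-based access only; no account keys
    allowBlobPublicAccess: false        // no anonymous container or blob access
    defaultToOAuthAuthentication: true  // portal and tools default to Entra ID auth
    encryption: {
      keySource: 'Microsoft.Storage'
      requireInfrastructureEncryption: true
      services: {
        blob: { enabled: true }
        file: { enabled: true }
      }
    }
  }
}

// Fine-grained, identity-based authorization: a data-plane role scoped to this one
// account, instead of a shared key that grants everything on it.
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(stg.id, workloadPrincipalId, storageBlobDataContributorRoleId)
  scope: stg
  properties: {
    principalId: workloadPrincipalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataContributorRoleId)
  }
}

// Managed key vault: RBAC instead of access policies, soft delete plus purge protection
// so a deleted key cannot be destroyed immediately, and no public endpoint.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled' // reached over a private endpoint (not shown here)
  }
}

// Key rotation: a 90-day lifetime, automatic rotation 30 days before expiry and a
// notification event 7 days before expiry for anything that still pins the old version.
resource dataKey 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'workload-data-key'
  properties: {
    kty: 'RSA'
    keySize: 3072
    rotationPolicy: {
      attributes: { expiryTime: 'P90D' }
      lifetimeActions: [
        { trigger: { timeBeforeExpiry: 'P30D' }, action: { type: 'rotate' } }
        { trigger: { timeBeforeExpiry: 'P7D' }, action: { type: 'notify' } }
      ]
    }
  }
}

// The workload may use keys (encrypt, decrypt, sign, verify) but not read or manage them.
resource cryptoRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, workloadPrincipalId, keyVaultCryptoUserRoleId)
  scope: kv
  properties: {
    principalId: workloadPrincipalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultCryptoUserRoleId)
  }
}

// Audit policy: every key vault data-plane operation is logged to Log Analytics.
resource kvAudit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit-to-law'
  scope: kv
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { categoryGroup: 'audit', enabled: true }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters workloadPrincipalId=<objectId> logAnalyticsWorkspaceId=<workspaceResourceId>`. The design choice worth noting is that the two role assignments are the only way the workload reaches data or keys: with `allowSharedKeyAccess` off and `enableRbacAuthorization` on, a leaked account key or a stray access policy no longer grants anything, and every use of the key shows up in the audit log under the identity that performed it.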

Azure security benchmark

The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure the services you use in Azure:

The questions in this section are aligned to the Azure Security Benchmark's Data Protection recommendations.

Reference architecture

Here are some reference architectures related to secure storage:
