Azure DLP (IaaS, PaaS) Reference Architecture

Question

Azure DLP (IaaS, PaaS) Reference Architecture

Sumeetha Mogasati 126

Hi there,

Unfortunately, there are no reference architectures available for Azure DLP to secure Azure IaaS & PaaS services via https://learn.microsoft.com/en-us/azure/architecture/browse/

I am creating one using the Azure DLP Services such as Private Link, Azure Purview and Azure Policies.

Like to create an Azure DLP Ref Architecture that is similar to MS Cyber Security Reference Architecture https://learn.microsoft.com/en-us/security/cybersecurity-reference-architecture/mcra

Help and insight with useful references that help create an Azure DLP Reference Architecture appreciated? Thanks

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-12-15T15:19:02.293+00:00

@Sumeetha Mogasati
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

1 answer

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-12-15T15:19:02.293+00:00

@Sumeetha Mogasati
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

Answer 1

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@Sumeetha Mogasati
Thank you for your post and for your time and patience throughout this issue!

Based off your question and my research, I wasn't able to find a feature named "Azure DLP", which could explain why there isn't any reference architecture available for "Azure DLP". However, I did find Microsoft 365 DLP, which is just one of the Microsoft 365 Compliance tools that you can use to help protect your sensitive items wherever they live or travel.

When it comes to Microsoft 365 DLP, you implement data loss prevention by defining and applying DLP policies. As of right now, DLP policies are only supported within these below services:

Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive
Office applications such as Word, Excel, and PowerPoint
Windows 10, Windows 11 and macOS (Catalina 10.15 and higher) endpoints
non-Microsoft cloud apps
on-premises file shares and on-premises SharePoint.

I also found an Azure Purview FAQ stating that - Azure Purview does not currently provide Data Loss Prevention capabilities. Data Loss Prevention is currently only supported in Microsoft 365.

If you'd like Azure to support DLP for Azure Private Link, Purview, and Policies, so that you can create a DLP reference architecture for these services. I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this. I've also created an internal feature request so our engineering team is aware of this as well.

Additional Links:
Learn about data loss prevention
Prevent data loss
Get started with the default DLP policy
Azure security documentation

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Sumeetha Mogasati 126 Reputation points

2021-12-22T17:45:25.197+00:00

Hi James,

Apologies for the delayed response. Thanks for your response.

Please note that my query is about the DLP reference architecture for Azure IaaS & PaaS services, not about any feature.

As you already suggested there is no existing DLP reference Architecture available from Microsoft.
So I started creating one using the Azure Services that help in DLP such as Azure Private Link, Azure Policies (selective) and Azure Purview etc.

I greatly appreciate one of your Cloud Security Architecture team members reviewing my post and helping with useful feedback and input.

Please note that Azure Purview supports DLP via Sensitivity Labels (Preview)

Also, note the below where one of MS Cloud Security Architects had responded via Twitter.

Kind regards
Sumeetha Mogasati 126 Reputation points

2021-12-22T18:29:02.127+00:00

Hi James,

In addition to the above, I think It would add value and benefit the community when Azure DLP Ref Architecture is incorporated into this as a separate domain. https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security.pdf

Kind regards
Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator

2021-12-30T11:39:33.777+00:00

Hi @Sumeetha Mogasati ,
We agree that your idea of having a Azure DLP reference architecture is great and even though we do provide a lot of information on protecting the data within the architecture center for azure we may not have this one specifically targeting Data loss prevention . We do have some reference architecture documents for IaaS data loss prevention in terms of using disk encryption on VMs . In your case your focus seems to be wider considering including azure purview and the complete azure data layer.

Reference architectures are written after much testing internally over long periods of time by analyzing a lot of data points and hence a review of your content by someone in Microsoft is unlikely to be possible unless someone directly reach out to you . We have reached out internally to the respective architects to see if they can accommodate this request and will keep you updated . As most of the team is out of office due to holiday season , we hope to get a reply by second week of Jan . We will keep the thread updated with the response we get . As you have mentioned that you have written some content and published on your blog/github pages, please do share the link for the content and we can forward it internally to the team as well .We use github for documentation related feedback and content request and you can create a request here.

Thank you .

Share via

Azure DLP (IaaS, PaaS) Reference Architecture

1 answer

Your answer