Implementing Zero Trust with Microsoft Purview

Microsoft Purview solutions can help you implement a Zero Trust security strategy that is based on the following security principles:

  • Verify explicitly: Always authenticate and authorize based on all available data points.

  • Use least privilege access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.

  • Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Microsoft Purview primarily supports the Use least privilege access principle by providing data protection solutions. Use Purview capabilities to help you safeguard your data across platforms, apps, and clouds.

Zero Trust to protect data

Microsoft Purview provides the following capabilities and options for a data defense in depth strategy and a Zero Trust implementation for data protection:

  • Data classification: So you can know your data

    Discover and detect sensitive data across your entire organization, so that you can better protect it. For more information, see How to use the Microsoft data classification dashboard.

  • Information protection: So you can protect your data

    Apply sensitivity labels to integrate with Microsoft Copilot and other apps and services to provide access control guardrails, and encryption with rights management for your most sensitive data. Content markings, such as footers and watermarks, can increase awareness and security policy compliance. While users create or update content, the highly visible labels and labeling recommendations support user education about sensitive data. For more information, see Learn about sensitivity labels.

    When you use sensitivity labels with protection policies, you can automatically enforce access restrictions across your data estate the moment sensitive information is detected.

  • Data loss prevention (DLP): So you can prevent data loss

    Users sometimes take risks with your organization’s sensitive data, which might result in a data security or compliance incident. Data loss prevention helps you monitor for and protect against risky oversharing of sensitive data. As with sensitivity labeling, policy tips support user education about sensitive data. For more information, see Learn about data loss prevention.

  • Data lifecycle management: So you can delete what you don't need, and safeguard important data

    Deploy policies to manage the lifecycle of sensitive data to reduce data exposure. Limit the number of copies or the propagation of sensitive data by automatically and permanently deleting it when it's no longer needed. Or conversely, protect important data from malicious or accidental deletion by automatically retaining a copy in a secured location after a user deletes the data. For more information, see Learn about data lifecycle management.
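As an added example that is not part of the original page, the following Security & Compliance PowerShell (ExchangeOnlineManagement module) rolls out the data loss prevention capability described above in the way the Zero Trust principles suggest: test mode with policy tips first (user education and visibility), blocking limited to sharing outside the organization (least privilege, smaller blast radius), and incident reports for the security team. The policy and rule names and the policy-tip text are constructed placeholders; the sensitive information type is the built-in "Credit Card Number" type.

```powershell
# Added example (not from the Microsoft Learn page): a DLP policy rolled out Zero Trust
# style with Security & Compliance PowerShell. Policy/rule names and the policy-tip
# text are constructed placeholders.
#Requires -Modules ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'ZT-Block-External-PaymentCardData'   # constructed name

# 1. Create the policy in test mode WITH notifications: nothing is blocked yet, but
#    users already see policy tips (user education) and admins receive incident
#    reports (visibility), so the detection can be tuned before enforcement.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Zero Trust: prevent oversharing of payment card data outside the org' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule: match the built-in "Credit Card Number" sensitive information type and
#    act only when the content is shared with people OUTSIDE the organization.
#    Internal collaboration is left untouched, which keeps the blast radius small.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains payment card data and cannot be shared externally.' `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# 3. After the test-mode matches have been reviewed (audit log / activity explorer),
#    enforce the policy. Only the mode changes; the rule stays the same.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# 4. Verify the end state.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, ExchangeLocation
```

Run steps 1 and 2 first, leave the policy in test mode long enough to check for false positives, and only then run step 3.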

Supporting tools and technologies:

Note

Now in preview, Microsoft Purview AI Hub helps you to more quickly protect your data and gain insights into how users are interacting with AI assistants, such as Microsoft Copilot, ChatGPT, Bard, and other third-party LLMs.

  • As you implement these capabilities, use appropriate role-based permissions and administrative units to provide Just-Enough-Access and segment access. Augment these protective measures with privileged access management for Just-In-Time access.

  • Consider your encryption requirements for specific scenarios, for example:

    • Microsoft Copilot for Microsoft 365
    • Use your sensitivity labels to apply Double Key Encryption to selected documents and emails when only your organization and no cloud services should be able to decrypt them.
    • Use Advanced Message Encryption if you need to keep sensitive content within your organization boundary, log external mail access, or revoke access to encrypted emails.
    • Use Customer Key if you need to control the root encryption keys for Microsoft 365 data at-rest.
    • If you use Conditional Access or cross-tenant access settings, these services need specific configurations to support encrypted content.

  • For high-value documents and emails, records management supports additional restrictions and a disposition review process.

  • Use insider risk management to identify and take action against risky security-related user activities and data activity patterns.

  • Consider using information barriers if you need to segment access between specific users by restricting two-way communication and collaboration between groups and users in Microsoft Teams, SharePoint, and OneDrive.

  • Additional governance options:

    • Access policies in the Microsoft Purview Data Catalog allow users to request access to data, but also give you the tools to ensure they only have access to the data they need, and only for as long as they need it.
    • Use the data sharing app to minimize data duplication and instead provide read-only access that you can time-limit or revoke.

  • Consider using Compliance Manager to help drive the adoption of security features and configurations and to monitor their implementation. Easy-to-build assessments with automatic monitoring help you stay on track with requirements across your multicloud environment.

  • Use auditing solutions to help you monitor Microsoft 365 data and respond to security events.

  • Use Customer Lockbox to ensure Microsoft service engineers must obtain approval before accessing any Microsoft 365 data you own during a support investigation.

Next steps

Solution guidance to help you implement a Zero Trust strategy for data protection by using Microsoft Purview:

Because data protection helps protect personal data stored and managed by your organization, see also Manage data privacy and data protection with Microsoft Priva and Microsoft Purview.

Zero Trust solution guidance:

Learn more about Zero Trust and how to build an enterprise-scale strategy and architecture with the Zero Trust Guidance Center.