Zero Trust for Data —Essentials Series

Episode 5

Protect data across your files and content, as well as structured and unstructured data wherever it resides, with the Zero Trust security model. As always, the approach applies the principles of verify explicitly, least privileged access, and assume breach. Jeremy Chapman, Director of Microsoft 365, highlights how you can apply Zero Trust security to keep your data protected.

Protection wherever data resides

With Zero Trust, protections are designed to follow your data wherever it resides, whether that’s in your infrastructure or in the services that you manage. Protections continue as data flows and people work together with sensitive information. Information can also be protected from leaks by people inside of your organization or from people who should not have access. With the right protections in place, you can protect data if your devices are infected with malware, and you can also block and prevent data access in the case of a data breach. The good news is you can extend protections at a granular level, from your databases and individual data fields, to sensitive words within your databases, and trigger words while using apps.

Steps to protect your data:

  • Identify top sensitive information
  • Apply labels and classifiers
  • Apply principle of least privilege and assume breach


01:36 — Identify your sensitive data

03:55 — Data classification

06:51 — Take action: Least privilege and assume breach

07:22 — See an example

07:54 — Insider risk management capabilities

09:20 — Wrap up

Link References:

Watch our previous deep dive shows across the layers of Zero Trust at

For more on Zero Trust, go to

Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Keep getting this insider knowledge, join us on social:

Video Transcript:

-Welcome back to our series on Zero Trust on Microsoft Mechanics. In our Essentials episode, we gave a high-level overview of the principles of the Zero Trust security model, spanning identity, endpoints, applications, networks, infrastructure, and data. Now in this episode we’ll take a look at how you can apply Zero Trust principles and policies to the data itself across your files and content, as well as structured and unstructured data, wherever it resides.

-Now by the way, if you’ve missed our previous deep dive shows across all the layers of Zero Trust, you can check those out at Ultimately, all layers in the Zero Trust security model lead to the protection of your data. As always, the approach applies the principles of verify explicitly, least-privileged access, along with assume breach.

-Now with Zero Trust, protections are designed to follow your data wherever it resides, whether that’s in your infrastructure or in the services that you manage. Protections continue as data flows and as people work together with sensitive information. Information can also be protected from intentional or unintentional leaks by people inside of your organization to people who should not have access. Also with the right protections in place, you can protect the data if your devices are infected with malware. And you can also block and prevent data access in the case of a data breach, where your infrastructure and services are hacked. The good news is that we can extend protections at a granular level from your databases, through to where your files are managed, right down to the individual data fields, sensitive words within your databases and files, as well as trigger words and phrases, for example, in the context of using apps.

-That said, before you can protect your data, the first step to using the Zero Trust approach, is to know your data. Identifying and inventorying sensitive data is a critical step to successfully implement Zero Trust. Here, Microsoft Information Protection offers a flexible set of protection controls, based on data sensitivity and risk, for files across your Microsoft 365 estate, and across cloud-based services. Azure Purview then helps you manage and govern your on-premises, multi-cloud and software as a service, or SaaS stored data, to easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.

-Additionally, insider risk management in Microsoft 365 enables you to quickly detect, investigate, and act on risk to your data originating from people inside your organization, such as data theft from a departed employee. And communication compliance in Microsoft 365 then allows you to more specifically detect inappropriate communications that can result in data leaks or policy violations.

-So let’s dig deeper into these capabilities, starting with Microsoft Information Protection in the Microsoft 365 Compliance Center. In the data classification tab, you can easily find the top sensitive information types across Microsoft 365 services like SharePoint, OneDrive, and Exchange. If I click into content explorer, I can even find the number of instances for each sensitive information type. And here we can see things like credit card and bank account numbers, personal IDs, and tax information, just to name a few. This even works for multi geo-enabled organizations. In fact, there are more than 220 built-in definitions, and you can create your own sensitive information types using patterns or keywords.

-Next, moving on to knowing where your sensitive information is found in structured data and data sitting outside of Microsoft 365, you can use Azure Purview to scan your connected data sources like Azure Blob Storage, Data Lake, SQL, Cosmos DB, and Synapse Analytics. Or you can connect Azure Purview to scan non-Microsoft or on-prem data stores like Amazon S3, Hive Metastore, Oracle, SAP, and more. As a result of the scan process, Azure Purview will discover sensitive data types like the ones that I mentioned before, using default or custom classifications.

-And once you know where your sensitive data resides, you can then move on to data classification. Applying the Zero Trust principle of least privileged, labels and classifiers can be applied to file content in order to enforce policies to protect your information. That way only the people and processes who should have access, do have access. In fact, if you caught our previous episode, showing capabilities like auth context in SharePoint to require a second factor of authentication for access to sensitive sites, or Microsoft Cloud App Security policies to block downloads on non-Microsoft services and cloud apps. All of those actions are predicated on having these labels and associated metadata in place.

-Now, let me show you how these labels are applied. With Microsoft Information Protection, you can apply sensitivity labels to add a visual marking, and there are a number of controls, such as adding a confidential watermark, header, and footer controls that you can see here. Additionally, policies can apply file-level encryption and reduce sharing rights to limit access to the right people. Classification labels in Microsoft Information Protection can be applied in several ways. Users closest to sensitive topics can manually apply labels as you can see here, and you can use auto labeling to detect, label, and protect sensitive documents and emails, and this also works while authoring files or scanning them at rest in Microsoft 365.

-Also, data loss prevention policies can run in the background, in real-time, during the authoring of content to detect sensitive information. Policy tips then inform users of violations and specific actions can be enforced, such as blocking sharing. This works in Word, Excel, emails, even chat messages in Microsoft Teams and more. Additionally, you can also use reports in Microsoft 365 to identify SharePoint sites or Microsoft Teams locations with high numbers of sensitive files, then apply classifications to that entire site or team to ensure that files currently stored in those locations, as well as files created in the future, are just automatically protected. This can even retroactively apply to files that were previously shared from these locations, and to augment classifications applied by users, at the file or site and team level, you can use automation and AI to help apply labels.

-For example, here in information governance, you can see, I have policies to auto apply labels that trigger retention policies to personally identifiable information across email, SharePoint sites, OneDrive accounts and Microsoft 365 groups. Additionally, sensitivity and retention labels are integrated with SharePoint Syntex as part of its automated document scanning categorization process, for knowledge management. And once you’ve configured labeling in Microsoft 365, you can extend your sensitivity labels to Azure Purview, as you can see here. As Azure Purview scans registered data sources, it uses the classification rules that you set, including the custom rules you defined to assign labels to your data. And once your data has been scanned, the results are visible in the data source and added as part of the classification insights report.

-From here, you can take action, using the Zero Trust principles of least privilege and assume breach, to lock down access to data with sensitive or confidential information. In fact, Microsoft Information Protection and Azure Purview can continually identify new sources of sensitive information so that you can keep track of it as it’s being generated and apply the right permissions to protect your data. Additionally, for your structured data in SQL Server, Azure SQL and Azure Synapse, you can implement the principle of least privilege and role-based access.

-Now here’s a real example using built-in column and row-level security controls to allow different divisions in the same company, to query that same data set where each region only sees data specific to that region. Now also with dynamic data masking, you can anonymize text in data fields based on privilege and role, to mask sensitive information, as you can see here with this column of email addresses. Now the work you do to know your data, classify and protect it, is also foundational to ensuring that you understand and mitigate high-risk situations that can emerge internally. Insider risk management capabilities collect signals from activities in Microsoft 365, and agentlessly from local device endpoints to quickly spot anomalous user activities that are common indicators of insider risk.

-For example, you can set a policy triggered from an event, like an employee resignation, that looks for patterns and sequences of activity, such as downloading sensitive information, renaming it, then printing it before their departure from the company. Equally, you can continually scan Microsoft 365 audit logs to quickly assess the risk of data exfiltration in your organization, based on activity patterns. And with communication compliance also in Microsoft 365, built-in trained classifiers containing trigger words, including custom keywords, can help quickly detect inappropriate information sharing, such as financial information shared in Microsoft Teams to internal or external contacts. Communication compliance policies support eight languages, and it automatically translates message content to a policy reviewer’s preferred language. Additionally, using OCR, it extracts printed or handwritten texts and images or PDFs, to evaluate against policy violations such as threats or disclosing information.

-Keep in mind for both insider risk management and communication compliance, there are strong safeguards and controls. You can apply pseudo-anonymization or rules-based access controls, ensure admin explicit opt-in of users, and audit trails all with a view to protecting end-user privacy.

-So that was a tour of the highlights for how the Zero Trust security model applies to protecting your data wherever it resides. Now, if you’ve missed any of our previous shows in this series, be sure to check out, and you can learn more at Thanks for watching.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store