Microsoft Purview solutions can help you implement a Zero Trust security strategy that is based on the following security principles:
| Verify explicitly | Use least privilege access | Assume breach |
|---|---|---|
| Always authenticate and authorize based on all available data points. | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. |
Microsoft Purview is a primary component of the Use least privilege access principle by providing data protection solutions. Use Purview capabilities to help you safeguard your data across platforms, apps, and clouds.
Zero Trust to protect data
Microsoft Purview provides the following capabilities and options for a data defense in depth strategy and a Zero Trust implementation for data protection:
Data classification: So you can know your data
Discover and detect sensitive data across your entire organization, so that you can better protect it. For more information, see Classifiers overview and Reports.
Information protection: So you can protect your data
Apply sensitivity labels to integrate with Microsoft 365 Copilot and other apps and services to provide access control guardrails, and encryption with rights management for your most sensitive data. Content markings, such as footers and watermarks, can increase awareness and security policy compliance. While users create or update content, the highly visible labels and labeling recommendations support user education about sensitive data. For more information, see Learn about sensitivity labels.
When you use sensitivity labels with protection policies, you can automatically enforce access restrictions across your data estate the moment sensitive information is detected.
Data loss prevention (DLP): So you can prevent data loss
Users sometimes take risks with your organization’s sensitive data, which might result in a data security or compliance incident. Data loss prevention helps you monitor for and protect against risky oversharing of sensitive data. As with sensitivity labeling, policy tips support user education about sensitive data. For more information, see Learn about data loss prevention.
Insider Risk Management: So you can identify and take action against risky security-related user activities and data activity patterns
Correlate various signals to identify and take action on potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. For more information, see Learn about Insider Risk Management.
Data lifecycle management: So you can delete what you don't need, and safeguard important data
Deploy policies to manage the lifecycle of sensitive data to reduce data exposure. Limit the number of copies or propagation of sensitive data by automatically and permanently deleting it when it's no longer needed. Or conversely, protect important data from malicious or accidental deletes by automatically retaining a copy in a secured location after a user deletes the data. For more information, see Learn about data lifecycle management.
Supporting tools and technologies:
Note
Now in preview, use Microsoft Data Security Posture Management (DSPM) to help you discover, protect, and investigate sensitive data risks across your digital estate. Unifying other Microsoft Purview solutions, DSPM provides visibility and control for both traditional applications and AI apps and agents, so you can monitor, assess, and remediate data risks regardless of where sensitive data resides.
As you implement these capabilities, use appropriate role-based permissions and administrative units to provide Just-Enough-Access and segment access. Augment these protective measures with privileged access management for Just-In-Time access.
Consider your encryption requirements for specific scenarios, for example:
- Microsoft 365 Copilot
- Use your sensitivity labels to apply Double Key Encryption to selected documents and emails when only your organization and no cloud services should be able to decrypt them.
- Use Advanced Message Encryption if you need to keep sensitive content within your organization boundary, log external mail access, or revoke access to encrypted emails.
- Use Customer Key if you need to control the root encryption keys for Microsoft 365 data at-rest.
- If you use Conditional Access or cross-tenant access settings, these services need specific configurations to support encrypted content.
For high-value documents and emails, records management supports additional restrictions and a disposition review process.
Consider using information barriers if you need to segment access between specific users by restricting two-way communication and collaboration between groups and users in Microsoft Teams, SharePoint, and OneDrive.
Additional governance options:
- Access policies in the Microsoft Purview Unified Catalog allow users to request access to data, but also give you the tools to ensure they only have access to the data they need, and only for as long as they need it.
- Use the data sharing app to minimize data duplication and instead provide read-only access that you can time-limit or revoke.
Consider using Compliance Manager to help drive the adoption of and monitor the implementation of security features and configurations. Easy-to-build assessments with automatic monitoring help you stay on track with requirements across your multicloud environment.
Use auditing solutions to help you monitor Microsoft 365 data and respond to security events.
Use Customer Lockbox to ensure Microsoft service engineers must obtain approval before accessing any Microsoft 365 data you own during a support investigation.
Next steps
Solution guidance to help you implement a Zero Trust strategy for data protection by using Microsoft Purview:
- Deploy an information protection solution with Microsoft Purview
- Deploy a data governance solution with Microsoft Purview
Because data protection helps protect personal data stored and managed by your organization, see also Manage data privacy and data protection with Microsoft Priva and Microsoft Purview.
Zero Trust solution guidance:
- For data protection concepts and deployment objectives, see Secure data with zero trust
- For other capabilities that contribute to a strong Zero Trust strategy and architecture for your Microsoft 365 data, see Zero Trust deployment plan with Microsoft 365
- To learn how to apply Zero Trust to Microsoft 365 Copilot, see Apply principles of Zero Trust to Microsoft 365 Copilot.
Learn more about Zero Trust and how to build an enterprise-scale strategy and architecture with the Zero Trust Guidance Center.