DoD Zero Trust Strategy for the data pillar
The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.
This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.
Use the following links to go to sections of the guide.
- Introduction
- User
- Device
- Applications and workloads
- Data
- Network
- Automation and orchestration
- Visibility and analytics
4 Data
This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the data pillar. To learn more, see Secure data with Zero Trust.
4.1 Data catalog risk alignment
Microsoft Purview solutions help discover, identify, govern, protect, and manage data where it resides. Microsoft Purview provides three ways to identify items so that they can be classified: manually by users, by automated pattern recognition using sensitive information types, and by machine learning.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 4.1.1 Data Analysis**<br>DoD Organizations update the service and application catalog(s) with data classifications. Data tags are also added to each service and application.<br>Outcome:<br>- The service catalog is updated with data types for each application and service based on data classification levels | **Microsoft Purview**<br>Review sensitive information types in the Microsoft Purview compliance portal and define custom sensitive information types.<br>- Custom sensitive info types in Purview compliance portal<br>Use Purview content explorer or activity explorer to view a snapshot of labeled Microsoft 365 content and view associated user activities.<br>- Content explorer<br>- Activity explorer<br>**Microsoft Defender for Cloud Apps**<br>Integrate Microsoft Purview Information Protection to apply sensitivity labels to data that matches policies. Investigate potential sensitive data exposure across cloud applications.<br>- Integrate Information Protection<br>**Microsoft Purview Data Catalog**<br>Browse the Purview Data Catalog to explore the data in your data estate.<br>- Purview Data Catalog |
4.2 DoD enterprise data governance
Microsoft Purview Information Protection uses sensitivity labels. You can create sensitivity labels relevant to your organization, control which labels are visible for users, and define the label scope. Scope labels to files, emails, meetings, Microsoft Teams, SharePoint sites, and more. Labels protect content with encryption, limit external sharing, and prevent data loss.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 4.2.1 Define Data Tagging Standards**<br>The DoD Enterprise works with organizations to establish data tagging and classification standards based on industry best practices. Classifications are agreed upon and implemented in processes. Tags are identified as manual and automated for future activities.<br>Outcomes:<br>- Enterprise data classification and tagging standards are developed<br>- Organizations align to enterprise standards and begin implementation | **Microsoft Purview**<br>Create and publish sensitivity labels in Microsoft Purview, according to the data tagging standards you define.<br>- Sensitivity labels and policies<br>- Sensitivity labels in Microsoft 365 |
| **Target 4.2.2 Interoperability Standards**<br>The DoD Enterprise, collaborating with the organizations, develops interoperability standards integrating mandatory Data Rights Management (DRM) and Protection solutions with necessary technologies to enable ZT target functionality.<br>Outcome:<br>- Formal standards are in place by the enterprise for the appropriate data standards | **Azure Rights Management**<br>Use Azure RMS for data rights management (DRM) and protection interoperability across DoD entities collaborating with Microsoft 365 services.<br>- Azure RMS<br>- Apps that support sensitivity labels |
| **Target 4.2.3 Develop Software Defined Storage (SDS) Policy**<br>The DoD enterprise, working with organizations, establishes a software-defined storage (SDS) policy and standards based on industry best practices. DoD organizations evaluate current data storage strategy and technology for implementation of SDS. Where appropriate, storage technology is identified for SDS implementation.<br>Outcomes:<br>- Determine need for SDS tool implementation<br>- Policy for SDS is created at the enterprise and org levels | **SharePoint Online**<br>Use SharePoint Online and OneDrive for Business as a standard interoperable software-defined storage (SDS) solution. Restrict access to sensitive SharePoint Online sites and content with site access restriction policies. Prevent guest access to files while data loss prevention (DLP) rules are applied.<br>- Restrict site access to group members<br>- Prevent guest access to files with DLP rules<br>- Secure guest sharing<br>**Microsoft Defender for Cloud Apps**<br>Use Defender for Cloud Apps to block access to unauthorized cloud storage services.<br>- Govern discovered apps |
4.3 Data labeling and tagging
Microsoft Purview Information Protection automatically classifies data based on sensitive information types you define. Policies for service- and client-side labeling ensure Microsoft 365 content created by your users is labeled and protected.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 4.3.1 Implement Data Tagging & Classification Tools**<br>DoD organizations utilize the enterprise standard and requirements to implement data tagging and classification solution(s). Organizations ensure that future ML and AI integrations are supported by solutions through DoD enterprise requirements.<br>Outcomes:<br>- A requirement of data classification and tagging tools must include integration and/or support of Machine Learning (ML)<br>- Data classification and tagging tools are implemented at org and enterprise levels | **Microsoft Purview Information Protection**<br>Use Microsoft Purview Information Protection to classify data based on sensitive information types and on classifiers trained by machine learning (ML).<br>- Sensitive data and Purview<br>- Label policies |
| **Target 4.3.2 Manual Data Tagging Pt1**<br>Using the DoD enterprise data tagging and classification policy and standards, manual tagging starts using basic data level attributes to meet ZT target functionality.<br>Outcome:<br>- Manual data tagging begins at the enterprise level with basic attributes | **Microsoft Purview**<br>Create and publish sensitivity labels in Microsoft Purview, according to the data tagging standards you define. See Microsoft guidance in 4.2.1. Configure a labeling policy to require users to apply sensitivity labels to emails and documents.<br>- Users apply labels to email and documents |
| **Advanced 4.3.3 Manual Data Tagging Pt2**<br>DoD organizational specific data level attributes are integrated into the manual data tagging process. DoD enterprise and organizations collaborate to decide which attributes are required to meet ZTA advanced functionality. Data level attributes for ZTA advanced functionality are standardized across the enterprise and incorporated.<br>Outcome:<br>- Manual data tagging is expanded to the program/org levels with specific attributes | **Microsoft Purview**<br>Review the sensitive information types in the Microsoft Purview compliance portal. Define custom sensitive information types as needed. See Microsoft guidance in 4.1.1. |
| **Advanced 4.3.4 Automated Data Tagging & Support Pt1**<br>DoD organizations use data loss prevention, rights management, and/or protection solutions to conduct scanning of data repositories. Standardized tags are applied to supported data repositories and data types. Unsupported data repositories and types are identified.<br>Outcome:<br>- Basic automation begins by scanning data repositories and applying tags | **Microsoft Purview Information Protection**<br>Configure client-side labeling for files and emails created in Microsoft Office applications.<br>- Autolabeling for Office apps<br>Configure service-side labeling for content stored in Office 365.<br>- Autolabeling policy for SharePoint, OneDrive, and Exchange<br>Apply sensitivity labels to containers: Microsoft Teams sites, Microsoft 365 Groups, and SharePoint sites.<br>- Sensitivity labels for Teams, Microsoft 365 Groups, and SharePoint sites<br>To find documents and emails in your environment, scan it for data matching values in defined sensitive information types.<br>- Data-match sensitive info types<br>Use document fingerprinting to find and label content that matches document templates and standard forms.<br>- Document fingerprinting<br>**Microsoft Purview**<br>Register data sources, then scan, ingest, and classify data in the Microsoft Purview governance portal.<br>- Data sources in Purview<br>- Scans and ingestion<br>- Data classification<br>**Microsoft Defender for Cloud Apps**<br>Integrate Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss.<br>- Integrate Information Protection<br>- Apply sensitivity labels<br>- DLP content inspection |
| **Advanced 4.3.5 Automated Data Tagging & Support Pt2**<br>Remaining supported data repositories have basic and extended data tags which are applied using machine learning and artificial intelligence. Extended data tags are applied to existing repositories. Unsupported data repositories and data types are evaluated for decommissioning using a risk-based methodical approach. Approved exceptions utilize manual data tagging approaches with data owners and/or custodians to manage tagging.<br>Outcomes:<br>- Full automation of data tagging is completed<br>- Results of data tagging are fed into ML algorithms | **Microsoft Purview Information Protection**<br>Trainable classifiers in Purview help you recognize content by using machine learning (ML). Create and train classifiers with human-picked, positively matched samples.<br>- Trainable classifiers |
4.4 Data monitoring and sensing
Microsoft Purview Data Loss Prevention (DLP) policies prevent data from leaving your organization. You can apply DLP policies to data at rest, in use, and in motion. DLP policies are enforced where the data resides: in cloud services, on on-premises file shares, and on Windows and macOS devices.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 4.4.1 DLP Enforcement Point Logging and Analysis**<br>DoD Organizations identify data loss prevention (DLP) enforcement points such as specific services and user endpoints. Using the established DoD Enterprise cybersecurity incident response standard, DoD organizations ensure the appropriate detail of data is captured. Additionally, protection, detection, and response use cases are developed to better outline solution coverage.<br>Outcomes:<br>- Enforcement points are identified<br>- Standardized logging schema is enforced at the enterprise and org levels | **Microsoft Purview Data Loss Prevention**<br>Create DLP policies in the Purview compliance portal. Enforce DLP for Microsoft 365 applications, Windows and macOS endpoints, and non-Microsoft cloud apps.<br>- Plan for DLP<br>- Design DLP policy<br>- Audit log activities<br>- Office 365 Management Activity API schema<br>**Microsoft Defender for Cloud Apps**<br>Integrate Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss. See Microsoft guidance in 4.3.4. |
| **Target 4.4.2 DRM Enforcement Point Logging and Analysis**<br>DoD Organizations identify data rights management (DRM) enforcement points such as specific services and user endpoints. Using the established DoD Enterprise cybersecurity incident response standard, DoD organizations ensure the appropriate detail of data is captured. Additionally, protection, detection, and response use cases are developed to better outline solution coverage.<br>Outcomes:<br>- Enforcement points are identified<br>- Standardized logging schema is enforced at the enterprise and org levels | **Microsoft Purview Information Protection**<br>Purview data rights management (DRM) enforcement points include Microsoft 365 and third-party applications and services integrated with the Microsoft Information Protection (MIP) SDK, online apps, and rich clients.<br>- Protect sensitive data<br>- Restrict content access with sensitivity labels<br>- MIP SDK<br>- Encryption in Microsoft 365<br>**Microsoft Defender for Cloud Apps**<br>Integrate Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss. See Microsoft guidance in 4.3.4. |
| **Target 4.4.3 File Activity Monitoring Pt1**<br>DoD Organizations utilize File Monitoring tools to monitor the most critical data classification levels in applications, services, and repositories. Analytics from monitoring are fed into the SIEM with basic data attributes to accomplish ZT Target functionality.<br>Outcomes:<br>- Data and files of critical classification are actively being monitored<br>- Basic integration is in place with a monitoring system such as the SIEM | **Microsoft Purview Data Loss Prevention**<br>DLP alerts appear in Microsoft Defender XDR. File activity such as creation, labeling, printing, and sharing is recorded in the Unified Audit Log and in activity explorer in the Microsoft Purview compliance portal.<br>- DLP alerts<br>- Activity explorer<br>- Export, configure, and view audit log records<br>**Microsoft Defender XDR and Microsoft Sentinel**<br>Integrate Microsoft Defender XDR with Sentinel to view and investigate data loss prevention (DLP) alerts in an enterprise security information and event management (SIEM) system.<br>- Integrate SIEM tools<br>- Information Protection connector for Sentinel<br>- Connect Defender XDR data to Sentinel<br>- DLP investigations |
| **Target 4.4.4 File Activity Monitoring Pt2**<br>DoD Organizations utilize File Monitoring tools to monitor all regulatory protected data (e.g., CUI, PII, PHI, etc.) in applications, services, and repositories. Extended integration is used to send data to appropriate inter/intra-pillar solutions such as Data Loss Prevention, Data Rights Management/Protection and User & Entity Behavior Analytics.<br>Outcomes:<br>- Data and files of all regulated classifications are actively being monitored<br>- Extended integrations are in place as appropriate to further manage risk | **Microsoft Sentinel**<br>Determine the sensitivity labels you need and configure custom Sentinel analytics rules. Create an incident when DLP alerts trigger for critical file events. Critical file events include detection of sensitive information, policy violations, and other suspicious activity.<br>- Custom analytics rules to detect threats<br>- Threat response with playbooks |
| **Advanced 4.4.5 Database Activity Monitoring**<br>DoD Organizations procure, implement, and utilize Database Monitor solutions to monitor all databases containing regulated data types (CUI, PII, PHI, etc.). Logs and analytics from the database monitoring solution are fed to the SIEM for monitoring and response. Analytics are fed into cross pillar activities such as "Enterprise Security Profile" and "Real Time Access" to better direct decision making.<br>Outcomes:<br>- Appropriate databases are being actively monitored<br>- Monitoring technology is integrated with solutions such as SIEM, PDP, and Dynamic Access Control mechanisms | **Microsoft Defender for SQL**<br>Defender for SQL protects databases in Azure and other clouds.<br>- Defender for SQL<br>- Security alerts<br>**Microsoft Sentinel**<br>Connect the Microsoft Defender for Cloud and Microsoft Defender XDR data connectors to Sentinel.<br>- Connect Defender for Cloud alerts to Sentinel<br>- Connect Defender XDR to Sentinel<br>**Conditional Access**<br>Require authentication context for sensitive SharePoint sites and protect Azure SQL Database sign-in using Conditional Access.<br>- Sensitivity labels<br>- Authentication context<br>- Conditional Access with Azure SQL Database and Azure Synapse Analytics |
| **Advanced 4.4.6 Comprehensive Data Activity Monitoring**<br>DoD Organizations expand monitoring of data repositories including databases as appropriate based on a methodical risk approach. Additional data attributes to meet the ZT Advanced functionalities are integrated into the analytics for additional integrations.<br>Outcomes:<br>- Data activity monitoring mechanisms are integrated to provide a unified view of monitoring across data repositories<br>- Appropriate integrations exist with solutions such as SIEM and PDP | **Microsoft Graph API**<br>Use Microsoft Graph activity logs for an audit trail of requests received by the Microsoft Graph service and processed by the tenant.<br>- Activity logs<br>**Microsoft Purview Data Map**<br>Configure Purview Data Map to scan for sensitive files in the organization's data estate.<br>- Manage data sources<br>**Microsoft Sentinel**<br>To integrate with a security information and event management (SIEM) system, configure Sentinel data connectors for Microsoft Defender for Cloud, Microsoft Defender XDR, and Purview. See Microsoft guidance in 4.4.5.<br>**Conditional Access**<br>Detections of unusual file access, found by Microsoft Defender XDR, raise the user risk level. User risk is a condition in Conditional Access, the policy decision point (PDP) for Microsoft Entra ID. Define a Conditional Access authentication context with the user risk condition set to no risk. Protect labeled SharePoint sites by requiring that Conditional Access authentication context.<br>- Risk detections<br>- Unusual file access<br>- Authentication context example |
4.5 Data encryption and rights management
Microsoft 365 services encrypt data at rest and in transit. Microsoft Purview restricts access to content according to the encryption settings of its sensitivity label, adding a further layer of encryption for email and files on top of service encryption.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 4.5.1 Implement DRM and Protection Tools Pt1**<br>DoD Organizations procure and implement DRM and Protection solution(s) as needed following the DoD Enterprise standard and requirements. Newly implemented DRM and protection solution(s) are implemented with high risk data repositories using ZTA target level protections.<br>Outcome:<br>- DRM and protection tools are enabled for high-risk data repositories with basic protections | **Microsoft 365 encryption**<br>Microsoft 365 has baseline, volume-level encryption with the Windows security feature BitLocker and Distributed Key Manager (DKM).<br>- Understand encryption<br>**Microsoft Purview**<br>Use labeling policies to automatically apply additional encryption to high-risk data in Microsoft 365, based on sensitivity label.<br>- Restrict content access with sensitivity labels<br>- Email encryption in Microsoft 365<br>**Microsoft Defender for Cloud Apps**<br>Integrate Microsoft Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss. See Microsoft guidance in 4.3.4.<br>**Azure Policy**<br>Use Azure Policy to require a secure Transport Layer Security (TLS) version, implement Transparent Data Encryption (TDE), and require customer-managed keys for TDE to encrypt data at rest.<br>- Azure Policy definitions for Azure SQL Database and SQL Managed Instance |
| **Target 4.5.2 Implement DRM and Protection Tools Pt2**<br>DRM and protection coverage is expanded to cover all in-scope data repositories. Encryption keys are automatically managed to meet best practices (e.g., FIPS). Extended data protection attributes are implemented based on the environment classification.<br>Outcome:<br>- DRM and protection tools are enabled for all possible repositories | **Azure Key Vault**<br>Use Azure Key Vault Managed Hardware Security Module (Azure Key Vault Managed HSM) to safeguard application cryptographic keys using FIPS 140-2 Level 3 validated hardware security modules.<br>- Azure Key Vault Managed HSM<br>**Microsoft Purview Customer Key**<br>Microsoft 365 offers an additional layer of encryption for your content with Customer Key.<br>- Service encryption<br>**Azure Information Protection tenant key**<br>Azure Information Protection supports Microsoft-generated tenant root keys and bring your own key (BYOK).<br>- Tenant key<br>- Double Key Encryption<br>- BYOK |
| **Target 4.5.3 DRM Enforcement via Data Tags and Analytics Pt1**<br>Data rights management (DRM) and protection solutions are integrated with basic data tags defined by the DoD Enterprise standard. Initial data repositories are monitored and have protect and response actions enabled. Data at rest is encrypted in repositories.<br>Outcomes:<br>- Data tags are integrated with DRM and monitored repositories are expanded<br>- Based on data tags, data is encrypted at rest | **Microsoft Purview Information Protection**<br>Use labeling policies to apply additional encryption automatically to high-risk data in Microsoft 365, based on sensitivity label.<br>- Restrict content access with sensitivity labels<br>**Microsoft 365 encryption**<br>Microsoft 365 has baseline, volume-level encryption with BitLocker and Distributed Key Manager (DKM). See Microsoft guidance in 4.5.1. |
| **Advanced 4.5.4 DRM Enforcement via Data Tags and Analytics Pt2**<br>Extended data repositories are protected with DRM and Protection solutions. DoD Organizations implement extended data tags applicable to organizations versus mandated enterprise. Data is encrypted in extended repositories using additional tags.<br>Outcomes:<br>- All applicable data repositories are protected using DRM<br>- Data is encrypted using extended data tags from the org levels | **Azure encryption**<br>Azure uses encryption for data at rest and in transit.<br>- Azure encryption<br>**Azure Policy**<br>Enable Azure Policy to secure Azure SQL databases. See Microsoft guidance in 4.5.1.<br>**Conditional Access**<br>Use Conditional Access policies for users that connect to Azure SQL. See Microsoft guidance in 4.4.5. |
| **Advanced 4.5.5 DRM Enforcement via Data Tags and Analytics Pt3**<br>DRM and Protection solutions integrate with AI and ML tooling for encryption, rights management and protection functions.<br>Outcomes:<br>- Analytics from ML/AI are integrated with DRM to better automate protections<br>- Encryption protection is integrated with AI/ML and updated encryption methods are used as needed | **Microsoft Purview Information Protection**<br>Use Microsoft Purview Information Protection to classify data based on sensitive information types and on classifiers trained by machine learning (ML). See Microsoft guidance in 4.3.5.<br>**Azure Machine Learning**<br>Azure Machine Learning and Azure OpenAI Service use the Azure Storage and Azure Compute services, which encrypt data.<br>- Data encryption<br>- Azure OpenAI encryption of data at rest<br>**Conditional Access**<br>Define authentication context with Identity Protection risk signals. Require authentication context for labeled SharePoint sites and custom applications.<br>- Authentication context<br>See Microsoft guidance in 4.4.5. |
4.6 Data loss prevention (DLP)
Microsoft Purview Data Loss Prevention (DLP) policies prevent data from leaving your organization. You can apply DLP policies to data at rest, in use, and in motion. DLP policies are enforced where the data resides: in cloud services, on on-premises file shares, and on Windows and macOS devices.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 4.6.1 Implement Enforcement Points**<br>Data loss prevention (DLP) solution is deployed to the in-scope enforcement points. DLP solution is set to "monitor-only" and/or "learning" mode limiting impact. DLP solution results are analyzed, and policy is fine-tuned to manage risk to an acceptable level.<br>Outcome:<br>- Identified enforcement points have DLP tool deployed and set to monitor mode with standardized logging | **Microsoft Purview Data Loss Prevention**<br>Microsoft 365 applications and Windows endpoints enforce DLP policies. Configure policies in DLP simulation mode.<br>- Plan for DLP<br>- DLP simulation mode<br>Create policies in DLP. Set the policy state to test, or test with policy tips. Set policy actions to Audit only or Block with override.<br>- DLP policy deployment<br>Onboard Windows 10, Windows 11, and macOS devices to Endpoint data loss prevention (Endpoint DLP).<br>- Endpoint DLP<br>Deploy the Microsoft Purview Information Protection scanner. Label and enforce DLP policies for content in on-premises SQL databases, file shares, network attached storage (NAS), and SharePoint Server document libraries.<br>- DLP on-premises repositories<br>- Information Protection scanner<br>**Microsoft Defender for Cloud Apps**<br>Integrate Microsoft Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss. See Microsoft guidance in 4.3.4.<br>**Conditional Access**<br>Control access to Office 365 and other Microsoft Entra-integrated applications. Use report-only mode to monitor the outcome before you enable policies with the block access grant control.<br>- Build policy<br>- Report-only mode<br>- Session policies: monitor all |
| **Target 4.6.2 DLP Enforcement via Data Tags and Analytics Pt1**<br>The data loss prevention (DLP) solution is updated from monitor-only mode to prevention mode. Basic data tags are utilized for the DLP solution and logging schema is integrated.<br>Outcome:<br>- Enforcement points are set to prevent mode, integrating the logging schema and manual tags environment classification | **Microsoft Purview Data Loss Prevention**<br>Create DLP policies in test mode. Change the state to On to enable enforcement mode. If you set policy actions to Block, user activity that triggers DLP is prevented by the policy.<br>- Actions in DLP policies<br>Enable just-in-time (JIT) protection to enforce Endpoint DLP for files created on offline devices.<br>- Offline devices<br>**Microsoft Defender for Cloud Apps**<br>Enable content inspection in Defender for Cloud Apps.<br>- DLP content inspection<br>**Conditional Access**<br>After testing, enable Conditional Access policies that apply session controls, or use the block access grant control. To avoid tenant lockout, exclude emergency-access accounts.<br>- Emergency access accounts<br>See Microsoft guidance in 4.6.1. |
| **Advanced 4.6.3 DLP Enforcement via Data Tags and Analytics Pt2**<br>Data loss prevention (DLP) solution is updated to include extended data tags based on parallel Automation activities.<br>Outcome:<br>- Enforcement points have extended data tag attributes applied for additional prevention | **Microsoft Purview Information Protection**<br>Define custom sensitive information types. Create labels and data loss prevention policies. See Microsoft guidance in 4.1.1. |
| **Advanced 4.6.4 DLP Enforcement via Data Tags and Analytics Pt3**<br>Data loss prevention (DLP) solution is integrated with automated data tagging techniques to include any missing enforcement points and tags.<br>Outcome:<br>- Automated tagging attributes are integrated with DLP and resulting metrics are used for ML | **Microsoft Purview Information Protection**<br>Use Microsoft Purview Information Protection to classify data based on sensitive information types and on classifiers trained by machine learning (ML). See Microsoft guidance in 4.3.5. |
4.7 Data access control
Microsoft 365 and Azure Storage services are integrated with Microsoft Entra ID for identity-based authorization. Microsoft Entra ID supports role-based access control (RBAC) and attribute-based access control (ABAC).
Microsoft Entra roles and security groups provide organizations with role-based access control. Dynamic security groups compute their membership from attributes defined on user, group, and device objects, using rich rule expressions.
Microsoft Entra ID attribute-based access control uses custom security attributes: business-specific attributes you define and assign to Microsoft Entra objects. Because custom security attributes can store sensitive information, the ability to view or modify them is restricted to the Attribute Administrator roles.
| DoD Activity Description and Outcome | Microsoft guidance and recommendations |
|---|---|
| **Target 4.7.1 Integrate DAAS Access w/ SDS Policy Pt1**<br>Utilizing the DoD enterprise SDS policy, organizational DAAS policy is developed with intended integration in mind. SDS implementation guide is developed by DoD organizations due to environment-specific nature.<br>Outcomes:<br>- Attribute based fine-grained DAAS policy is developed w/ enterprise and org level support<br>- SDS integration plan is developed to support DAAS policy | **Microsoft Entra ID**<br>Implement attribute-based data, assets, applications, and services (DAAS) policies with Microsoft Entra ID, using mechanisms like Azure attribute-based access control (Azure ABAC), custom security-attribute filtering for applications, and dynamic security groups.<br>- Attribute-based controls<br>**Custom security attributes**<br>Define custom security attributes and assign values to users. Configure role assignment conditions for Azure ABAC on Azure roles. Currently, this feature is in preview for Azure Storage account permissions.<br>- Azure ABAC<br>- Manage access to custom security attributes<br>- Manage attributes with delegation<br>Use custom security attributes for fine-grained dynamic application authorization. Assign custom security attributes and use attribute filters (preview) for applications in Conditional Access policies.<br>- Manage app custom security attributes<br>**Dynamic security groups**<br>Use dynamic security groups to grant permissions on resources that support Microsoft Entra ID groups, including Microsoft 365 role groups, app roles for Microsoft Entra ID applications, Azure roles, and application assignments. Conditional Access policies can target dynamic groups to apply different authorization levels to users with different attribute values.<br>- Dynamic group membership rules<br>- Emit claims from conditions |
| **Advanced 4.7.2 Integrate DAAS Access w/ SDS Policy Pt2**<br>DoD Organizations implement the DAAS policy in an automated fashion.<br>Outcome:<br>- Attribute based fine-grained DAAS Policy implemented in an automated fashion | **Microsoft Graph API**<br>Automate the configuration of Conditional Access policies, custom security attributes, dynamic security groups, and other Microsoft Entra ID features using the Microsoft Graph API.<br>- Identity and access APIs |
| **Advanced 4.7.3 Integrate DAAS Access w/ SDS Policy Pt3**<br>Newly implemented SDS technology and/or functionalities are integrated with the DAAS policy in a risk-based fashion. A phased approach should be taken during implementation to measure results and adjust accordingly.<br>Outcomes:<br>- SDS is integrated with DAAS policy functionality<br>- All data in all applications is protected with attribute based fine-grained DAAS policy | **Microsoft Defender for Cloud Apps**<br>Integrate Microsoft Purview and Defender for Cloud Apps. Create file policies to enforce automated processes using cloud provider APIs.<br>- Integrate Information Protection<br>- File policies |
| **Target 4.7.4 Integrate Solution(s) and Policy with Enterprise IDP Pt1**<br>DoD Organizations develop an integration plan using the SDS policy and technology/functionality with the enterprise Identity Provider (IdP) solution.<br>Outcome:<br>- Integration plan between SDS and authoritative Identity Provider is developed to support existing DAAS access | **Microsoft Entra ID**<br>Microsoft 365 storage services like SharePoint Online and OneDrive for Business are integrated with Microsoft Entra ID. Configure Azure Storage services for integration with Microsoft Entra ID for identity-based authorization of requests to Blob, File, Queue, and Table services.<br>- Microsoft Entra ID<br>- Authorize Azure Storage<br>Integrate additional software-defined storage (SDS) solutions with Microsoft Entra ID from the application gallery.<br>- Application gallery |
| **Advanced 4.7.5 Integrate Solution(s) and Policy with Enterprise IDP Pt2**<br>Newly implemented SDS technology and/or functionalities are integrated with the Enterprise Identity Provider (IdP) following the integration plan. Identity attributes required to meet ZT Target functionalities are required for integration.<br>Outcome:<br>- Complete integration with Enterprise IDP and SDS tooling to support all attribute based fine-grained DAAS access | Complete activities 4.7.1 and 4.7.4. |
| **Advanced 4.7.6 Implement SDS Tool and/or integrate with DRM Tool Pt1**<br>Depending on the need for a Software Defined Storage tool, a new solution is implemented or an existing solution is identified meeting the functionality requirements to be integrated with DLP, DRM/Protection, and ML solutions.<br>Outcome:<br>- If tooling is needed, ensure there are supported integrations with DLP, DRM and ML tooling | **Microsoft Purview**<br>Microsoft Purview Information Protection digital rights management (DRM) and Microsoft Purview Data Loss Prevention (DLP) features integrate natively with Office clients and Microsoft 365 services. Integrations are built in and don't require additional deployment.<br>- Purview overview<br>Use the Microsoft Information Protection SDK (MIP SDK) to build custom tools that apply labels and protection to files. See Microsoft guidance in 4.4.2. |
| **Advanced 4.7.7 Implement SDS Tool and/or integrate with DRM Tool Pt2**<br>DoD Organizations configure the SDS functionality and/or solution to be integrated with the underlying DLP and DRM/Protection infrastructure as appropriate. Lower-level integrations enable more effective protection and response.<br>Outcome:<br>- Integrate SDS infrastructure with existing DLP and DRM infrastructure | **Microsoft 365 and Microsoft Purview**<br>Microsoft Purview protects Microsoft 365 content with data loss prevention (DLP) and data rights management (DRM) without additional infrastructure.<br>- Protect sensitive data |
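The following example, added here and not part of Microsoft's guidance or the DoD roadmap, shows the automation pattern of 4.7.1 and 4.7.2 together with the staged rollout described in 4.6.1 and 4.6.2: it builds the Microsoft Graph request bodies for an attribute-driven dynamic security group and for a Conditional Access policy that targets that group, creates the policy in report-only state, and refuses to switch a blocking policy to enforced until every emergency-access account is excluded. The object IDs, group name, and membership rule are constructed placeholders; the field names are the documented Graph `group` and `conditionalAccessPolicy` properties, and nothing here contacts the network.

```python
"""Build and sanity-check Microsoft Graph request bodies for an attribute-based
DAAS policy (dynamic group + Conditional Access), deployed report-only first and
enforced only after emergency-access accounts are excluded. Added example; the
tenant-specific values below are constructed placeholders."""
import json
import re
import uuid

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph value for report-only mode
ENFORCED = "enabled"

# Constructed placeholder: a real deployment substitutes the break-glass
# account's Entra object id so that policy enforcement can never lock it out.
EMERGENCY_ACCESS_USERS = ["11111111-1111-1111-1111-111111111111"]


def build_dynamic_group(display_name: str, mail_nickname: str, rule: str) -> dict:
    """Body for POST /groups: a security group whose membership is computed from
    user or device attributes with an Entra dynamic-membership rule."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", mail_nickname):
        raise ValueError("mailNickname must be a simple alphanumeric token")
    # A membership rule must reference at least one user.* or device.* property.
    if not re.search(r"\b(user|device)\.[A-Za-z0-9_]+", rule):
        raise ValueError("membershipRule must reference user.* or device.* properties")
    return {
        "displayName": display_name,
        "mailEnabled": False,
        "mailNickname": mail_nickname,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": rule,
        "membershipRuleProcessingState": "On",
    }


def build_ca_policy(display_name: str, include_groups, user_risk_levels,
                    controls, exclude_users=()) -> dict:
    """Body for POST /identity/conditionalAccess/policies. The policy always
    starts in report-only state so its outcome can be reviewed before enforcement."""
    allowed_risk = {"low", "medium", "high", "none"}
    bad = set(user_risk_levels) - allowed_risk
    if bad:
        raise ValueError(f"unsupported userRiskLevels: {sorted(bad)}")
    for gid in include_groups:
        uuid.UUID(gid)  # raises ValueError on a malformed object id
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["Office365"]},
            "users": {
                "includeGroups": list(include_groups),
                "excludeUsers": list(exclude_users),
            },
            "userRiskLevels": list(user_risk_levels),
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }


def enforce(policy: dict, emergency_users=EMERGENCY_ACCESS_USERS) -> dict:
    """Return a copy of the policy switched to enforced state. A blocking policy
    that does not exclude every emergency-access account is rejected; this is
    the tenant-lockout check from 4.6.2 applied before the PATCH is sent."""
    controls = policy["grantControls"]["builtInControls"]
    excluded = set(policy["conditions"]["users"]["excludeUsers"])
    if "block" in controls and not set(emergency_users) <= excluded:
        raise ValueError("blocking policy must exclude all emergency-access accounts")
    enforced = json.loads(json.dumps(policy))  # deep copy; the input is not mutated
    enforced["state"] = ENFORCED
    return enforced


def graph_request(path: str, body: dict) -> dict:
    """Describe the POST a Graph client would issue: URL plus serialized body."""
    return {"method": "POST", "url": f"{GRAPH_BASE}{path}",
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body, separators=(",", ":"))}


if __name__ == "__main__":
    group = build_dynamic_group(
        "CUI handlers (Finance)", "cui-handlers-finance",
        '(user.department -eq "Finance") -and (user.accountEnabled -eq true)')
    print(graph_request("/groups", group)["body"])
    # Constructed object id standing in for the id Graph returns for the new group.
    group_id = "22222222-2222-2222-2222-222222222222"
    policy = build_ca_policy("Block risky CUI handlers", [group_id],
                             ["medium", "high"], ["block"],
                             exclude_users=EMERGENCY_ACCESS_USERS)
    print(graph_request("/identity/conditionalAccess/policies", enforce(policy))["body"])
```

The same checks apply when the policy is later updated with PATCH: keep the report-only result under review first, and never drop the emergency-access exclusion from a blocking policy.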
Next steps
Configure Microsoft cloud services for the DoD Zero Trust Strategy: