Only give access to people who really need it, and only for as long as they need it.
Even trusted users shouldn’t have open-ended access. Keep permissions tight and time-limited, so the system stays protected from misuse or mistakes.
Contoso’s challenge
- Contoso Rise Up is known for great customer support. To help troubleshoot quickly, the support team has full access to customer data.
- The support team is regularly trained on ethical access.
- Unfortunately, one upset employee broke that trust. They copied and publicly shared a donor list. The person was fired, but the damage to Contoso Rise Up’s reputation was already done.
Applying the approach and outcomes
- Contoso Rise Up strictly grouped users in Microsoft Entra ID and set up role-based access control (RBAC) to control who can access what.
- All data access now requires approval, is time-limited, and gets logged.
- These rules apply across the workload and customer support teams, so there’s no more standing access to customer data.
Identify confidential data through classification
Figure out what kind of data you have, how sensitive it is, and what could go wrong if it got out. Label the data accordingly so that you can apply the right level of protection where needed.
This evaluation helps you rightsize security measures. You can also identify high-risk data and components that might affect your workload or be exposed. This exercise helps get everyone on the same page about how to handle different types of data.
Contoso’s challenge
- The donor management system stores many different types of data:
  - Internal information like Contoso Rise Up’s customer list
  - Customer-owned data like donor lists
  - Donor-specific data like mailing addresses
  - Nonsensitive data like stock images and document templates
- The workload team hasn’t classified the data. They’ve applied security broadly across the dataset.
Applying the approach and outcomes
- The workload team follows Contoso’s data classification guidelines and flags data stores, columns, storage accounts, and other storage resources with metadata to indicate the type and sensitivity of the data.
- This activity helps make sure that each level of sensitive data is properly handled throughout the entire system, including logging statements and backups.
- The team finds relatively sensitive data in a lower security database and nonsensitive data in a higher security database. They’re reorganizing the data to match security levels with the data type.
- They also plan to use data masking on key fields to better protect data confidentiality, so even authorized users only see what they need.
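
The following is an added example, not code from the original page or from Contoso's tooling. It shows how classification metadata can drive the audit and masking described above: it flags columns whose label falls outside the range their data store is meant for, and masks a field for viewers whose clearance is below the label. The label names, store names, ranges, column names, and the `masked_view` helper are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Sensitivity labels, lowest to highest (assumed names for this example).
LEVELS = ["public", "internal", "confidential", "restricted"]

@dataclass(frozen=True)
class Column:
    store: str   # data store that holds the column
    name: str
    label: str   # classification label recorded as metadata

# Constructed: the label range each store's controls are intended for.
STORE_RANGE = {
    "db-general": ("public", "internal"),
    "db-secure": ("confidential", "restricted"),
}

# Constructed inventory mirroring the data types listed above.
INVENTORY = [
    Column("db-general", "stock_image_uri", "public"),
    Column("db-general", "customer_list", "internal"),
    Column("db-general", "donor_mailing_address", "restricted"),
    Column("db-secure", "donor_list", "confidential"),
    Column("db-secure", "document_template", "public"),
]

def rank(label: str) -> int:
    return LEVELS.index(label)  # raises ValueError on an unknown label

def audit(inventory, store_range):
    """Split misplaced columns into (under_protected, over_protected)."""
    under, over = [], []
    for col in inventory:
        low, high = store_range[col.store]
        if rank(col.label) > rank(high):
            under.append(col)   # sensitive data in a lower-security store
        elif rank(col.label) < rank(low):
            over.append(col)    # nonsensitive data in a higher-security store
    return under, over

def masked_view(value: str, label: str, clearance: str, keep: int = 4) -> str:
    """Return the value, masked unless the viewer's clearance covers the label."""
    if rank(clearance) >= rank(label):
        return value
    visible = value[-keep:] if len(value) > keep else ""
    return "*" * (len(value) - len(visible)) + visible

if __name__ == "__main__":
    under, over = audit(INVENTORY, STORE_RANGE)
    print([c.name for c in under], [c.name for c in over])
```

Because `rank` rejects unknown labels, an untagged or mistyped column fails the audit loudly instead of being silently treated as nonsensitive.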