2. Understand your security responsibilities<\/h2>\n\n\n\n
When you move your data to cloud services, it’s important to understand who is responsible for securing it. In most cases, the cloud provider is responsible for securing the infrastructure, while the customer is responsible for securing the data stored on that infrastructure. Make sure you know your responsibilities and take the necessary steps to secure your data. The below picture shows how the responsibility shifts from the customer to the cloud provider as the customers move their applications to cloud services. While customers maintain end-to-end responsibility of maintaining the environment on-premises, as they move to cloud services, more and more responsibilities are taken over by the cloud provider. However, maintaining and securing data, devices, and identities is always the customer\u2019s responsibility.<\/p>\n\n\n\n Figure 1. Shared responsibility model in the cloud.<\/em><\/p>\n\n\n\n While passwords are the first line of defense against unauthorized access, we are aware that passwords can be stolen, leaked, or compromised. Using strong authentication methods, such as multifactor authentication, can significantly reduce the risk of unauthorized access to data. Multifactor authentication requires users to provide multiple forms of authentication, such as a password and a code sent to a mobile app, before gaining access to the cloud environment. However, the best defense is provided by passwordless technologies like facial recognition, fingerprints, or mobile apps. Microsoft provides a host of such technologies like Windows Hello, Microsoft Authenticator, or FIDO2 Security keys. Using these methods, you can mitigate the risk of password theft.<\/p>\n\n\n\n Figure 2. Authentication methods.<\/em><\/p>\n\n\n\n Encryption is a critical component of cloud security. It involves encoding data in such a way that only authorized users can access it. Implementing encryption for data in transit and data at rest can help protect sensitive data from unauthorized access and data breaches<\/a>. In the Microsoft Cloud, data is always encrypted at rest, in transit, and in use. Microsoft Azure Storage Service Encryption<\/strong> provides encryption for data at rest with 256-bit AES using Microsoft Manage Keys. It encrypts data in Azure Managed Disks, blob storage, Azure files, Azure queues and table storage. Azure Disk Encryption<\/strong> provides encryption for data at rest in Windows and Linux VMs using 256-AES encryption. Transparent Data Encryption <\/strong>provides encryption for Microsoft Azure SQL Database and Azure Data Warehouse. <\/p>\n\n\n\n The biggest problem faced by businesses today is discovering where their sensitive data is. With more than 80 percent of corporate data \u201cdark\u201d, organizations need tools to help them discover this data. Microsoft Purview Information Protection<\/a> helps you scan data at rest across Microsoft 365 applications, SharePoint Online, Exchange Online, Teams, non-Microsoft Cloud apps, and on-premises file shares and SharePoint servers using the Microsoft Purview Information Protection scanner tool, to discover sensitive data. Identifying the data is not enough. Organizations need to be aware of the risk associated with this data and protect the data by applying things such as encryption, access restrictions, and visual markings. With Microsoft Purview Information Protection you can automatically apply sensitivity labels to identify the data as highly confidential, confidential, or general, depending on your label schema by using more than 300 Sensitive Information Types and Trainable Classifiers.<\/p>\n\n\n\n Organizations also suffer from inadvertent or malicious data loss. They need to have controls in place to prevent sensitive data from being accessed by unauthorized individuals. Microsoft Purview Data Loss Prevention<\/a> helps prevent data loss by identifying and preventing risky or inappropriate sharing, transfer, or use of sensitive information across cloud, apps, and on endpoint devices. It is a cloud-native solution with built-in protection so that you no longer need to deploy and maintain costly on-premises infrastructure or agents.<\/p>\n\n\n\n Data doesn\u2019t move itself; people move data. That is why understanding the user context and intent behind data movement is key to preventing data loss. Microsoft Purview Insider Risk Management<\/a> offers built-in, ready-to-use machine learning models to detect and mitigate the most critical data security risks around your data. And by using Adaptive Protection, organizations can automatically tailor the appropriate data loss prevention controls based on a user\u2019s risk level, ensuring that the most effective policy\u2014such as blocking data sharing\u2014is applied only to high-risk users, while low-risk users can maintain their productivity. The result: your security operations team is now more efficient and empowered to do more with less.<\/p>\n\n\n\n Learn more about data protection for businesses<\/a>.<\/p>\n\n\n\n Figure 3. Microsoft’s approach to data security.<\/em><\/p>\n\n\n\n Implementing access controls can help limit access to sensitive data in cloud services. Access controls should be based on the principle of least privilege, where users are granted the minimum access required to perform their tasks. Role-based access control can be used to assign roles and permissions to users based on their job responsibilities. Microsoft Entra<\/a> encompasses all such Identity and Access capabilities from Microsoft.<\/p>\n\n\n\n Monitoring cloud activity can help detect and prevent unauthorized access to data. Cloud service providers offer monitoring services that can alert administrators when suspicious activity is detected. Regularly reviewing cloud logs and audit trails can help identify potential security threats. Microsoft Defender for Cloud<\/a>\u00a0is a cloud-native application protection platform that combines the capabilities of Cloud Security Posture Management with integrated data-aware security posture and Cloud Workload Protection Platform<\/a> to help prevent, detect, and respond to threats with increased visibility into and control over the security of multicloud and on-premises resources such as Azure Storage, Azure SQL, and open-source databases.<\/p>\n\n\n Figure 4. Microsoft Defender for Cloud.<\/em><\/p>\n\n\n\n In addition, Microsoft Sentinel<\/a>, Microsoft\u2019s AI-enriched, cloud-native security information and event management, can uncover sophisticated threats and automate response. It acts as a centralized hub across multicloud environments to monitor attackers as they move across vectors.<\/p>\n\n\n\n Figure 5. Microsoft Sentinel.<\/em><\/p>\n\n\n\n APIs are used to access cloud services, and they can be vulnerable to attacks if not secured properly. Secure APIs should be implemented with strong authentication and encryption to prevent unauthorized access to cloud services.<\/p>\n\n\n\n Conducting regular security assessments can help identify security vulnerabilities and assess the effectiveness of security measures. Regular security assessments can be conducted internally or by third-party security experts.<\/p>\n\n\n\n Ensure that your employees are aware of the security risks associated with storing data in cloud services and are trained on best practices for securing data. This includes regular security awareness training and policies for reporting suspicious activity.<\/p>\n\n\n\n Zero Trust is a security strategy. It is not a product or a service, but an approach in designing and implementing the following set of security principles:<\/p>\n\n\n\n A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy. This is done by implementing Zero Trust controls and technologies across six foundational elements of identity, endpoints, data, apps, infrastructure, and network.<\/p>\n\n\n Figure 6. Zero Trust across the vectors.<\/em><\/p>\n\n\n\n Each of these is a source of signal, a control plane for enforcement, and a critical resource to be defended. Here is Microsoft\u2019s guide to securing data with Zero Trust<\/a>.<\/p>\n\n\n\n In conclusion, securing data in cloud services is essential for businesses to protect their sensitive information from unauthorized access and data breaches. End-to-end security design and implementation is the foundation of securing data in cloud services. Microsoft recommends a defense in depth approach implementing the principles of Zero Trust across identity, endpoints, data, apps, infrastructure, and network.<\/p>\n\n\n\n To learn more about Microsoft Security solutions, visit our website.<\/a> Bookmark the Security blog<\/a> to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security<\/a>) and Twitter (@MSFTSecurity<\/a>) for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":" This blog explores the importance and best practices for securing data in the cloud. It discusses concepts such as authentication, zero trust, and encryption, among others.<\/p>\n","protected":false},"author":165,"featured_media":130817,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3667,3669,4121,3689],"products":[3690,3691,3702,3710,3717,3715,3726],"threat-intelligence":[],"tags":[],"coauthors":[3890,2390],"class_list":["post-130709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-cloud-security","topic-data-protection","topic-data-security","topic-zero-trust","products-microsoft-defender","products-microsoft-defender-for-cloud","products-microsoft-entra","products-microsoft-purview","products-microsoft-purview-data-loss-prevention","products-microsoft-purview-information-protection","products-microsoft-sentinel","review-flag-1694638265-576","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-6-1694638266-691","review-flag-7-1694638266-851","review-flag-8-1694638266-352","review-flag-9-1694638266-118","review-flag-alway-1694638263-571","review-flag-anywh-1694638264-237","review-flag-facia-1694638269-218","review-flag-machi-1694638272-641","review-flag-percent"],"yoast_head":"\n![\"Image](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/SecurityPicture1.jpg\")
<\/figure>\n\n\n\n3. Use strong authentication<\/h2>\n\n\n\n
![\"Image](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/SecurityPicture2.jpg\")
<\/figure>\n\n\n\n4. Implement encryption<\/h2>\n\n\n\n
5. Protect data wherever it lives or travels<\/h2>\n\n\n\n
![\"Microsoft's](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/SecurityPicture3.jpg\")
<\/figure>\n\n\n\n6. Implement access control<\/h2>\n\n\n\n
7. Monitor cloud activity and know your security posture<\/h2>\n\n\n\n
![\"Graphic](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/SecurityPicture4.webp\")
<\/figure>\n\n\n\n![\"Image](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/SecurityPicture5.jpg\")
<\/figure>\n\n\n\n8. Use secure APIs<\/h2>\n\n\n\n
9. Conduct regular security assessments<\/h2>\n\n\n\n
10. Train your employees<\/h2>\n\n\n\n
11. Implement principles of Zero Trust<\/h2>\n\n\n\n
\n
![\"Graph](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/SecurityPicture6.webp\")
<\/figure>\n\n\n\nWhat’s next <\/h2>\n\n\n\n
Learn more<\/h2>\n\n\n\n