DoD Zero Trust Strategy for the data pillar
The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.
This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.
Use the following links to go to sections of the guide.
- Introduction
- User
- Device
- Applications and workloads
- Data
- Network
- Automation and orchestration
- Visibility and analytics
4 Data
This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the data pillar. To learn more, see Secure data with Zero Trust.
4.1 Data catalog risk alignment
Microsoft Purview solutions help discover, identify, govern, protect, and manage data where it resides. Microsoft Purview provides three ways to identify items so that they can be classified: users can classify items manually, automated pattern recognition can classify them through sensitive information types, and machine learning can classify them through trainable classifiers.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 4.1.1 Data Analysis<br>DoD Organizations update the service and application catalog(s) with data classifications. Data tags are also added to each service and application.<br>Outcome:<br>- The service catalog is updated with data types for each application and service based on data classification levels | Microsoft Purview: Review sensitive information types in the Microsoft Purview compliance portal and define custom sensitive information types.<br>- Custom sensitive info types in Purview compliance portal<br>Use Purview content explorer or activity explorer to view a snapshot of labeled Microsoft 365 content and the associated user activities.<br>- Content explorer<br>- Activity explorer<br>Microsoft Defender for Cloud Apps: Integrate Microsoft Purview Information Protection to apply sensitivity labels to data that matches policies. Investigate potential sensitive data exposure across cloud applications.<br>- Integrate Information Protection<br>Microsoft Purview Data Catalog: Browse the Purview Data Catalog to explore the data in your data estate.<br>- Purview Data Catalog |
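A sensitive information type combines a primary element (a pattern), an optional validator such as a checksum, and supporting keywords that must appear within a proximity window; the number of supporting elements found determines the confidence level. The following Python script is an added illustration of that model, written for this guide; it is not Microsoft's code and not how Purview is implemented. The two sensitive information types, the Luhn validator, the "Confidential" label name, and the sample text are constructed for the example, and the same model applies to the custom types discussed under 4.3.3.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# A custom sensitive information type (SIT), modeled on the parts a Purview SIT has:
# a primary element (regex), an optional validator, supporting keywords, and a
# proximity window in which those keywords must appear. Constructed for this example.
@dataclass(frozen=True)
class SensitiveInfoType:
    name: str
    primary: re.Pattern
    keywords: tuple
    proximity: int = 300                          # characters on each side of the match
    validator: Optional[Callable[[str], bool]] = None

def luhn_ok(value: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

# Constructed SITs for the example, not Purview's built-in definitions.
PROJECT_CODE = SensitiveInfoType(
    name="Project code (constructed)",
    primary=re.compile(r"\bPRJ-\d{4}-[A-Z]{2}\b"),
    keywords=("project", "program", "controlled"),
)
PAYMENT_CARD = SensitiveInfoType(
    name="Payment card (constructed)",
    primary=re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    keywords=("card", "visa", "expiry", "cvv"),
    validator=luhn_ok,
)

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

def classify(text: str, sit: SensitiveInfoType) -> list:
    """Return one detection per validated primary match, with a confidence level."""
    detections = []
    for m in sit.primary.finditer(text):
        if sit.validator and not sit.validator(m.group(0)):
            continue                              # pattern matched but checksum failed
        lo = max(0, m.start() - sit.proximity)
        hi = min(len(text), m.end() + sit.proximity)
        window = text[lo:hi].lower()
        evidence = sum(1 for k in sit.keywords if k in window)
        confidence = "high" if evidence >= 2 else "medium" if evidence == 1 else "low"
        detections.append({"type": sit.name, "offset": m.start(), "value": m.group(0),
                           "confidence": confidence, "evidence": evidence})
    return detections

def scan(text: str, sits=(PROJECT_CODE, PAYMENT_CARD)) -> list:
    """Run every SIT over the text, ordered by where the match occurs."""
    found = []
    for sit in sits:
        found.extend(classify(text, sit))
    return sorted(found, key=lambda d: d["offset"])

def recommend_label(detections: list, min_confidence: str = "medium"):
    """Mimic an auto-labeling rule: any detection at or above min_confidence gets the label."""
    needed = CONFIDENCE_RANK[min_confidence]
    if any(CONFIDENCE_RANK[d["confidence"]] >= needed for d in detections):
        return "Confidential"                     # constructed label name
    return None

# Constructed sample text: a valid test card number, a project code with two
# supporting keywords nearby, and a 13-digit tracking number that fails Luhn.
SAMPLE = ("Meeting notes: program review for PRJ-2024-AB is controlled information. "
          "Card on file 4111 1111 1111 1111, expiry 12/27. "
          "Reference 1234567890123 is a shipment tracking number.")

if __name__ == "__main__":
    for d in scan(SAMPLE):
        print(d)
    print("label:", recommend_label(scan(SAMPLE)))
```

The tracking number is dropped by the validator even though it matches the digit pattern, and a project code with no supporting keywords in range only reaches low confidence, which a label policy set to medium or higher ignores.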
4.2 DoD enterprise data governance
Microsoft Purview Information Protection uses sensitivity labels. You can create sensitivity labels relevant to your organization, control which labels are visible for users, and define the label scope. Scope labels to files, emails, meetings, Microsoft Teams, SharePoint sites, and more. Labels protect content with encryption, limit external sharing, and prevent data loss.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 4.2.1 Define Data Tagging Standards<br>The DoD Enterprise works with organizations to establish data tagging and classification standards based on industry best practices. Classifications are agreed upon and implemented in processes. Tags are identified as manual and automated for future activities.<br>Outcomes:<br>- Enterprise data classification and tagging standards are developed<br>- Organizations align to enterprise standards and begin implementation | Microsoft Purview: Create and publish sensitivity labels in Microsoft Purview, according to the data tagging standards you define.<br>- Sensitivity labels and policies<br>- Sensitivity labels in Microsoft 365 |
Target 4.2.2 Interoperability Standards<br>The DoD Enterprise, collaborating with the organizations, develops interoperability standards integrating mandatory Data Rights Management (DRM) and Protection solutions with necessary technologies to enable ZT target functionality.<br>Outcome:<br>- Formal standards are in place by the enterprise for the appropriate data standards | Azure Rights Management: Use Azure RMS for data rights management (DRM) and protection interoperability across DoD entities that collaborate through Microsoft 365 services.<br>- Azure RMS<br>- Apps that support sensitivity labels |
Target 4.2.3 Develop Software Defined Storage (SDS) Policy<br>The DoD enterprise, working with organizations, establishes a software-defined storage (SDS) policy and standards based on industry best practices. DoD organizations evaluate current data storage strategy and technology for implementation of SDS. Where appropriate, storage technology is identified for SDS implementation.<br>Outcomes:<br>- Determine need for SDS tool implementation<br>- Policy for SDS is created at the enterprise and org levels | SharePoint Online: Use SharePoint Online and OneDrive for Business as a standard, interoperable software-defined storage (SDS) solution. Restrict access to sensitive SharePoint Online sites and content with site access restriction policies. Prevent guest access to files while data loss prevention (DLP) rules are applied.<br>- Restrict site access to group members<br>- Prevent guest access to files with DLP rules<br>- Secure guest sharing<br>Microsoft Defender for Cloud Apps: Use Defender for Cloud Apps to block access to unauthorized cloud storage services.<br>- Govern discovered apps |
4.3 Data labeling and tagging
Microsoft Purview Information Protection automatically classifies data based on sensitive information types you define. Policies for service- and client-side labeling ensure Microsoft 365 content created by your users is labeled and protected.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 4.3.1 Implement Data Tagging & Classification Tools<br>DoD organizations utilize the enterprise standard and requirements to implement data tagging and classification solution(s). Organizations ensure that future ML and AI integrations are supported by solutions through DoD enterprise requirements.<br>Outcomes:<br>- A requirement of data classification and tagging tools must include integration and/or support of Machine Learning (ML)<br>- Data classification and tagging tools are implemented at org and enterprise levels | Microsoft Purview Information Protection: Use Microsoft Purview Information Protection to classify data based on sensitive information types and on classifiers trained by machine learning (ML).<br>- Sensitive data and Purview<br>- Label policies |
Target 4.3.2 Manual Data Tagging Pt1<br>Using the DoD enterprise data tagging and classification policy and standards, manual tagging starts using basic data level attributes to meet ZT target functionality.<br>Outcome:<br>- Manual data tagging begins at the enterprise level with basic attributes | Microsoft Purview: Create and publish sensitivity labels in Microsoft Purview, according to the data tagging standards you define. See Microsoft guidance in 4.2.1.<br>Configure a labeling policy to require users to apply sensitivity labels to emails and documents.<br>- Users apply labels to email and documents |
Advanced 4.3.3 Manual Data Tagging Pt2<br>DoD organizational specific data level attributes are integrated into the manual data tagging process. DoD enterprise and organizations collaborate to decide which attributes are required to meet ZTA advanced functionality. Data level attributes for ZTA advanced functionality are standardized across the enterprise and incorporated.<br>Outcome:<br>- Manual data tagging is expanded to the program/org levels with specific attributes | Microsoft Purview: Review the sensitive information types in the Microsoft Purview compliance portal. Define custom sensitive information types as needed. See Microsoft guidance in 4.1.1. |
Advanced 4.3.4 Automated Data Tagging & Support Pt1<br>DoD organizations use data loss prevention, rights management, and/or protection solutions to conduct scanning of data repositories. Standardized tags are applied to supported data repositories and data types. Unsupported data repositories and types are identified.<br>Outcome:<br>- Basic automation begins by scanning data repositories and applying tags | Microsoft Purview Information Protection: Configure client-side labeling for files and emails created in Microsoft Office applications.<br>- Autolabeling for Office apps<br>Configure service-side labeling for content stored in Office 365.<br>- Autolabeling policy for SharePoint, OneDrive, and Exchange<br>Apply sensitivity labels to containers: Microsoft Teams sites, Microsoft 365 Groups, and SharePoint sites.<br>- Sensitivity labels for Teams, Microsoft 365 groups, and SharePoint sites<br>To find documents and emails in your environment, scan it for data matching values in defined sensitive information types.<br>- Data-match sensitive info types<br>Use document fingerprinting to find and label content that matches document templates and standard forms.<br>- Document fingerprinting<br>Microsoft Purview: Register data sources, then scan, ingest, and classify data in the Microsoft Purview governance portal.<br>- Data sources in Purview<br>- Scans and ingestion<br>- Data classification<br>Microsoft Defender for Cloud Apps: Integrate Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss.<br>- Integrate Information Protection<br>- Apply sensitivity labels<br>- DLP content inspection |
Advanced 4.3.5 Automated Data Tagging & Support Pt2<br>Remaining supported data repositories have basic and extended data tags which are applied using machine learning and artificial intelligence. Extended data tags are applied to existing repositories. Unsupported data repositories and data types are evaluated for decommissioning using a risk-based methodical approach. Approved exceptions utilize manual data tagging approaches with data owners and/or custodians to manage tagging.<br>Outcomes:<br>- Full automation of data tagging is completed<br>- Results of data tagging are fed into ML algorithms | Microsoft Purview Information Protection: Trainable classifiers in Purview help you recognize content by using machine learning (ML). Create and train classifiers with human-picked, positively matched samples.<br>- Trainable classifiers |
4.4 Data monitoring and sensing
Microsoft Purview Data Loss Prevention (DLP) policies prevent data from leaving your organization. You can apply DLP policies to data at rest, in use, and in motion. DLP policies are enforced where data resides: in cloud services, on on-premises file shares, and on Windows and macOS devices.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 4.4.1 DLP Enforcement Point Logging and Analysis<br>DoD Organizations identify data loss prevention (DLP) enforcement points such as specific services and user endpoints. Using the established DoD Enterprise cybersecurity incident response standard, DoD organizations ensure the appropriate detail of data is captured. Additionally, protection, detection, and response use cases are developed to better outline solution coverage.<br>Outcomes:<br>- Enforcement points are identified<br>- Standardized logging schema is enforced at the enterprise and org levels | Microsoft Purview Data Loss Prevention: Create DLP policies in the Purview compliance portal. Enforce DLP for Microsoft 365 applications, Windows and macOS endpoints, and non-Microsoft cloud apps.<br>- Plan for DLP<br>- Design DLP policy<br>- Audit log activities<br>- Office 365 Management Activity API schema<br>Microsoft Defender for Cloud Apps: Integrate Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss. See Microsoft guidance in 4.3.4. |
Target 4.4.2 DRM Enforcement Point Logging and Analysis<br>DoD Organizations identify data rights management (DRM) enforcement points such as specific services and user endpoints. Using the established DoD Enterprise cybersecurity incident response standard, DoD organizations ensure the appropriate detail of data is captured. Additionally, protection, detection, and response use cases are developed to better outline solution coverage.<br>Outcomes:<br>- Enforcement points are identified<br>- Standardized logging schema is enforced at the enterprise and org levels | Microsoft Purview Information Protection: Purview data rights management (DRM) enforcement points include Microsoft 365, third-party applications and services integrated with the Microsoft Information Protection (MIP) SDK, online apps, and rich clients.<br>- Protect sensitive data<br>- Restrict content access with sensitivity labels<br>- MIP SDK<br>- Encryption in Microsoft 365<br>Microsoft Defender for Cloud Apps: Integrate Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss. See Microsoft guidance in 4.3.4. |
Target 4.4.3 File Activity Monitoring Pt1<br>DoD Organizations utilize File Monitoring tools to monitor the most critical data classification levels in applications, services, and repositories. Analytics from monitoring are fed into the SIEM with basic data attributes to accomplish ZT Target functionality.<br>Outcomes:<br>- Data and files of critical classification are actively being monitored<br>- Basic integration is in place with monitoring systems such as the SIEM | Microsoft Purview Data Loss Prevention: DLP alerts appear in Microsoft Defender XDR. File activity such as creation, labeling, printing, and sharing is recorded in the Unified Audit Log and in activity explorer in the Microsoft Purview compliance portal.<br>- DLP alerts<br>- Activity explorer<br>- Export, configure, and view audit log records<br>Microsoft Defender XDR and Microsoft Sentinel: Integrate Microsoft Defender XDR with Sentinel to view and investigate data loss prevention (DLP) alerts in an enterprise security information and event management (SIEM) system.<br>- Integrate SIEM tools<br>- Information Protection connector for Sentinel<br>- Connect Defender XDR data to Sentinel<br>- DLP investigations |
Target 4.4.4 File Activity Monitoring Pt2<br>DoD Organizations utilize File Monitoring tools to monitor all regulatory protected data (e.g., CUI, PII, PHI, etc.) in applications, services, and repositories. Extended integration is used to send data to appropriate inter/intra-pillar solutions such as Data Loss Prevention, Data Rights Management/Protection and User & Entity Behavior Analytics.<br>Outcomes:<br>- Data and files of all regulated classifications are actively being monitored<br>- Extended integrations are in place as appropriate to further manage risk | Microsoft Sentinel: Determine the needed sensitivity labels and configure custom Sentinel analytics rules. Create an incident when DLP alerts trigger for critical file events. Critical file events include detection of sensitive information, policy violations, and other suspicious activity.<br>- Custom analytics rules to detect threats<br>- Threat response with playbooks |
Advanced 4.4.5 Database Activity Monitoring<br>DoD Organizations procure, implement, and utilize Database Monitor solutions to monitor all databases containing regulated data types (CUI, PII, PHI, etc.). Logs and analytics from the database monitoring solution are fed to the SIEM for monitoring and response. Analytics are fed into cross-pillar activities such as "Enterprise Security Profile" and "Real Time Access" to better direct decision making.<br>Outcomes:<br>- Appropriate databases are being actively monitored<br>- Monitoring technology is integrated with solutions such as SIEM, PDP, and Dynamic Access Control mechanisms | Microsoft Defender for SQL: Defender for SQL protects databases in Azure and other clouds.<br>- Defender for SQL<br>- Security alerts<br>Microsoft Sentinel: Connect the Microsoft Defender for Cloud and Microsoft Defender XDR data connectors to Sentinel.<br>- Connect Defender for Cloud alerts to Sentinel<br>- Connect Defender XDR to Sentinel<br>Conditional Access: Require authentication context for sensitive SharePoint sites, and protect Azure SQL Database sign-in with Conditional Access.<br>- Sensitivity labels<br>- Authentication context<br>- Conditional Access with Azure SQL Database and Azure Synapse Analytics |
Advanced 4.4.6 Comprehensive Data Activity Monitoring<br>DoD Organizations expand monitoring of data repositories including databases as appropriate based on a methodical risk approach. Additional data attributes to meet the ZT Advanced functionalities are integrated into the analytics for additional integrations.<br>Outcomes:<br>- Data activity monitoring mechanisms are integrated to provide a unified view of monitoring across data repositories<br>- Appropriate integrations exist with solutions such as SIEM and PDP | Microsoft Graph API: Use Microsoft Graph activity logs for an audit trail of requests received by the Microsoft Graph service and processed by the tenant.<br>- Activity logs<br>Microsoft Purview Data Map: Configure Purview Data Map to scan for sensitive files in the organization's data estate.<br>- Manage data sources<br>Microsoft Sentinel: To integrate with a security information and event management (SIEM) system, configure Sentinel data connectors for Microsoft Defender for Cloud, Microsoft Defender XDR, and Purview. See Microsoft guidance in 4.4.5.<br>Conditional Access: Detections of unusual file access by Microsoft Defender XDR raise the user risk level. User risk is a condition in Conditional Access, the policy decision point (PDP) for Microsoft Entra ID. Define a Conditional Access authentication context with the user risk condition set to no risk, then protect labeled SharePoint sites by requiring that authentication context.<br>- Risk detections<br>- Unusual file access<br>- Authentication context example |
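Activities 4.4.1 and 4.4.3 ask for a standardized logging schema at the enforcement points and for DLP events to reach the SIEM with basic data attributes. The Python script below, added here as an illustration and not Microsoft's code or a Microsoft tool, normalizes DLP rule-match records into flat JSON events and decides which of them should open an incident. The three records are constructed sample data; their field names follow the DLP schema of the Office 365 Management Activity API (Operation `DlpRuleMatch`) as the author understands it, so verify them against the schema reference linked under 4.4.1. The policy names, sensitive information type names, user names and the incident criterion are assumptions made for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample records, not real tenant data. Field names are assumed to
# follow the DLP schema of the Office 365 Management Activity API for
# Operation "DlpRuleMatch" (RecordType 11); check them against the schema docs.
SAMPLE_RECORDS = json.loads(r'''[
  {"CreationTime": "2024-05-01T14:02:11", "Id": "00000000-0000-4000-8000-000000000001",
   "Operation": "DlpRuleMatch", "RecordType": 11, "Workload": "SharePoint",
   "UserId": "alice@contoso.example",
   "SharePointMetaData": {"SiteCollectionUrl": "https://contoso.example/sites/program-x",
                          "FileName": "budget.xlsx",
                          "FilePathUrl": "https://contoso.example/sites/program-x/Shared/budget.xlsx"},
   "PolicyDetails": [{"PolicyName": "CUI protection",
     "Rules": [{"RuleName": "CUI shared externally", "Severity": "High",
                "Actions": ["BlockAccess", "NotifyUser"],
                "ConditionsMatched": {"SensitiveInformation": [
                  {"SensitiveInformationTypeName": "Project code (custom)", "Count": 3, "Confidence": 85}]}}]}]},
  {"CreationTime": "2024-05-01T14:05:40", "Id": "00000000-0000-4000-8000-000000000002",
   "Operation": "DlpRuleMatch", "RecordType": 11, "Workload": "Exchange",
   "UserId": "bob@contoso.example",
   "ExchangeMetaData": {"Subject": "Re: travel claim", "To": ["carol@contoso.example"]},
   "PolicyDetails": [{"PolicyName": "PII monitoring",
     "Rules": [{"RuleName": "PII internal, low volume", "Severity": "Low",
                "Actions": ["GenerateAlert"],
                "ConditionsMatched": {"SensitiveInformation": [
                  {"SensitiveInformationTypeName": "Personnel ID (custom)", "Count": 1, "Confidence": 75}]}}]}]},
  {"CreationTime": "2024-05-01T14:07:02", "Id": "00000000-0000-4000-8000-000000000003",
   "Operation": "DlpRuleUndo", "RecordType": 11, "Workload": "SharePoint",
   "UserId": "alice@contoso.example"}
]''')

# Assumed incident criterion: a High-severity rule, or any rule whose action blocked access.
BLOCKING_ACTIONS = {"BlockAccess"}

def item_of(record: dict) -> str:
    """Stable item reference per workload: file URL for SharePoint/OneDrive, subject for Exchange."""
    if "SharePointMetaData" in record:
        sp = record["SharePointMetaData"]
        return sp.get("FilePathUrl") or sp.get("FileName", "unknown")
    if "ExchangeMetaData" in record:
        return "mail:" + record["ExchangeMetaData"].get("Subject", "")
    return "unknown"

def to_siem_events(records: list) -> list:
    """Flatten each matched rule into one event with the basic data attributes the SIEM needs."""
    events = []
    for rec in records:
        if rec.get("Operation") != "DlpRuleMatch":
            continue                         # undo/info records carry no rule match to alert on
        ts = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        for policy in rec.get("PolicyDetails", []):
            for rule in policy.get("Rules", []):
                sits = rule.get("ConditionsMatched", {}).get("SensitiveInformation", [])
                events.append({
                    "timestamp": ts.isoformat(),
                    "record_id": rec["Id"],
                    "user": rec.get("UserId", "unknown"),
                    "workload": rec.get("Workload", "unknown"),
                    "item": item_of(rec),
                    "policy": policy.get("PolicyName"),
                    "rule": rule.get("RuleName"),
                    "severity": rule.get("Severity", "Low"),
                    "actions": list(rule.get("Actions", [])),
                    "sensitive_types": {s["SensitiveInformationTypeName"]: s.get("Count", 0) for s in sits},
                })
    return events

def needs_incident(event: dict) -> bool:
    return event["severity"] == "High" or bool(BLOCKING_ACTIONS & set(event["actions"]))

def incidents(events: list) -> list:
    return [e for e in events if needs_incident(e)]

def to_json_lines(events: list) -> str:
    """One JSON object per line, keys sorted, so every enforcement point emits the same shape."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

def summarize(events: list) -> dict:
    counts = {}
    for e in events:
        counts[e["severity"]] = counts.get(e["severity"], 0) + 1
    return counts

if __name__ == "__main__":
    evs = to_siem_events(SAMPLE_RECORDS)
    print(to_json_lines(evs))
    print("incidents:", [e["record_id"] for e in incidents(evs)])
```

The `DlpRuleUndo` record is dropped rather than forwarded as a match, and the flattening keeps one event per rule so that a single audit record matching several rules still yields one row per enforcement decision in the SIEM.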
4.5 Data encryption and rights management
Microsoft 365 services encrypt data at rest and in transit. Microsoft Purview restricts access to content according to the encryption settings of its sensitivity label, which it does by adding another layer of encryption for email and files.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 4.5.1 Implement DRM and Protection Tools Pt1<br>DoD Organizations procure and implement DRM and Protection solution(s) as needed following the DoD Enterprise standard and requirements. Newly implemented DRM and protection solution(s) are implemented with high risk data repositories using ZTA target level protections.<br>Outcome:<br>- DRM and protection tools are enabled for high-risk data repositories with basic protections | Microsoft 365 encryption: Microsoft 365 has baseline, volume-level encryption with the Windows security feature BitLocker and Distributed Key Manager (DKM).<br>- Understand encryption<br>Microsoft Purview: Use labeling policies to automatically apply more encryption for high-risk data in Microsoft 365, based on sensitivity label.<br>- Restrict content access with sensitivity labels<br>- Email encryption in Microsoft 365<br>Microsoft Defender for Cloud Apps: Integrate Microsoft Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss. See Microsoft guidance in 4.3.4.<br>Azure Policy: Use Azure Policy to require a secure Transport Layer Security (TLS) version, implement Transparent Data Encryption (TDE), and require customer-managed keys for encrypting data at rest.<br>- Azure Policy definitions for Azure SQL Database and SQL Managed Instance |
Target 4.5.2 Implement DRM and Protection Tools Pt2<br>DRM and protection coverage is expanded to cover all in-scope data repositories. Encryption keys are automatically managed to meet best practices (e.g., FIPS). Extended data protection attributes are implemented based on the environment classification.<br>Outcome:<br>- DRM and protection tools are enabled for all possible repositories | Azure Key Vault: Use Azure Key Vault Managed HSM to safeguard application cryptographic keys with FIPS 140-2 Level 3 validated hardware security modules.<br>- Azure Key Vault Managed HSM<br>Microsoft Purview Customer Key: Microsoft 365 offers a layer of encryption for your content with Customer Key.<br>- Service encryption<br>Azure Information Protection tenant key: Azure Information Protection supports Microsoft-generated tenant root keys and bring your own key (BYOK).<br>- Tenant key<br>- Double Key Encryption<br>- BYOK |
Target 4.5.3 DRM Enforcement via Data Tags and Analytics Pt1<br>Data rights management (DRM) and protection solutions are integrated with basic data tags defined by the DoD Enterprise standard. Initial data repositories are monitored and have protect and response actions enabled. Data at rest is encrypted in repositories.<br>Outcomes:<br>- Data tags are integrated with DRM and monitored repositories are expanded<br>- Based on data tags, data is encrypted at rest | Microsoft Purview Information Protection: Use labeling policies to automatically apply more encryption for high-risk data in Microsoft 365, based on sensitivity label.<br>- Restrict content access with sensitivity labels<br>Microsoft 365 encryption: Microsoft 365 has baseline, volume-level encryption with BitLocker and Distributed Key Manager (DKM). See Microsoft guidance in 4.5.1. |
Advanced 4.5.4 DRM Enforcement via Data Tags and Analytics Pt2<br>Extended data repositories are protected with DRM and Protection solutions. DoD Organizations implement extended data tags applicable to organizations versus mandated enterprise. Data is encrypted in extended repositories using additional tags.<br>Outcomes:<br>- All applicable data repositories are protected using DRM<br>- Data is encrypted using extended data tags from the org levels | Azure encryption: Azure uses encryption for data at rest and in transit.<br>- Azure encryption<br>Azure Policy: Enable Azure Policy to secure Azure SQL databases. See Microsoft guidance in 4.5.1.<br>Conditional Access: Use Conditional Access policies for users that connect to Azure SQL. See Microsoft guidance in 4.4.5. |
Advanced 4.5.5 DRM Enforcement via Data Tags and Analytics Pt3<br>DRM and Protection solutions integrate with AI and ML tooling for encryption, rights management and protection functions.<br>Outcomes:<br>- Analytics from ML/AI are integrated with DRM to better automate protections<br>- Encryption protection is integrated with AI/ML and updated encryption methods are used as needed | Microsoft Purview Information Protection: Use Microsoft Purview Information Protection to classify data based on sensitive information types and on classifiers trained by machine learning (ML). See Microsoft guidance in 4.3.5.<br>Azure Machine Learning: Azure Machine Learning and Azure OpenAI Service use the Azure Storage and Azure Compute services, which encrypt data.<br>- Data encryption<br>- Azure OpenAI encryption of data at rest<br>Conditional Access: Define authentication context with Identity Protection risk signals. Require authentication context for labeled SharePoint sites and custom applications.<br>- Authentication context<br>See Microsoft guidance in 4.4.5. |
4.6 Data loss prevention (DLP)
Microsoft Purview Data Loss Prevention (DLP) policies prevent data from leaving your organization. You can apply DLP policies to data at rest, in use, and in motion. DLP policies are enforced where data resides: in cloud services, on on-premises file shares, and on Windows and macOS devices.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 4.6.1 Implement Enforcement Points<br>Data loss prevention (DLP) solution is deployed to the in-scope enforcement points. DLP solution is set to "monitor-only" and/or "learning" mode, limiting impact. DLP solution results are analyzed, and policy is fine-tuned to manage risk to an acceptable level.<br>Outcome:<br>- Identified enforcement points have DLP tool deployed and set to monitor mode with standardized logging | Microsoft Purview Data Loss Prevention: Microsoft 365 applications and Windows endpoints enforce DLP policies. Configure policies in DLP simulation mode.<br>- Plan for DLP<br>- DLP simulation mode<br>Create policies in DLP. Set the policy state to test, or test with policy tips. Set policy actions to Audit only or Block with override.<br>- DLP policy deployment<br>Onboard Windows 10, Windows 11, and macOS devices to Endpoint data loss prevention (Endpoint DLP).<br>- Endpoint DLP<br>Deploy the Microsoft Purview Information Protection scanner. Label and enforce DLP policies for content in on-premises SQL databases, file shares, network attached storage (NAS), and SharePoint Server document libraries.<br>- DLP on-premises repositories<br>- Information Protection scanner<br>Microsoft Defender for Cloud Apps: Integrate Microsoft Purview Information Protection with Defender for Cloud Apps to apply sensitivity labels automatically, enforce encryption policies, and prevent data loss. See Microsoft guidance in 4.3.4.<br>Conditional Access: Control access to Office 365 and other Microsoft Entra-integrated applications. Use report-only mode to monitor the outcome before you enable policies with the block access grant control.<br>- Build policy<br>- Report-only mode<br>- Session policies: monitor all |
Target 4.6.2 DLP Enforcement via Data Tags and Analytics Pt1<br>The data loss prevention (DLP) solution is updated from monitor-only mode to prevention mode. Basic data tags are utilized for the DLP solution and the logging schema is integrated.<br>Outcome:<br>- Enforcement points are set to prevent mode, integrating the logging schema and manual tags environment classification | Microsoft Purview Data Loss Prevention: Create DLP policies in test mode. Change the state to On to enable enforcement mode. If you set policy actions to Block, user activity that triggers DLP is prevented by the policy.<br>- Actions in DLP policies<br>Enable just-in-time (JIT) protection to enforce Endpoint DLP for files created on offline devices.<br>- Offline devices<br>Microsoft Defender for Cloud Apps: Enable content inspection in Defender for Cloud Apps.<br>- DLP content inspection<br>Conditional Access: After testing, enable Conditional Access policies that apply session controls, or use the block access grant control. To avoid tenant lockout, exclude emergency access accounts.<br>- Emergency access accounts<br>See Microsoft guidance in 4.6.1. |
Advanced 4.6.3 DLP Enforcement via Data Tags and Analytics Pt2<br>Data loss prevention (DLP) solution is updated to include extended data tags based on parallel Automation activities.<br>Outcome:<br>- Enforcement points have extended data tag attributes applied for additional prevention | Microsoft Purview Information Protection: Define custom sensitive information types. Create labels and data loss prevention policies. See Microsoft guidance in 4.1.1. |
Advanced 4.6.4 DLP Enforcement via Data Tags and Analytics Pt3<br>Data loss prevention (DLP) solution is integrated with automated data tagging techniques to include any missing enforcement points and tags.<br>Outcome:<br>- Automated tagging attributes are integrated with DLP and resulting metrics are used for ML | Microsoft Purview Information Protection: Use Microsoft Purview Information Protection to classify data based on sensitive information types and on classifiers trained by machine learning (ML). See Microsoft guidance in 4.3.5. |
4.7 Data access control
Microsoft 365 and Azure Storage services are integrated with Microsoft Entra ID for identity-based authorization. Microsoft Entra ID supports role-based access control (RBAC) and attribute-based access control (ABAC).
Microsoft Entra roles and security groups provide organizations role-based access control. Dynamic security groups use attributes defined on user, group, and device objects to define membership, based upon rich expressions and rule sets.
Microsoft Entra ID attribute-based access control uses custom security attributes: business-specific attributes that you define and assign to Microsoft Entra objects. Because custom security attributes can store sensitive information, access to view or modify them is restricted to the Attribute Administrator roles.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 4.7.1 Integrate DAAS Access w/ SDS Policy Pt1<br>Utilizing the DoD enterprise SDS policy, organizational DAAS policy is developed with intended integration in mind. SDS implementation guide is developed by DoD organizations due to environment-specific nature.<br>Outcomes:<br>- Attribute-based fine-grained DAAS policy is developed w/ enterprise and org level support<br>- SDS integration plan is developed to support DAAS policy | Microsoft Entra ID: Implement attribute-based data, assets, applications, and services (DAAS) policies with Microsoft Entra ID, using mechanisms like Azure attribute-based access control (Azure ABAC), custom security attribute filtering for applications, and dynamic security groups.<br>- Attribute-based controls<br>Custom security attributes: Define custom security attributes and assign values to users. Configure role assignment conditions for Azure ABAC on Azure roles. Currently, this feature is in preview for Azure Storage account permissions.<br>- Azure ABAC<br>- Manage access to custom security attributes<br>- Manage attributes with delegation<br>Use custom security attributes for fine-grained dynamic application authorization. Assign custom security attributes and use attribute filters (preview) for applications in Conditional Access policies.<br>- Manage app custom security attributes<br>Dynamic security groups: Use dynamic security groups to assign access to resources that support Microsoft Entra ID groups for granting permissions. These include Microsoft 365 role groups, app roles for Microsoft Entra ID applications, Azure roles, and application assignments. Conditional Access policies use dynamic groups to apply authorization levels for users with various attribute values.<br>- Dynamic group membership rules<br>- Emit claims from conditions |
Advanced 4.7.2 Integrate DAAS Access w/ SDS Policy Pt2<br>DoD Organizations implement the DAAS policy in an automated fashion.<br>Outcome:<br>- Attribute-based fine-grained DAAS policy implemented in an automated fashion | Microsoft Graph API: Automate the configuration of Conditional Access policies, custom security attributes, dynamic security groups, and other Microsoft Entra ID features by using the Microsoft Graph API.<br>- Identity and access APIs |
Advanced 4.7.3 Integrate DAAS Access w/ SDS Policy Pt3<br>Newly implemented SDS technology and/or functionalities are integrated with the DAAS policy in a risk-based fashion. A phased approach should be taken during implementation to measure results and adjust accordingly.<br>Outcomes:<br>- SDS is integrated with DAAS policy functionality<br>- All data in all applications are protected with attribute-based fine-grained DAAS policy | Microsoft Defender for Cloud Apps: Integrate Microsoft Purview and Defender for Cloud Apps. Create file policies to enforce automated processes by using cloud provider APIs.<br>- Integrate Information Protection<br>- File policies |
Target 4.7.4 Integrate Solution(s) and Policy with Enterprise IDP Pt1<br>DoD Organizations develop an integration plan using the SDS policy and technology/functionality with the enterprise Identity Provider (IdP) solution.<br>Outcome:<br>- Integration plan between SDS and authoritative Identity Provider is developed to support existing DAAS access | Microsoft Entra ID: Microsoft 365 storage services like SharePoint Online and OneDrive for Business are integrated with Microsoft Entra ID. Configure Azure Storage services for integration with Microsoft Entra ID for identity-based authorization of requests to the Blob, File, Queue, and Table services.<br>- Microsoft Entra ID<br>- Authorize Azure Storage<br>In the application gallery, integrate more software-defined storage (SDS) solutions with Microsoft Entra ID.<br>- Application gallery |
Advanced 4.7.5 Integrate Solution(s) and Policy with Enterprise IDP Pt2<br>Newly implemented SDS technology and/or functionalities are integrated with the Enterprise Identity Provider (IdP) following the integration plan. Identity attributes required to meet ZT Target functionalities are required for integration.<br>Outcome:<br>- Complete integration with Enterprise IDP and SDS tooling to support all attribute-based fine-grained DAAS access | Complete activities 4.7.1 and 4.7.4. |
Advanced 4.7.6 Implement SDS Tool and/or integrate with DRM Tool Pt1<br>Depending on the need for a Software Defined Storage tool, a new solution is implemented or an existing solution is identified meeting the functionality requirements to be integrated with DLP, DRM/Protection, and ML solutions.<br>Outcome:<br>- If tooling is needed, ensure there are supported integrations with DLP, DRM and ML tooling | Microsoft Purview: Microsoft Purview Information Protection digital rights management (DRM) and Microsoft Purview Data Loss Prevention (DLP) features integrate natively with Office clients and Microsoft 365 services. Integrations are built in and don't require more deployment.<br>- Purview overview<br>Use the Microsoft Information Protection SDK (MIP SDK) to build custom tools that apply labels and protection to files. See Microsoft guidance in 4.4.2. |
Advanced 4.7.7 Implement SDS Tool and/or integrate with DRM Tool Pt2<br>DoD Organizations configure the SDS functionality and/or solution to be integrated with the underlying DLP and DRM/Protection infrastructure as appropriate. Lower-level integrations enable more effective protection and response.<br>Outcome:<br>- Integrate SDS infrastructure with existing DLP and DRM infrastructure | Microsoft 365 and Microsoft Purview: Microsoft Purview protects Microsoft 365 content with data loss prevention (DLP) and data rights management (DRM) without more infrastructure.<br>- Protect sensitive data |
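Activities 4.7.1 and 4.7.2 call for attribute-based DAAS policy built from custom security attributes, dynamic groups and Conditional Access, and for that configuration to be automated through the Microsoft Graph API; 4.4.6 and 4.6.1 through 4.6.2 describe the policy shape (authentication context plus the user risk condition, tested in report-only mode first, with emergency access accounts excluded). The Python script below is an added example written for this guide, not Microsoft's code or sample: it builds the request bodies for the Graph endpoints named in the comments and enforces the report-only-first and emergency-exclusion rules before a policy is switched on. The attribute set `Engineering`, the attribute `ProjectCode`, the authentication context ID `c1`, the membership rule, and the group ID placeholders are assumptions for the example; `graph_request` is a minimal sender that is not exercised offline and expects a bearer token you obtained by the usual means.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Conditional Access policy states as Microsoft Graph names them.
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENABLED = "enabled"

def build_dynamic_group(display_name: str, mail_nickname: str, membership_rule: str) -> dict:
    """Body for POST /groups: a security group whose membership is computed from attributes."""
    return {
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": membership_rule,
        "membershipRuleProcessingState": "On",
    }

def build_attribute_assignment(attribute_set: str, attribute: str, value: str) -> dict:
    """Body for PATCH /users/{id}: assign one custom security attribute value to a user."""
    return {"customSecurityAttributes": {attribute_set: {
        "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
        attribute: value,
    }}}

def build_ca_policy(display_name: str, include_group_ids, auth_context_ids, emergency_group_ids) -> dict:
    """Body for POST /identity/conditionalAccess/policies.

    Blocks users carrying any risk level when they step up into the given authentication
    context (the context that labeled SharePoint sites require). Always created report-only
    so the outcome can be observed before enforcement (4.6.1)."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": list(include_group_ids),
                      "excludeGroups": list(emergency_group_ids)},   # emergency access accounts
            "applications": {"includeAuthenticationContextClassReferences": list(auth_context_ids)},
            "userRiskLevels": ["low", "medium", "high"],              # "no risk" users are unaffected
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def can_enforce(policy: dict) -> bool:
    """A block policy may only be enforced after report-only and with an exclusion present."""
    users = policy["conditions"]["users"]
    has_exclusion = bool(users.get("excludeGroups") or users.get("excludeUsers"))
    return policy["state"] == REPORT_ONLY and has_exclusion

def enable_policy(policy: dict) -> dict:
    """Body for PATCH /identity/conditionalAccess/policies/{id} that moves to enforcement (4.6.2)."""
    if not can_enforce(policy):
        raise ValueError("refusing to enforce: policy must be report-only and exclude emergency access")
    return {"state": ENABLED}

def graph_request(token: str, method: str, path: str, body: dict) -> dict:
    """Send one request to Microsoft Graph. Not exercised offline; token is a bearer token."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Placeholder IDs; real values come from the POST /groups responses in your tenant.
    analysts = build_dynamic_group("Program X analysts", "programx-analysts",
                                   '(user.department -eq "Program X") and (user.accountEnabled -eq true)')
    assignment = build_attribute_assignment("Engineering", "ProjectCode", "PRJ-2024-AB")
    policy = build_ca_policy("Block risky users from CUI sites",
                             ["GROUP-ID-PLACEHOLDER"], ["c1"], ["EMERGENCY-GROUP-ID-PLACEHOLDER"])
    for body in (analysts, assignment, policy, enable_policy(policy)):
        print(json.dumps(body, indent=2))
```

Running the script prints the four bodies in the order they would be sent; the last one only exists because the policy was built report-only with an exclusion group, and `enable_policy` raises for a policy that lacks either.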
Next steps
Configure Microsoft cloud services for the DoD Zero Trust Strategy: