Highly sensitive data


Introduction

Managing highly sensitive data in Microsoft Fabric requires an in-depth understanding of both technical capabilities and regulatory compliance. Sensitive data can include personally identifiable information (PII), health records, financial information, or state secrets. Ensuring the confidentiality, integrity, and availability of such data in a cloud-native analytics platform like Microsoft Fabric requires a combination of architectural decisions, governance enforcement, and modern protection mechanisms.

Key Considerations

  • Data Classification: Clearly label and classify data sensitivity levels across Fabric workspaces and storage accounts.
  • Data Residency: Ensure compliance with data sovereignty requirements by deploying Fabric capacities in approved regions.
  • Access Control: Enforce role-based access control (RBAC) and Just-In-Time (JIT) access for high-privilege operations using Microsoft Entra.
  • End-to-End Encryption: Apply encryption in transit and at rest. For highly sensitive workloads, ensure support for customer-managed keys (BYOK) or customer-held keys (HYOK).
  • Audit and Monitoring: Integrate Microsoft Purview and Microsoft Defender for Cloud for comprehensive auditing, lineage, and threat detection.

Guidance

Confidential Computing

For advanced protection of sensitive analytics processes, consider integrating Microsoft Fabric with Azure Databricks on Confidential Compute nodes (DCsv3-series VMs). These trusted execution environments (TEEs) ensure that data remains encrypted even during processing.

BYOK and HYOK

  • Bring Your Own Key (BYOK): Use customer-managed keys with Fabric-supported services like Lakehouse and Warehouse (via Azure Key Vault integration). This ensures cryptographic control over your data at rest.
  • Hold Your Own Key (HYOK): For the most sensitive workloads, consider services outside Fabric (e.g., Microsoft Purview or Azure Information Protection) that support HYOK and combine them with federated access strategies to maintain key custody.

Isolation Strategies

  • Network Isolation: Use Private Links, VNet Integration (via supporting services like Synapse Link or Azure Data Factory), and controlled ingress points.
  • Workspace Design: Isolate sensitive workloads into separate workspaces and capacities, and apply stricter governance policies through the Fabric governance center.

Data Masking and Access Policies

  • Use dynamic data masking and row-level security for downstream consumers (Power BI, Data Warehouse endpoints).
  • Adopt Microsoft Purview's data access policies for declarative control over Fabric-connected data assets.
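
As an added illustration (not part of the original guidance), the T-SQL below combines dynamic data masking and row-level security on a single Fabric Warehouse table. The schema, table, column, and account names are constructed for the example.

```sql
-- Added example: all object names and accounts below are constructed.
CREATE SCHEMA sec;
GO

-- Masks are declared per column; the stored values are unchanged.
-- Masking only alters what a non-privileged reader gets back from a query.
CREATE TABLE dbo.PatientVisits (
    VisitId      int          NOT NULL,
    Region       varchar(20)  NOT NULL,
    AnalystUpn   varchar(128) NOT NULL,  -- Entra UPN of the analyst who owns the row
    PatientEmail varchar(128) MASKED WITH (FUNCTION = 'email()') NULL,
    NationalId   varchar(20)  MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NULL,
    Diagnosis    varchar(200) MASKED WITH (FUNCTION = 'default()') NULL
);
GO

-- Row-level security predicate: a row is visible only to the analyst named
-- on it, or to one designated oversight account.
CREATE FUNCTION sec.fn_visit_filter(@AnalystUpn AS varchar(128))
    RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS allowed
           WHERE @AnalystUpn = USER_NAME()
              OR USER_NAME() = 'privacy-officer@contoso.example';
GO

-- Bind the predicate to the table. FILTER silently removes rows the caller
-- may not see, so downstream reports show fewer rows rather than an error.
CREATE SECURITY POLICY sec.VisitFilter
    ADD FILTER PREDICATE sec.fn_visit_filter(AnalystUpn) ON dbo.PatientVisits
    WITH (STATE = ON);
GO

-- Downstream consumer: read access only, so masks and the row filter apply.
GRANT SELECT ON dbo.PatientVisits TO [analyst@contoso.example];
GO

-- UNMASK is the permission to audit. Grant it narrowly and per object.
-- Workspace Admin, Member and Contributor roles already see unmasked data,
-- so keep consumers of sensitive tables out of those roles.
GRANT UNMASK ON dbo.PatientVisits TO [privacy-officer@contoso.example];
GO
```

Masking is not a substitute for encryption or for the row filter: a reader who can run arbitrary predicates against a masked column can still infer values, so pair it with least-privilege SELECT grants.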

Compliance

  • Ensure that all Fabric workloads handling highly sensitive data are assessed under the Microsoft Compliance Offerings.
  • Regularly validate configurations against the Azure Security Benchmark and Microsoft Cloud Security Benchmark.

Next Steps

  • Review your current Fabric architecture for sensitive data exposure risks.
  • Establish a data classification and protection baseline in Microsoft Purview.
  • Test confidential compute scenarios with Azure Databricks or trusted execution environments.
  • Evaluate the feasibility of implementing BYOK/HYOK for key workloads.
  • Conduct a Fabric-specific security and compliance review using the Microsoft Well-Architected Framework.