Data Classification
Implementing data classification workflows to identify, categorize, and protect sensitive information in sovereign cloud environments.
Overview
Section titled “Overview”Data classification is the foundation of data sovereignty. Before you can protect sensitive data, you must first understand what data you have, where it resides, and its sensitivity level. This module covers automated and manual classification approaches.
Learning Objectives
Section titled “Learning Objectives”After completing this section, you will be able to:
- ✅ Design a data classification taxonomy
- ✅ Implement automated classification with Microsoft Purview
- ✅ Apply protection policies based on classification
- ✅ Monitor classification compliance across the organization
Data Classification Flow
Section titled “Data Classification Flow”The following diagram illustrates the complete data classification workflow from discovery to protection:
flowchart TB
subgraph Discovery ["1️⃣ Discovery Phase"]
A[Data Sources] --> B[Microsoft Purview<br/>Data Map]
B --> C[Automated Scanning]
C --> D[Content Inspection]
end
subgraph Classification ["2️⃣ Classification Phase"]
D --> E{Classification<br/>Engine}
E -->|PII Detected| F[Personal Data]
E -->|Financial| G[Confidential]
E -->|Health| H[PHI/HIPAA]
E -->|Public| I[Non-Sensitive]
end
subgraph Labeling ["3️⃣ Labeling Phase"]
F --> J[Apply Sensitivity<br/>Label]
G --> J
H --> J
I --> J
J --> K[Encryption Policy]
J --> L[Access Policy]
J --> M[Retention Policy]
end
subgraph Protection ["4️⃣ Protection Phase"]
K --> N[Azure RMS<br/>Encryption]
L --> O[Conditional<br/>Access]
M --> P[Data Lifecycle<br/>Management]
end
subgraph Monitoring ["5️⃣ Monitoring Phase"]
N --> Q[Activity Logs]
O --> Q
P --> Q
Q --> R[Compliance<br/>Dashboard]
R --> S{Compliant?}
S -->|No| T[Alert &<br/>Remediate]
S -->|Yes| U[Audit Report]
end
style Discovery fill:#E8F4FD,stroke:#0078D4
style Classification fill:#FFF4E6,stroke:#FF8C00
style Labeling fill:#F3E8FF,stroke:#5C2D91
style Protection fill:#FFE4E1,stroke:#D13438
style Monitoring fill:#D4E9D7,stroke:#107C10_
*Figure 1: Data classification workflow from discovery to continuous monitoring_
Classification Taxonomy
Section titled “Classification Taxonomy”Sensitivity Levels
Section titled “Sensitivity Levels”| Level | Description | Examples | Protection |
|---|---|---|---|
| Public | No confidentiality requirements | Marketing materials, public docs | None required |
| Internal | Business-only information | Policies, procedures | Basic access control |
| Confidential | Business-sensitive data | Financial data, contracts | Encryption + access control |
| Highly Confidential | Restricted access | Trade secrets, M&A data | CMK encryption + MFA |
| Regulated | Legal/compliance requirements | PII, PHI, PCI data | Full DLP + audit |
Regulatory Classifications
Section titled “Regulatory Classifications”For sovereignty compliance, additional regulatory labels may apply:
- GDPR Personal Data — EU data subject information
- HIPAA PHI — Protected health information
- PCI DSS — Payment card data
- ITAR/EAR — Export controlled data
- Classified — Government security classifications
Microsoft Purview Integration
Section titled “Microsoft Purview Integration”Data Map Configuration
Section titled “Data Map Configuration”# Register data sources with Microsoft PurviewRegister-AzPurviewDataSource ` -AccountName "contoso-purview" ` -DataSourceType "AzureBlob" ` -ResourceId "/subscriptions/{sub-id}/resourceGroups/data-rg/providers/Microsoft.Storage/storageAccounts/sensitivedata"
# Configure scanning rule set for PII detectionNew-AzPurviewScanRuleSet ` -AccountName "contoso-purview" ` -Name "EU-PII-Ruleset" ` -Kind "AzureBlob" ` -SystemClassificationRuleName @("GDPR", "EU.SSN", "EU.Passport")Automated Classification Rules
Section titled “Automated Classification Rules”| Rule Type | Detection Method | Examples |
|---|---|---|
| Built-in | Regex + ML | Credit cards, SSN, email |
| Custom | Regex patterns | Employee IDs, custom codes |
| Trainable | Machine learning | Document types, contracts |
| Dictionary | Word lists | Project names, locations |
Protection Policies
Section titled “Protection Policies”Label-Based Protection
Section titled “Label-Based Protection”When a sensitivity label is applied, automatic protection policies activate:
# Example: Confidential Label Policylabel: name: "Confidential" tooltip: "Business-sensitive information"protection: encryption: enabled: true keySource: "customer-managed" keyVault: "/subscriptions/{sub}/resourceGroups/keys-rg/..." access: requireMFA: true allowedLocations: ["EU West", "EU North"] watermark: enabled: true text: "CONFIDENTIAL - ${user.name}" dlp: blockExternalSharing: true preventCopy: trueImplementation Checklist
Section titled “Implementation Checklist”- Define classification taxonomy
- Deploy Microsoft Purview account
- Register all data sources
- Configure scanning schedules
- Create custom classification rules
- Define sensitivity labels
- Assign protection policies
- Enable continuous monitoring
- Train users on classification
Next Steps
Section titled “Next Steps”- Incident Response Workflow → — Handle security incidents
- Encryption & Key Management → — Protect classified data
Reference: Microsoft Purview Data Classification — Microsoft Learn