update timings

Author: ceperezb

learn-pr/wwl-sci/design-solutions-secure-organization-data/1-introduction-data-security.yml

@@ -9,6 +9,6 @@ metadata:
   ms.author: ceperezb
   ms.topic: unit
   ai-usage: ai-assisted
-durationInMinutes: 5
+durationInMinutes: 3
 content: |
   [!include[](includes/1-introduction-data-security.md)]

learn-pr/wwl-sci/design-solutions-secure-organization-data/3-design-solution-data-protection.yml

@@ -9,6 +9,6 @@ metadata:
   ms.author: ceperezb
   ms.topic: unit
   ai-usage: ai-assisted
-durationInMinutes: 10
+durationInMinutes: 8
 content: |
   [!include[](includes/3-design-solution-data-protection.md)]

learn-pr/wwl-sci/design-solutions-secure-organization-data/4-design-data-security-azure-workloads.yml

@@ -9,6 +9,6 @@ metadata:
   ms.author: ceperezb
   ms.topic: unit
   ai-usage: ai-assisted
-durationInMinutes: 10
+durationInMinutes: 12
 content: |
   [!include[](includes/4-design-data-security-azure-workloads.md)]

learn-pr/wwl-sci/design-solutions-secure-organization-data/4a-design-security-data-ai-workloads.yml

@@ -9,6 +9,6 @@ metadata:
   ms.author: ceperezb
   ms.topic: unit
   ai-usage: ai-assisted
-durationInMinutes: 10
+durationInMinutes: 8
 content: |
   [!include[](includes/4a-design-security-data-ai-workloads.md)]

learn-pr/wwl-sci/design-solutions-secure-organization-data/5-design-security-azure-storage.yml

@@ -9,6 +9,6 @@ metadata:
   ms.author: ceperezb
   ms.topic: unit
   ai-usage: ai-assisted
-durationInMinutes: 10
+durationInMinutes: 7
 content: |
   [!include[](includes/5-design-security-azure-storage.md)]

learn-pr/wwl-sci/design-solutions-secure-organization-data/6-design-security-defender-sql-storage.yml

@@ -9,6 +9,6 @@ metadata:
   ms.author: ceperezb
   ms.topic: unit
   ai-usage: ai-assisted
-durationInMinutes: 10
+durationInMinutes: 8
 content: |
   [!include[](includes/6-design-security-defender-sql-storage.md)]

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/2-design-solution-data-discovery-classification-microsoft-purview.md

@@ -16,21 +16,60 @@ A comprehensive discovery solution must provide visibility across this entire es
 
 ### Classification taxonomy design
 
+Classification taxonomy is a hierarchical depiction of data categorization. There isn't a universal standard for classification—it's driven by your organization's motivation for protecting data. Taxonomy might capture compliance requirements, promised features for workload users, or other criteria driven by business needs.
+
+As a workload owner, rely on your organization to provide a well-defined taxonomy. All workload roles must have a shared understanding of the structure, nomenclature, and definition of the sensitivity levels. Don't define your own classification system that conflicts with organizational standards.
+
 Your classification scheme should:
 
 - **Align with business requirements**: Classifications should reflect how your organization thinks about data sensitivity
 - **Support regulatory compliance**: Include classifications that map to GDPR, HIPAA, PCI-DSS, and other relevant regulations
 - **Enable automation**: Design classifications that can be applied automatically based on content patterns
 - **Scale across the organization**: Use consistent classifications that work for all business units
 
-The WAF Security pillar recommends defining data classifications that enable risk-based controls. Common classification levels include:
+The WAF Security pillar recommends defining data classifications that enable risk-based controls. Example classification labels cover sensitivity levels, information types, and compliance scope:
+
+| Category | Example labels |
+|----------|----------------|
+| **Sensitivity levels** | Public, General, Confidential, Highly Confidential, Secret |
+| **Information types** | Financial, Credit Card, Credentials, Health fields, Intellectual Property, Personal data |
+| **Compliance scope** | HIPAA, PCI, CCPA, SOX |
+
+### Defining classification scope
+
+Be granular and explicit when defining what's in scope for classification. The WAF Security pillar emphasizes that classification should extend beyond primary data stores to related components:
+
+- **Data store granularity**: Classify at the table level or even column level for tabular systems
+- **Backup systems**: Has your highly sensitive data store's backup been classified?
+- **Caching layers**: If you're caching user-sensitive data, is the cache in scope?
+- **Analytical data stores**: How is aggregated or derived data classified?
+- **Preproduction environments**: Do you need to classify data in development and test systems?
+
+Start with these questions to define your scope:
+
+1. What's the origin of data and information type?
+2. What's the expected restriction based on access (public, regulatory, internal use)?
+3. What's the data footprint—where is it stored and how long should it be retained?
+4. Which architecture components interact with the data?
+5. How does data move through the system?
+6. What information is expected in audit reports?
+
+### Designing architecture based on classification labels
+
+Classification should influence your architectural decisions. The WAF Security pillar identifies key areas where classification drives design:
 
-| Classification | Description | Example controls |
-|----------------|-------------|------------------|
-| **Public** | Information intended for public disclosure | No restrictions |
-| **Internal** | Information for internal business use | Basic access controls |
-| **Confidential** | Sensitive business information | Encryption, restricted access |
-| **Highly Confidential** | Most sensitive data | Strong encryption, audit logging, DLP |
+**Segmentation strategy**: Classification labels influence traffic isolation boundaries. Critical flows might require end-to-end TLS, while other traffic can use different encryption standards.
+
+**Encryption choices**: Sensitivity levels affect encryption decisions:
+- Highly sensitive data might require double encryption
+- Different secrets might require varied levels of protection (HSM vs. standard secret stores)
+- Compliance labels dictate protection standards (for example, PCI-DSS mandates FIPS 140-2 Level 3, requiring HSMs)
+
+**Data in use protection**: For the most sensitive classifications, consider confidential computing to protect data during processing.
+
+**Classification persistence**: Classification information should move with the data as it transitions through the system. Data labeled as confidential should be treated as confidential by all components that interact with it—including removing or obfuscating personal data from application logs.
+
+**Reporting and masking**: Classification impacts how data is exposed in reports. Based on information type labels, you might need to apply data masking algorithms for obfuscation. Define which roles should have visibility into raw data versus masked data.
 
 ### Sensitive information type detection
 
@@ -110,18 +149,6 @@ For Azure workloads, [Microsoft Defender for Cloud](/azure/defender-for-cloud/de
 - **Built-in recommendations**: Suggested classifications based on column names and data patterns
 - **Microsoft Purview integration**: Sync classifications with your enterprise labeling strategy
 
-## Design recommendations
-
-When designing your data discovery and classification solution:
-
-1. **Start with data governance goals**: Define what you're trying to protect and why before selecting tools
-
-2. **Implement a unified classification taxonomy**: Use consistent classifications across all data sources and tools
-
-3. **Prioritize automated discovery**: Manual processes don't scale—invest in automated scanning
-
-4. **Integrate with protection mechanisms**: Classification provides value when it triggers protection actions
-
-5. **Plan for multi-cloud and hybrid**: Ensure your solution covers all locations where data resides
+## Bringing it together
 
-6. **Enable monitoring and reporting**: Track classification coverage and identify gaps in your data estate
+Effective data discovery and classification requires a unified organizational taxonomy applied consistently across your data estate. Start by defining what you need to protect and why, then be explicit about scope—extending classification to backups, caches, and analytical stores. Prioritize automated discovery with tools like Microsoft Purview, but validate results through manual verification. Classification provides value when it triggers protection actions, so design your architecture so that labels influence encryption choices, access controls, and segmentation. Build classification maintenance into operations, because stale metadata leads to compliance issues and erroneous risk assessments.

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/3-design-solution-data-protection.md

@@ -142,16 +142,6 @@ Labels applied through classification can trigger protection:
 - **Watermarking**: Apply visual markings to indicate sensitivity
 - **Expiration**: Set time limits on document access
 
-## Design recommendations
+## Bringing it together
 
-1. **Encrypt by default**: Enable encryption for all data stores even if not explicitly required
-
-2. **Standardize on TLS 1.2+**: Disable all legacy protocols across your environment
-
-3. **Centralize key management**: Use Azure Key Vault for all cryptographic operations
-
-4. **Implement key rotation**: Establish policies for regular key rotation based on compliance requirements
-
-5. **Enable HSM protection**: Use Key Vault HSM for keys protecting the most sensitive data
-
-6. **Document key recovery procedures**: Ensure you can recover from key loss scenarios
+Effective data protection requires a defense-in-depth approach that combines encryption, access controls, network isolation, and monitoring. Encrypt all data by default—both at rest and in transit—using TLS 1.2 or higher and AES-256 encryption. Centralize key management in Azure Key Vault, using HSM protection for the most sensitive workloads and implementing key rotation policies based on compliance requirements. Classification labels should trigger protection actions through DLP policies and Azure Information Protection, ensuring that sensitivity levels drive the appropriate encryption choices and access restrictions throughout your environment.

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/5-design-security-azure-storage.md

@@ -163,32 +163,6 @@ Use immutable storage for:
 - Healthcare records under HIPAA retention rules
 - Legal documents subject to litigation hold
 
-## Design recommendations for Azure Storage security
+## Bringing it together
 
-### Network security
-
-1. **Use private endpoints** for all storage accounts containing sensitive data
-2. **Disable public blob access** at the account level
-3. **Configure minimum TLS 1.2** for all accounts
-4. **Implement Azure Private DNS** for name resolution
-
-### Encryption
-
-1. **Enable infrastructure encryption** for regulated workloads
-2. **Use customer-managed keys** when key control is required
-3. **Configure automatic key rotation** in Key Vault
-4. **Require secure transfer** (HTTPS only)
-
-### Access control
-
-1. **Use Microsoft Entra authentication** with RBAC
-2. **Prefer user delegation SAS** over service or account SAS
-3. **Disable shared key access** when not needed
-4. **Implement just-in-time access** for administrative tasks
-
-### Monitoring
-
-1. **Enable Microsoft Defender for Storage** on all accounts
-2. **Configure diagnostic logging** to Log Analytics
-3. **Set up alerts** for anomalous activity
-4. **Implement malware scanning** for uploaded content
+Securing Azure Storage requires a layered approach across network, identity, encryption, and monitoring. Use private endpoints and disable public blob access for accounts containing sensitive data. Implement Microsoft Entra authentication with RBAC, preferring user delegation SAS over shared keys. Enable infrastructure encryption with customer-managed keys for regulated workloads, and require secure transfer (HTTPS only) with TLS 1.2 minimum. Enable Microsoft Defender for Storage with malware scanning for accounts accepting uploads, and configure diagnostic logging to detect anomalous activity.

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/6-design-security-defender-sql-storage.md

@@ -2,7 +2,7 @@ Microsoft Defender for Cloud provides workload protection plans specifically des
 
 ## Microsoft Defender for Storage
 
-[Microsoft Defender for Storage](/azure/defender-for-cloud/defender-for-storage-introduction) provides a comprehensive security layer for Azure Storage accounts, detecting unusual and potentially harmful attempts to access or exploit storage resources.
+[Microsoft Defender for Storage](/azure/defender-for-cloud/defender-for-storage-introduction) provides a comprehensive security layer for Azure Storage accounts, detecting unusual and potentially harmful attempts to access or exploit storage resources. This capability supports MCSB control LT-1 (Enable threat detection capabilities).
 
 ### Capabilities overview
 
@@ -16,7 +16,7 @@ Microsoft Defender for Storage includes three core capabilities:
 
 ### Activity monitoring
 
-Activity monitoring analyzes storage account operations to detect:
+Activity monitoring supports MCSB control DP-2 (Monitor anomalies and threats to sensitive data) by analyzing storage account operations to detect:
 
 - **Anomalous access patterns**: Unusual geographic locations or access times
 - **Permission-related anomalies**: Suspicious changes to access configurations
@@ -147,7 +147,7 @@ The MCSB recommends enabling workload protection for all production resources co
 
 ### Alert management
 
-Plan for alert handling:
+Alert management supports MCSB control IR-4 (Detection and analysis). Plan for alert handling:
 
 1. **Define alert routing**: Configure email notifications and webhook integrations
 2. **Establish response procedures**: Document investigation and remediation steps
@@ -171,40 +171,6 @@ Configure workflow automation for:
 - **SQL injection alerts**: Block suspicious IP addresses, notify application owners
 - **Access anomalies**: Require additional verification, initiate investigation
 
-## Design recommendations
+## Bringing it together
 
-### Microsoft Defender for Storage recommendations
-
-1. **Enable subscription-wide** for comprehensive protection
-2. **Configure malware scanning** for storage accounts accepting uploads
-3. **Integrate with sensitive data discovery** for alert prioritization
-4. **Set up Event Grid** for automated malware response
-5. **Review and tune alerts** to reduce false positives
-
-### Microsoft Defender for Databases recommendations
-
-1. **Enable Defender for SQL** on all production databases
-2. **Run regular vulnerability assessments** and track remediation
-3. **Configure alert notifications** for security team
-4. **Integrate with Microsoft Sentinel** for correlation and investigation
-5. **Review threat intelligence** to understand emerging attack patterns
-
-### Cross-service considerations
-
-1. **Unified monitoring**: Use Defender for Cloud dashboard for all data workloads
-2. **Consistent policies**: Apply similar protection levels across data services
-3. **Response playbooks**: Create standardized procedures for common alert types
-4. **Security posture review**: Regular assessment of recommendations and score
-
-## Aligning with MCSB controls
-
-Defender for Storage and Databases support multiple MCSB controls:
-
-| MCSB control | Defender capability |
-|--------------|---------------------|
-| **DP-2**: Monitor anomalies and threats | Activity monitoring, threat detection |
-| **LT-1**: Enable threat detection | Advanced Threat Protection |
-| **IR-4**: Detection and analysis | Security alerts, investigation tools |
-| **PV-5**: Perform vulnerability assessments | SQL vulnerability assessment |
-
-By implementing Defender for Storage and Databases, you establish comprehensive threat detection aligned with Microsoft security best practices and industry frameworks.
+Microsoft Defender for Storage and Defender for Databases provide the threat detection layer for your data security strategy. Enable subscription-wide protection for production resources, configure malware scanning for uploads, and run regular vulnerability assessments. Integrate with Microsoft Sentinel for alert correlation and automated response, establishing consistent procedures for common threats like SQL injection and access anomalies.