updates to address pr issues

Author: ceperezb

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/2-design-solution-data-discovery-classification-microsoft-purview.md

@@ -47,12 +47,12 @@ Be granular and explicit when defining what's in scope for classification. The W
 
 Start with these questions to define your scope:
 
-1. What's the origin of data and information type?
-2. What's the expected restriction based on access (public, regulatory, internal use)?
-3. What's the data footprint—where is it stored and how long should it be retained?
-4. Which architecture components interact with the data?
-5. How does data move through the system?
-6. What information is expected in audit reports?
+- What's the origin of data and information type?
+- What's the expected restriction based on access (public, regulatory, internal use)?
+- What's the data footprint—where is it stored and how long should it be retained?
+- Which architecture components interact with the data?
+- How does data move through the system?
+- What information is expected in audit reports?
 
 ### Designing architecture based on classification labels
 
@@ -97,10 +97,10 @@ The MCRA emphasizes that labels should persist with data as it moves across your
 
 This control requires organizations to:
 
-1. **Establish a data classification scheme** that defines sensitivity levels and handling requirements
-2. **Implement automated discovery** to find sensitive data across cloud and on-premises environments
-3. **Apply sensitivity labels** that persist with data and enable downstream protection
-4. **Maintain data inventories** that track where sensitive data resides
+- **Establish a data classification scheme** that defines sensitivity levels and handling requirements
+- **Implement automated discovery** to find sensitive data across cloud and on-premises environments
+- **Apply sensitivity labels** that persist with data and enable downstream protection
+- **Maintain data inventories** that track where sensitive data resides
 
 ### DP-2: Monitor anomalies and threats targeting sensitive data
 

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/3-design-solution-data-protection.md

@@ -18,10 +18,10 @@ The MCSB and WAF Security pillar provide guidance for prioritizing data protecti
 
 The CAF Secure methodology recommends implementing layered controls:
 
-1. **Encryption layer**: Protect data confidentiality through encryption at rest and in transit
-2. **Access control layer**: Limit who can access data through identity and authorization
-3. **Network layer**: Isolate data through private endpoints and network segmentation
-4. **Monitoring layer**: Detect anomalies and threats through logging and alerting
+- **Encryption layer**: Protect data confidentiality through encryption at rest and in transit
+- **Access control layer**: Limit who can access data through identity and authorization
+- **Network layer**: Isolate data through private endpoints and network segmentation
+- **Monitoring layer**: Detect anomalies and threats through logging and alerting
 
 ## MCSB controls for data protection
 
@@ -71,10 +71,10 @@ Key management requires:
 
 When designing encryption at rest:
 
-1. **Identify encryption requirements** based on data classification and compliance needs
-2. **Choose encryption scope** at account, container, or object level
-3. **Determine key management approach** between platform-managed and customer-managed
-4. **Enable infrastructure encryption** for double encryption when required
+- **Identify encryption requirements** based on data classification and compliance needs
+- **Choose encryption scope** at account, container, or object level
+- **Determine key management approach** between platform-managed and customer-managed
+- **Enable infrastructure encryption** for double encryption when required
 
 #### Double encryption
 
@@ -88,10 +88,10 @@ For highly sensitive workloads, implement [double encryption](/azure/security/fu
 
 Design considerations for data in transit:
 
-1. **Enforce HTTPS** for all web traffic and API calls
-2. **Configure minimum TLS version** to 1.2 across all services
-3. **Use private connectivity** through Private Link where possible
-4. **Encrypt within virtual networks** using VPN or ExpressRoute with encryption
+- **Enforce HTTPS** for all web traffic and API calls
+- **Configure minimum TLS version** to 1.2 across all services
+- **Use private connectivity** through Private Link where possible
+- **Encrypt within virtual networks** using VPN or ExpressRoute with encryption
 
 ## Azure Key Vault for key management
 

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/4-design-data-security-azure-workloads.md

@@ -31,10 +31,10 @@ Apply Zero Trust principles consistently across all data services:
 
 When designing security for any Azure data workload, address these questions:
 
-1. **Network access**: Should the service be accessible from the internet, or only through private endpoints?
-2. **Authentication method**: Can you use Microsoft Entra ID, or do legacy requirements mandate other methods?
-3. **Key management**: Are platform-managed keys sufficient, or do regulations require customer-managed keys?
-4. **Threat detection**: What level of monitoring and alerting does the workload require?
+- **Network access**: Should the service be accessible from the internet, or only through private endpoints?
+- **Authentication method**: Can you use Microsoft Entra ID, or do legacy requirements mandate other methods?
+- **Key management**: Are platform-managed keys sufficient, or do regulations require customer-managed keys?
+- **Threat detection**: What level of monitoring and alerting does the workload require?
 
 ## Design security for Azure SQL Database and Azure SQL Managed Instance
 
@@ -54,13 +54,11 @@ Firewalls prevent network access to the server until you explicitly grant access
 
 ### Authentication for Azure SQL
 
-Azure SQL Database and SQL Managed Instance support authentication with Microsoft Entra ID and SQL authentication. SQL Managed Instance additionally supports Windows authentication for Microsoft Entra principals.
+Azure SQL Database and SQL Managed Instance support multiple authentication methods:
 
-| Authentication type | Description | Best practice |
-|---------------------|-------------|---------------|
-| **Microsoft Entra authentication** | Centrally manage identities and permissions of database users along with other Azure services. Supports multifactor authentication, Integrated Windows authentication, and Conditional Access. | Preferred method for all new deployments |
-| **Windows authentication (Kerberos)** | Enables Windows authentication for Azure SQL Managed Instance. Empowers customers to move existing services to the cloud while maintaining a seamless user experience. | Use for hybrid environments with Managed Instance |
-| **SQL authentication** | Authenticate using username and password. | Avoid for new deployments; use only for legacy applications |
+- **Microsoft Entra authentication**: Centrally manage identities and permissions using Microsoft Entra ID. Supports multifactor authentication, Integrated Windows authentication, and Conditional Access. This is the preferred method for all new deployments.
+- **Windows authentication (Kerberos)**: Available for Azure SQL Managed Instance only. Enables Windows authentication for Microsoft Entra principals, allowing customers to move existing services to the cloud while maintaining a seamless user experience.
+- **SQL authentication**: Username and password authentication. Avoid for new deployments; use only for legacy applications that can't support Microsoft Entra authentication.
 
 ### Authorization and access management
 
@@ -96,8 +94,6 @@ Azure SQL provides comprehensive encryption capabilities:
 
 **Advanced Threat Protection**: Analyzes logs to detect unusual behavior and potentially harmful attempts to access or exploit databases:
 
-:::image type="content" source="../media/advanced-threat-detection.png" alt-text="Diagram showing SQL Threat Detection monitoring access to the SQL database for a web app from an external attacker and malicious insider.":::
-
 Advanced Threat Protection creates alerts for:
 
 - SQL injection attempts
@@ -113,32 +109,41 @@ Advanced Threat Protection creates alerts for:
 
 ## Design security for Azure Synapse Analytics
 
-[Azure Synapse Analytics](/azure/synapse-analytics/guidance/security-white-paper-introduction) is a PaaS analytics service that brings together dedicated SQL pools, serverless SQL pools, Apache Spark pools, and data integration pipelines. Azure Synapse implements a multi-layered security architecture for end-to-end protection.
+[Azure Synapse Analytics](/azure/synapse-analytics/guidance/security-white-paper-introduction) is a PaaS analytics service that brings together dedicated SQL pools, serverless SQL pools, Apache Spark pools, and data integration pipelines. Azure Synapse implements a multi-layered security architecture for end-to-end protection of your data.
 
 ### Security layers for Synapse
 
 Azure Synapse implements five security layers:
 
-:::image type="content" source="../media/azure-synapse-security-layers.png" alt-text="Image showing the five layers of Azure Synapse security architecture: Data protection, Access control, Authentication, Network security, and Threat protection.":::
+:::image type="content" source="../media/azure-synapse-security-layers.png" alt-text="Diagram of the five layers of Azure Synapse security architecture: Data protection, Access control, Authentication, Network security, and Threat protection.":::
+
+### Data protection
+
+Data protection in Synapse covers data classification and encryption:
+
+- **At rest (storage)**: Azure Storage encryption with SSE and optional CMK
+- **At rest (database)**: TDE with service-managed or customer-managed keys
+- **In transit**: TLS 1.2 with AES-256 encryption
+- **Double encryption**: Infrastructure encryption at storage layer
 
-1. **Data protection**: Identify and classify sensitive data; encrypt data at rest and in motion
-2. **Access control**: Determine a user's right to interact with data using RBAC, row-level security, and column-level security
-3. **Authentication**: Prove the identity of users and applications through Microsoft Entra integration
-4. **Network security**: Isolate network traffic with private endpoints and virtual private networks
-5. **Threat protection**: Identify potential security threats such as unusual access locations, SQL injection attacks, and authentication attacks
+### Access control
 
-### Component architecture
+Synapse provides granular access controls to determine a user's right to interact with data:
 
-Each individual component of Azure Synapse provides its own security features:
+- **Synapse RBAC roles**: Manage workspace and resource access
+- **SQL permissions**: Control data access in SQL pools using row-level security and column-level security
+- **Azure RBAC**: Manage control plane access
+- **Data exfiltration protection**: Prevent unauthorized data export to external locations
 
-:::image type="content" source="../media/azure-synapse-components.png" alt-text="Diagram of Azure Synapse components showing dedicated SQL pools, serverless SQL pools, Apache Spark pools, and pipelines.":::
+### Authentication
 
-- **Dedicated SQL pools**: Provisioned clusters with enterprise data warehousing capabilities where compute is isolated from storage
-- **Serverless SQL pools**: On-demand clusters that query data directly over customer-managed Azure Storage accounts
-- **Apache Spark pools**: Spark instances provisioned on-demand based on metadata configurations
-- **Pipelines and Data flows**: Logical grouping of activities for data movement and transformation
+Prove the identity of users and applications through Microsoft Entra integration:
 
-### Network security for Synapse
+- **Microsoft Entra authentication**: Centralized identity management with support for multifactor authentication
+- **Managed identities**: Service-to-service authentication without credentials
+- **Service principals**: Application authentication for automated processes
+
+### Network security
 
 Associate your Synapse workspace with a [managed workspace virtual network](/azure/synapse-analytics/security/synapse-workspace-managed-vnet) to:
 
@@ -147,23 +152,13 @@ Associate your Synapse workspace with a [managed workspace virtual network](/azu
 - Ensure network isolation between workspaces for pipelines and Apache Spark workloads
 - Prevent data exfiltration through network controls
 
-### Data encryption in Synapse
-
-| Data state | Protection mechanism |
-|------------|---------------------|
-| **At rest (storage)** | Azure Storage encryption with SSE and optional CMK |
-| **At rest (database)** | TDE with service-managed or customer-managed keys |
-| **In transit** | TLS 1.2 with AES-256 encryption |
-| **Double encryption** | Infrastructure encryption at storage layer |
-
-### Access control for Synapse
+### Threat protection
 
-Synapse provides granular access controls:
+Identify potential security threats through monitoring and alerting:
 
-- **Synapse RBAC roles**: Manage workspace and resource access
-- **SQL permissions**: Control data access in SQL pools
-- **Azure RBAC**: Manage control plane access
-- **Data exfiltration protection**: Prevent unauthorized data export to external locations
+- **Microsoft Defender for SQL**: Detect unusual access locations, SQL injection attacks, and authentication attacks
+- **Auditing**: Track database activities and maintain compliance with security standards
+- **Vulnerability assessment**: Discover and remediate potential security weaknesses
 
 ## Design security for Azure Cosmos DB
 

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/4a-design-security-data-ai-workloads.md

@@ -50,10 +50,10 @@ Apply Zero Trust principles to AI service access:
 
 When grounding AI responses with organizational data (retrieval-augmented generation):
 
-1. **Data remains in your control**: Azure OpenAI doesn't copy your data; it retrieves from your designated sources
-2. **Access permissions flow through**: Users only receive responses based on data they're authorized to access
-3. **Encryption applies**: Data in Azure AI Search and storage maintains encryption at rest and in transit
-4. **Private connectivity**: Configure private endpoints between Azure OpenAI, AI Search, and storage accounts
+- **Data remains in your control**: Azure OpenAI doesn't copy your data; it retrieves from your designated sources
+- **Access permissions flow through**: Users only receive responses based on data they're authorized to access
+- **Encryption applies**: Data in Azure AI Search and storage maintains encryption at rest and in transit
+- **Private connectivity**: Configure private endpoints between Azure OpenAI, AI Search, and storage accounts
 
 ### Data residency and processing
 

learn-pr/wwl-sci/design-solutions-secure-organization-data/includes/5-design-security-azure-storage.md

@@ -19,10 +19,10 @@ The MCSB control [NS-2](/azure/cloud-adoption-framework/organize/cloud-security-
 
 When designing network security for Azure Storage:
 
-1. **Disable public blob access** at the storage account level for sensitive data
-2. **Configure private endpoints** for each storage service (blob, file, queue, table)
-3. **Use network security groups** to control traffic to private endpoints
-4. **Implement Azure Firewall** or NVA for centralized traffic inspection
+- **Disable public blob access** at the storage account level for sensitive data
+- **Configure private endpoints** for each storage service (blob, file, queue, table)
+- **Use network security groups** to control traffic to private endpoints
+- **Implement Azure Firewall** or NVA for centralized traffic inspection
 
 ### DNS considerations for private endpoints
 
@@ -99,11 +99,11 @@ Azure Storage supports [data plane RBAC](/azure/storage/blobs/authorize-access-a
 
 When SAS tokens are necessary, follow these best practices:
 
-1. **Use user delegation SAS** backed by Microsoft Entra credentials
-2. **Apply shortest practical validity periods**
-3. **Grant minimum required permissions**
-4. **Use stored access policies** for service SAS management
-5. **Implement secure SAS distribution** mechanisms
+- **Use user delegation SAS** backed by Microsoft Entra credentials
+- **Apply shortest practical validity periods**
+- **Grant minimum required permissions**
+- **Use stored access policies** for service SAS management
+- **Implement secure SAS distribution** mechanisms
 
 ### Blob access tiers and security