MicrosoftCybersecuritySecurity ArchitectureIntermediate26 min read

What Is Threat Modeling for Azure? Security Definition

Also known as: threat modeling azure, stride azure, sc-100 exam threat modeling, azure security threat model, microsoft threat modeling tool

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Threat modeling for Azure helps security and development teams find and fix weaknesses in cloud systems before attackers can exploit them. You look at your Azure application, draw a diagram of how data moves, and then think about what could go wrong at each step. The goal is to build security into the design from the start, not bolt it on later.

Must Know for Exams

Threat modeling for Azure is a critical topic for the Microsoft SC-100 exam, Microsoft Cybersecurity Architect, as well as related exams like AZ-500 (Azure Security Engineer) and SC-200 (Security Operations Analyst). The SC-100 exam specifically tests your ability to design security solutions, which includes selecting appropriate threat modeling methodologies and interpreting threat models to recommend controls. The exam objectives under ‘Design a security strategy for cloud infrastructure’ explicitly mention threat modeling, data flow diagrams, and STRIDE.

In SC-100, you may be asked to evaluate a scenario where a company is migrating an on-premises application to Azure. You must identify which threats are most relevant based on the architecture description and then choose the correct Azure service to mitigate each threat. For instance, a question might describe a web application using Azure App Service with an Azure SQL database backend, and ask which STRIDE threats are most applicable to the data flow between the app and the database, and what countermeasure to implement. You would need to recognize that tampering and information disclosure are primary concerns, and that enabling SQL Always Encrypted or Transparent Data Encryption is the correct response.

The exam also expects you to know the strengths and limitations of various threat modeling frameworks. You might be asked to compare STRIDE to PASTA or OCTAVE, or to identify which framework is best suited for a cloud-native application. Additionally, you must understand how to use the Microsoft Threat Modeling Tool and interpret its output. Questions could present a partially completed threat model and ask you to identify missing threats or improperly categorized threats. The exam may also test your knowledge of risk scoring methods like DREAD or CVSS and how they feed into remediation prioritization. Mastery of threat modeling terminology and the ability to apply it to Azure architectures is essential for passing the architecture-focused exams.

Simple Meaning

Imagine you are designing a new office building where important documents and valuable equipment will be stored. Before you build, you sit down with a team to consider every possible way someone could break in or cause trouble. You think about doors that might be left unlocked, windows that could be forced open, the delivery entrance where a stranger could slip in, and even the air conditioning vents that might provide a hidden path. You also consider insiders — what if a disgruntled employee copies files or a cleaner accidentally leaves a door ajar? That is exactly what threat modeling does, but for software and cloud systems on Azure.

Threat modeling for Azure is a systematic process where you map out your application’s architecture — much like drawing a floor plan — and then methodically examine each component and data flow for potential threats. Azure provides specific tools, such as the Microsoft Threat Modeling Tool, which helps you create diagrams and automatically generates a list of threats based on common attack patterns. The process often follows a structured methodology like STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Each letter represents a category of threat you check against every part of your system.

For example, think of your Azure application as a secure vault inside a large office complex. The entrance is the user login screen, the hallways are the network connections, and the vault door is the database authentication. Threat modeling asks: Can someone fake their identity to get in? (Spoofing). Can someone alter the data in transit? (Tampering). Can someone deny they performed an action? (Repudiation). Can someone read data they should not see? (Information Disclosure). Can someone overload the system to make it unusable? (Denial of Service). Can a regular user gain admin privileges? (Elevation of Privilege). By asking these questions early, you can add safeguards such as multi-factor authentication, encryption, audit logs, rate limiting, and strict role-based access controls before the system goes live. This saves time, money, and reputation compared to patching holes after an attack.

Full Technical Definition

Threat modeling for Azure is a disciplined engineering practice that identifies, communicates, and documents security risks within cloud-based solutions built on the Azure platform. It integrates directly into the software development lifecycle, typically beginning during the design phase and continuing through iterative reviews. The process leverages established methodologies, primarily STRIDE, which was developed by Microsoft, and relies on a detailed understanding of system architecture, trust boundaries, data flows, and attack surfaces.

Technically, the process begins by defining the scope of the model and creating a Data Flow Diagram (DFD). The DFD maps all external entities, processes, data stores, and data flows within the Azure environment. For instance, an Azure Function App that reads from a Cosmos DB database would include the external user, the authentication endpoint (Azure AD), the function itself, and the database as a data store. Each element is assigned a trust level, and trust boundaries are drawn wherever data crosses from a lower trust zone to a higher one. These boundaries are where threats most often surface.

Once the DFD is complete, the modeler applies the STRIDE threat classification to each element. Spoofing threats are countered with authentication mechanisms such as Azure AD managed identities. Tampering threats require data integrity controls like Azure Storage service-side encryption or HTTPS for all API calls. Repudiation threats demand auditing capabilities, which can be implemented using Azure Monitor and Activity Logs to record all administrative actions. Information disclosure threats call for encryption at rest and in transit, using Azure Key Vault to manage secrets and certificates. Denial of Service threats are mitigated through Azure DDoS Protection and auto-scaling configurations. Elevation of Privilege threats are addressed through role-based access control (RBAC) with Azure AD least-privilege policies.

The Microsoft Threat Modeling Tool provides a drag-and-drop interface to create DFDs and automatically generates a threat report based on the Stride-per-Element algorithm. The tool uses a knowledge base of common threats and offers mitigation suggestions specific to Azure services. Real-world implementations often supplement this tool with manual analysis and structured reviews, such as using the PASTA (Process for Attack Simulation and Threat Analysis) framework, which adds business impact analysis and attack simulation.

In enterprise settings, threat modeling for Azure is not a one-time activity. It is updated whenever the architecture changes — for example, when a new API endpoint is added, a different database service is chosen, or a third-party integration is introduced. Security teams prioritize threats using a risk rating system like DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) or CVSS (Common Vulnerability Scoring System) scores. Mitigations are tracked as backlog items in tools like Azure DevOps, ensuring they are addressed before production deployment. Compliance standards such as ISO 27001, SOC 2, and FedRAMP explicitly require threat modeling as part of secure development practices, making it essential for regulated industries.

Real-Life Example

Think of threat modeling for Azure like planning security for a large public library. The library has many entry points: the main front door, a back door for staff, a loading dock for book deliveries, and a window in the children’s section. Patrons can browse freely, but some rooms — like the rare book vault and the server room — are locked. Before the library opens, a security team walks through the entire building, creates a map, and asks questions about every possible risk.

First, the librarian draws a floor plan showing each area, who can access it, and how people move between sections. This is like creating a Data Flow Diagram in Azure. The front door is the public login page, the staff entrance is the admin portal, and the loading dock is a third-party API integration. The team then applies STRIDE to each part. For the front door, they ask: Can someone fake a library card? (Spoofing) — solution: require a photo ID and a PIN, which is like multi-factor authentication. For the rare book room, they ask: Can a visitor tamper with a book? (Tampering) — solution: only staff with special badges can enter, and every transaction is logged, similar to using Azure RBAC and audit logs.

The team also considers the book checkout system — an automated terminal where patrons scan their card and take a book. Could a hacker overload the terminal so it stops working? (Denial of Service) — solution: limit the number of scans per minute and have a backup manual system, akin to Azure DDoS protection and redundancy. Could a staff member deny that they let a friend into the vault? (Repudiation) — solution: require two staff members to unlock the vault and record all entries on camera, which maps to non-repudiation through Azure Activity Logs.

Finally, the team prioritizes threats. A broken window in the children’s section might be a low threat if it is small and high up, but the loading dock door left unlocked is a high threat because anyone could walk in with a delivery truck. This is like using DREAD scoring to decide whether to fix a minor vulnerability now or focus on a critical authentication flaw. By doing this mapping and questioning before the library opens, the team avoids costly retrofits like adding a security guard after a theft. In the same way, threat modeling for Azure prevents expensive security patches and data breaches after an application is live.

Why This Term Matters

Threat modeling for Azure matters because cloud environments are shared responsibility models, and misconfigurations in Azure are a leading cause of security incidents. You cannot rely solely on the cloud provider to secure your application — Microsoft secures the infrastructure, but you must secure what you build on top of it. Without threat modeling, teams often discover critical vulnerabilities during penetration testing or, worse, after a breach. Fixing a security flaw in production can cost 100 times more than addressing it during design. Threat modeling forces you to think like an attacker early, saving money, reputation, and customer trust.

In real IT work, Azure threat modeling is a standard part of secure development practices, especially for organizations handling sensitive data like healthcare, finance, or government. It helps security architects justify investments in controls such as Azure Firewall, Network Security Groups, Azure Key Vault, and just-in-time access. It also feeds directly into compliance programs — auditors routinely ask to see threat models as evidence of a proactive security posture. For a cloud architect designing a multi-tier application with Azure App Service, Azure SQL Database, and Azure Redis Cache, threat modeling reveals that the Redis cache might be exposed to the internet if not placed inside a virtual network, or that the connection string for SQL is stored in application settings in plain text. These are real-world mistakes that lead to data breaches.

Threat modeling also improves team communication. Developers, operations staff, and security professionals all look at the same diagram and discuss risks in a common language. It breaks silos. For example, a developer might focus on functionality, while threat modeling brings attention to the fact that the API accepts unauthenticated requests. The process creates a shared understanding that leads to better architectural decisions, such as using Azure API Management with OAuth2 instead of exposing raw endpoints. Ultimately, threat modeling moves security left, meaning earlier in the lifecycle, which is a core principle of DevSecOps.

How It Appears in Exam Questions

In the SC-100 and related exams, threat modeling for Azure appears primarily in scenario-based questions that test your ability to analyze an architecture and recommend security controls. These questions are not about memorizing facts but about applying concepts to realistic situations.

A common pattern is the architecture analysis question. You are given a diagram description — for example, a microservices application running on Azure Kubernetes Service (AKS), with an ingress controller, a backend API, and a Cosmos DB database. The question asks: ‘Which STRIDE threats are most relevant to the data flow between the ingress controller and the backend API?’ You would need to identify spoofing (if the ingress doesn’t validate the caller), tampering (if the traffic is not encrypted), and information disclosure (if sensitive data passes in plain text). You then select the correct mitigations: Azure AD Pod Identity for authentication, TLS for encryption, and Azure Policy for enforced configurations.

Another pattern is the gap identification question. The question presents a threat model report that lists threats but lacks mitigations. You are asked to choose the best Azure service or configuration to close each gap. For instance, a threat of ‘Unauthenticated access to storage account’ would be mitigated by configuring firewall rules and enabling Azure AD authentication on the storage account. A threat of ‘Log tampering’ would point to enabling Azure Sentinel with immutable log storage or using locks on Log Analytics workspaces.

Configuration questions appear less frequently but still matter. You might be asked to configure the Microsoft Threat Modeling Tool — for example, given a DFD with an external web service and an Azure SQL database, which trust boundaries should be drawn? The answer would show boundaries between the internet and the web service, and between the web service and the database. Troubleshooting questions might involve interpreting why a threat was generated incorrectly — perhaps because the modeler forgot to mark the database as a data store or mislabeled a trust level. Finally, you may see architecture design questions where you must propose changes to an architecture to reduce threats, such as adding a Web Application Firewall (WAF) or moving sensitive data to Azure Key Vault. Being comfortable with these question patterns will help you approach them with confidence.

Study sc-100

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Your company, Contoso Finance, is building a new online banking application on Azure. The application allows customers to view balances, transfer money, and pay bills. The architecture includes a public-facing web app running on Azure App Service, a REST API hosted on Azure Functions, and a backend database using Azure SQL Database. Customer authentication is handled by Azure Active Directory (Azure AD). The team has not yet performed any security review. You are tasked with conducting a threat modeling session.

You start by creating a Data Flow Diagram. You draw the external entity (the customer’s browser) connecting to the Azure App Service over the internet. That app service then calls the Azure Functions API, which queries the Azure SQL Database. You draw a trust boundary around the internet zone, another around the Azure App Service, and another around the database. Then you apply STRIDE to each data flow. For the flow from the browser to the app service, you identify spoofing (what if an attacker steals a session cookie?), tampering (what if someone intercepts the HTTPS traffic and modifies the request?), and information disclosure (if HTTPS is not enforced, the password could be seen). For the flow from Azure Functions to SQL Database, you identify tampering and information disclosure again, plus elevation of privilege (what if a function is compromised and tries to run SQL commands as admin?).

Based on the threats, you recommend specific mitigations. For the browser-to-app flow, you enforce HTTPS, implement Azure AD authentication with conditional access, and use Azure Front Door with WAF. For the function-to-database flow, you use managed identities to access the database, enforce least privilege through database roles, and enable Transparent Data Encryption and Always Encrypted for sensitive columns like account numbers. You also add audit logging with Azure Monitor. By threat modeling early, Contoso avoids several vulnerabilities that would have been expensive to fix after launch. This scenario directly mirrors what the SC-100 exam expects you to analyze and propose.

Common Mistakes

Thinking threat modeling is only needed after the application is built.

Threat modeling is most effective during the design phase, before any code is written. Waiting until after deployment means changes are costly and time-consuming. It is a proactive activity, not a reactive one.

Always schedule a threat modeling session when you create the architecture diagram for a new Azure solution, before writing the first line of code or deploying any resources.

Only focusing on external attackers and forgetting about internal threats.

Threat models must consider all trust levels, including authenticated users, administrators, and third-party integrations. Insider threats or compromised admin accounts can cause severe damage. STRIDE includes repudiation and elevation of privilege specifically for these scenarios.

Include internal components and administrative interfaces in your DFD. Do not assume internal users are trustworthy — model threats from all angles.

Creating a single threat model for the entire Azure subscription instead of per application.

A subscription-wide threat model becomes too high-level and misses application-specific details like data flows, API endpoints, and service dependencies. Threat modeling works best at the system or application level where the architecture is concrete.

Create a separate threat model for each application or significant workload. Group smaller services that share the same trust boundaries into one model, but keep it focused.

Believing that using the Microsoft Threat Modeling Tool automatically produces a complete and accurate threat model.

The tool is a guide and a generator of suggestions, but it relies entirely on the accuracy and completeness of the DFD you draw. If you leave out a data store or mislabel a trust boundary, the tool will miss threats. It also cannot understand business context or prioritization.

Use the tool as a starting point, but always perform a manual review with the team. Validate each generated threat, challenge assumptions, and assign realistic risk scores based on your environment.

Treating threat modeling as a one-time checkbox activity for compliance.

Cloud architectures change frequently — services are added, moved, or decommissioned. A threat model created six months ago is likely outdated. Attackers continuously find new techniques, so the model must evolve.

Schedule threat model reviews as part of your change management process. Every time you modify the architecture or deploy a new feature, revisit the relevant parts of the threat model and update it.

Exam Trap — Don't Get Fooled

In an exam question, you might be given a scenario where a company has already deployed an application to Azure and now wants to perform threat modeling. The question asks: ‘Which step should the team take first?’ A common distractor answer is ‘Run a vulnerability scanner on the running application.

’ Remember that threat modeling is a design-time activity. Even on a deployed application, the first step is to recreate the architecture diagram and understand the design intent. You must map the system before you can analyze threats.

Vulnerability scanning comes later, after you know what threats exist and have planned mitigations. In the exam, look for the option that says ‘Create a data flow diagram’ or ‘Document the architecture.’ That is always the first step in threat modeling.

Commonly Confused With

Threat Modeling for AzurevsVulnerability Assessment

Vulnerability assessment uses automated tools to scan running systems for known weaknesses (like missing patches or misconfigurations). Threat modeling is a manual, design-focused process that predicts unknown threats based on architecture. Vulnerability assessment finds what is wrong now; threat modeling prevents what could go wrong later.

A vulnerability scan might tell you your Azure VM is missing a critical security update. Threat modeling, on the other hand, would have identified that the VM should not be exposed to the internet in the first place, preventing the risk entirely.

Threat Modeling for AzurevsPenetration Testing

Penetration testing actively exploits vulnerabilities in a live environment to see if a real attack would succeed. Threat modeling is a theoretical analysis that does not involve any exploitation. Pen tests are performed after development; threat modeling is performed during design. They complement each other but are not the same.

A penetration tester might try to brute-force your Azure admin portal and succeed. Threat modeling would have earlier flagged that multi-factor authentication was missing and recommended it as a mitigation before the pen test even started.

Threat Modeling for AzurevsRisk Assessment

Risk assessment is a broader business process that evaluates the likelihood and impact of all types of risks (financial, operational, compliance) across the organization. Threat modeling focuses specifically on technical security threats within a system. A risk assessment might decide that a small risk is acceptable; a threat model helps you understand what the technical threat is, so the risk assessment can be informed.

A risk assessment for the Azure banking app might conclude that the business can tolerate a 5-minute downtime. Threat modeling would identify that the database has no backup, making downtime much longer than 5 minutes. The threat model feeds data into the risk assessment.

Step-by-Step Breakdown

1

Define Scope and Objectives

Identify the system or application you will model. Know its boundaries — what is included (e.g., the web app, API, database) and what is out of scope (e.g., third-party payment gateway you do not control). Also understand the business context: what data is most sensitive, who the users are, and what compliance requirements exist. This step sets the foundation for the entire model.

2

Create a Data Flow Diagram (DFD)

Draw a diagram that shows every external entity (users, systems), process (web server, function app), data store (database, blob storage), and data flow between them. Label each element with its trust level (e.g., internet is untrusted, internal network is trusted). Draw trust boundaries (dashed lines) wherever data crosses from one trust level to another. The DFD becomes the visual representation of your architecture.

3

Decompose the System

Break each component down into its key interactions. For each data flow, identify the protocol (HTTPS, AMQP), the authentication mechanism (SAS token, OAuth), and the data sensitivity. Note entry points like user input forms and API endpoints. Also note assets like customer PII, encryption keys, and connection strings. This detailed decomposition helps you see where threats can hide.

4

Identify Threats Using STRIDE

For every element in your DFD, ask the six STRIDE questions: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. You can use the Microsoft Threat Modeling Tool to automate this or do it manually. Document each threat you find, even if it seems unlikely. This step transforms your architecture diagram into a list of potential security problems.

5

Rate and Prioritize Threats

Assign a risk score to each threat using a method like DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) or use CVSS scores. Prioritize threats that have high damage potential, are easily exploitable, and affect many users. This helps your team decide where to invest security resources first — not all threats are equal.

6

Define Mitigations

For each high-priority threat, select a specific Azure control or architectural change that eliminates or reduces the risk. For example, against spoofing, implement Azure AD authentication and MFA. Against tampering, enable HTTPS and storage encryption. Against denial of service, enable Azure DDoS Protection and auto-scaling. Document the mitigation and reference the Azure service that provides it.

7

Document and Iterate

Formalize the threat model in a document that includes the DFD, the threat list, risk scores, and mitigations. Store it in your project repository. Schedule a review of the threat model whenever the architecture changes — whether it is a new feature, a different Azure service, or a shift in compliance requirements. Threat modeling is a living artifact, not a one-off deliverable.

Practical Mini-Lesson

Threat modeling for Azure is not just a theoretical exercise — it is a skill you will use regularly as a cloud security architect or engineer. The practical workflow starts before you write any infrastructure-as-code. When you design a new solution, open a shared whiteboard (physical or digital) and sketch the system with your team. Identify every component: the front-end service, the middleware, the database, the message queue, the cache, and any external dependencies. Then draw data flows with arrows and label the protocol and data sensitivity. This is your DFD.

Next, apply the STRIDE model systematically. Start with external entities — who or what is outside your trust boundary? A common real-world mistake is to forget that third-party APIs are external entities. For example, if your Azure Function sends payment data to a third-party processor, that flow is crossing a trust boundary. Threats here include information disclosure (if the API uses HTTP instead of HTTPS) and tampering (if the payment payload can be modified). For Azure environments, you must consider shared responsibility: Microsoft secures the hypervisor and physical network, but you must secure your application code, identity management, and data encryption.

A practical implementation often involves using the Microsoft Threat Modeling Tool to generate a baseline threat list, but then you must tailor it. The tool may flag that ‘An adversary could target the Azure SQL Database via the internet,’ but if you have configured the database firewall to block all public IPs and use Private Link, that threat is already mitigated — you can mark it as accepted. Conversely, the tool may miss a threat that is specific to your business logic, such as an API endpoint that allows unauthenticated bulk data extraction. That is a threat you must add manually.

What can go wrong? Threat modeling is often skipped or done hastily because of time pressure. This leads to security gaps that are caught only during a post-deployment audit or, worse, a breach. Another pitfall is creating a threat model that is too high-level, covering an entire subscription without zooming into individual applications. That model is useless for engineers. Additionally, teams sometimes fail to update the threat model after changes, making it stale. To avoid this, integrate threat model updates into your change management process — for example, require a threat model review as part of every architecture design review meeting.

Threat modeling connects to broader IT concepts such as DevSecOps, where security is integrated into every pipeline stage. It also directly supports compliance with standards like SOC 2, where you are required to demonstrate that you have identified and mitigated security risks. As a professional, you can use threat modeling to communicate risk to non-technical stakeholders. For example, you can show a CISO a diagram with red arrows indicating where sensitive data flows over untrusted networks, making the need for encryption and segmentation visually clear. Mastering threat modeling makes you a more effective architect and a valuable member of any cloud security team.

Memory Tip

To recall the six STRIDE threat categories for Azure threat modeling, use the first letters as a mnemonic: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Think of the word STRIDE itself — each step you take through the threat model helps you stride past vulnerabilities and toward secure Azure designs.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

Do I need to threat model every single Azure resource I deploy?

No, you should focus on applications and systems that process sensitive data or are critical to your business. A single virtual machine used only for testing may not need a full threat model. However, any solution that handles customer information, financial data, or health records absolutely requires threat modeling.

What is the difference between STRIDE and PASTA in Azure threat modeling?

STRIDE is a threat classification framework that focuses on six technical threat types. PASTA is a more comprehensive risk-centric methodology that includes business impact analysis, attack simulation, and vulnerability mapping. For Azure, STRIDE is simpler and widely used for cloud applications, while PASTA may be better for complex enterprise solutions requiring deeper risk analysis.

Can threat modeling replace penetration testing?

No. Threat modeling identifies potential architectural weaknesses, while penetration testing validates whether those weaknesses are actually exploitable in the running system. They are complementary. You should do both: threat model during design and pen test after deployment.

How often should I update my Azure threat model?

Update the threat model whenever you make architectural changes — adding a new service, modifying data flows, or changing authentication methods. Also review it at least annually to account for new attack techniques and changes in the threat landscape, even if the architecture remains the same.

Does the Microsoft Threat Modeling Tool support all Azure services?

The tool supports many common Azure services, but its templates may not cover every new or niche service. You can manually add custom elements to the DFD. The tool is useful for generating initial threats, but manual analysis is still required for completeness.

Is threat modeling required for Azure certification exams like SC-100?

Yes, it is a core concept. The SC-100 exam explicitly covers threat modeling methodologies, data flow diagrams, and selecting mitigations based on identified threats. You should understand STRIDE, DREAD, and how to apply them to Azure architectures.

What if I find too many threats and feel overwhelmed?

Prioritize based on risk. Use a scoring system like DREAD to focus on the threats with the highest impact and easiest exploitability. Not every threat requires an immediate fix — some can be accepted, transferred, or mitigated with compensating controls.

Summary

Threat modeling for Azure is a structured, proactive approach to identifying and mitigating security vulnerabilities in cloud applications before they are exploited. It centers on creating a data flow diagram of your Azure architecture and then systematically applying the STRIDE threat classification to each component and data flow. The process is essential for cloud architects, security engineers, and developers because Azure operates on a shared responsibility model — you must secure your applications and data, not just rely on Microsoft.

Threat modeling saves significant time and cost by catching weaknesses early, and it is a key requirement for exams like SC-100, where you must analyze architectures and recommend appropriate Azure security controls. To succeed in both real-world practice and certification, remember the core steps: define scope, draw the DFD, identify threats using STRIDE, prioritize them with a risk score, and implement mitigations using Azure services. Do not treat threat modeling as a one-time checkbox — make it an ongoing practice that evolves with your architecture.

By mastering this skill, you equip yourself to design more resilient, secure cloud solutions that protect sensitive data and maintain customer trust.