You are designing a secure storage strategy for an Azure Storage account that will host sensitive financial data. The solution must protect data at rest, in transit, and during processing. Which three of the following security controls should you implement? (Choose three.)
Why this answer
Customer-managed keys (CMK) in Azure Key Vault provide an additional layer of protection for data at rest by allowing you to control the encryption keys used by Azure Storage. Azure Defender for Storage detects anomalous access patterns and potential threats, protecting data during processing. Configuring firewalls and virtual network service endpoints restricts network access, securing data in transit by ensuring only trusted networks can communicate with the storage account.
Exam trap
The trap here is that candidates often confuse operational features like logging or load balancing with direct security controls that protect data confidentiality, integrity, and availability during all three states (at rest, in transit, and during processing).