
Commit 1cbef87

Update security-recommendations.md
1 parent 6d56a6d commit 1cbef87


1 file changed

+1
-0
lines changed


articles/storage/blobs/security-recommendations.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@ Microsoft Defender for Cloud periodically analyzes the security state of your Az
2929
| Turn on soft delete for containers | Soft delete for containers enables you to recover a container after it has been deleted. For more information on soft delete for containers, see [Soft delete for containers](./soft-delete-container-overview.md). | - |
3030
| Lock storage account to prevent accidental or malicious deletion or configuration changes | Apply an Azure Resource Manager lock to your storage account to protect the account from accidental or malicious deletion or configuration change. Locking a storage account does not prevent data within that account from being deleted. It only prevents the account itself from being deleted. For more information, see [Apply an Azure Resource Manager lock to a storage account](../common/lock-account-resource.md).
3131
| Store business-critical data in immutable blobs | Configure legal holds and time-based retention policies to store blob data in a WORM (Write Once, Read Many) state. Blobs stored immutably can be read, but cannot be modified or deleted for the duration of the retention interval. For more information, see [Store business-critical blob data with immutable storage](immutable-storage-overview.md). | - |
32+
| Use Encryption to Protect Data | Azure Storage encrypts all data at rest by default using Microsoft-managed keys. For enhanced control, configure [customer-managed keys](../common/customer-managed-keys-overview.md) with Azure Key Vault to manage encryption keys directly. To further strengthen security, implement [client-side encryption](client-side-encryption.md) before uploading data. | - |
3233
| Require secure transfer (HTTPS) to the storage account | When you require secure transfer for a storage account, all requests to the storage account must be made over HTTPS. Any requests made over HTTP are rejected. Microsoft recommends that you always require secure transfer for all of your storage accounts. For more information, see [Require secure transfer to ensure secure connections](../common/storage-require-secure-transfer.md). | - |
3334
| Limit shared access signature (SAS) tokens to HTTPS connections only | Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of eavesdropping. For more information, see [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md). | - |
3435
| Disallow cross-tenant object replication | By default, an authorized user is permitted to configure an object replication policy where the source account is in one Microsoft Entra tenant and the destination account is in a different tenant. Disallow cross-tenant object replication to require that the source and destination accounts participating in an object replication policy are in the same tenant. For more information, see [Prevent object replication across Microsoft Entra tenants](object-replication-prevent-cross-tenant-policies.md). | - |
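Review bot: the title cell of the added row, "Use Encryption to Protect Data", is in Title Case while every other row in this table uses sentence case ("Turn on soft delete for containers", "Require secure transfer (HTTPS) to the storage account"); suggest "Use encryption to protect data". Since the row's body moves from the default (Microsoft-managed keys) through customer-managed keys to client-side encryption, it would also help readers to state the trade-off the other rows make explicit, for example that customer-managed keys give key-rotation and revocation control but make Key Vault availability and access policy part of the storage account's security boundary. Unrelated to the addition but visible in the context: the "Lock storage account to prevent accidental or malicious deletion or configuration changes" row above is missing its closing "| - |" cell, so the third column does not render consistently; worth fixing while this table is being edited.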
