Security posture and security levels

Author: AbhishekMallick-MS

articles/backup/security-overview.md

@@ -2,7 +2,7 @@
 title: Overview of security features
 description: Learn about security capabilities in Azure Backup that help you protect your backup data and meet the security needs of your business.
 ms.topic: conceptual
-ms.date: 03/31/2023
+ms.date: 02/29/2024
 author: AbhishekMallick-MS
 ms.author: v-abhmallick
 ---
@@ -83,6 +83,25 @@ Azure Backup service uses the Microsoft Azure Recovery Services (MARS) agent to
 
 * For data backed up using the Microsoft Azure Recovery Services (MARS) agent, a passphrase is used to ensure data is encrypted before upload to Azure Backup and decrypted only after download from Azure Backup. The passphrase details are only available to the user who created the passphrase and the agent that's configured with it. Nothing is transmitted or shared with the service. This ensures complete security of your data, as any data that's exposed inadvertently (such as a man-in-the-middle attack on the network) is unusable without the passphrase, and the passphrase isn't sent over the network.
 
+## Security posture and security levels
+
+Azure Backup provides security features at the vault level to safeguard backup data stored in it. These security measures encompass the settings associated with the Azure Backup solution for the vaults, and the protected data sources contained in the vaults.
+
+Security levels for Azure Backup vaults are categorized as follows:
+
+- **Excellent (Maximum)**: This level represents the highest security, which ensures comprehensive protection. You can achieve this when all backup data is protected from accidental deletions and defends from ransomware attacks. To achieve this high level of security, the following conditions must be met:
+
+  - [Immutability](backup-azure-immutable-vault-concept,md) or [soft-delete](backup-azure-security-feature-cloud?tabs=azure-portal.md) vault setting must be enabled and irreversible (locked/always-on).
+  - [Multi-user authorization (MUA)](multi-user-authorization-concept.md) must be enabled on the vault.
+
+- **Good (Adequate)**: This signifies a robust security level, which ensures dependable data protection. It shields existing backups from unintended removal and enhances the potential for data recovery. To attain this level of security, you must enable either immutability with a lock or soft-delete.
+
+- **Fair (Minimum/Average)**: This represents a basic level of security, appropriate for standard protection requirements. Essential backup operations benefit from an extra layer of protection. To attain minimal security, you must enable Multi-user Authorization (MUA) on the vault.
+
+- **Poor (Bad/None)**: This indicates a deficiency in security measures, which is less suitable for data protection. In this level, neither advanced protective features nor solely reversible capabilities are in place. The None level security gives protection primarily from accidental deletions only.
+
+You can [view and manage the security levels across all datasources in their respective vaults through Azure Business Continuity Center](./business-continuity-center/security-levels-concept.md).
+
 ## Compliance with standardized security requirements
 
 To help organizations comply with national/regional and industry-specific requirements governing the collection and use of individuals' data, Microsoft Azure & Azure Backup offer a comprehensive set of certifications and attestations. [See the list of compliance certifications](compliance-offerings.md)