Customers are increasingly asking for better controls to secure their data as it moves across platforms and organizational boundaries. For example, financial institutions are turning towards public cloud services and big data analytics to store, aggregate and analyze investment data for improved decision making. IoT sensors in cars and trucks are starting to transmit telemetry data over public infrastructure to power cloud-based AI to predict equipment failures, improve operational efficiencies, or provide assistance in case of emergencies. In both scenarios, securing the data to prevent theft, misuse, and to protect user privacy remains challenging. In this presentation we show how we can combine column-level encryption provided by Always Encrypted, SQL’s industry-leading encryption technology, data classification, centrally managed encryption policies, and Active Directory identities to extend protection of data across multiple SQL instances. Encryption policies, which are bound to columns in a database via classification labels and which contain a list of authorized users, control the release of the encryption keys to Always Encrypted enabled client drivers where encryption/decryption of the data happens. The combination of centrally managed policies with policy enforcement at the point of database access provides reliable protection of data irrespective of where the data resides, on premises, on the edge, or in Azure.