Office 365 email encryption options grow for enterprise needs

Consider what risks and threats to address

Office 365 email encryption enlists BitLocker to protect Exchange Online data at rest. Office 365 employs HTTPS encryption from the client to the servers that host the mailboxes. Exchange Online encrypts email from server to server with opportunistic Transport Layer Security (TLS). Administrators can also create encrypted email connections between partners using inbound and outbound connectors with forced TLS.

The main threat is that a third party, such as an attacker, will access that data. Encrypting messages or the mailbox won't provide any protection if someone gets a user's credentials to access their mailbox.

It's a common practice to implement multifactor authentication or conditional access -- or a combination of the two. This restricts access to people who can satisfy two or more criteria -- both something they know, such as a password, and something they have, such as a mobile phone or other registered device owned by the organization.

Some organizations want protection against unauthorized data leakage with technologies such as data loss prevention. Others might need retention policies to prevent permanent deletion until a certain amount of time has passed. Microsoft offers a range of Office 365 email encryption and data protection features to help fulfill different strategies.

Message encryption adds some challenges

Most organizations typically use message encryption, which enables the right users to read individual messages wherever they are.

The user assigned to the Exchange Online mailbox or the administrator can view the mailbox contents in an unencrypted state, even with BitLocker encryption. Similar to a workstation with full-disk encryption, the protection keeps someone from physically stealing the disk. However, it doesn't stop someone with access to the whole system.

A rogue administrator or someone with administrative access to the user's PC could export a copy of the mailbox and view its contents. That's no different from any other email system. Most companies consider this an acceptable risk.

Some messages should have an extra level of security. With Azure Information Protection, administrators configure rules or enable users to self-encrypt messages.

These policies determine permissions for the recipient, such as whether they can forward, reply all, screenshot or print the message. If admins use the Azure Information Protection (AIP) Premium 1 license rather than the built-in AIP provided with a base Office 365 subscription, they can also view and revoke access to messages. This enables IT to make messages self-destruct, or track where and when recipients access encrypted messages.

Recent improvements to AIP extend these capabilities to recipients outside Office 365. A third party will not see prompts to access the protected message if they use AIP. They will need to access the message on the web with a one-time code or with an external authentication provider, such as Google or Facebook.

Some messages should have an extra level of security. With Azure Information Protection, administrators configure rules or enable users to self-encrypt messages.

Ultimately, AIP and other third-party message technologies, such as PGP and S/MIME, ensure that the right people access certain messages in Office 365. However, there is a tradeoff. If the keys are lost, the messages are lost.

Encrypted messages hinder discovery capabilities and make it harder for users to search through their emails. Encryption also adds usability challenges for users, especially if they communicate with new people outside the organization regularly. An organization might want to remain with one particular encryption product, as it's difficult to undo message encryption when moving to another service.

Customer Key feature enables full mailbox encryption

A new option for Office 365 email encryption is a feature called Customer Key. This technology encrypts full mailboxes and files within the tenant with an encryption key the organization produces and controls.

From a user perspective, Customer Key doesn't offer additional functionality. Protecting individual messages once they leave Exchange Online requires message and transport encryption. The IT department must implement additional measures to keep the wrong people out of user mailboxes.

Instead, Customer Key works behind the scenes. It encrypts the mailbox with keys the business owns. The IT department manages encrypted mailboxes the same way. An admin grants permissions to access a mailbox either for a user or for delegate access as if there were no encryption. In certain circumstances, such as a support case, Microsoft can see the mailbox data -- with the organization's permission.

Customer Key hands full control of the mailbox data lifecycle to the organization. If the company leaves Microsoft for another vendor, the IT department can revoke access to the keys or destroy them. If an admin deletes the keys, even the organization cannot access the data. This includes any data held for retention or sitting on a disk.

Customer Key requires Microsoft support

Customer Key has several requirements. The organization needs an Office 365 E5 subscription associated with an Enterprise Agreement. Microsoft also recommends that the organization build new Azure subscriptions in the same Azure Active Directory tenant where IT plans to use data encryption policies.

Microsoft performs some of the setup work because if IT misses or misconfigures a prerequisite step, then all the organization's data will be at risk.

Customer Key uses two separate Azure subscriptions created and used solely for the keys that are stored within a premium Azure Key Vault. The configuration process sets up the subscriptions to prevent accidental key deletion.

After Microsoft approves the setup, admins create a data encryption policy that links the keys to Exchange Online, and then apply the policy to mailboxes. You'll find the full prerequisite steps on Microsoft's support site.

Apply the data encryption policy to a mailbox

Enabling full mailbox encryption is reasonably straightforward.

First, create a data encryption policy with Exchange Online PowerShell. Define the uniform resource identifier values used to connect to each Azure subscription. This policy has values for the name and description, and a parameter -- AzureKeyIDs -- used to specify each subscription. For example:

New-DataEncryptionPolicy -Name "SecureProject1" -Description "Root key for mailboxes within secure project 1" -AzureKeyIDs https://tenant_EastUSvault01.vault.azure.net/keys/Secure1_key_01, https://tenant_EastUS2vault01.vault.azure.net/keys/Secure1_Key_02

Next, apply the data encryption policy to a user mailbox.

Set-Mailbox -Identity "[email protected]" -DataEncryptionPolicy "SecureProject1"

After approximately 72 hours, check the encryption status of the mailbox.

Get-MailboxStatistics -Identity "[email protected]" | Select DisplayName,IsEncrypted

Customer Key enables IT to apply encryption where it is required rather than across the organization.

Each Azure Key Vault transaction adds to the organization's bill, so a selective administrator can help limit costs while meeting compliance requirements. Microsoft supports the use of multiple sets of keys if a project or contract requires it, or if the company needs to host keys in specific regions.