Learn how data is protected in the cloud, specifically Office 365 and Azure, using the latest encryption technologies.


Part one of a series.

While this is not a technical paper on ciphers or cryptography, I’ve included a small bit of background here for the sake of historical reference.

I will follow that by explaining how encryption technologies work to protect assets in your Office 365 platform and what your responsibilities and options are.

But first:

Vigenère. Playfair. Enigma. SHA. MD5. RSA. AES. Perhaps you have heard of these ciphers, especially the later ones like RSA and AES. Today, RSA and AES are the safest, but with every advance in computing power comes the need to update this cipher technology. With the rapidly approaching era of available DNA and quantum computing, soon we’ll be able to easily decode the final Enigma and Zodiac ciphertexts that have remained uncracked for many years.

RSA is the cipher behind today’s public key cryptography and the public key infrastructure (PKI) widely in use. To transfer information securely, the sender encrypts a message with the recipient’s published public key, and the recipient decrypts it with a private key known only to them. Handshakes and agreements between sender and receiver ensure the quality of the encoding or decoding.
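To make the public-key/private-key split concrete, here is textbook RSA worked through in Python. This is an added illustration, not code from the original post or from Microsoft; the primes, the message and the unpadded "textbook" form are assumptions chosen so the arithmetic is visible. Production RSA, as used by TLS and PKI, pairs 2048-bit or larger primes with a padding scheme such as OAEP.

```python
"""Textbook RSA walk-through (added example, not from the original post).

Fixed primes keep the numbers small enough to follow by hand. Unpadded RSA
as shown here is for teaching only; real systems use large keys plus padding.
"""
import math


def modular_inverse(a, m):
    """Return x with (a * x) % m == 1, via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a has no inverse modulo m")
    return old_s % m


def generate_keypair(p, q, e=65537):
    """Derive (public, private) keys from two distinct primes p and q.

    public  = (n, e): anyone may use it to encrypt a message to the key holder
    private = (n, d): known only to the holder, used to decrypt
    """
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = modular_inverse(e, phi)        # e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Sender side: c = m^e mod n using only the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Recipient side: m = c^d mod n using the private key."""
    n, d = private_key
    return pow(c, d, n)


def text_to_int(text):
    return int.from_bytes(text.encode(), "big")


def int_to_text(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()


def roundtrip(text, p=2**31 - 1, q=2**61 - 1):
    """Encrypt then decrypt a short string with two (assumed) Mersenne primes."""
    public, private = generate_keypair(p, q)
    ciphertext = encrypt(public, text_to_int(text))
    return int_to_text(decrypt(private, ciphertext))


if __name__ == "__main__":
    public, private = generate_keypair(61, 53, e=17)   # n = 3233
    print(public, private, encrypt(public, 65))        # (3233, 17) (3233, 2753) 2790
    print(roundtrip("hello"))                          # hello
```

The point to take away is the asymmetry: anyone holding `(n, e)` can produce the ciphertext, but only the holder of `d` can reverse it, and `d` is never transmitted.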

Okay, that’s a little background for you. I find cryptography fascinating but not everyone is so interested in cryptographic pursuits!

Fascinating or not, we will now address the ways your data is protected in the cloud, specifically Office 365 and Azure, using the latest encryption technologies.

Your Data At Rest (Infrastructure)

When it is not being sent, received or used, your organization’s data is stored on a server in a datacenter. Find out where.

Your data is replicated for security and high availability, but while it is at rest in any Microsoft facility, it resides on a storage mechanism that is encrypted using BitLocker.

Sample Data Center Map. Source: Microsoft

Be sure to gather information in the links above for reference to the location of your organization’s data. This is extremely important for topics like GDPR and High Availability.

Your Data In Transit (Information)

This is the most customer-involved, decision-making piece of the Office 365 encryption solution. It is why we work so hard to provide updated guidance and support throughout the life of your Office 365 investment.

Dozens upon dozens of endpoints are available from any device and any location in the world, providing information ingress and egress paths to and from the various services offered by Office 365 and Azure.

Protecting the information flowing through these points is critical, especially since users are historically unreliable when it comes to classifying and encrypting messages and files on their own.

At the application layer (OSI layer 7), Microsoft provides TLS (currently version 1.2), the successor to SSL. The TLS handshake lets sender and receiver agree on session keys, which are then used to encrypt the data being sent; encrypting data with a shared key in this way is symmetric cryptography.

The sender and recipient must both agree on the encryption method from what is available to them and in common between them. As a result, this does not always guarantee the highest level of security but it does guarantee the highest level of security in common between both parties.
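The "highest level of security in common" rule is easiest to see in code. The following is an added example, not Microsoft's or Office 365's own logic: the first part models cipher-suite selection over a constructed preference list (the list, its ordering and the floor are assumptions for the example), and the second shows how a client built on Python's standard `ssl` module enforces a TLS 1.2 minimum so that a peer offering only older versions is refused rather than negotiated down.

```python
"""TLS negotiation illustration (added example; not Microsoft's or Office 365's code).

Part 1 models the 'strongest option both sides share' rule with a constructed
cipher-suite list. Part 2 shows a client enforcing a TLS 1.2 floor with the
standard library, so a peer that only speaks older versions is refused.
"""
import ssl

# Constructed preference order for this example, strongest first. Real
# deployments take this order from the TLS library's policy, not a hand list.
STRENGTH_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Suites weaker than this floor are refused even if they are the only common option.
MINIMUM_ACCEPTABLE = "TLS_RSA_WITH_AES_128_CBC_SHA256"


def negotiate(client_offer, server_supported, floor=MINIMUM_ACCEPTABLE):
    """Return the strongest suite present in both lists, or None.

    Mirrors the handshake rule in the post: the result is the best security the
    two parties have in common, not the best either one knows on its own.
    """
    rank = {name: i for i, name in enumerate(STRENGTH_ORDER)}
    common = set(client_offer) & set(server_supported)
    acceptable = [s for s in common if s in rank and rank[s] <= rank[floor]]
    if not acceptable:
        return None                     # nothing shared meets the floor: abort
    return min(acceptable, key=rank.__getitem__)


def hardened_client_context():
    """Client-side SSLContext that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed offers: the client knows a strong suite the server lacks.
    client = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256"]
    server = ["TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    print(negotiate(client, server))                      # TLS_RSA_WITH_AES_128_CBC_SHA256
    print(negotiate(["TLS_RSA_WITH_3DES_EDE_CBC_SHA"], server))   # None
    print(hardened_client_context().minimum_version)      # TLSVersion.TLSv1_2
```

The `None` case is the one worth checking in your own clients and proxies: a connection that cannot reach the floor should fail closed, not quietly settle on the weakest suite both sides happen to share.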

Additionally, all internet transport in Office 365 is performed using an encrypted IPSec (OSI 3)/IKE (Internet Key Exchange) tunnel whether the data within is encrypted or not.

Some of the customer tasks involved with information security by data encryption are outlined below:

  • Avoid accidental and malicious data deletion by configuring:
    • Data Loss Prevention (DLP) and Labels
      • This is not encryption related, but important nonetheless
  • Avoid accidental and malicious data exfiltration using:

Your Data In Use (Identity)

When you and your colleagues collaborate on a document using Microsoft Teams, the source document resides in SharePoint by default. Whether the source is OneNote, OneDrive, or a SharePoint document repository, and whether it is opened in Teams, Office Online, or the desktop client, all communication between the client and the data source is encrypted using HTTPS inside an IPSec/IKE tunnel.

If the information encryption options previously mentioned have been configured and deployed, they will also be in use during the collaborative transport of data.

If, or when, you receive an encrypted email, your identity is verified and permissions for the message and its attachments are maintained using Azure Information Protection (AIP) in concert with Rights Management Services (RMS). This information is only visible in a protected viewer (client or browser) and is otherwise encrypted at all times.

Users can set the encryption or it can be done automatically using various criteria set in the AIP control panel. My colleague Veenus Maximiuk does a much more thorough job of explaining this in her blogs, so I’ll leave the details to her.

(In a future blog, I’ll cover the default Office 365 and Azure key rotation implementation or the Azure Key Vault and its uses).

Final Thoughts

These topics may not be the most fascinating to discuss, but they’re necessary because they impact your organization’s asset protection when using Office 365 subscriptions and EM+S features.

Your organization’s discussions around the encryption technologies in this blog will depend on what features of EM+S are being deployed and what hybrid design elements are in place. The solution will not be single-sized and will differ, sometimes drastically, between organizations.