
Your data, their cloud? Bring your own encryption keys

J. Peter Bruzzese | May 11, 2016
As governments and others increasingly seek the keys from your vendors to unlock your encrypted data, you should consider using self-provisioned keys

"Are you the Key Master?" "I am the Key Master, are you the Gate Keeper?" Those aren't merely lines from the "Ghostbusters" movie, but the question IT has to ask more and more about protecting even encrypted data.

The goal of encryption is clear: to prevent unauthorized people from reading what they should not. Even if someone intercepts your messages or a cloud provider's engineer opens your data stores, that encrypted data should be worthless without the key. Encrypted data can be unlocked only with the key that goes with the cipher.

Thus, protecting those keys -- who has access to them -- is the biggest challenge in safeguarding that data. Although your technology provider may offer tools to encrypt your data, you might need to do more to protect those keys and perhaps even bring your own.

What Microsoft offers to safeguard your data

Office 365 offers multiple encryption tools:

  • BitLocker (for AES encryption) for drive-level encryption (for data at rest)
  • Content-level, per-file encryption for Skype for Business, SharePoint Online, and OneDrive for Business (also for data at rest)
  • FIPS 140-2 Level 2 encryption for email (for data at rest)
  • TLS (Transport Layer Security) for emails in transit between servers and SSL (Secure Sockets Layer) encryption for email in transit between the email client and server
  • OME (O365 Message Encryption), which is built on Azure Rights Management (Azure RMS), for encrypting the email itself whether it is at rest or in transit, using transport-controlled cryptography and keys
  • S/MIME, for encrypting the email itself, using client-controlled cryptography and keys

It sounds like all our bases are covered, right? Yes, if your goal is security. However, privacy is another major concern with data stored in or moved via the cloud. If someone -- the police, a government, a competitor, a hacker, a spy -- has the key or can re-create it, that entity can read that data and any corporate or personal information contained within, even if they cause you no explicit harm.

To satisfy that need for customers to have more control over their own content, Microsoft offers several technologies. One is the Customer Lockbox feature, which ensures that the only way a Microsoft engineer can gain access to customer data stored in Office 365 is by requesting permission. No permission? No access. (Keep in mind that Customer Lockbox is available only as part of an E5 license.)

Microsoft announced last year it's working on additional security features that build on the content-level encryption capabilities in Office 365, including the ability for customers to generate and control their own keys.

The case for BYOK

The ability to bring your own key (BYOK) is huge. Office 365 MVP Dan Holme said, "It's the Holy Grail for a service like Office 365. Effectively, it means that Microsoft itself cannot access your data at all. The customer holds the key." (This is the same approach BlackBerry has long taken in its BlackBerry Enterprise Service management server and that Apple takes on its iPhones and iPads, but not yet in its iCloud service.)
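To make the key-custody point concrete, here is an added envelope-encryption sketch in Go. It is illustrative code written for this article, not Microsoft's or Office 365's implementation, and it assumes a 32-byte customer-held key-encryption key (KEK) that the provider is never given to store: each object gets its own data key (DEK), the DEK is wrapped under the KEK, and the provider keeps only the ciphertext and the wrapped DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns "cannot happen" errors (bad key length, CSPRNG failure) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal: AES-256-GCM under a 32-byte key, with the random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or a tampered blob fails GCM authentication.
func open(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Store is the provider side: a fresh per-object DEK encrypts the content, the DEK is
// wrapped under the customer-held KEK (assumed 32 bytes), and only these two blobs are
// retained. The plain DEK is dropped and the KEK is never stored by the provider.
func Store(customerKEK, plaintext []byte) (ciphertext, wrappedDEK []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(dek, plaintext), seal(customerKEK, dek)
}

// Retrieve succeeds only when the customer presents the KEK to unwrap the DEK.
func Retrieve(customerKEK, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(customerKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Without the KEK, everything the provider holds (or hands over) is opaque bytes; if the customer destroys the KEK, every wrapped DEK, and therefore every object, becomes unreadable at once.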
