I had an interesting discussion recently with a customer about email encryption in Office 365. The customer wanted to know the pros and cons of each encryption option in Office 365. This customer’s main goal was encrypting email messages so Microsoft can’t access them. Here's a summary of the different encryption options in Office 365, and how to encrypt your data (and why you would want to) so Microsoft can’t access it inside Office 365.
Email encryption options included in Office 365
Exchange Online in Office 365 includes several different encryption options. One of the best parts about Exchange Online is that the encryption options are set up and ready to use with minimal effort.
It’s impossible to go into detail for every encryption option. There’s too much to talk about, and I've written about encryption in Exchange Online extensively elsewhere. Here’s a brief rundown of the available options, and when you might use each type of encryption.
Transport Layer Security (TLS) is an evolution of SSL, originally developed by Netscape for its Navigator browser. In Exchange, TLS is used to create an organization-to-organization encryption pipeline: it encrypts the SMTP connection between two different Exchange deployments, so message traffic is protected while in transit between them (it is not encrypted at rest in either mailbox).
TLS is best when your organization frequently sends sensitive messages to another organization that you don't want in plain text on the internet.
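One way to enforce that pipeline for a specific partner in Exchange Online, as an added example that is not from the original post: an outbound and an inbound partner connector that require TLS and validate the partner's certificate against their domain. It assumes the Exchange Online PowerShell module is installed and `Connect-ExchangeOnline` has already been run; `partner.example` is a placeholder for the partner's domain.

```powershell
# Added example (not from the original post): force TLS for mail exchanged with one
# partner organization in Exchange Online. Assumes Connect-ExchangeOnline has been run.
# 'partner.example' is a placeholder for the partner's accepted domain.
$partnerDomain = 'partner.example'

# Outbound: deliver to the partner only over TLS, and only when the certificate the
# partner presents is valid and matches their domain (DomainValidation + TlsDomain).
New-OutboundConnector -Name "Require TLS to $partnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerDomain `
    -RequireTls $true

# Inbound: accept mail from the partner's domain only over TLS and only when the
# sending server's certificate subject matches their domain.
New-InboundConnector -Name "Require TLS from $partnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName $partnerDomain

# Check: list every connector with its TLS posture so a downgraded connector stands out.
Get-OutboundConnector | Format-Table Name, RecipientDomains, TlsSettings, TlsDomain, RequireTls
Get-InboundConnector  | Format-Table Name, SenderDomains, RequireTls, TlsSenderCertificateName
```

With `RequireTls` set, a message to that domain is queued rather than sent in clear text if the partner's server cannot negotiate TLS, which is the behaviour you want for the "sensitive messages to another organization" case; opportunistic TLS alone would silently fall back.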
Office 365 Message Encryption (OME) is what most people think of when you say "email encryption." OME is a service that intercepts messages matching specific parameters and transport rules, and replaces them with an HTTPS link to a Microsoft server. The original recipient of the message uses the HTTPS link to access the original message in their web browser with the standard SSL encryption that we all use on the internet every day.
The recipient of an OME encrypted message can reply using the same encryption, ensuring the whole conversation is encrypted without the recipient needing an Office 365 license.
OME is best when your organization needs to send email to people outside your organization who could be on any messaging platform.
Information Rights Management (IRM) is not encryption, but a tool that uses encryption to enforce usage rights on email messages and documents. IRM allows the author of a message to specify who can do what with a message after they receive it. For instance, the CEO of your company might need to send a company email about an upcoming merger, but she doesn’t want employees to forward or screenshot that message. IRM is the tool to make that happen.
IRM is best used to remind end users to comply with organizational information use policies. It can’t prevent all misuse of organizational information, but it can help honest end users follow existing policies.
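Both OME and IRM are driven from the same place in Exchange Online, a transport rule that applies a rights protection template, so the following added example (not code from the original post) shows one rule for each: an OME rule for confidential mail leaving the organization, and an IRM "Do Not Forward" rule for the merger scenario above. It assumes `Connect-ExchangeOnline` has been run and Azure Rights Management is activated for the tenant; the rule names, keywords and the `user@contoso.example` sender are placeholders.

```powershell
# Added example (not from the original post): transport rules that apply OME and IRM.
# Assumes Connect-ExchangeOnline has been run and Azure RMS is activated for the tenant.
# Rule names, keywords and the sender address are placeholders.

# Check that Exchange Online can use the tenant's Azure RMS templates at all.
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled
# Test-IRMConfiguration exercises the full template/licensing path for one sender mailbox.
Test-IRMConfiguration -Sender 'user@contoso.example'

# OME: mail leaving the organization that carries the word "Confidential" is replaced
# with a protected copy the external recipient opens through the OME portal.
New-TransportRule -Name 'OME: confidential mail to external recipients' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate 'Encrypt'

# IRM: internal mail about the merger gets the built-in "Do Not Forward" template,
# which blocks forward, print and copy for recipients in Outlook and OWA.
New-TransportRule -Name 'IRM: do not forward merger mail' `
    -SentToScope InOrganization `
    -SubjectContainsWords 'Project Merger' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Check: which rules apply a protection template, and the order they are evaluated in.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Priority, Name, State, ApplyRightsProtectionTemplate
```

The point the post makes about IRM still applies to the rule: "Do Not Forward" is enforced inside the Office clients, and a determined recipient can still photograph the screen, so treat it as a guard rail for honest users rather than a hard control.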
Secure/Multipurpose Internet Mail Extensions (S/MIME) is an encryption solution that provides client-to-client encryption between Outlook or OWA clients.
S/MIME is difficult to configure even in Office 365. The reason for this is that S/MIME requires an SSL certificate configuration for each client using S/MIME. OME and IRM don’t have this requirement, so they tend to be much more widely used.
S/MIME is best for technically advanced end users who need high levels of security and send a small number of messages to known parties. The recipient of S/MIME messages needs the technical ability to decrypt S/MIME messages.
Do you need another encryption option?
Exchange Online includes a lot of encryption options. They cover almost every scenario except one — data isn’t protected from Microsoft.
I’m not saying that Microsoft snoops in Office 365 customers’ data. I’m sure the exact opposite is true. With administrator audit logging and customer lockbox, you can be sure that Microsoft is not poking around in your data.
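Since the post leans on administrator audit logging and Customer Lockbox, here is an added example (not from the original post) of how to verify both are actually switched on in your tenant and to look at what administrators have been doing recently. It assumes `Connect-ExchangeOnline` has been run and that the tenant is licensed for Customer Lockbox; the seven-day window is illustrative.

```powershell
# Added example (not from the original post): confirm the controls the post relies on.
# Assumes Connect-ExchangeOnline has been run. The date range is illustrative.

# Customer Lockbox is an org-level switch; $false means Microsoft support can access
# content during a service request without your explicit approval.
Get-OrganizationConfig | Format-List CustomerLockBoxEnabled

# Admin audit logging: confirm cmdlet auditing and unified audit log ingestion are on.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, UnifiedAuditLogIngestionEnabled

# Pull the last week of Exchange admin operations so unexpected changes (for example a
# new transport rule or connector) can be reviewed.
$end   = Get-Date
$start = $end.AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeAdmin -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate -Descending |
    Format-Table -AutoSize
```

If `UnifiedAuditLogIngestionEnabled` is `$false`, `Search-UnifiedAuditLog` returns nothing useful; turn it on before relying on it as evidence of who touched what.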
However, the U.S. government is keenly interested in accessing data stored in cloud services like Office 365 at any time, without notifying the customer. My understanding is that the U.S. government asserts that the Fourth Amendment protections against search and seizure cannot be extended through a third party. (I’m not a lawyer, so don’t take my word for it.) There are circumstances where Office 365 customers may not want Microsoft to have access to the data stored in Office 365. The only way to ensure that is encrypting your data before it gets into Office 365.
Which brings us to PGP
PGP is an open source encryption option that encrypts data outside of Office 365 before it enters the Microsoft systems. I wouldn’t recommend this option for most Office 365 customers for several reasons:
Using PGP outside of Office 365 means the eDiscovery, data loss prevention and compliance features of Office 365 won’t work.
Using PGP outside of Office 365 means you must maintain the certificates used to encrypt your data. Lose a certificate and your data is gone forever.
Using PGP outside of Office 365 is difficult to do correctly. There are several vendors who have developed PGP-based solutions that make it easier, but none of them are what I would call “easy,” especially from an end user perspective.
There are several different ways you can implement PGP. If this is the road your organization wants to go down, I recommend finding a solution that offers a plug-in for Outlook and a good certificate management system. I don’t have a specific recommendation, but if there is enough interest from the community I’d be happy to put together a guide for a future blog post.
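To make the "encrypt before it enters Office 365" idea concrete, here is an added example that is not from the post and is not any vendor's product: a PowerShell wrapper around GnuPG that encrypts a file to one recipient only after confirming that a key with the exact pinned fingerprint is in the local keyring, so a substituted or mistyped key is refused. It assumes GnuPG 2.x (`gpg`) is on the PATH and the recipient's public key has already been imported; the file name and the fingerprint are placeholders.

```powershell
# Added example (not from the original post): encrypt an attachment with GnuPG before
# it is handed to Outlook / Exchange Online, pinning the recipient's key fingerprint.
# Assumes gpg (GnuPG 2.x) is on PATH and the recipient's public key is already imported.
# File name and fingerprint below are placeholders.

function Protect-FileWithPgp {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $RecipientFingerprint,   # 40 hex digits
        [string] $OutPath = "$Path.gpg"
    )
    $fpr = ($RecipientFingerprint -replace '\s', '').ToUpperInvariant()
    if ($fpr -notmatch '^[0-9A-F]{40}$') { throw 'Expected a 40-hex-digit key fingerprint' }
    if (-not (Test-Path -LiteralPath $Path)) { throw "Input file not found: $Path" }

    # Refuse to encrypt unless a key with exactly this fingerprint is in the keyring.
    # In --with-colons output the 'fpr' records carry the fingerprint in field 10.
    $known = gpg --batch --with-colons --fingerprint --list-keys 2>$null |
        Where-Object { $_ -like 'fpr:*' } |
        ForEach-Object { ($_ -split ':')[9] }
    if ($known -notcontains $fpr) { throw "Recipient key $fpr is not in the local keyring" }

    # Encrypt to the pinned fingerprint only. --trust-model always is acceptable here
    # because the fingerprint was checked explicitly instead of via web-of-trust.
    gpg --batch --yes --trust-model always --recipient $fpr `
        --output $OutPath --encrypt $Path
    if ($LASTEXITCODE -ne 0) { throw "gpg failed with exit code $LASTEXITCODE" }
    Get-Item -LiteralPath $OutPath
}

# Usage: the .gpg file is what gets attached to the message; Exchange Online, and
# therefore OME, DLP and eDiscovery, only ever see ciphertext.
Protect-FileWithPgp -Path '.\merger-terms.docx' `
    -RecipientFingerprint '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder
```

This also illustrates the second drawback above: the recipient's ability to read the file depends entirely on their private key, so a key backup procedure (for example an exported, separately stored copy of the secret key) is part of any PGP rollout, not an afterthought.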
Let me know what you think!
Nathan O'Bryan MCSM
Nathan is a five-time former Microsoft MVP who specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.