With so many encryption technologies available in Office 365, knowing the best choice for your organization – let alone configuring it – is a taxing job for any IT admin.
That’s why ENow teamed up with Office 365 MVP Nathan O’Bryan to host a webinar that breaks down some common encryption technologies available in Exchange Online. Because encryption technology is complex, most messages today are sent in plain text, including many that shouldn’t be. But you need to ensure sensitive messages are protected when sending them out over the web – not only for compliance reasons, but also to protect organizational intellectual property and for security’s sake.
So which is the right option for your organization? Let’s recap the encryption technologies Nathan mentions in the webinar and when an organization should use each.
Transport Layer Security
Transport Layer Security (TLS) is an encryption protocol that creates a secure communication tunnel over the Internet so that email traffic between mail servers is encrypted in transit. It informs both parties that a message has been securely delivered. Note that TLS protects the connection hop by hop, not the message itself: once a message arrives at the other side’s server it is stored and handled in the clear unless another technology protects it.
If you have many users sending a high volume of messages containing proprietary information to partner organizations, TLS is a great option. Other good use cases include when message traffic between two separate organizations is considered internal, when you need encryption set up between two separate Office 365 tenants, or when your organization needs to ensure that all email is sent securely to another organization without requiring any user action.
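The partner scenario above can be configured from Exchange Online PowerShell with a pair of connectors: an outbound connector that refuses to deliver to the partner domain unless TLS with a valid certificate is negotiated, and an inbound connector that only accepts the partner’s mail over TLS. This is an added example, not configuration from the webinar or from ENow; the tenant domain contoso.example, the partner domain partner.example and the certificate name are placeholders you would replace with your own values.

```powershell
# Assumes the ExchangeOnlineManagement module is installed.
# contoso.example (our tenant) and partner.example (the partner) are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Outbound: mail to partner.example must use TLS and the partner's certificate
# must validate, otherwise the message is queued rather than sent in the clear.
# (The default behaviour without a connector is opportunistic TLS, which silently
# falls back to plain text when the remote side does not offer TLS.)
New-OutboundConnector -Name "Partner.example - forced TLS" `
    -ConnectorType Partner `
    -RecipientDomains "partner.example" `
    -TlsSettings CertificateValidation `
    -UseMXRecord $true `
    -Enabled $true

# Inbound: only accept mail claiming to be from partner.example when it arrives
# over TLS using a certificate whose subject matches the partner's domain.
New-InboundConnector -Name "Partner.example - inbound TLS" `
    -ConnectorType Partner `
    -SenderDomains "partner.example" `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "*.partner.example"

# Review what is now enforced for this partner.
Get-OutboundConnector | Where-Object { $_.RecipientDomains -contains "partner.example" } |
    Format-List Name, TlsSettings, Enabled
Get-InboundConnector  | Where-Object { $_.SenderDomains -match "partner.example" } |
    Format-List Name, RequireTls, TlsSenderCertificateName
```

Choosing CertificateValidation (or DomainValidation with a -TlsDomain) rather than EncryptionOnly is what turns TLS from "encrypted if possible" into an enforced requirement; the partner needs a matching pair of connectors on their side for the channel to be enforced in both directions.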
Office 365 Message Encryption
Office 365 Message Encryption (OME) offers a simple way for users to send secure messages over any messaging platform. Using transport rules, OME secures messages that meet specific conditions, and because the recipient opens the protected message through a web portal or a supported client, OME-encrypted messages can be sent to recipients on any platform. OME is the easiest encryption technology to set up and use, which makes it especially helpful for users who aren’t technically savvy. If your users need to send secure emails to recipients outside of your organization, OME would be your best bet.
There are a few ways to trigger OME for specific messages. Nathan recommends using transport rules, which let tenant administrators define the circumstances under which OME protection is applied, for example a keyword in the subject line, or messages addressed to a specific user or domain.
Information Rights Management Services
Information Rights Management Services (RMS) uses encryption to let you set and enforce usage rights for messages and Office documents within your Office 365 tenant. Using controls in the Office applications, users can apply rights templates that spell out what a recipient may do with the content (e.g., “Do not forward”) to messages and documents, and the same templates work across other Office 365 applications.
Most RMS functionality works best within the same organization. With the RMS sharing app, you can also see who has opened your RMS-protected documents and revoke access. However, Nathan notes that RMS doesn’t offer foolproof protection against violations: a recipient who can read the content can still, for example, photograph the screen.
If you have sensitive documents and messages that need to be protected internally, recipients who need time-limited access to documents and messages, or a requirement that recipients cannot forward emails, RMS can work for your organization. But rather than an iron-clad barrier against malicious behavior, consider it a tool to help users follow policy.
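Both the OME section and the RMS section above come down to the same mechanism in Exchange Online: a transport (mail flow) rule whose action applies a rights protection template. The following added example (not part of the webinar or of ENow’s material) creates the three rules the text describes, one keyed on a subject keyword, one keyed on an external recipient domain, and one that applies “Do Not Forward” to internal mail. It assumes the tenant’s built-in “Encrypt” and “Do Not Forward” templates, the placeholder domain partner.example and the placeholder subject keyword [SECURE]; the admin UPN is likewise a placeholder.

```powershell
# Assumes the ExchangeOnlineManagement module; admin@contoso.example is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Prerequisite check: OME/RMS rules only take effect when Azure RMS is enabled
# for the tenant and the templates are visible to Exchange Online.
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled
Get-RMSTemplate      | Format-Table Name, Type

# Rule 1 (OME): a keyword in the subject triggers encryption. Users can opt in to
# protection without knowing anything about the underlying technology.
New-TransportRule -Name "OME - subject keyword" `
    -SubjectContainsWords "[SECURE]" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Priority 0

# Rule 2 (OME): every message to the partner's domain is protected, so nobody has
# to remember the keyword for that correspondent. partner.example is a placeholder.
New-TransportRule -Name "OME - partner domain" `
    -RecipientDomainIs "partner.example" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Priority 1

# Rule 3 (RMS): internal mail marked "Internal Only" gets the Do Not Forward
# template, which blocks forward/print/copy in supporting clients. As the post
# says, this assists policy rather than guaranteeing it.
New-TransportRule -Name "RMS - do not forward internal" `
    -SubjectOrBodyContainsWords "Internal Only" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 2

# Review every rule that applies protection, in priority order.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Sort-Object Priority |
    Format-Table Name, Priority, ApplyRightsProtectionTemplate, State
```

Rule priority matters when conditions overlap: a message to partner.example with [SECURE] in the subject is matched by the first rule and protected once, and the later rules do not re-protect it. Keep the keyword rule at the top so users can always force protection, and send a test message against each rule before announcing it to users.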
Secure/Multipurpose Internet Mail Extensions
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a client-side encryption technology that works backward compared with the options above: setting it up on your side is what lets other people send you encrypted messages, because a sender encrypts to the recipient’s public key.
Nathan begins the conversation on S/MIME by discussing a few distinct obstacles. First, not all email software supports S/MIME. And because S/MIME encryption and decryption are performed in the client, message traffic isn’t inspected by the transport stack (transport rules, malware scanning and journaling see only ciphertext). Using S/MIME also requires you to install a certificate on each client machine, which can become troublesome when users work from multiple (and likely personal) machines that may be outside your organization’s purview. While the technology does provide confidentiality and data integrity, as Nathan outlines, it does not enable authentication or nonrepudiation.
Despite the obstacles, S/MIME can be a logical choice in a few scenarios: a small number of sophisticated users (not hundreds) who send and receive many highly sensitive messages, a dedicated IT staff with the knowledge to manage complex encryption, and sensitive messages that need to be secured from end to end.
Finally, Nathan mentions a few features that won’t work in Exchange Online: journal report decryption, Outlook protection rules, and domain security, which notifies the sender when an outgoing message will be routed over a TLS-encrypted connection.
For more thorough explanations of these technologies and how to configure each, check out Nathan’s full webinar recording.