The requirements for using Office 365 Advanced Message Encryption are roughly the same as for the other technical features covered earlier and later in this book. By way of a refresher, however, in order to implement Office 365 Advanced Message Encryption, you need one of the following subscriptions present in your Microsoft 365 tenant:
- Microsoft 365 E5
- Office 365 E5
- Microsoft 365 E5 (Nonprofit Staff Pricing)
- Office 365 Enterprise E5 (Nonprofit Staff Pricing)
- Office 365 Education A5
- Microsoft 365 E5 Compliance add-on for Microsoft 365 E3
- Office 365 Advanced Compliance add-on for Microsoft 365 E3
- Microsoft 365 E5 Information Protection and Governance add-on for Microsoft 365 E3
If you would like to delve deeper into the licensing requirements for Office 365 Advanced Message Encryption, you can refer to this link: https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-advanced-message-encryption?view=o365-worldwide.
With the technical requirements all sorted out, let’s now dive into our first topic, which will give us an introduction to encryption in Microsoft 365.
Introduction to encryption in Microsoft 365
Encryption is the process of cryptographically encoding information so that only individuals or organizations with the correct authorization can read it. The use of encryption greatly increases resilience to the following threats:
- The theft of data
- Failures in physical security
- The interception of data while in transit
Within Microsoft 365, there are multiple layers of encryption working together to safeguard customer data both at rest and in transit.
Examples of data-at-rest include the following:
- Files uploaded to a SharePoint site
- Teams chat messages
- Files shared in Microsoft Teams meetings
- Attachments in email messages stored in a mailbox
- Files uploaded to OneDrive for Business
Examples of data-in-transit include the following:
- Conversations taking place in a Teams meeting
- Email messages in the process of being delivered
- Communications between a user’s laptop or other device and Microsoft 365 services
Microsoft does not take encryption lightly in its efforts to keep customers’ data as safe as possible. The data that customers provide and upload to Microsoft 365 is encrypted at rest and in transit using Federal Information Processing Standard (FIPS) 140-2-compatible encryption algorithms and technologies, including:
- Advanced Encryption Standard (AES)
- Transport Layer Security (TLS)
- Internet Protocol Security (IPsec)
These standard technologies are complemented by Microsoft technologies providing encryption for the following:
- Hard drives (BitLocker)
- Service encryption (Microsoft managed keys/customer-managed keys)
With that, we have an overview of the encryption features available and the ways in which data can be encrypted. Let’s now take a deeper dive into the topics that rely specifically on Microsoft technologies to improve our knowledge in this regard.
BitLocker and how it encrypts data at rest
In Microsoft 365, BitLocker encrypts the disk volumes containing customer data at the volume level, ensuring that all data at rest is encrypted and available only to authorized individuals.
The feature combines several encryption layers: the disks containing customer data use Advanced Encryption Standard (AES) 256-bit encryption; each disk sector is encrypted with a Full Volume Encryption Key (FVEK); the FVEK is itself encrypted with a Volume Master Key (VMK); and the VMK is bound to the Trusted Platform Module (TPM) in the server itself. This flow is visualized in the following diagram:
Figure 6.1 – Describing the encryption flow using BitLocker on Microsoft 365 servers
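The key hierarchy in the diagram is easier to reason about when you can step through it. The following Python model is an added example written for this chapter, not BitLocker’s or Microsoft’s code: it encrypts sectors with an FVEK, wraps the FVEK with a VMK, and seals the VMK to a simulated TPM whose sealing key depends on a per-chip secret and the boot measurements (PCR values). The cipher is a SHA-256 counter-mode keystream with an HMAC tag standing in for the AES modes BitLocker actually uses, the TPM is simulated in software, and the sector contents and PCR values are constructed sample data. The three demo functions show why the threats listed earlier (theft of a disk, a failure of physical security) do not expose the data: the volume unlocks only on the same chip with an unchanged boot chain.

```python
"""Toy model of the BitLocker key hierarchy: sectors -> FVEK -> VMK -> TPM.
Constructed illustration; the cipher and TPM are software stand-ins."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key, nonce and a block counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key fails closed."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SimulatedTpm:
    """Stands in for the server's TPM: a per-chip secret that never leaves the
    device, plus PCR registers holding boot measurements."""

    def __init__(self, pcrs: dict):
        self._secret = os.urandom(32)  # never exported from the "chip"
        self.pcrs = dict(pcrs)

    def _sealing_key(self) -> bytes:
        measurements = b"".join(self.pcrs[i] for i in sorted(self.pcrs))
        return hmac.new(self._secret, measurements, hashlib.sha256).digest()

    def seal(self, data: bytes) -> bytes:
        return encrypt(self._sealing_key(), data)

    def unseal(self, blob: bytes) -> bytes:
        # Succeeds only on the same chip with the same measurements.
        return decrypt(self._sealing_key(), blob)


def provision_volume(tpm: SimulatedTpm, sectors: list) -> dict:
    """Build what sits on disk: encrypted sectors, wrapped FVEK, sealed VMK."""
    fvek = os.urandom(32)  # Full Volume Encryption Key
    vmk = os.urandom(32)   # Volume Master Key
    return {
        "sectors": [encrypt(fvek, s) for s in sectors],
        "wrapped_fvek": encrypt(vmk, fvek),
        "sealed_vmk": tpm.seal(vmk),
    }


def unlock_volume(tpm: SimulatedTpm, disk: dict) -> list:
    """Walk the hierarchy top-down: TPM -> VMK -> FVEK -> sectors."""
    vmk = tpm.unseal(disk["sealed_vmk"])
    fvek = decrypt(vmk, disk["wrapped_fvek"])
    return [decrypt(fvek, s) for s in disk["sectors"]]


# Constructed sample sector contents and boot measurements.
SAMPLE_SECTORS = [b"sector 0: mailbox item", b"sector 1: SharePoint file chunk"]
GOOD_PCRS = {0: b"firmware build 1", 7: b"secure boot: on"}


def unlocks(tpm: SimulatedTpm, disk: dict) -> bool:
    """True if the volume unlocks and yields the original sectors."""
    try:
        return unlock_volume(tpm, disk) == SAMPLE_SECTORS
    except ValueError:
        return False


def demo_normal_boot() -> bool:
    """Same server, unchanged boot chain: the volume unlocks."""
    tpm = SimulatedTpm(GOOD_PCRS)
    return unlocks(tpm, provision_volume(tpm, SAMPLE_SECTORS))


def demo_disk_moved() -> bool:
    """Disk pulled and attached to another server: different TPM secret."""
    tpm = SimulatedTpm(GOOD_PCRS)
    disk = provision_volume(tpm, SAMPLE_SECTORS)
    return unlocks(SimulatedTpm(GOOD_PCRS), disk)


def demo_boot_tampered() -> bool:
    """Same TPM, but a boot measurement changed: the VMK stays sealed."""
    tpm = SimulatedTpm(GOOD_PCRS)
    disk = provision_volume(tpm, SAMPLE_SECTORS)
    tpm.pcrs[7] = b"secure boot: off"
    return unlocks(tpm, disk)


if __name__ == "__main__":
    print("normal boot unlocks:", demo_normal_boot())      # True
    print("moved disk unlocks:", demo_disk_moved())        # False
    print("tampered boot unlocks:", demo_boot_tampered())  # False
```

The point to take from the model is that the disk never stores a usable key: the sealed VMK is only recoverable by the chip that sealed it, under the boot state it was sealed to, which is what makes a stolen or decommissioned drive unreadable on its own.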
With that, we have covered the basics of how BitLocker is used to encrypt data at rest in Microsoft 365. Let’s now move on to our next topic, which will provide insights into how service encryption works.