Encrypt Exchange Online Mailboxes with BYOK

Encryption for Exchange Online Mailboxes

Exchange Online mailbox data encryption can be strengthened beyond the default Microsoft-provided level. When you first use Exchange Online for your mailboxes, the data is encrypted at rest with a Microsoft-managed encryption key, much like a laptop protected by BitLocker.

However, the master key used to protect your Exchange Online mailboxes is owned by Microsoft and is shared with other tenancies.


This means that Microsoft employees can, technically, access your Exchange Online data. A common example is Microsoft support staff accessing your data when you log a support request.

Private Key Protection for Exchange Online Data At Rest

A little-publicized feature available with an E5 license lets you further encrypt your Exchange Online mailbox data with a private key that belongs to you. You can choose to place the master key in your own secure storage area.

The technical process for encrypting your mailboxes this way is reasonably straightforward, and the encryption can be applied to all mailboxes or only to selected ones.

Encrypting your data at rest with a private key will not prevent a forensic investigation by an expert email witness, because the expert will be provided with an appropriate Office 365 tenant admin account.

Microsoft offers the Azure Key Vault service so that you can store your master key within your Azure subscription. However, that Azure Key Vault is also accessible by Microsoft support personnel.

The recommendation here is to secure your master key away from your M365 tenant in an alternative secure location. Key management is a separate topic outside the scope of this blog post, but we can provide advice on it if required.

Bring Your Own Key (BYOK) for Exchange Online

Bring Your Own Key (BYOK) is the technology behind this, and it prevents Microsoft support staff from accessing your Exchange Online mailbox data without your consent. Consent can be granted for a limited time frame via a Customer Key feature that allows restricted access by a Microsoft support person when requested.
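To illustrate the per-mailbox option mentioned earlier and the Customer Key mechanism behind BYOK, here is an added example (not code from the original post) using the Exchange Online PowerShell cmdlets: it creates a data encryption policy that references two Azure Key Vault keys, assigns it to one mailbox, and then verifies the result. Vault names, key names and the mailbox address are placeholders, and it assumes the Customer Key prerequisites (E5 licensing and the two key vaults) are already in place.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed, the Customer Key prerequisites are met, and two Azure Key
# Vault keys already exist. Vault names, key names and the mailbox are placeholders.
Connect-ExchangeOnline

# A data encryption policy (DEP) references two Key Vault keys held in separate
# vaults; Exchange Online uses them to protect the mailbox's data encryption key.
New-DataEncryptionPolicy -Name "Finance-Mailboxes-DEP" `
    -Description "Customer Key policy for finance mailboxes" `
    -AzureKeyIDs "https://<vault-a>.vault.azure.net/keys/<key-a>", `
                 "https://<vault-b>.vault.azure.net/keys/<key-b>"

# Apply the policy to a single mailbox rather than to every mailbox in the tenant.
Set-Mailbox -Identity "<user>@<tenant>.onmicrosoft.com" `
    -DataEncryptionPolicy "Finance-Mailboxes-DEP"

# Verify: the mailbox reports its assigned policy, and IsEncrypted becomes True
# once Exchange Online has re-encrypted the mailbox with the new policy (this
# can take a while after assignment).
Get-Mailbox -Identity "<user>@<tenant>.onmicrosoft.com" | Format-List DataEncryptionPolicy
Get-MailboxStatistics -Identity "<user>@<tenant>.onmicrosoft.com" | Format-List IsEncrypted
```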

Summary | Encrypt Exchange Online with BYOK

If your business has high data protection standards as part of a compliance policy, then applying the highest level of data-at-rest encryption to your Exchange Online mailbox data is recommended.

There are various third-party providers who will help you set up a public/private key pair and advise on how to protect the master key.

Contact us today if you need more information on securing your Exchange Online mailbox data to the highest level.

If you need consulting help to migrate your email platform to Office 365, so you can use BYOK encryption, then we recommend office365migrate.com.
