Office 365's E-Mail Encryption Service Hits General Availability

Microsoft's Office 365 Message Encryption service, unveiled in November, is now commercially available, the company announced this week.

The service is available at no additional cost via Office 365 E3 and E4 subscription plans, or via a Windows Azure Rights Management subscription at $2 per user per month.

"It's high time that commercial-grade consumer products started emphasizing better cryptographic capability," said Gary McGraw, chief technology officer at Cigital, a Dulles, Va.-based software security consulting firm, via e-mail. "It's up to users to make use of it."

Microsoft describes Office 365 Message Encryption as an enhancement to its Exchange Hosted Encryption service, and users of that service will get upgraded to the new service sometime this quarter. Organizations using Exchange Hosted Encryption will get a notice about four weeks before the upgrade, according to Microsoft's upgrade page.

The Office 365 Message Encryption service is also available for Exchange Server 2013 users. The service is accessed either through Microsoft's recently updated Exchange Online Protection service or "by using hybrid mail-flow," according to Microsoft's announcement.

Office 365 Message Encryption features "policy-based encryption," according to Microsoft's description. It lets IT pros set the rules for when e-mails will get encrypted, using either a graphical user interface or PowerShell. Microsoft claims that the encrypted e-mail is "delivered directly to [the] recipient's inbox and not to a Web service." In addition, Microsoft claims that the service "eliminates the need for certificate maintenance."

Microsoft's Q&A on Office 365 Message Encryption explains that the service uses five security elements. It uses the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard, which generates client-side encryption keys, although Microsoft takes away the trouble of an organization having to set up S/MIME. It uses the Transport Layer Security (TLS) protocol that's typically used for Internet transactions, as well as Secure Sockets Layer encryption. Microsoft's own Information Rights Management service is used to prevent information designated as sensitive from being "printed, forwarded or copied." It also includes Microsoft's BitLocker hard-drive encryption technology.

The service is rolling out in the context of massive U.S. National Security Agency electronic spying details leaked by whistle-blower Edward Snowden, including the notion that widely used cryptographic standards can be cracked by that agency. In addition, U.S.-based Microsoft is subject to U.S. laws that, in some cases, make information stored on Microsoft's servers in the United States subject to government disclosure without a public legal process or notification to the user of the service. Microsoft, hoping to expand its cloud operations abroad, apparently has reacted to that circumstance by promising European Union countries that their data can be stored outside the United States.

Microsoft has received bad publicity on the cloud privacy front from allegations, based on Snowden-leaked documents, that it was one of the first of many service provider companies to join the NSA's PRISM program. That program purportedly allows NSA agents to simply take information from Microsoft's servers, although Microsoft and other cloud service providers have repeatedly denied that capability. The FBI also reportedly approached a Microsoft engineer to create a backdoor to BitLocker.

It's also not clear what happens to messages encrypted with the Office 365 Message Encryption service when they get routed through Microsoft's server infrastructure. Brad Smith, Microsoft's general counsel and executive vice president of Legal and Corporate Affairs, has promised that traffic for Office 365, Windows Azure, Outlook.com and SkyDrive (now called "OneDrive") will get Perfect Forward Secrecy encryption by default by the end of this year.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
