In-Depth

For Microsoft Partners, What Are the Paths to Encryption?

Demand has never been higher for ways to protect data from prying eyes. Solutions abound for partners looking to encrypt their customers' data in Microsoft environments.

When privacy and data security are in the news, encryption solutions seem like an obvious sale.

And for the past two years-plus, barely a month has gone by without major news on the privacy front involving government snooping on the one hand or significant data breaches (see "Top Security Hacks, Breaches and Cyber Scams of 2015") on the other.

As of this writing, the most recent example of a major data privacy issue involved the collapse of the European Union-United States Safe Harbor legal agreement.

"If we're going to ensure that data more broadly can move across the Atlantic on a sustainable basis, we need to put in place a new type of trans-Atlantic agreement," Microsoft President and Chief Legal Officer Brad Smith wrote in a late-October blog post arguing for a quick resolution to the crisis. "This agreement needs to protect people's privacy rights pursuant to their own laws, while ensuring that law enforcement can keep the public safe through new international processes to obtain prompt and appropriate access to personal information pursuant to proper legal standards."

Smith's recent elevation to the role of a president at Microsoft itself reflects Microsoft's tight focus on privacy and data security. Microsoft took a major credibility hit with the release of the Edward Snowden trove of documents starting in mid-2013 and has been fighting to regain its reputation, especially internationally, ever since.

Those issues of trust have extra significance in Microsoft's strategic quest to be one of the handful of megavendors hosting the world's data in the cloud.

In addition to the promotion, Smith for the first time spoke to partners about privacy issues earlier in the year at the Microsoft Worldwide Partner Conference, and the company has been making high-profile moves to push back against government access attempts and to integrate encryption technology throughout its on-premises and cloud technology stacks.

So does that mean the encryption business is booming for Microsoft partners? Not so fast. The market is growing, but encryption opens up complicated questions and is therefore a complicated sale.

"Despite its long history and deep value, adoption inside datacenters and applications has been relatively -- even surprisingly -- low," noted Rich Mogull and Adrian Lane of analyst firm Securosis LLC in a white paper (PDF) published earlier this year, "Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers and Applications."

"Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is 'compliance, cloud and covert affairs.' Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments)," Mogull and Lane argued. "Thanks to increasing demand we have a growing range of options, as vendors and even free and Open Source tools address this opportunity. We have never had more choice, but with choice comes complexity -- and outside your friendly local sales representative, guidance can be hard to come by."

Partners in certain verticals have mature businesses around encryption already. Industries with compliance requirements or that involve bank accounts or credit-card data -- health care, finance, retail -- have a head start on encryption, although the growing list of high-profile data breaches is evidence that there's much more work to be done.

For partners who are generalists, or who do business in other verticals, taking advantage of the encryption opportunity can be daunting.

There are a few technologies from Microsoft that allow partners to quickly get into an encryption conversation. They present opportunities for partners to differentiate themselves for customers who have concerns about data security and privacy. For those customers who aren't thinking about security and privacy, the technologies are another opportunity for partners to show themselves to be the kind of trusted advisors who help customers navigate technological dangers they might not recognize on their own.

BitLocker Drive Encryption
BitLocker is Microsoft's technology for full-disk encryption of all the data stored on a Windows OS volume. The traditional usage example for BitLocker is an employee with a laptop who travels or works remotely. If the laptop is lost or stolen, and the user isn't logged in, all the company data on the system is encrypted and inaccessible to anyone who finds it.

As a technology that's been around since Windows Vista, it seems that the BitLocker opportunity would be played out. But BitLocker use is less common than you might think. OPSWAT Inc., an endpoint security-focused company based in San Francisco, released a report in late-2013 based on results returned from real-world usage of its security tools that found that fewer than 3 percent of laptops and fewer than 1 percent of desktops with encryption software installed had a drive encrypted.

The percentage of encrypted drives should have increased a bit post-Windows 8.1, when Microsoft began offering device encryption by default with either domain accounts or Windows accounts.

For most business users of Windows clients, BitLocker is just a matter of turning on a feature that's already present. The Home edition of Windows 10 doesn't include BitLocker, but the Pro and Enterprise editions do. Higher-end editions of older versions of Windows back to Vista have the feature available, as well.

There's plenty of room for partner consultation with customers on the many approaches to disk encryption. Figuring out whether to use BitLocker, the baseline device encryption in newer versions of Windows, or a third-party encryption product will involve discussions about a company's threat model.
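A quick way to ground that conversation is to see what the customer's machines actually look like today, since BitLocker and the newer device encryption both show up through the same cmdlets. The audit script below is an added example, not from the article or from Microsoft; it assumes a Windows 10 Pro or Enterprise machine, an elevated prompt, and the built-in BitLocker and TrustedPlatformModule PowerShell modules.

```powershell
#Requires -RunAsAdministrator
# Added example: report the protection state of every OS and data volume on this machine.
# Assumes the BitLocker module (Pro/Enterprise editions; absent on Home) and Get-Tpm are available.
Import-Module BitLocker

function Get-VolumeEncryptionReport {
    # One object per OS/data volume: encryption state, cipher and which key protectors exist.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            $protectors = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            [pscustomobject]@{
                Volume              = $_.MountPoint
                VolumeType          = $_.VolumeType
                ProtectionStatus    = $_.ProtectionStatus      # On / Off
                VolumeStatus        = $_.VolumeStatus          # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
                EncryptionMethod    = $_.EncryptionMethod      # e.g. Aes128, Aes256, XtsAes128 (Windows 10 1511+)
                PercentEncrypted    = $_.EncryptionPercentage
                Protectors          = ($protectors -join ',')  # Tpm, TpmPin, RecoveryPassword, Password ...
                HasRecoveryPassword = ($protectors -contains 'RecoveryPassword')
            }
        }
}

$tpm    = Get-Tpm
$report = Get-VolumeEncryptionReport
$report | Format-Table -AutoSize

# The two findings that matter in the partner conversation: a volume that could be encrypted but
# is not, and an encrypted volume whose recovery password nobody has escrowed (a lost key is lost data).
foreach ($v in $report) {
    if ($v.ProtectionStatus -eq 'Off') {
        Write-Warning ("{0} ({1}) is not protected. TPM present: {2}, TPM ready: {3}" -f `
            $v.Volume, $v.VolumeType, $tpm.TpmPresent, $tpm.TpmReady)
    }
    elseif (-not $v.HasRecoveryPassword) {
        Write-Warning ("{0} is encrypted but has no recovery password protector; " +
            "add one and escrow it (Active Directory or Azure AD) before rollout.") -f $v.Volume
    }
}
```

Run it on a sample of a customer's laptops and the OPSWAT-style gap between "encryption software installed" and "drive actually encrypted" becomes concrete for that customer.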

That conversation leads into questions about what the customer would worry about if a laptop were lost. The answers might range from no worries at all to frank discussions about the shady history of a competitor to a realization that the company has personally identifiable information on customers or employees on some laptops.

The discussion on encryption and laptops can open the door to more detailed conversations about the company's security posture overall.

Office 365 Message Encryption
Another piece of low-hanging encrypted fruit is Office 365 Message Encryption. Microsoft's Office 365 suites are a staple of conversations between partners and customers. Office 365 Message Encryption is another twist on that conversation, or it can arise out of a discussion of a customer's threat model.

Newer than BitLocker, Office 365 Message Encryption is a means for Office 365 users to exchange encrypted messages with any e-mail address. Announced in November 2013, it became generally available in February 2014.

At a high level, the technology allows Office 365 users to send encrypted messages via e-mail to recipients with Yahoo, Google or any other e-mail address. The message arrives with an HTML attachment. When the recipient opens the attachment, it prompts them to sign in with a Microsoft account and view the message.

Later, Microsoft enhanced the feature set with support for one-time passcodes. In that instance, encrypted message recipients who don't have, or don't want to use, a Microsoft account can request another e-mail with a passcode to access the encrypted message.

Some of Microsoft's suggested use cases include a bank employee sending credit-card statements to customers, an insurance company representative providing policy details to customers, a mortgage broker requesting financial information from a customer for a loan application, a health-care provider sending health-care information to patients, or an attorney sending confidential information to a customer or another attorney.

In the first eight months of availability, Microsoft logged more than a million encrypted messages sent using Office 365 Message Encryption. It's a testament to Microsoft's scale to generate that kind of volume on a relatively little-known feature, but there's obviously a lot of untapped usage potential.

The main requirement to use Office 365 Message Encryption other than an Office 365 subscription is a subscription to a Microsoft Azure Rights Management (Azure RMS) plan. For some customers, that will be a $2 per user per month upsell. However, certain Office 365 plans, such as E3, already include Azure RMS, making it an example of a technology that a partner can light up for a customer without an additional ongoing expense.

Other partner opportunities surround customization of the service. It's possible to customize parts of the encryption portal, such as the default text at the top of encrypted e-mail messages, disclaimer text and corporate logos. Additionally, the system can be customized with mail flow rules that set the conditions under which a message is automatically encrypted or decrypted.
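What that customization looks like in practice, as an added example (not from the article or Microsoft's documentation): the branding and rule settings above configured from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module, a tenant whose Office 365 plan includes Azure RMS, and the default "OME Configuration" object; the rule names, keyword and branding strings are constructed placeholders.

```powershell
# Added example: configure Office 365 Message Encryption branding and automatic encrypt/decrypt rules.
# Assumes ExchangeOnlineManagement is installed and the account has Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # interactive sign-in (placeholder UPN)

# 1. Branding: text at the top of the encrypted mail, on the viewing portal, and the disclaimer.
#    OTPEnabled allows the one-time-passcode path for recipients without a Microsoft account.
Set-OMEConfiguration -Identity "OME Configuration" `
    -EmailText "Contoso Financial has sent you an encrypted message. Open the attachment to read it." `
    -PortalText "Contoso Financial secure message portal" `
    -DisclaimerText "This message is confidential and intended only for the named recipient." `
    -OTPEnabled $true

# 2. Automatic encryption for mail leaving the organization: either it carries a card number
#    (built-in sensitive information type) or the sender tagged the subject with [encrypt].
New-TransportRule -Name "OME: encrypt outbound mail with card numbers" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; MinCount = "1"}) `
    -ApplyOME $true `
    -Comments "Constructed example rule; review against the customer's threat model before enabling."

New-TransportRule -Name "OME: user-requested encryption" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[encrypt]" `
    -ApplyOME $true

# 3. Decrypt encrypted replies on the way in, so they are readable in the mailbox and visible to
#    the organization's own mail hygiene and DLP scanning.
New-TransportRule -Name "OME: decrypt inbound replies" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -RemoveOME $true

# 4. Verify what is in force. Rules are evaluated in Priority order; check that none of them
#    unexpectedly shadows another.
Get-TransportRule |
    Where-Object { $_.ApplyOME -or $_.RemoveOME } |
    Format-Table Name, Priority, State, ApplyOME, RemoveOME -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```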

As with full-disk encryption, a customer's threat model will determine whether the e-mail encryption is worth setting up in the first place, and whether it ultimately meets that customer's needs. For example, viewing of the encrypted messages occurs on a Microsoft Office 365 server. Microsoft notes that messages are stored on the recipient's e-mail system and are only temporarily posted, but not stored, on the Office 365 servers. Nonetheless, those whose threat model includes concerns that Microsoft servers are vulnerable to compromise or to so-called "blind subpoenas" from governments might want to consider third-party technologies for their encrypted messages.

Going Deeper
BitLocker and Office 365 Message Encryption merely scratch the surface of the Microsoft encryption technologies, let alone Microsoft ecosystem encryption options. Partners interested in going deeper will find opportunities in many places, such as the Azure Key Vault technology that entered general availability over the summer. Beyond Microsoft's own technologies, there are dozens of ways to protect elements of the Microsoft stack with hundreds of different products and scores of major technological approaches.

Encryption will only become more prevalent in the years ahead. Dedicating resources to understanding the technology now should unveil more business opportunities for Microsoft partners in the future.
