5. …the FBI recovered a blue 16GB SanDisk SD card… …the SD card was wrapped in plastic and placed between two slices of bread on half of a peanut butter sandwich….
Picture and information courtesy of: How a Navy veteran allegedly stole classified submarine docs (taskandpurpose.com)
7. Encryption for Microsoft 365
• Data at rest
• Data in transit
• Specific functions:
  • Microsoft Information Protection
  • Information Rights Management
  • Office 365 Message Encryption
8. Licensing considerations
• Office/Microsoft 365 E3
• Microsoft 365 E5 Compliance
• E5 eDiscovery & Audit:
  • Advanced eDiscovery
• E5 Information Protection & Governance:
  • Customer Key
  • Double Key Encryption
  • Advanced Message Encryption
Notes
• Auto-classification is included in E5 Information Protection & Governance
9. Microsoft 365 Data at rest
• BitLocker (many levels)
• Per-file encryption (every file and file update uses a unique encryption key)
• Data encryption policies (DEP)
  • SharePoint Online and OneDrive for Business
  • Exchange Online
  • All other Microsoft 365 services and Microsoft Information Protection
10. Microsoft 365 Data in transit
• (Mutual) Transport Layer Security (MTLS/TLS)
• Secure Real-Time Transport Protocol (SRTP)
• Exchange IRM – S/MIME – OME
11. Encryption keys for Microsoft 365
• Microsoft managed
• Customer Key / Bring Your Own Key (BYOK)
• Double Key (Microsoft Information Protection)
12. Customer Key for Microsoft 365
• Organization provides and controls encryption keys
• Does not prevent access to data by Microsoft personnel
• Can be set for different DEPs
• Uses Azure Key Vault and Hardware Security Modules (HSM) – requires at least 1024 bits for MIP.
13. Double Key for Microsoft Information Protection
• For specific compliance reasons
• Can be set on the label
• Complex to implement and maintain
• Content is encrypted using the tenant key and your own key
Notes
• Only works for Office apps and the labeling client
• Restricts transport | Microsoft Delve | eDiscovery | Content search/indexing | Office Web Apps & co-authoring
15. Information Rights Management (IRM)
• Only works for Office and PDF documents
• Works for documents in libraries and lists
• Requires AD RMS
• Somewhat limited (introduced in SP2010!)
• Use sensitivity labels instead
Notes
• Does not allow for co-authoring in the Office apps
• Does not support Office Online
• https://<SPADMIN>.sharepoint.com/_layouts/15/online/TenantSettings.aspx
18. Documents and e-mails
• Label applied to document/e-mail
• Label added as metadata, stays with document
• Can be configured to:
- Apply visual markings
- Encrypt the document
- Allow offline access
- Work within DLP policies
• Works with a hierarchy, parents and sublabels
• Does not provide retention!
19. Encryption and labels
• Uses Azure Rights Management and Azure AD accounts
• RMS Connector for Exchange on-premises
Microsoft Managed (Azure) key details
• Symmetric AES 128/256 bit
• Key protection: Asymmetric RSA 2048 bit
• Certificate signing: SHA-256
Notes
• Licensing requirements
• Limitations (Double Key: only Office apps)
• Azure AD accounts and B2B (OTP/guest account)
• Co-authoring and auto-save for Office
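The key details above describe a key hierarchy: each document gets its own symmetric AES content key, that content key is wrapped with the tenant's RSA 2048 key, and the resulting publishing license is signed with SHA-256. The script below is an added illustration of that hierarchy and is not code from the slides or from Microsoft; it uses only .NET cryptography classes and assumes PowerShell 7 (.NET 6 or later). The document text and "policy" string are constructed sample values. The point it makes is why Customer Key/BYOK gives you control: whoever holds the RSA key decides whether any content key, and therefore any document, can be unwrapped.

```powershell
# Added example (not from the slides): models the AES-256 / RSA-2048 / SHA-256 key hierarchy.
# Assumes PowerShell 7 (.NET 6+). All data values are constructed for illustration.
using namespace System.Security.Cryptography
using namespace System.Text

function Invoke-KeyHierarchyDemo {
    # 1. Tenant key: RSA 2048. Microsoft managed by default, yours with Customer Key/BYOK.
    $tenantKey = [RSA]::Create(2048)

    # 2. Content key: a fresh symmetric AES-256 key and IV for this one document.
    $aes = [Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()

    $plain  = [Encoding]::UTF8.GetBytes("Constructed sample document body")   # constructed
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # 3. Key protection: wrap the content key with the tenant key (RSA-OAEP, SHA-256).
    $wrappedKey = $tenantKey.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)

    # 4. Publishing license = wrapped key + IV + usage policy, signed with SHA-256.
    $license   = $wrappedKey + $aes.IV + [Encoding]::UTF8.GetBytes("policy: ViewOnly")  # constructed policy
    $signature = $tenantKey.SignData($license, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

    # Consumer side: verify the license, unwrap the content key, decrypt the document.
    $valid = $tenantKey.VerifyData($license, $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if (-not $valid) { throw "License signature check failed" }

    $contentKey = $tenantKey.Decrypt($wrappedKey, [RSAEncryptionPadding]::OaepSHA256)
    $reader = [Aes]::Create()
    $reader.Key = $contentKey
    $reader.IV  = $aes.IV
    $decrypted  = $reader.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)

    [pscustomobject]@{
        LicenseValid    = $valid
        WrappedKeyBytes = $wrappedKey.Length    # 256 bytes: the RSA 2048 modulus size
        ContentKeyBits  = $contentKey.Length * 8
        RecoveredText   = [Encoding]::UTF8.GetString($decrypted)
    }
}

Invoke-KeyHierarchyDemo
```

Without `$tenantKey`, the consumer step cannot run: the ciphertext and the wrapped key are useless on their own. That is the property Customer Key relies on, and it is also why the slide notes that Customer Key does not by itself block Microsoft personnel, since the service still performs the unwrap on your behalf.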
21. File types are important
• Some types only support labeling (no encryption)
• Office and PDF files: native clients
• Office and PDF files: Microsoft Edge
• Other supported files: AIP Viewer client
• Watch out for the file extension
22. Accounts are important
• Azure AD account is required
• Can also be a guest account | Microsoft Live account | free RMS account
• One Time Passcode will not work
Notes
• Note the Azure AD B2B settings
• Note the All authenticated label setting
Set-SPOTenant -EnableAzureADB2BIntegration
23. Co-authoring and auto-save
• Not possible in Office apps when encryption is enabled
• Can be enabled using GUI or PowerShell
• Changes labeling metadata
24. Beware of the integrated client…
It does not support:
• Label inheritance from e-mail
• On-premises scanner
• Custom permissions independently from label
• Bar in Office
• File explorer integration
• PPDF support
• PowerShell labeling cmdlets
Client V2.x (Unified Labeling client) vs. integrated client (built into Office apps)
• BYOK/Double Key encryption
• Usage logging event viewer
• Do not forward button Outlook
• Document tracking/revoking
• Protection only mode
27. Secure e-mail
• Exchange IRM or S/MIME (not for today)
• Sensitivity labels
• Encryption options Outlook - Do-not-forward and Encrypt only (Options | Encrypt) or as part of a label
Notes
• Known as Office 365 Message Encryption
• Mind working with attachments
• Encrypt only using a label is only available in the integrated client
28. Office 365 Message Encryption (OME)
• Works with any email client
• Does not require a specific account for the recipient (or does it?)
• Works with native Office functions and a secure portal
• Standard options: Do-not-forward and Encrypt only
Notes
• Does not offer any MFA-related options (SMS for example)
• No easy “revoke” option
• Take encryption of attachments into account!
29. Advanced Office 365 Message Encryption
• Licensing: Microsoft/Office 365 E5 | Microsoft 365 E5 Compliance | Microsoft 365 E5 Information Protection and Governance
• Use mail rules based on sensitive information types/keywords
• Message revocation and expiration
Notes
• For revocation and expiration to work, you must restrict (force!) recipients to work with the secure portal.
30. Encapsulated email message
• A protected e-mail becomes a .rpmsg file
• Outlook Apps (Windows, Mac, iOS/Android and web) open natively
• Other (web) clients are redirected to the secure portal
• File itself is always presented
Notes
• You cannot use the AIP Viewer to open these files
• There’s a 25 MB limit per message
31. Office 365 Message Encryption - Working with attachments
• Unprotected MS Office documents
• Protection is applied to the document
• Permissions differ between Do-not-forward and Encrypt only (first is more restrictive)
• Mind the Azure AD (guest) account!
• Alternative: decrypt on download (PowerShell)
39. What about an e-mail with a label?
• Email message and attachments are protected
• Based on settings for the label
• If recipient is not part of the protection – email will not be opened
• Emails can inherit the label of the attachment, when higher
42. Advanced configurations PowerShell
Set-LabelPolicy -Identity "policyname" -AdvancedSettings @{EnableCustomPermissions="False"}
Disable the custom permissions option in the Windows File Explorer
Set-LabelPolicy -Identity "policyname" -AdvancedSettings @{OutlookWarnUntrustedCollaborationLabel="Labelid"}
Warn, justify or block labeled messages or messages with specific labeled attachments using a default message
Set-LabelPolicy -Identity "policyname" -AdvancedSettings @{OutlookJustifyTrustedDomains="contoso.com,fabrikam.com,litware.com"}
Disregard the warn, justify or block action for specific (trusted) domains
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
Remove the encryption from email attachments when downloaded using the browser
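The four commands on this slide are usually applied together and then checked. The script below is an added example, not code from the slides or from Microsoft, showing them as one change-and-verify run. It assumes the ExchangeOnlineManagement module is installed and that the account has the Security & Compliance and Exchange Online roles needed; the policy name and label id are placeholders, and the trusted domains are the slide's sample values.

```powershell
# Added example (not from the slides). Placeholders: <label-policy-name>, <label-guid>.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession        # Security & Compliance PowerShell: Set-LabelPolicy / Get-LabelPolicy
Connect-ExchangeOnline     # Exchange Online PowerShell: Set-IRMConfiguration

$PolicyName     = "<label-policy-name>"      # placeholder
$WarnLabelId    = "<label-guid>"             # placeholder: label that triggers the warning
$TrustedDomains = @("contoso.com", "fabrikam.com", "litware.com")   # sample values from the slide

# All three label policy settings in one call. The trusted domain setting expects a
# single comma-separated string, so build it from the array rather than typing it by hand.
Set-LabelPolicy -Identity $PolicyName -AdvancedSettings @{
    EnableCustomPermissions                = "False"
    OutlookWarnUntrustedCollaborationLabel = $WarnLabelId
    OutlookJustifyTrustedDomains           = ($TrustedDomains -join ",")
}

# Read the policy back and show only the advanced settings just changed.
(Get-LabelPolicy -Identity $PolicyName).Settings |
    Where-Object { $_ -match 'enablecustompermissions|outlookwarnuntrustedcollaborationlabel|outlookjustifytrusteddomains' }

# Tenant-wide Exchange setting: attachments of Encrypt-only mail lose their protection
# when downloaded through the browser (portal). Confirm the value afterwards.
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
Get-IRMConfiguration | Select-Object DecryptAttachmentForEncryptOnly
```

The last setting is the one to weigh most carefully: it trades recipient convenience for a copy of the attachment that is no longer encrypted once it leaves the portal, which is exactly the attachment caveat raised on the earlier OME slides.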
43. Keep in mind
• Sharing an encrypted file | working with guests
• Label/encrypt using DLP rules
• Decrypt file in SPO: Unlock-SensitivityLabelEncryptedFile
• Metadata change: MSIP_ properties cannot be used anymore
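Unlock-SensitivityLabelEncryptedFile removes the encryption from a labeled file stored in SharePoint Online and records the justification you give. The script below is an added example, not code from the slides or from Microsoft, of running it over a short list of files with a recorded reason and a per-file result, which is how you would want it for a migration. It assumes the SharePoint Online Management Shell module and a SharePoint admin account; the tenant name, file URLs and ticket reference are placeholders.

```powershell
# Added example (not from the slides). Placeholders: <tenant>, <ticket-id>, file URLs.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$FilesToUnlock = @(   # constructed placeholder URLs
    "https://<tenant>.sharepoint.com/sites/Finance/Shared Documents/report.docx",
    "https://<tenant>.sharepoint.com/sites/Finance/Shared Documents/plan.xlsx"
)
$Justification = "Migration of Finance site, change ticket <ticket-id>"   # placeholder

# Unlock each file and keep a per-file outcome instead of stopping at the first failure,
# so the run can be reviewed and the failed ones retried.
$results = foreach ($url in $FilesToUnlock) {
    try {
        Unlock-SensitivityLabelEncryptedFile -FileUrl $url -JustificationText $Justification
        [pscustomobject]@{ File = $url; Status = "Unlocked" }
    }
    catch {
        [pscustomobject]@{ File = $url; Status = "Failed: $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize
```

Unlocking changes the file, not the label policy: the content is readable again by anyone with SharePoint permissions on it, so treat the justification text and the result list as the record of why that happened.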
44. Keep in mind
• eDiscovery and encryption
  • Advanced eDiscovery supports all
  • Content search and core eDiscovery only support previewing and exporting encrypted attachments
• Super User role
• Encrypted PDFs (Adobe Acrobat | Microsoft Edge) & digitally signed PDFs
45. Keep in mind
• Migrating content can be difficult
• Keep in mind your encrypted content