Microsoft Encryption: Helping Financial Services Stay in Control of Their Data and Compliance

The financial services industry is subject to some of the most stringent and complex regulations, stemming from lessons learned from financial failures over the past 10 years. The industry is regulated for anti-money laundering, fraud protection, customer data protection, and much more with regulations such as MiFID, SEPA, ISAE3402, and industry standards like PCI-DSS. Compounded by the realization among industry leaders that cyberthreats will continue to plague their organizations and that future data breaches are inevitable, encryption has become an important focus in financial services institution’s goal of safeguarding sensitive data.

It is no surprise that heavily regulated industries report the highest use of encryption technologies. But research suggests[1] that the extensive usage of encryption is starting to slow among financial services: just 57% of organizations reported use in 2017, compared to 56% the year before.

Now is not the time to slow down encryption adoption efforts in the financial services industry. Sensitive client data, as well as a financial team’s own proprietary market or competitive research, are perpetually under attack from cybercriminals. As this amount of data grows – so too does the importance of including encryption as a part of a broader data protection strategy.

The encryption technologies offered or supported in Office 365 can help reduce a variety of risks, and help customers meet regulatory requirements for financial services organizations. And while encryption is a useful technology to help customers meet their compliance and data protection needs, not all data should be treated equally; creating a data governance strategy can identify what data pieces will be sufficiently protected with baseline encryption capabilities and what data requires additional protection mechanisms. Some of the capabilities delivered in Microsoft 365 are Transport Layer Security (TLS), BitLocker, Office 365 Customer Key, Office 365 Message Encryption, Bring Your Own Key in Azure Information Protection (BYOK in AIP), and S/MIME. For customers that need specific key arrangements with their cloud service provider, we provide several key management options:

• Microsoft Managed Keys. The service manages the encryption keys and takes the burden of provisioning and managing the keys on behalf of the customer, do not require encryption expertise, and is provided with no additional subscriptions.
• Customer Managed Keys in Azure Key Vault. Office 365 provides customers with the option to provide and control their encryption keys for their Office 365 data at-rest with Customer Key. Customers have the control to revoke their asymmetric private keys to make the data unreadable to the service.
• Bring Your Own Key in Azure Information Protection. For data in-transit, customers may provide and control their own encryption keys for their Office 365 data at the content level. In addition to BYOK, Microsoft helps ensure the confidentiality and integrity of data as it travels over the network with TLS which can help reduce the risk of data compromise due to snooping or man-in-the-middle attacks if data is intercepted.

• Customer Managed Keys On-Premises. In the event customers have compliance obligations that require them to have physical access and possession of their keys so that the data is inaccessible to a cloud service, Microsoft 365 supports Hold Your Own Key (HYOK) with Azure Information Protection. However, supporting these stricter compliance requirements can result in this data being opaque to the cloud – Data Loss Prevention will not be able to look at this data, and other Office 365 security and compliance features will not be applied to any data that is protected in this manner.

To get a better understanding of encryption, and how you can use it to protect your growing data, read this whitepaper “Introduction to Encryption in Office 365”.

- Susan Kim (@iam_susankim)

[1]Ponemon Institute, 2017