How Microsoft 365 encryption helps safeguard data and maintain compliance
Published Jun 22 2021 09:00 AM

Meeting the demands of a hybrid workplace 


While the increase in work-from-anywhere capabilities has been crucial to enabling productivity, it can be met with concerns from Security Operations (SecOps) teams around data protection and governance. Employees need frictionless collaboration, both inside and outside the company, and need to be empowered to access internal resources from endpoints outside organization boundaries. With organizational data and files roaming across devices, apps, and services, IT admins and SecOps teams must ensure that data remains protected and meets the organization’s security and compliance requirements. An effective security and compliance strategy protects people, data, and endpoints across the organization without restricting end user productivity.


The importance of a robust data protection and governance strategy 


Data protection and governance is critical for organizations – it helps keep sensitive business information from being improperly shared while also ensuring external compliance obligations are met. To formulate a robust data protection and governance strategy, business stakeholders need to adequately assess both internal and external data requirements. For many organizations, this means involving IT, SecOps, legal, human resources, apps and tooling, and various other teams to ensure all stakeholders have shared any data handling requirements they operate under. It can be complex and challenging to work out how to create strong internal security standards and meet external compliance obligations without impacting end user productivity. In this blog, we'll discuss some helpful tips on how to take advantage of data protection and governance across Microsoft 365 to meet your business needs.


Encryption and how it works in Microsoft 365 


Encryption is a key component of protecting files and organizational information, but it’s important to understand the details of how encryption works. Encryption by itself doesn’t prevent content interception. Organizations need to have a larger data protection strategy to ensure only authorized parties can use the encrypted data. Encryption can, and more importantly should, co-exist in multiple layers operating at the same time - such as encrypting both the email message and the channel it flows through. Different layers of encryption can help achieve different business goals, such as safeguarding sensitive content or helping meet regulatory obligations. A robust business strategy uses multiple layers of encryption together, enabling the business to meet both internal and external data protection requirements.


Microsoft uses industry standard technologies such as Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) to encrypt all data in transit between users’ devices and Microsoft datacenters, and between Microsoft datacenters. Data in transit includes mail messages in the process of being delivered, files shared and in transit between users, and conversations in online meetings. Microsoft also helps keep data safe by encrypting it while at rest in Microsoft datacenters, starting with volume-level encryption enabled through BitLocker, while service encryption ensures that content at rest is encrypted at the application layer. To help organizations meet security and compliance obligations, data at rest in Microsoft datacenters is encrypted in a way that enables organizations to decrypt the content if needed. On top of our standard encryption in transit and at rest, Microsoft also provides additional encryption solutions and layers that customers can manage and control to ensure security and compliance requirements are met.


Meeting security and compliance requirements with Microsoft 365 


One of the top questions we hear from organizations is – what type of encryption does my organization need? The answer depends on many factors, such as the type of business information being handled, sensitivity of the data, industry or regional requirements, and even internal standards. While the answer may seem complex, Microsoft provides a portfolio of encryption and compliance solutions that help businesses meet their data protection and governance needs while being in full control. Let’s dive into how Microsoft supports customers with additional security and compliance needs. 


Microsoft 365 Customer Key – including Microsoft Teams! 


Customer Key is built on service encryption. It provides a layer of encryption at the application level for data at rest and allows the organization to provide and control the encryption keys used to encrypt customer data in Microsoft’s datacenters. Customer Key assists customers in meeting regulatory or compliance obligations for controlling root keys. After providing the keys, the organization can create a data encryption policy (DEP) and assign it to encrypt the following data for all tenant users:

  • Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations) 
  • Teams media messages (images, code snippets, video messages, audio messages, wiki images) 
  • Teams call and meeting recordings stored in Teams storage 
  • Teams chat notifications, Teams chat suggestions by Cortana, Teams status messages 
  • User and signal information for Exchange Online 
  • Exchange Online mailboxes that aren't already encrypted using mailbox-level DEPs 
  • Microsoft Information Protection exact data match (EDM) data – (data file schemas, rule packages, and the salts used to hash the sensitive data)

For customers currently using Customer Key for Exchange Online and SharePoint, data encryption policies add broader control and now include support for Microsoft Teams! You can create multiple DEPs per tenant, but only one DEP can be assigned at a time. When a DEP is assigned, encryption begins automatically, but will take some time to complete depending on the size of the tenant.




Customer Lockbox 


Customer Lockbox is a solution that provides an extra layer of control to customers by offering the ability to give explicit access authorization for service operations. This additional control can help customers meet certain compliance obligations, such as Health Insurance Portability and Accountability Act (HIPAA) and Federal Risk and Authorization Management Program (FedRAMP), and supports requests to access data in Exchange Online, SharePoint, and OneDrive. A foundational principle of Microsoft 365 is that the service operates without Microsoft access to customer content. However, a Microsoft engineer may need access to customer content when the customer makes a support request. While issues are usually fixed through extensive telemetry and debugging tools, some cases may require a Microsoft engineer to access customer content to determine the root cause and fix the issue. Customer Lockbox requires the engineer to request access from the customer as a final step in the approval workflow, giving organizations the option to approve or deny these requests and providing direct-access control to the customer. Customer Lockbox is included with Microsoft 365 E5 subscriptions and can be added to other plans.  


Communication Compliance 


Organizations need to be able to manage risk in communications to protect company assets and identify concerning content that may violate internal code of conduct standards. Communication Compliance is an insider risk solution in Microsoft 365 that helps minimize communication risks by helping detect, capture, and act on inappropriate messages within the organization. Communication Compliance helps organizations remain compliant with regulatory requirements and detect internal violations without disrupting the business. 

Communication Compliance policies can assist with detecting policy matches in several important compliance areas, such as corporate policies, risk management, and regulatory compliance. IT admins can take advantage of pre-defined policies or build custom policies to detect violations in both internal and external communications covering email, Microsoft Teams, Yammer, or even third-party communications. Since there may be a separation of duties between IT admins and the team that manages organizational compliance, Communication Compliance supports the separation between configuration of policies and the investigation of messages through rules-based access controls.


Microsoft recently announced some exciting new Communication Compliance capabilities, including a deeper integration with Microsoft Teams. In accordance with helping customers meet privacy and compliance obligations, strong safeguards and controls are built into the solution by default on all the new features highlighted in the article above. This includes items like pseudonymization, rules-based access control, admin explicit opt-in of users, and audit trails.


Selection of optical character recognition to extract printed or handwritten text from images


Compliance Manager 


Available in the Microsoft 365 Compliance Center for all Microsoft enterprise customers, Compliance Manager helps simplify compliance and reduce risks. Compliance Manager translates complex regulatory requirements to specific controls, and through compliance score, provides a quantifiable measure of compliance. It offers intuitive compliance management, a vast library of scalable assessments, and built-in automation. Customers can see step-by-step implementation guidance, recommended solutions to implement controls, and the controls with most impact – empowering them to act quickly to improve their organization’s compliance. Customers can select from 300+ out-of-box assessments for common industry, regional, and global standards and regulations, or create custom assessments to meet specific organizational needs. Compliance Manager is available for all Microsoft 365 customers – get started today!


Compliance Manager dashboard


Using content encryption for sensitive data protection 


As previously mentioned, encryption is a component of a larger data protection strategy that should include using multiple encryption layers working in parallel. Part of an effective data protection and governance strategy includes safeguarding sensitive business information by classifying and protecting content itself. Office 365 Message Encryption (OME) and sensitivity labels are a core part of Microsoft Information Protection, enabling organizations to protect organizational data without interrupting end user productivity. Sensitivity labels help protect content in Microsoft 365 apps across platforms and devices, third-party apps and services, and even common collaboration containers, like Teams and SharePoint. When a sensitivity label is assigned to content, it acts as a stamp enforcing the conditions of the label wherever the content goes. While a document or email can only have a single sensitivity label applied, it can have both a sensitivity label and a retention label applied to support compliance obligations. Sensitivity labels can be configured to apply watermarks to content, encrypt the content restricting access to specific groups, and protect content in site and group containers. As organizations continue to push the boundaries of external collaboration, another great capability sensitivity labels provide is the ability to restrict access for external members in Teams and SharePoint containers. For instance, the finance department may have a team for internal employees only that has a sensitivity label applied restricting guest access to the team.


Sensitivity labels and message encryption are important tools to help protect sensitive business data and are designed to not disrupt the way end users work. Now available in preview, documents encrypted with sensitivity labels fully support co-authoring across devices and platforms, making it easy to collaborate in encrypted documents in real time. For even greater proactive data protection and governance, organizations with a Microsoft 365 E5 subscription can take advantage of automatic labeling with sensitivity labels to automatically assign a label to content that matches specified conditions. 


Example of a Highly Confidential sensitivity label applied to an Excel file


Additional considerations for data protection and governance 


Microsoft’s encryption in transit and at rest is the service-layer protection needed for most organizations that don’t face key arrangement requirements. Organizations should develop and put in place a content encryption strategy leveraging Microsoft Information Protection to safeguard content. Some additional data protection and governance capabilities customers should consider in their strategy are:

  • Microsoft 365 Multi-Geo assists customers in meeting data residency requirements by enabling IT admins to provision and store data at rest in the geo location of their choice. 
  • Data loss prevention works across Microsoft 365 workloads to detect sensitive information using deep content analysis, helping organizations meet regulatory and compliance obligations. 
  • Conditional Access and multi-factor authentication (MFA) are access and authorization control capabilities to help keep corporate data secure while enabling end users to work on any device in any location.


Next Steps: 

  1. Assess security and compliance obligations with business stakeholders, including both internal and external requirements to form an organizational data protection and governance strategy. 
  2. Leverage Compliance Manager for insights and guidance on managing your organization’s compliance with regulations, policies, and standards. 
  3. Start protecting and governing data across Microsoft 365 with Message Encryption, sensitivity labels, and data loss prevention (DLP).
  4. Set up and enable advanced compliance features to help minimize insider risk, such as content retention, eDiscovery, auditing, and communication compliance.

Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected! 

Last update: Jun 24 2021 02:28 PM