Aug 14 2019 07:59 AM
I am aware that Microsoft Teams has data encryption at rest and in transit. But is there a way to use E2EE? If not is metadata at least encrypted?
Thanks
- Hayden
Nov 17 2019 04:04 AM
Nov 17 2019 09:25 AM
@Jleebiker All Teams data is encrypted "in transit and at rest" see https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview.
I'm not really sure what E2EE would mean in a Teams context, it's typically for consumer type apps where the data is only decrypted on the end client devices. Teams can't be this, the data resides in Office 365 and is subject to retention and ediscovery.
Nov 17 2019 09:41 AM
Nov 18 2019 01:30 AM
@Jleebiker The mobile client supports App Protection Policies from Intune, which would ensure that its content is encrypted and that users are authenticated on the endpoint device.
E2EE means something different. It means that the messages are encrypted on the sender's device and can only be decrypted on the recipient's device. All of the infrastructure in the middle is irrelevant, as it cannot decrypt the content at all. This is not how Teams works; while every stage of the journey is encrypted, the service in the middle can decrypt content if it needs to, for example to store data within the retention records or if you add a new person to the conversation. E2EE is only really relevant in apps which don't have any central services.
Nov 18 2019 01:35 AM
Nov 19 2019 03:22 AM
@Jleebiker More on App Protection Policies here -> https://docs.microsoft.com/en-us/intune/apps/app-protection-policy
Feb 12 2020 09:04 AM
Are there any plans for a service like EKM (Enterprise Key Management)? Enterprise-side keys allow businesses to be 100% assured of confidentiality and can enable direct control and data portability. Otherwise, customers may have to limit their usage of the platform.
Feb 13 2020 02:08 AM
Feb 13 2020 08:32 AM
Thanks, I wasn't aware that this level of encryption was available!
It says "Office 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Office 365 offers an added layer of encryption at the application level for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files. This added layer of encryption is called service encryption."
Also, although this is a robust system of end to end encryption, Microsoft retains an availability key, which means that Microsoft could access all customer data (https://docs.microsoft.com/en-us/microsoft-365/compliance/customer-key-availability-key-understand)
The lack of encryption of Teams messages as well as the existence of an availability key for all services would be a concern for a customer that wants 100% security.
It would be nice if Teams messages were also encrypted and if there were a tier of service that could provide that only the customer had the key to access (even though if the customer loses the key/password, they would be out of luck).
Sep 10 2020 09:00 AM
@StevenC365 Encryption in a Teams context would look like this:
- end users would have keys that could be used to decrypt data
- data would live encrypted in SharePoint
- users would decrypt at the time of reading/opening/viewing data
- content scanning, monitoring, indexing would be done on the endpoint, at the time of content creation/editing
- certain features may not be available for content encrypted this way
I think the lack of sound custody is probably the #1 reason organizations choose not to use cloud services in general, Teams included. E2E encryption would go a long way toward alleviating that.
Sep 10 2020 02:20 PM
@cto-erik for your theoretical search index to work every client would need to download every message in every channel. Also not really sure how any web UI would work.
Feb 19 2021 04:21 AM
@StevenC365 Webex Teams and Symphony both have end-to-end encryption, and neither is a consumer-type app. Also, for banking clients like us, E2EE is more and more important. We moved our 100K users from SfB to Webex Teams, and we also use Symphony.
I don't see why MS Teams cannot offer E2EE encryption; I am pretty sure even Zoom meetings and chat, along with Webex meetings, offer E2EE now.
Feb 21 2021 12:22 PM
In banking you'll almost certainly have a requirement to retain messages for your regulators, for example in the US FINRA Rule 4511. If you had 'end-to-end' encryption of your messages only the sender and recipient could decrypt the messages, so you couldn't retain this data.
Meeting media could be E2E encrypted as long as there was no need to create a recording. If you look at Zoom, as soon as you use their preview of E2E all recording is disabled, along with a whole pile of other features.
If you take a look at Teams, which is used by a number of Global Banks, it offers full encryption in transit and at rest, has a robust Customer Lockbox capability and now has a preview to allow organisations to BYOK.
Feb 21 2021 03:18 PM - edited Feb 21 2021 03:26 PM
You can still retain the data even if it is end-to-end encrypted; we are doing this today. You just need appropriate privilege to allow that integration between your archival platform and the application.
@StevenC365 thanks for the insights on other banks using Teams. I am curious if you can help me clarify a few things, as I am trying to learn more about Teams security.
1) For data at rest, do Microsoft engineers have access to the encryption keys?
2) Does Microsoft store the data in a shared database instance with a common key?
3) How often does key rotation happen?
Feb 21 2021 05:45 PM - edited Feb 21 2021 05:46 PM
@Deepak_Mehta @StevenC365 Hi, Customer Key encryption at the tenant level, which covers Teams chats and channel conversations, is in public preview and due to be launched soon according to roadmap feature ID 68732.
Here are the details of the public preview: Customer Key for Microsoft 365 at the tenant level (public preview) - Microsoft 365 Compliance | Mic...
Feb 22 2021 01:49 PM
@Deepak_Mehta wrote:
You can still retain the data even if it is end-to-end encrypted; we are doing this today. You just need appropriate privilege to allow that integration between your archival platform and the application.
If you are choosing to define your archival system as an endpoint, then you are taking a fairly non-standard definition of E2EE.
1) For data at rest, do Microsoft engineers have access to the encryption keys?
Microsoft engineers do not have standing access to any customer data; they have to use a process called Lockbox to request access. This would normally be approved by a suitably separated manager, but if you license the Customer Lockbox feature then you are part of that approval process as well.
2) Does Microsoft store the data in a shared database instance with a common key?
I've no idea; the internal architecture of how the service works is not part of how the service is described. This is a global service serving 115M daily active Teams users across the biggest companies in the world. There is not an 'instance' for each company, just like there is not an instance of Exchange or SharePoint per client.
3) How often does key rotation happen?
No idea; again, this is an operational process.
Microsoft make all the assessments and penetration test reports for Office 365 available to customers at https://servicetrust.microsoft.com/, read up on what you need. If you aren't a customer yet ask a Microsoft account team who will ensure the appropriate NDA is in place.
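The distinction the thread keeps circling back to (the service holding the key and being able to decrypt for retention, versus E2EE where only the sender's and recipients' devices can decrypt and an archive can read a message only if a client deliberately wraps the key to it) is easy to see in code. The following is an added example written for this page, not Microsoft's or any vendor's implementation. It models both designs with a toy dependency-free cipher (a SHA-256 counter-mode keystream plus an HMAC tag, standing in for a real AEAD such as AES-GCM); the key-wrapping to named recipients is likewise a simplification of how real E2EE messengers distribute a per-message key. The party names, keys and messages are constructed for the demo.

```python
"""Toy model of 'service encryption' versus end-to-end encryption (E2EE).

Service encryption: the service owns the key, so data is encrypted at rest
but the service can still decrypt it for retention or eDiscovery.
E2EE: clients own the keys; the service stores ciphertext it cannot read, and
anyone who should read a message (an archive included) must be wrapped in as a
recipient by the sending client.

The cipher below is a deliberately simple construction chosen only to keep the
example dependency-free; it stands in for a real AEAD and is not for production.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key and nonce (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ServiceEncryptedStore:
    """Service-side encryption: the service generates and keeps the key."""

    def __init__(self) -> None:
        self._service_key = os.urandom(32)  # never leaves the service
        self.stored: list[bytes] = []

    def post(self, plaintext: bytes) -> None:
        # The client sent plaintext over TLS; the service encrypts it at rest.
        self.stored.append(encrypt(self._service_key, plaintext))

    def retention_export(self) -> list[bytes]:
        # The service can decrypt everything, so retention/eDiscovery just works.
        return [decrypt(self._service_key, c) for c in self.stored]


def e2ee_send(plaintext: bytes, recipient_keys: dict[str, bytes]) -> dict:
    """Client side of E2EE: fresh message key, wrapped to each recipient's key."""
    msg_key = os.urandom(32)
    return {
        "ciphertext": encrypt(msg_key, plaintext),
        # Recipient names stay visible to the service: metadata is NOT hidden here.
        "wrapped_keys": {name: encrypt(k, msg_key) for name, k in recipient_keys.items()},
    }


def e2ee_read(envelope: dict, name: str, key: bytes) -> bytes:
    """Recipient side: unwrap the message key, then decrypt the content."""
    if name not in envelope["wrapped_keys"]:
        raise PermissionError(f"{name} was not a recipient of this message")
    msg_key = decrypt(key, envelope["wrapped_keys"][name])
    return decrypt(msg_key, envelope["ciphertext"])


def e2ee_service_export(stored: list[dict]) -> list[bytes]:
    """All an E2EE service can hand to an archive: opaque ciphertext, no key."""
    return [env["ciphertext"] for env in stored]


def demo() -> dict[str, bool]:
    """Run both models with constructed keys/messages; report who can read what."""
    alice, bob, archive = (os.urandom(32) for _ in range(3))  # long-term keys
    msg = b"quarterly numbers attached"
    results: dict[str, bool] = {}

    svc = ServiceEncryptedStore()
    svc.post(msg)
    results["service_can_export_plaintext"] = svc.retention_export() == [msg]

    store: list[dict] = [e2ee_send(msg, {"alice": alice, "bob": bob})]
    results["recipient_can_read"] = e2ee_read(store[0], "bob", bob) == msg
    results["service_export_is_ciphertext"] = e2ee_service_export(store)[0] != msg
    try:
        e2ee_read(store[0], "archive", archive)
        results["archive_reads_unwrapped_msg"] = True
    except PermissionError:
        results["archive_reads_unwrapped_msg"] = False

    # 'Archive as an endpoint': works only because the sender wrapped the key to it.
    store.append(e2ee_send(b"trade confirmed", {"alice": alice, "bob": bob, "archive": archive}))
    results["archive_reads_wrapped_msg"] = e2ee_read(store[1], "archive", archive) == b"trade confirmed"
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two things the run makes concrete: under E2EE the service's "retention export" is nothing but ciphertext, so compliance archiving has to be designed in at the client (the archive becomes one more recipient, which is the non-standard reading of E2EE mentioned above), and even then the envelope still exposes who was messaging whom, which answers the original question about metadata.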