SOLVED

Encryption confusion

Brass Contributor

I do light Office 365 admin for a number of clients, always under Office 365 Business Premium subscriptions. I'm confused about encryption: whether it exists or not, and where it does and doesn't.

I read the following link, and as is often the case, there's plenty about the technology, but nothing about where it is implemented, namely, which subscription level you need to get it. 

https://docs.microsoft.com/en-us/microsoft-365/compliance/email-encryption

 

So, bottom line: if a small business under Office 365 Business Premium asks the question "Is our email encrypted?", I find myself unable to be 100% certain. I do know it is encrypted in transit between email servers, and presumably it is encrypted from the sender to the Office 365 servers, because Outlook has that Security tab under Account Settings with a (greyed out) checkmark saying "Encrypt data between Microsoft Outlook and Microsoft Exchange". If so, this means we're good from the sender through to the far end of the Office 365 infrastructure, leaving only the recipient server and client end in question. Is that all correct?

 

Any pointers to a real description of this stuff, and not the confusing (yet technically interesting) type of link like the one I put in above, would be appreciated! :)

 

Thank you.  

6 Replies

@ViProCon 

 

I currently have the same question and concern. From what I understand, outlook.com can encrypt emails, or you have the option to encrypt emails. That's from what I read in the following article: https://support.office.com/en-us/article/learn-about-encrypted-messages-in-outlook-com-3521aa01-77e3...

 

But I still don't know whether this also applies to us for business purposes. We currently have Business Essentials licenses only, but my question still stands: are emails sent using the Outlook 2019 desktop client encrypted through Office 365 Exchange?

 

But when it comes to Office365 Exchange you get a whole different story. 

https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-new-message-encryption-capabilities...

https://docs.microsoft.com/en-us/microsoft-365/compliance/email-encryption?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/compliance/ome?view=o365-worldwide

best response confirmed by ViProCon (Brass Contributor)
Solution

Does this help? It's the best explanation I have seen:

 

“Exchange Online always attempts to use TLS first to secure your email but cannot always do this if the other party does not offer TLS security.

 

For Exchange Online, we use TLS to encrypt the connections between our Exchange servers and the connections between our Exchange servers and other servers such as your on-premises Exchange servers or your recipients' mail servers. Once the connection is encrypted, all data sent through that connection is sent through the encrypted channel. However, if you forward a message that was sent through a TLS-encrypted connection, that message isn't necessarily encrypted. This is because, in simple terms, TLS doesn't encrypt the message, just the connection.

 

If you want to encrypt the message you need to use an encryption technology that encrypts the message contents, for example, something like Office Message Encryption.”

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-c...

 

This explains how various measures help and where they are implemented:

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-encryption-risks-and-protection...

 

This provides info on the broader topics:

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide#encryption-...

 

The licence requirements for OME are discussed here:

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-faq?view=o365-worldwide#what-subscript...

 

Hope that helps.

@cbraafhart 

 

I guess we'll count Cian's reply as our answer? I have to do some reading; a lot of links provided by you guys! :) Thank you so much for taking the time. I'll have to actually schedule, say, an hour to review all this because it's a lot, so if you have thoughts prior, please post. Thanks again!

It's saying encryption is applied during the transfer of information between clients and hosts, which secures the connection and everything that travels through it. The messages themselves aren't encrypted, but they are protected during transit. When sending emails externally, Exchange Online will always try to use a secure connection, but this won't always be possible, depending on how the recipient's email system is configured.

 

To ensure messages are encrypted and can only be opened by the intended recipient, OME encrypts the contents and applies controls to ensure messages are secure, wherever emails are being sent to.
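The Microsoft passage quoted in the accepted answer, and the summary just above, make the point that TLS protects each server-to-server connection rather than the message itself. The following Python script, added here as an example and not part of the original thread or of any Microsoft documentation, shows how to check that for a message you actually received: it reads the Received: headers (each relay prepends one, so the newest hop is at the top) and reports which hops were TLS-protected. The message, the host names and the `.contoso-tenant.example` suffix are constructed for the example; the `(version=TLS1_2, cipher=...)` wording is the form Exchange Online writes into its headers, and the `ESMTPS` and `using TLSv1.2` forms are what Postfix and Sendmail write.

```python
"""Audit the Received: chain of a delivered message to see which hops were TLS-protected.

Each relay that handles a message prepends its own Received: header, so the top header is
the last hop (delivery into the mailbox) and the bottom one is the first. Whether a hop
used TLS is recorded by the server that received it. This is why TLS protects a connection
and not the message: one cleartext hop anywhere in the chain exposes the whole message.
"""
import email
import re

# Constructed sample (not from the original thread): a message that crossed three hops.
# The two newest hops use the "(version=TLS1_2, cipher=...)" wording Exchange Online writes;
# the oldest hop, a legacy relay at the sender's site, handed the message over in
# cleartext ("with ESMTP" and no TLS clause at all).
SAMPLE_MESSAGE = """\
Received: from mbx-frontend.contoso-tenant.example (2001:db8::10)
 by mbx-store.contoso-tenant.example with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384) id 15.20.0.0;
 Mon, 2 Mar 2020 10:00:02 +0000
Received: from mail-a.example.net (203.0.113.10) by
 mbx-frontend.contoso-tenant.example (2001:db8::10) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384) id 15.20.0.0
 via Frontend Transport; Mon, 2 Mar 2020 10:00:01 +0000
Received: from legacy-relay.example.org (198.51.100.7) by mail-a.example.net
 with ESMTP id 4ABC123; Mon, 2 Mar 2020 10:00:00 +0000
From: sender@example.org
To: recipient@example.com
Subject: Quarterly figures

Constructed sample body.
"""

# Markers that a receiving server writes only when the hop was negotiated over TLS.
TLS_MARKERS = (
    re.compile(r"version=TLS", re.I),           # Exchange Online / Exchange Server
    re.compile(r"\bwith\s+ESMTPSA?\b", re.I),   # Postfix, Sendmail: trailing S means STARTTLS
    re.compile(r"\busing\s+TLSv?\d", re.I),     # Postfix "(using TLSv1.2 with cipher ...)"
)
VERSION_RE = re.compile(r"(?:version=|using\s+)(TLS\w*\.?\w*)", re.I)
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")


def parse_hops(raw_message):
    """Return one dict per Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold the continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue                             # malformed header: skip rather than guess
        version = VERSION_RE.search(text)
        hops.append({
            "from": m.group(1),
            "by": m.group(2),
            "tls": any(p.search(text) for p in TLS_MARKERS),
            "version": version.group(1) if version else None,
        })
    return hops


def cleartext_hops(hops):
    """The hops that carried the message without TLS, as 'sender -> receiver' strings."""
    return [f'{h["from"]} -> {h["by"]}' for h in hops if not h["tls"]]


def report(raw_message, trusted_suffix):
    """Summarise the chain. Only headers written by hosts under trusted_suffix count as
    evidence; older headers were written by other parties and could have been forged."""
    hops = parse_hops(raw_message)
    trusted = [h for h in hops if h["by"].endswith(trusted_suffix)]
    return {
        "hops": len(hops),
        "cleartext_hops": cleartext_hops(hops),
        "trusted_hops_all_tls": all(h["tls"] for h in trusted),
        "unverifiable_hops": len(hops) - len(trusted),
    }


if __name__ == "__main__":
    print(report(SAMPLE_MESSAGE, ".contoso-tenant.example"))
```

Two caveats a practitioner should keep in mind. A Received: header is written by the server that received that hop, so only the hops recorded by servers you trust (here, the ones under `trusted_suffix`, i.e. your own provider) are evidence; anything older is a claim by a third party. And a clean chain for one message says nothing about the next: opportunistic TLS is negotiated per connection, so this is a spot check, not a guarantee.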

@Cian Allner 

 

I see, and thank you for the summary. I remember reading that OME is a feature in the higher levels of licensing, above Business Premium, which means virtually all small businesses won't have it. But I will do some reading, because right now my knowledge is vague on this.

Would it be safe to say, however, that anybody who is using Office 365 at any level, or Gmail at any level, is using TLS? I don't put much faith in email hosting providers or internal IT teams that are still using, for example, a standalone Linux server or some virtual hosting service, such as GoDaddy free webmail. So I am biased against anything that is not Microsoft or Google, and to be clear, Office 365 is my primary choice, but I do like Google for many things.

 

Yes, that's right. TLS will be used by Microsoft and Google; many other major providers will use TLS too, to secure connections when transferring email and so forth.
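Rather than take the statement above on trust for a particular recipient, you can ask the recipient's MX host directly whether it offers STARTTLS, which is the opportunistic TLS that Exchange Online relies on for outbound mail. The following Python script is an added example, not from the thread or from Microsoft. It takes an MX host name you have already looked up (for example with `nslookup -type=mx example.net`), tries STARTTLS first with certificate verification and then, if that fails, without it, and classifies the result. The host name in the usage line is a placeholder.

```python
"""Probe a recipient's MX host for STARTTLS (opportunistic TLS) and classify what it offers.

Usage:  python starttls_probe.py mx.example.net
Look the MX host up first, e.g. with:  nslookup -type=mx example.net
"""
import smtplib
import ssl
import sys


def collect_facts(host, port=25, timeout=10):
    """Connect, EHLO, and attempt STARTTLS twice if necessary: first with certificate
    verification (what a mail-flow connector that requires a valid certificate demands),
    then without it (what plain opportunistic TLS accepts from any peer)."""
    facts = {"host": host, "ehlo_ok": False, "starttls_advertised": False,
             "tls_version": None, "cipher": None, "cert_verified": None, "error": None}
    for verify in (True, False):
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                code, _ = smtp.ehlo()
                facts["ehlo_ok"] = code == 250
                if not smtp.has_extn("starttls"):
                    return facts                 # server never offered TLS: cleartext only
                facts["starttls_advertised"] = True
                smtp.starttls(context=ctx)       # upgrades smtp.sock to an SSLSocket
                facts["tls_version"] = smtp.sock.version()
                facts["cipher"] = smtp.sock.cipher()[0]
                facts["cert_verified"] = verify
                return facts
        except ssl.SSLCertVerificationError as exc:
            # Certificate did not verify; keep the reason and retry without verification,
            # which is exactly what an opportunistic-TLS sender does.
            facts["cert_verified"] = False
            facts["error"] = str(exc)
            continue
        except (OSError, smtplib.SMTPException) as exc:
            facts["error"] = str(exc)
            return facts
    return facts


def classify(facts):
    """Turn the collected facts into the verdict an admin actually wants."""
    if not facts.get("starttls_advertised"):
        # No EHLO capability: either we never got that far, or the server is cleartext-only
        # (an Exchange Online sender would then fall back to plain SMTP).
        return "unreachable" if facts.get("error") else "cleartext-only"
    if facts.get("tls_version") is None:
        return "starttls-failed"                 # offered, but the handshake did not complete
    return "tls-verified" if facts.get("cert_verified") else "tls-opportunistic-only"


if __name__ == "__main__":
    result = collect_facts(sys.argv[1])
    print(classify(result))
    print(result)
```

The distinction between `tls-verified` and `tls-opportunistic-only` is the one that matters for the question in this thread: opportunistic TLS, the default, accepts any certificate, so it defeats passive eavesdropping but not an active attacker who can sit in the path and terminate the connection; an Exchange Online mail-flow connector that requires TLS with a valid certificate is what closes that gap for a specific partner domain. `collect_facts` needs outbound access to port 25, which many ISPs and cloud providers block, while `classify` is a pure function and is what the offline checks exercise.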
