Many organizations would like to apply encryption to all e-mail messages, since it improves their information security posture. Is encrypting all messages the right way to go?
E-mail encryption is described as the process by which information is encoded so that only an authorized recipient can decode and consume the information. On top of this, Microsoft Purview Information Protection (MIP) also provides effective protection after the content has been decrypted and opened. MIP provides both encryption and protection. For more information please read this document; in this blog post we are only discussing Microsoft Purview Message Encryption.
The definition above hides a challenge for modern workplaces: business systems such as CRM, mailbox delegates, and compliance, anti-malware and many other integrations cannot be automatically authorized without proper integration with the encryption system, because they are not the recipients of the immediate e-mail thread.
Another challenge is that if encryption gets in the way of the users, they will find ways to get around the system, or the escalation will reach the board because productivity is impaired. Both cases will force you to produce a more effective plan.
Before attempting to encrypt all e-mails, start by asking yourself why. The most common reason why organizations want to encrypt everything is that they do not want to overwhelm end users with options, and they want to reduce the risk of mistakes. It is hard for users to determine the sensitivity or impact level of the information shared. Considering the impact encryption will have on business processes, encrypting everything will likely not provide the expected outcome of simplicity.
What information is commonly encrypted and protected, and can classification be made simpler?
Please see the classification framework concepts on this page, Concepts - Classification labels | Microsoft Learn.
Confidential and Highly Confidential are where most organizations set the bar to encrypt and protect. Examples of Confidential can be proposals going to a customer, or internal conversations with regard to a confidential business proposal. Highly Confidential is the secret recipe that helps the organization get ahead of the competition; trade secrets, if exposed, can severely impact regulatory compliance, business value and reputation.
Public/General data is commonly only labelled, not protected/encrypted, so that DLP and other tools can determine the class of data. A key tool that organizations can use to help users correctly classify emails is auto labelling policies: Automatically apply a sensitivity label in Microsoft 365 - Microsoft Purview (compliance) | Microsof....
If you select to encrypt Public/General data, consider having at least one label that doesn’t encrypt, to allow for an internal exception. Utilize auto labelling that recommends/notifies users which labels to apply while they are working on a document on the client side.
To make this successful your labels need to make sense to your users, and you need to equip them with the right level of guidance and training. For example, explain the valid scenarios in which they can use non-encrypting labels, and why policy tips are showing.
Here are some learnings from organizations that have encrypted most of their e-mail flow.
Shared Mailboxes used for internal and customer conversations
MIP encryption of e-mails, both Advanced Message Encryption and MIP sensitivity labels configured with encryption, can cause issues with existing shared mailbox processes.
Mailbox delegates, e.g., a user-shared mailbox or folders shared using Outlook.
Mailbox delegates can be configured without any administrator interaction. MIP-encrypted content will not be readable by delegates from the Win32 Outlook client or OWA (OME messages). There is an exception: if the delegate has direct permissions via the template, they can open the message via Win32 Outlook (UDP, Do Not Forward and Encrypt Only messages remain inaccessible).
Line of Business systems and custom applications
Line of business systems can be a bit more complex, whether regular CRM products or your own custom applications.
Make sure to have a flexible approach to these systems, since blocking business systems will reflect badly on the project and leave large portions of the user groups unable to migrate. You have good options in transport to either remove protection or apply a different encryption based on your business needs. You may combine this with the data types included in the e-mail and set an appropriate sensitivity label.
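The transport options above, as an added example (not code from the original post): two Exchange Online mail flow rules, one that removes Purview Message Encryption from internal mail addressed to a line of business intake mailbox, and one that applies a different encryption template to mail leaving for a partner domain. The mailbox address, partner domain and template name are placeholders; the template name must match what Get-RMSTemplate returns in your tenant.

```powershell
# Added example; assumes an Exchange Online PowerShell session.
Connect-ExchangeOnline

$lobMailbox    = "crm-intake@contoso.example"   # placeholder: the LOB/CRM intake mailbox
$partnerDomain = "partner.example"              # placeholder: a business partner domain

# Rule 1: internal senders -> LOB mailbox. Remove message encryption so the
# integration can parse the body and attachments. FromScope limits the rule
# to in-organization senders, so external mail is never decrypted by it.
New-TransportRule -Name "LOB intake - remove message encryption" `
    -FromScope InOrganization `
    -SentTo $lobMailbox `
    -RemoveOMEv2 $true `
    -RemoveRMSAttachmentEncryption $true `
    -Mode Enforce `
    -Comment "Exception for CRM integration; revisit when the integration supports MIP"

# Rule 2: mail to a partner domain gets a template the partner can consume
# (for example the built-in "Encrypt" template) instead of a restrictive
# custom template. Pick the name from Get-RMSTemplate before enabling.
$template = (Get-RMSTemplate | Where-Object { $_.Name -eq "Encrypt" }).Name
New-TransportRule -Name "Partner mail - apply Encrypt template" `
    -RecipientDomainIs $partnerDomain `
    -ApplyRightsProtectionTemplate $template `
    -Mode Audit   # start in audit, switch to Enforce after reviewing the trace

# Verify what was created and which rule fires first (lower priority runs first).
Get-TransportRule | Where-Object { $_.Name -like "LOB intake*" -or $_.Name -like "Partner mail*" } |
    Format-Table Name, Priority, State, Mode, RemoveOMEv2, ApplyRightsProtectionTemplate
```

Keep the decrypt rule as narrow as the integration needs (specific recipient, internal senders only) and review it with the same scrutiny as any other place where protection is stripped.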
External organizations
When communicating with external parties there are two experiences, depending on your settings. For Microsoft-based services, you can utilize the inline view of messages unless you are using a custom branding template to deliver messages. Microsoft plans to deliver a feature that will allow you to deliver messages with an inline view for custom templates. Note that the inline view doesn’t work with features such as revoke.
Older versions of tenant restrictions may interfere with protected messages. The new cross-tenant access settings should not cause the same issues. Read the documentation to learn more about cross-tenant access settings. This report can provide insights into cross-tenant activity.
You may share a simple guide based on this with your business partners to educate them on how to open protected messages.
Security & Compliance
An exception to the above is if your organization has deployed DKE (Double Key Encryption (DKE) - Microsoft Purview (compliance) | Microsoft Learn). Microsoft does not have visibility into content that has been protected using DKE. You can use the Microsoft MIP SDK to allow for integration with DKE.
Conclusion
While it may seem tempting to encrypt all messages using Microsoft Purview Message Encryption, there is a significant risk that you will hit several of the challenges mentioned in this document. It is not as hard as with S/MIME, where you must share private keys and use other methods to provide access, but it has a significant enough impact on end users for you to carefully plan your implementation.
You need to carefully balance user impact and organizational risk. By over-encrypting content you may inadvertently force users to incorrectly classify content in order to fulfil their business functions, increasing the risk for the very same content that you are attempting to protect.
Correctly labelling content according to sensitivity and destination is important. So, if you haven’t started, enable it today; even without encryption it will still help you. Enable auto labelling on internal/external communications based on data that is sensitive to your environment. Even without encryption it will help with visibility and build your knowledge to implement encryption effectively. Follow up using Activity Explorer and Content Explorer.
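The auto-labelling starting point recommended above, as an added example (not code from the original post): a service-side auto-labelling policy for Exchange created in simulation mode, so it reports matches in Activity Explorer and Content Explorer without touching any message, and is promoted to enforcement only after the results have been reviewed. The label name and the chosen sensitive information type are assumptions; substitute your own.

```powershell
# Added example; assumes a Security & Compliance PowerShell session and an
# existing sensitivity label named "Confidential" (placeholder).
Connect-IPPSSession

$policyName = "Auto-label confidential email (simulation)"
$labelName  = "Confidential"   # placeholder: an existing label, with or without encryption

# Simulation mode: matches are recorded for review, nothing is labelled yet.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $labelName `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications `
    -Comment "Build visibility of sensitive mail flow before enabling encryption"

# Rule: match mail carrying a built-in sensitive information type. Add further
# rules per data type that matters to your environment.
New-AutoSensitivityLabelRule -Name "Payment card data in email" `
    -Policy $policyName `
    -Workload Exchange `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" }

# Confirm the policy is still in simulation, then review hits in Activity Explorer
# and Content Explorer before switching it on.
Get-AutoSensitivityLabelPolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, ApplySensitivityLabel

# Promote to enforcement only once the simulation results look right:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```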
As always we look forward to your feedback!
Thank you,
Microsoft Purview Information Protection team.