Message Encryption in Office 365
Transcript of Message Encryption in Office 365
Sunitha Samuel, Senior Test Lead, Microsoft
SPR202
Why is message encryption needed?
• Departmental-only emails
• Medical records
• Bank statements
• Super secret information
• Credit card information
• Inter-company confidential memos
Encryption Solutions in Office 365
• Office 365 Message Encryption – Encrypt messages to any SMTP address. Example: a personal account statement from a financial institution.
• Information Rights Management – Encrypt content and restrict usage; usually within your own organization or with trusted partners. Example: an internal company confidential memo.
• S/MIME – Sign and encrypt messages to users using certificates. Example: peer-to-peer signed communication within a government agency.
Office 365 Message Encryption
Admin:
• Simple to provision and configure
• Policy driven via Transport Rules
• Customizable branding of encrypted emails and the mail reading portal
• Allows for enterprise content inspection and compliance
Sender:
• Ability to send encrypted messages to any SMTP address regardless of the recipient’s client or service provider
Recipient:
• View encrypted messages on the Office 365 Message Encryption portal after sign-in
• The Office 365 Message Encryption portal has rich OWA controls for viewing and composing messages
• Replies from the portal are also encrypted
Office 365 Message Encryption
How do recipients sign in to view messages? – 2 ways
• Microsoft account – used for sign-in to Microsoft services like OneDrive, Xbox Live, etc.
  • A Microsoft account for hotmail.com, outlook.com and live.com addresses already exists
  • A user can create a Microsoft account for any SMTP address, like gmail.com or mycustomdomain.com – address verification is done as part of the account creation process
  • If the recipient does not have a Microsoft account, they are navigated through the process of creating one
  • For a given email address, a single Microsoft account is used to access all Microsoft services and to view future encrypted emails
• Organizational account – used for sign-in to workloads like Exchange Online, SharePoint Online, etc.
• As Office 365 embraces additional identity providers, so will Office 365 Message Encryption.
Demo: Office 365 Message Encryption
• Contoso Pharma wants to send encrypted emails to its partner doctors.
• The administrator has configured an ETR (Exchange Transport Rule) to encrypt any message going to Dr Toni when the subject contains the word “Encrypt”.
• Dr Toni gets the encrypted email at his hotmail address and follows the instructions to view the encrypted message sent from Serena.
Office 365 Message Encryption – Admin Configuration
• New ETR actions configurable via UI or PowerShell
New-TransportRule -Name EncryptRule <Condition for which to apply encryption> -ApplyOME $true
New-TransportRule -Name DecryptRule <Condition for which to remove encryption> -RemoveOME $true
Office 365 Message Encryption – Admin Configuration
• Customize the opening text in the encrypted email and the disclaimer statement
Set-OMEConfiguration -Identity default -EmailText "Encrypted message from ContosoPharma secure messaging system"
Set-OMEConfiguration -Identity default -DisclaimerText "This email message and its attachments are for the sole use of the …"
Office 365 Message Encryption – Admin Configuration
• Customize the portal text and logo
Set-OMEConfiguration -Identity default -PortalText "ContosoPharma secure e-mail portal"
Set-OMEConfiguration -Identity default -Image (Get-Content "C:\Users\admin\Desktop\contoso.png" -Encoding byte)
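The following is an added example, not code from the deck, that wires the demo's ETR and the branding commands above into one script and then verifies the result. It assumes an already-connected Exchange Online PowerShell session with Azure RMS enabled for the tenant; the partner address, logo path and disclaimer text are placeholders.

```powershell
# Added example (not from the deck): provisions the demo's encrypt/decrypt rules and the
# portal branding, then checks that they took effect. Assumes an Exchange Online PowerShell
# session is already connected and Azure RMS is enabled for the tenant.
$PartnerDoctor = 'dr.toni@example.com'        # placeholder for Dr Toni's address
$LogoPath      = 'C:\Branding\contoso.png'    # placeholder for the tenant logo

# Rule 1: encrypt any message to the partner doctor whose subject contains "Encrypt"
# (the condition used in the demo).
New-TransportRule -Name 'EncryptRule' `
    -SentTo $PartnerDoctor `
    -SubjectContainsWords 'Encrypt' `
    -ApplyOME $true

# Rule 2: remove OME from encrypted replies coming back from the partner to internal users,
# so they are readable in the mailbox and visible to content inspection.
New-TransportRule -Name 'DecryptRule' `
    -From $PartnerDoctor `
    -SentToScope InOrganization `
    -RemoveOME $true

# Branding: one Set-OMEConfiguration call instead of four. The logo is read with
# [System.IO.File]::ReadAllBytes because Get-Content -Encoding Byte (used on the slide)
# only exists in Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream instead.
$Branding = @{
    Identity       = 'default'
    EmailText      = 'Encrypted message from ContosoPharma secure messaging system'
    DisclaimerText = 'This message is intended only for the named recipient.'   # placeholder
    PortalText     = 'ContosoPharma secure e-mail portal'
    Image          = [System.IO.File]::ReadAllBytes($LogoPath)
}
Set-OMEConfiguration @Branding

# Verify: both rules exist, are enabled and carry the OME actions; branding text is stored.
Get-TransportRule |
    Where-Object Name -in @('EncryptRule', 'DecryptRule') |
    Format-Table Name, State, Priority, ApplyOME, RemoveOME -AutoSize
Get-OMEConfiguration -Identity 'default' |
    Format-List EmailText, DisclaimerText, PortalText
```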
Office 365 Message Encryption – Modern UI
• Modern O365 UI and rich OWA controls
Office 365 Message Encryption - Under the hood
[Architecture diagram: O365 User → Send → Exchange Online (Policy detection and enforcement; Tenant configuration) → Deliver → Internet User → Post → Mail Reading Portal (sign-in with Microsoft account / Organizational account)]
• Office 365 Message Encryption uses IRM as the platform to encrypt messages
• The sending organization needs to have purchased and configured Azure Rights Management Services (RMS)
• Keys imported from Azure RMS are 2048-bit and use SHA-256
• Encrypted messages are wrapped in an HTML file and sent as an attachment to the intended recipients
• The HTML file contains the encrypted message along with other metadata
• Messages can be viewed on any device that can open and post from an HTML file
• When the user opens the attachment and clicks the link in it, the encrypted content is posted and held temporarily while the user authenticates
• The user authenticates using a Microsoft account or an Organizational account
• If the user has neither, they are told so and asked to create a Microsoft account before viewing
• Any email address (@yahoo.com, @gmail.com, etc.) can be used to create a Microsoft account
• Once authentication completes, the message is decrypted and shown in the modern UI with all the rich OWA controls
• Messages replied to from the portal are also encrypted
Purchasing Office 365 Message Encryption
Office 365 Message Encryption is included with Azure RMS.

Plan | Requires | Price
Office 365 E3, E4 | Windows Azure Rights Management is included | Included
Office 365 E1, K1 | Windows Azure Rights Management | $2 PUPM
Office 365 Exchange Online Plan 2, Plan 1, Kiosk | Windows Azure Rights Management | $2 PUPM
Office 365 SharePoint Plan 2, Plan 1 | Windows Azure Rights Management | $2 PUPM
Office 365 Midsize Business | Windows Azure Rights Management | $2 PUPM
Exchange on-premises | Windows Azure Rights Management | $2 PUPM

* On-premises customers need to route mail through Exchange Online
** Windows Azure Rights Management is not available for Office 365 Small Business plans
Upgrade: Exchange Hosted Encryption to Office 365 Message Encryption
• Customers using EHE will be upgraded to Office 365 Message Encryption at no additional cost
• Awareness and transition emails will be sent prior to the transition – transitions started in Q1 CY14
• No action is required from tenant admins – existing EHE policies will be automatically migrated to Office 365 Message Encryption policies
• EHE mail recipients will continue to have access to view their old encrypted emails
• The EHE account store and emails already encrypted with EHE will not be migrated to Office 365 Message Encryption
Upgrade: Exchange Hosted Encryption to Office 365 Message Encryption

Feature | Exchange Hosted Encryption | Office 365 Message Encryption
Send encrypted mail to anyone | Available | Available
Custom branding | Not available | Available
Message attachment size limit | 10 MB | 25 MB
Integration with Exchange transport rules | Available, but complex headers involved | Available and simplified
User experience | Custom EHE portal | Enhanced Office 365 UI
Integration with Data Loss Prevention | Available | Available
Purchase option | Sold standalone | Included with Azure RMS
Information Rights Management
• Information protection technology
• Protection is persisted with the data; content can travel anywhere (desktops, file shares, USB keys, cloud drives, network and devices)
• Combines encryption and usage restrictions
• Prevents accidental disclosure of sensitive data by applying usage policies (cannot forward, cannot print, read-only)
• Simple to use: authors just select a policy option, consumers just open documents
• Administrators can configure policies to protect content automatically
• Securely share data with individuals within the organization and with trusted partners
Information Rights Management – Exchange Online
Admin:
• Simple to provision and configure using Windows Azure Rights Management – no on-premises RMS server required
• Policy driven via Transport Rules
• Allows for enterprise content inspection and compliance
Sender:
• Ability to send IRM-protected messages to recipients in the organization using supported clients – OWA and Microsoft Office 2010 and 2013
Recipient:
• Ability to view IRM-protected content just like regular emails using supported clients (OWA, Microsoft Office 2010 and 2013, EAS)
Information Rights Management – ETR & DLP
• Automatically protect email with IRM using Exchange Transport Rules
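As an added example that is not part of the deck, the following script creates the kind of transport rule this slide describes: it applies an Azure RMS template to internal mail matching a keyword, after checking that IRM is actually wired to Azure RMS. It assumes a connected Exchange Online session; the keyword, rule name and the choice of the built-in "Do Not Forward" template are assumptions.

```powershell
# Added example (not from the deck): one transport rule that applies an Azure RMS template
# to internal memos. Assumes a connected Exchange Online PowerShell session; the keyword,
# rule name and template choice are assumptions made for this example.
$TemplateName = 'Do Not Forward'   # built-in Azure RMS template, assumed to be available

# Fail early if IRM is not licensed through Azure RMS; otherwise the rule would be
# created but could never protect anything.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is not enabled for this tenant; enable it before creating IRM rules.'
}

# Confirm Exchange Online can see the template before a rule references it.
$template = Get-RMSTemplate | Where-Object Name -eq $TemplateName
if (-not $template) {
    throw "RMS template '$TemplateName' was not found in this tenant."
}

# Internal mail marked CONFIDENTIAL in the subject or body gets the template applied.
# -SentToScope InOrganization keeps the rule from protecting mail to external recipients,
# matching the slide's "within own organization or trusted partners" scope.
New-TransportRule -Name 'IRM-ConfidentialMemo' `
    -SubjectOrBodyContainsWords 'CONFIDENTIAL' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate $TemplateName

# Verify the rule is enabled and carries the template action.
Get-TransportRule -Identity 'IRM-ConfidentialMemo' |
    Format-List Name, State, SentToScope, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate
```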
Information Rights Management – OWA
• Protect email with IRM right from the Outlook Web App.
S/MIME
Government-preferred way to secure email communication
• Based on a published and broadly supported standard
• Must know the recipient's public cert to send them encrypted mail
• Must have the private key associated with the sending email address to sign email
• Without the recipient's private key, no one can open and view the message
• Exchange on-premises continues to support S/MIME; OWA 2013 support was added in SP1
S/MIME in Exchange Online
Admin:
• Admin provisions certificates to users and synchronizes them with Exchange Online
• Simple Exchange Online configuration for S/MIME OWA behavior
Sender:
• Ability to send signed and encrypted email to intra-organization recipients who are properly configured
Recipient:
• Ability to view signed and encrypted emails using OWA and supported clients, and to reply
S/MIME in Exchange Online
• Admin Exchange Online configuration options
Demo: S/MIME in Exchange Online
• Contoso Pharma researchers want to discuss a research drug securely
• Serena sends an email to Rosella using OWA
• Rosella views the email in OWA and responds
Summary
• Office 365 Message Encryption – Encrypt messages to any SMTP address. Example: a personal account statement from a financial institution.
• Information Rights Management – Encrypt content and restrict usage; usually within your own organization or with trusted partners. Example: an internal company confidential memo.
• S/MIME – Sign and encrypt messages to users using certificates. Example: peer-to-peer signed communication within a government agency.
Q/A
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.