Office 365 Hold Your Own Key

Encryption is hard. There is really no way around that fact.

One of the great benefits of Office 365, or any cloud product, is that these complex solutions are deployed and maintained for you by those who are best qualified to make them work. The downside to having someone else deploy and run your IT solutions is the lack of control you have over your information. You don’t really know who has access to your information when you’re moving it to the cloud.

Now, I don’t want to sound like a tin foil hat alarmist. Microsoft does a really good job of providing transparency into their compliance and data access policies and procedures in Office 365. Features like Lockbox and auditing within Office 365 should give customers assurance that their data is relatively secure in Microsoft’s hands.

The problem is sometimes that doesn't cut it. Some customers are going to have some data that is just too important to hand off to anyone in an unencrypted format. Microsoft is well aware that some customers have security requirements that make the move to Office 365 impossible without absolute assurance they can maintain 100% control over their most sensitive data.

Today I’m going to talk about hold your own key (HYOK), a solution to address this concern. Before we get to HYOK, however, we need to catch up on Azure Key Vault and BYOK.

Azure Key Vault

Azure Key Vault is a Microsot Azure service that allows you, as the name suggests, to store encryption keys in the cloud. The best way to think of Azure Key Vault is a Hardware Security Model (HSM) as a service.

An HSM is a piece of hardware that's purpose-built to hold and process encryption keys securely. They are fairly pricey pieces of hardware. Even more so, they are complex to setup and maintain. If you’re going to deploy your own HSM on-premises, you really need trained staff to ensure the equipment functions properly.

Azure Key Vault is Microsoft taking that HSM hardware and abstracting it from you, the customer, so you don’t have to worry about all the setup and deployment. You do still get all the security functionality of that HSM.

An HSM provides security by securely storing encryption keys in a fashion that never allows them to leave the HSM. When you encrypt a document on a server, that server needs to hold your encryption keys resident in memory for at least a short time. Anytime a server is holding encryption keys in memory, there is a risk that, if that server is compromised, control of that key will be lost and your encrypted data will be vulnerable. The HSM prevents this vulnerability by holding the key and doing the encryption and decryption in its own purpose-built hardware. Once in an HSM, keys cannot be extracted by anyone including Microsoft who physically controls that HSM.

Azure Key Vault allows you to access Microsoft’s HSMs via the REST API for encrypting and decrypting data without exposing your encryption keys.

Azure Key Vault costs about $1 per month to store a single key, plus about $0.03 for every ten thousand operations against that key. Pricing may vary slightly depending on how you purchase Azure, but those numbers should give you a ballpark estimate.

Azure Key Vault can be used for your Azure applications and SharePoint Online. There is a preview of the upcoming support for Exchange Online with Azure Key Vault, but that feature is not currently generally available.

Bring Your Own Key (BYOK)

As I said above, Azure Key Vault allows you to securely store encryption keys in the cloud. I did not, however, say anything about generating keys.

You can, of course, use Microsoft’s Certificate Authority (CA) within Azure to generate the keys that you use in Azure Key Vault. If, however, you would like to take your security up a notch, BYOK gives you another option.

The BYOK feature of Azure Key Vault allows you to use a key from a source outside Azure as your encryption key. That source can be your own on-premises CA, a third-party CA or anything in-between — as long as you have a valid CA with a valid Certificate Revocation List (CRL).

In its first incarnation, to use BYOK you had to physically get your encryption key to Seattle and manually load it into Microsoft’s Azure Key Vault HSM. This limitation has since been overcome. Now, you can load your encryption keys into Azure Key Vault over the Internet.

What’s important to understand about BYOK is that loading your encryption key into Microsoft’s HSM means that Microsoft will have the ability to decrypt any documents that are encrypted with that key. The HSM prevents Microsoft from exporting your encryption keys and using them outside the HSM, but it does not prevent Microsoft from accessing your data.

Again, I am in no way insinuating that Microsoft does access any materials that are stored within the Office 365 service. I’m just saying that there is no technological barrier preventing Microsoft from accessing materials you encrypt with keys stored within Azure Key Vault.

BYOK does give you two advantages over using keys generated by Microsoft’s CAs.

• You know the details of your key
• You can revoke your key and prevent anyone (including yourself) from decrypting data encrypted with that key

So BYOK offers some additional protection for your sensitive data, but it’s still not to the point where you know that only you and those you designate have access to your data. The good news is that Microsoft has introduced the next level of data protection if that is what you need.

Hold Your Own Key (HYOK)

Recently made available in preview, HYOK allows you to keep your own keys for SharePoint Online (and soon Exchange Online) in your on-premises environment. Unlike BYOK, HYOK is a configuration where you keep your own encryption keys, and all the encryption and decryption work is done with your on-premises hardware.

The upside to HYOK is that you know no one has access to your data without your approval. You hold all the keys to the kingdom.

Of course, this added security comes at a cost.

• You have to maintain your on-premises encryption infrastructure. If something goes wrong, you could be locked out of your own data with nowhere to turn.
• Any data encrypted with HYOK cannot be accessed by ANY Office 365 services. You get no DLP, no transport rules, no eDiscovery. None of the advanced data handling features of Office 365 will work. Setting up HYOK does require considerable configuration. Basic setup instructions can be found here on TechNet. I have not had a chance to replicate this setup in my lab yet, so I cannot comment on the accuracy of these instructions. This is a pre-release product at the time of this writing, so I assume these instructions are less than perfect.

In order to help make it easier for your users to understand which encryption should be used with each data type, HYOK is implemented with Azure Information Protection.

Azure Information Protection is a whole other encryption technology in Office 365, but that is going to have to be the subject of another blog post.