Do you have Office 365 secure email encryption? If you are reading the above sentence and don’t have a definite answer, this is the article you must read today.
In a previous article, Office 365 Security: 6 Genuine Concerns (And How to Address Them), we discussed the top Office 365 email security concerns and what you can do as a business to better protect your data. From your feedback, we saw that more education on the types of encryption for Office 365 is needed, and thus this article was born.
What is encryption?
Encryption is the process of encoding information with a cipher so that it cannot be decoded without the key. It’s perfect for transporting data over less secure channels, such as Wi-Fi or email.
A basic example of this is taking a message and moving every letter one place down the alphabet (A becomes B, B becomes C, etc.), creating unreadable text called ciphertext. You would send this information, and upon arrival, the recipient receives the cipher key and can unlock the information.
With email, this all happens behind the scenes automatically.
- A unique cipher encrypts an email message.
- The email is encoded into ciphertext.
- Email is sent and received.
- Receiver enters a cipher key to decode the message.
There are three different types of encryption available for Office 365 to secure and protect email. It is best to imagine each as a separate layer, with the first as basic and each additional layer of encryption providing more security and protection.
Office 365 Message Encryption – OME
The first layer is Office 365 Message Encryption, also known by the acronym OME, which is encryption provided by Office 365. As of 2018, Microsoft employs 256-bit encryption on their .docx files. Needless to say, you are more likely to experience the heat death of the universe before your digital files are cracked open by brute force.
OME is very powerful, as it can not only encrypt emails but also allow anyone with any email address to receive them. If you have a client, for example, that uses Google Mail or Yahoo Mail as their mail platform, Office 365 Message Encryption will be able to connect and send secure emails to them without any additional setup. To unlock or decrypt these files, they are given a one-time passcode (such as a cipher key) or can use a Microsoft account to gain authorized access.
They do not need an Office 365 subscription to access the email, and if they want to send a response, their reply will be encrypted by the same service on the return journey.
Another advantage is that Microsoft is continually upgrading this protection. For example, later in 2018:
“Links clicked on in Word, Excel, and PowerPoint will be checked in real-time to find whether the destination website will likely download malware or be part of a phishing scam.”
Information Rights Management – IRM
Information Rights Management encryption, or IRM, is a level of encryption that prevents sensitive information from being forwarded, printed or copied.
It does this by encrypting not only the document or email but also the level of access. You can use different levels for different users. For example, you can prevent items from being read at all, or remove the ability to copy and paste, take screenshots, print or edit. The administrator can also change the level of permissions at any time, without having to re-share the email.
This technology would be useful for documents and emails in which you cannot trust the recipients completely (like emails to suppliers who might sell plans to competitors).
It can also protect data offline, as information rights management applies not just when the data is in transit but also when it is static on the server. However, it may not work with other platforms (unlike OME), and an email sent off-platform might be copied and forwarded.
However, due to the prevalence of cameras in phones, there’s nothing to stop someone from simply taking a photo of the screen. Typically, in a workplace with sensitive information, employees would have to check their phones into secure storage before arriving at their desks.
Secure/Multipurpose Internet Mail Extensions – S/MIME
This third layer of encryption is Secure/Multipurpose Internet Mail Extensions, or S/MIME, which is encryption that ensures each email comes from an authentic sender.
It does this by ensuring that every email is attached to a digital signature that is encrypted in the base information of the message. This signature will include everything from the IP address, the sender’s platform, the author, and much more.
This digital signature means that the recipient will know exactly who sent the message, and the system will be confident in the identity of the sender. Because the system identifies the sender, these emails are not scanned for spam, viruses or malware, and no policies are applied to them. It is an added level of privacy and security, as some sensitive information can trigger spam filters (especially big files).
One major flaw with the system is that if the sender’s system is compromised (such as with a virus) and their private keys are leaked, then any email sent by them will be granted access to the rest of the system. For viruses and malware, this means easy access to others in the network, especially since virus scanning software will not scan their attachments.
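To make the signature check in this section concrete, here is an added example (not from the original article or from Microsoft) that signs a message with the OpenSSL command line and then verifies both the untouched copy and a copy altered in transit. The self-signed certificate, the sender address, the message text and the file names are all constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added illustration: S/MIME signing and verification with the OpenSSL CLI.
# The identity, message text and file names below are constructed for the demo.

smime_demo() {
  local dir name
  dir=$(mktemp -d) || return 1

  # Constructed sender identity: a throwaway self-signed certificate.
  # In production the certificate is issued by a CA the recipient trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Sender Example/emailAddress=sender@example.com" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1

  printf 'Please pay invoice 1001 to account A.\n' > "$dir/body.txt"

  # Sender: sign the body with the private key (clear-signed multipart/signed).
  openssl smime -sign -text -in "$dir/body.txt" \
    -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/signed.eml" 2>/dev/null || return 1

  # Constructed tampering in transit: part of the signed body is changed.
  sed 's/account A/account B/' "$dir/signed.eml" > "$dir/tampered.eml"

  # Recipient: verify each copy against the trusted certificate.
  for name in signed tampered; do
    if openssl smime -verify -in "$dir/$name.eml" \
         -CAfile "$dir/cert.pem" -out /dev/null 2>/dev/null; then
      echo "$name: signature valid"
    else
      echo "$name: signature INVALID"
    fi
  done
  rm -rf "$dir"
}

smime_demo
```

The signature only proves that the holder of the private key signed this exact content, which is why protecting that key on the sender's machine matters so much.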
Which one to use for your business?
This is a fantastic question; where would you begin if you wanted to apply these systems to your current Office 365 email platform?
We recommend that you first encrypt with OME, before ensuring the protection of the recipient with IRM, and lastly protection of the sender with S/MIME. This triangle of protection will incorporate all the advantages listed above.
This might sound complicated if you are a newcomer to email encryption, but by using Office Protect, your business can be confident that the system and emails will remain secure.
This is because Office Protect will automatically roll out the best security settings for your business and give you access to additional monitoring tools, such as alerts for unknown outside access and unauthorized changes to your security policy, all within a few minutes of deployment.