Office 365 Customer Key - Jaclynn Hiranaka, Senior Program Manager

Presentation transcript:

BRK3014 Office 365 Customer Key
Jaclynn Hiranaka, Senior Program Manager, Exchange
Kavita Kamani, Principal PM Manager, SharePoint and OneDrive
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
1. The promise of Service Encryption and Customer Key
2. How it all works
3. How you can onboard to Customer Key
4. How you exercise control over Customer Key

Encryption in Office 365: built-in capabilities that help control your data and mitigate risk
Protect: mitigate the risk of data loss through default and added customer-controlled encryption capabilities
Control: leverage flexible policies and added controls that help manage your data
Compliance: meet compliance obligations that require encrypting data

What is "Service Encryption"?
Additional defense-in-depth protection for customer data
Encryption at the application layer for Office 365 data at rest
Provides strong separation between Windows Server administrators and customer data
Effective regardless of whether keys are Microsoft-managed or customer-managed

New! Service encryption with Customer Key
Helps meet compliance obligations that require you to provide and manage your own keys used to encrypt Office 365 data at rest
Customer in control over the service's ability to reason over your data: revoking the key initiates the path towards data deletion
Built into the service for seamless integration, with no disruption to end users and added protections against unintended key loss
Auditable and verified: actions are auditable and controls will be verified in an SOC audit

Customer Key is NOT about:
Changing the dynamics of the Online Service Terms for 3rd-party data requests
Changing access rules for customer data for Microsoft personnel

How does Customer Key work in SharePoint?
Customer Keys: in Azure Key Vault; one pair of keys per geography, tenant scoped
Tenant Intermediate Key: 2 encrypted copies, each protected by one Customer Key
Site Encryption Key: protected by the Tenant Intermediate Key
File Chunk Encryption Key (1 file = N chunks = N keys): protected by the Site Encryption Key

How does Customer Key work in Exchange?

Protecting your keys
Use two Key Vaults in separate Azure subscriptions, in non-paired regions
Distributed ownership of each Key Vault
Enforcement of Key Vault setup and configuration
Microsoft provides a co-operative escrow model to protect against mishaps and attackers

What is the Recovery Key?
Provides industry-leading availability: a data protection advantage for our customers
Protects against ransomware and insider compromise that could threaten the destruction of customer data
Enforced diversity in key protection and destruction to protect against malicious or accidental data loss
Shared responsibility to protect keys: redundancy in key management
Ensures destruction of customer data is always intentional

How does the Recovery Key work in Exchange?

How does the Recovery Key work in SharePoint?
Customer Keys: in Azure Key Vault; one pair of keys per geography, tenant scoped
Recovery Key: Microsoft managed, in the SPO Secret Store; one per tenant
Tenant Intermediate Key: 2 encrypted copies, each protected by one Customer Key, plus another encrypted copy protected by the Recovery Key
Site Encryption Key: protected by the Tenant Intermediate Key
The Recovery Key copy is only used when a recovery process is needed due to unintentional customer key compromise (the customer calls Microsoft, or Microsoft detects it via alert and confirms with the customer)
File Chunk Encryption Key (1 file = N chunks = N keys): protected by the Site Encryption Key
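An added toy model of the SharePoint key hierarchy described on the two SharePoint slides above (not code from the slides or from SharePoint Online): it wraps a Tenant Intermediate Key under two Customer Keys and one Recovery Key, then shows which copies survive losing one vault, both vaults, and finally the Recovery Key. AES-256-CBC stands in for the real wrapping primitive; the vault and store names are constructed.

```powershell
# Added example: toy model of Customer Keys -> Tenant Intermediate Key (TIK) -> Site Key -> chunk keys.
# AES-256-CBC is only a stand-in wrapping primitive; it is not SharePoint Online's implementation.
using namespace System.Security.Cryptography

function New-RandomKey { $b = [byte[]]::new(32); [RandomNumberGenerator]::Create().GetBytes($b); return ,$b }

function Protect-Key([byte[]]$Kek, [byte[]]$KeyToWrap) {           # wrap KeyToWrap under Kek
    $aes = [Aes]::Create(); $aes.Key = $Kek; $aes.GenerateIV()
    @{ IV = $aes.IV; CT = $aes.CreateEncryptor().TransformFinalBlock($KeyToWrap, 0, $KeyToWrap.Length) }
}
function Unprotect-Key([byte[]]$Kek, $Wrapped) {                     # unwrap with Kek
    $aes = [Aes]::Create(); $aes.Key = $Kek; $aes.IV = $Wrapped.IV
    return ,$aes.CreateDecryptor().TransformFinalBlock($Wrapped.CT, 0, $Wrapped.CT.Length)
}

# Constructed key stores: two customer vaults (one Customer Key each) and the SPO Secret Store
$customerVaults = @{ VaultA = (New-RandomKey); VaultB = (New-RandomKey) }
$spoSecretStore = @{ RecoveryKey = (New-RandomKey) }

# TIK stored as three wrapped copies; Site Key wrapped by TIK; each file chunk key wrapped by Site Key
$tik = New-RandomKey
$tikCopies = @{
    VaultA      = Protect-Key $customerVaults.VaultA $tik
    VaultB      = Protect-Key $customerVaults.VaultB $tik
    RecoveryKey = Protect-Key $spoSecretStore.RecoveryKey $tik
}
$siteKey        = New-RandomKey
$siteKeyWrapped = Protect-Key $tik $siteKey
$chunkKeys      = 1..3 | ForEach-Object { Protect-Key $siteKey (New-RandomKey) }

# The service path may only use the customer vaults; the recovery copy needs a confirmed recovery process
function Get-TenantIntermediateKey([switch]$RecoveryApproved) {
    foreach ($name in 'VaultA', 'VaultB') {
        if ($customerVaults.ContainsKey($name)) { return Unprotect-Key $customerVaults[$name] $tikCopies[$name] }
    }
    if ($RecoveryApproved -and $spoSecretStore.ContainsKey('RecoveryKey')) {
        return Unprotect-Key $spoSecretStore.RecoveryKey $tikCopies.RecoveryKey
    }
    return $null
}
# Reading a chunk walks the whole chain: TIK -> Site Key -> chunk key
$chunk0 = Unprotect-Key (Unprotect-Key (Get-TenantIntermediateKey) $siteKeyWrapped) $chunkKeys[0]
"chunk key 0 recovered, length: $($chunk0.Length)"

$customerVaults.Remove('VaultA')                                     # one vault lost: still readable
"one vault lost, TIK available:      $($null -ne (Get-TenantIntermediateKey))"
$customerVaults.Remove('VaultB')                                     # both revoked: service is blind
"both revoked, service path:         $($null -ne (Get-TenantIntermediateKey))"
"both revoked, recovery process:     $($null -ne (Get-TenantIntermediateKey -RecoveryApproved))"
$spoSecretStore.Remove('RecoveryKey')                                # purge path: Recovery Key deleted
"recovery key deleted, any path:     $($null -ne (Get-TenantIntermediateKey -RecoveryApproved))"
```

The last four lines print True, False, True, False in that order, which is the property the Recovery Key slides describe: one lost Customer Key costs nothing, two lost keys need Microsoft's escrowed copy, and deleting that copy makes the data unrecoverable.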

Onboarding to Customer Key
Customer determines the business case
Customer purchases and assigns licenses to user objects
Customer sets up Azure Key Vaults
FastTrack onboarding for the Customer Key Offer
Microsoft reviews the data and the feature is enabled

Key Vault Set Up (common to Exchange and SharePoint)
Create two Azure subscriptions in your tenant, with two different sets of administrators
Put your Azure subscriptions on the Do Not Cancel list
Create a Key Vault in each subscription
Name your Key Vault uniquely and create/upload keys
Give permissions to EXO/SPO for wrapKey/unwrapKey/get
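The vault setup steps above as an added Az PowerShell script (not from the slides); it assumes Connect-AzAccount has been run, and the subscription IDs, resource group, vault and key names and regions are placeholders. The two service principal app IDs are the well-known Office 365 values the Customer Key setup documentation uses for Exchange Online and SharePoint Online; verify them against current documentation before use.

```powershell
# Added example: create the two Customer Key vaults, keys and least-privilege access policies.
# Well-known Office 365 service principals (from the Customer Key docs; verify before use):
$ServiceAppIds = @{
    ExchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'
    SharePointOnline = '00000003-0000-0ff1-ce00-000000000000'
}
# One vault per subscription, each subscription with its own admin set, and the two regions
# deliberately NOT an Azure paired-region pair (eastus pairs with westus, not westeurope).
$Vaults = @(
    @{ Subscription = '<subscription-id-A>'; ResourceGroup = 'rg-ck-a'; Name = 'contoso-ck-vault-a'; Location = 'eastus' },
    @{ Subscription = '<subscription-id-B>'; ResourceGroup = 'rg-ck-b'; Name = 'contoso-ck-vault-b'; Location = 'westeurope' }
)
# The Do Not Cancel listing for the subscriptions is requested through Microsoft, not via a cmdlet.

foreach ($v in $Vaults) {
    Set-AzContext -SubscriptionId $v.Subscription | Out-Null
    New-AzResourceGroup -Name $v.ResourceGroup -Location $v.Location -Force | Out-Null
    # Soft delete is on by default for new vaults; purge protection additionally stops anyone from
    # purging a deleted key early, so an accidental or malicious deletion stays recoverable.
    New-AzKeyVault -Name $v.Name -ResourceGroupName $v.ResourceGroup -Location $v.Location `
        -EnablePurgeProtection | Out-Null
    # The Customer Key itself (RSA, software-protected here; use -Destination HSM on a Premium vault for HSM-backed keys)
    $key = Add-AzKeyVaultKey -VaultName $v.Name -Name 'contoso-customer-key' -Destination Software
    # Least privilege: EXO and SPO get only wrapKey/unwrapKey/get on keys, nothing on secrets or certificates
    foreach ($appId in $ServiceAppIds.Values) {
        Set-AzKeyVaultAccessPolicy -VaultName $v.Name -ServicePrincipalName $appId `
            -PermissionsToKeys wrapKey, unwrapKey, get
    }
    Write-Host "$($v.Name): $($key.Id)"   # key URI to reference from the EXO/SPO policies
}

# Verify the vault protections before handing the configuration to FastTrack for review
foreach ($v in $Vaults) {
    Set-AzContext -SubscriptionId $v.Subscription | Out-Null
    Get-AzKeyVault -VaultName $v.Name | Format-List VaultName, Location, EnableSoftDelete, EnablePurgeProtection
}
```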

Azure Key Vault Setup


Onboard via FastTrack


Exchange set up
Admin creates a Data Encryption Policy (DEP)
Assign the DEP to mailboxes
Initiate a mailbox move to encrypt the mailboxes
Status check

Exchange Setup
Demonstrate Data Encryption Policy creation and assignment
Status check on a pre-encrypted mailbox


SharePoint set up
Admin creates the tenant-wide encryption policy (Register-SPODataEncryptionPolicy)
Status check
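The Exchange and SharePoint setup steps from the two slides above as one added script (not from the slides); it assumes connected Exchange Online and SharePoint Online PowerShell sessions, and the vault names, key name, key versions and policy name are placeholders for your own values.

```powershell
# Added example: create/assign the Exchange DEP, register the SPO tenant policy, and run the status checks.
$VaultA = 'contoso-ck-vault-a'; $VaultB = 'contoso-ck-vault-b'; $KeyName = 'contoso-customer-key'

# Exchange: the DEP references the versionless key URIs of BOTH vaults, so a later
# Set-DataEncryptionPolicy -Refresh can pick up new key versions without editing the policy
$dep = New-DataEncryptionPolicy -Name 'Contoso-CK-Policy' `
    -Description 'Customer Key for Contoso user mailboxes' `
    -AzureKeyIDs "https://$VaultA.vault.azure.net/keys/$KeyName", "https://$VaultB.vault.azure.net/keys/$KeyName"

# Assign the DEP to user mailboxes; the mailbox move that applies the encryption follows, and can take time
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -DataEncryptionPolicy $dep.Name }

# Status check: which mailboxes are encrypted already, and under which DEP
function Get-MailboxEncryptionStatus {
    Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ForEach-Object {
        [pscustomobject]@{
            Mailbox     = $_.PrimarySmtpAddress
            Policy      = $_.DataEncryptionPolicy
            IsEncrypted = (Get-MailboxStatistics -Identity $_.Identity).IsEncrypted
        }
    }
}
Get-MailboxEncryptionStatus | Where-Object { -not $_.IsEncrypted }   # still waiting for the move

# SharePoint: one tenant-wide policy with a primary and a secondary key; key versions are explicit here
# (older SharePoint Online Management Shell versions also required -Identity <tenant admin URL>)
Register-SPODataEncryptionPolicy -PrimaryKeyVaultName $VaultA -PrimaryKeyName $KeyName -PrimaryKeyVersion '<versionA>' `
    -SecondaryKeyVaultName $VaultB -SecondaryKeyName $KeyName -SecondaryKeyVersion '<versionB>'
Get-SPODataEncryptionPolicy | Format-List   # shows the registration state and the key versions in use
```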


SharePoint Setup
Demonstrate encryption policy creation and assignment
Status check on a pre-configured tenant

Rolling Keys
Business or compliance needs may require you to roll keys at some regular cadence
Create new key versions, and update the policy:
  Exchange: run Set-DataEncryptionPolicy <DEP name> -Refresh
  SharePoint: run Update-SPODataEncryptionPolicy
Check encryption status:
  Exchange: run Get-MailboxStatistics
  SharePoint: run Get-SPODataEncryptionPolicy
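The key roll above as an added script (not from the slides); it assumes connected Az, Exchange Online and SharePoint Online sessions, and the vault, key, policy and mailbox names are placeholders.

```powershell
# Added example: create new Customer Key versions in both vaults, re-point EXO and SPO, then verify.
$Vaults  = @('contoso-ck-vault-a', 'contoso-ck-vault-b')
$KeyName = 'contoso-customer-key'
$DepName = 'Contoso-CK-Policy'

# 1. New version of the same key in each vault. The previous version is kept (not deleted) so
#    anything still wrapped under it can be unwrapped until the services finish re-wrapping.
$newVersions = foreach ($vault in $Vaults) {
    $k = Add-AzKeyVaultKey -VaultName $vault -Name $KeyName -Destination Software
    [pscustomobject]@{ Vault = $vault; Version = $k.Version; Id = $k.Id }
}
$newVersions | Format-Table Vault, Version

# 2. Exchange: the DEP references versionless key URIs, so -Refresh makes EXO re-read both vaults
#    and re-wrap under the newest version
Set-DataEncryptionPolicy -Identity $DepName -Refresh

# 3. SharePoint: versions are explicit in the policy, so update one key at a time; wait until
#    Get-SPODataEncryptionPolicy shows the primary update complete before starting the secondary
Update-SPODataEncryptionPolicy -KeyVaultName $Vaults[0] -KeyName $KeyName -KeyVersion $newVersions[0].Version -KeyType Primary
# ... after the primary update has completed:
Update-SPODataEncryptionPolicy -KeyVaultName $Vaults[1] -KeyName $KeyName -KeyVersion $newVersions[1].Version -KeyType Secondary

# 4. Status checks named on the slide
Get-DataEncryptionPolicy -Identity $DepName | Format-List Name, AzureKeyIDs
Get-MailboxStatistics -Identity 'user@contoso.com' | Format-List DisplayName, IsEncrypted
Get-SPODataEncryptionPolicy | Format-List
```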

Data Purge Path
Remove the SPO/EXO identity permissions on the Key Vaults (Azure administrators)
Set the Purge Request flag using PowerShell
Send in the signed and notarized Data Deletion Document
Microsoft deletes the Recovery Key
All data that falls under that policy is unrecoverable
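The customer-side steps of the purge path above as an added script (not from the slides); it assumes connected Az and Exchange Online sessions, the vault and policy names are placeholders, and the service principal app IDs are the well-known Office 365 values from the Customer Key documentation (verify before use). The signed Data Deletion Document and Microsoft's deletion of the Recovery Key are out-of-band steps that no cmdlet performs.

```powershell
# Added example: revoke EXO/SPO access to both vaults, then set the purge request flag on the DEP.
# Runs as a dry run by default: flip $DryRun to $false only after the destruction has been approved.
$DryRun        = $true
$Vaults        = @('contoso-ck-vault-a', 'contoso-ck-vault-b')
$ServiceAppIds = @('00000002-0000-0ff1-ce00-000000000000',   # Exchange Online (well-known; verify in docs)
                   '00000003-0000-0ff1-ce00-000000000000')   # SharePoint Online (well-known; verify in docs)
$DepName       = 'Contoso-CK-Policy'

# Step 1 (the Azure administrators of each subscription): remove the services' key permissions.
# With both vaults unreachable the mailboxes under the DEP enter the "key unavailable" state that the
# revocation demo shows; data is not yet destroyed, because the Recovery Key copy still exists.
foreach ($vault in $Vaults) {
    foreach ($appId in $ServiceAppIds) {
        Remove-AzKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $appId -WhatIf:$DryRun
    }
}

# Step 2: record the purge request on the DEP, with the reason and the person Microsoft should
# contact while processing the notarized Data Deletion Document
Set-DataEncryptionPolicy -Identity $DepName -PermanentDataPurgeRequested `
    -PermanentDataPurgeReason 'Tenant decommission approved by legal (ticket <placeholder>)' `
    -PermanentDataPurgeContact 'Jane Doe, Compliance Officer, <placeholder contact>' -WhatIf:$DryRun

# Step 3: confirm the flag is recorded before sending the Data Deletion Document
Get-DataEncryptionPolicy -Identity $DepName |
    Format-List Name, PermanentDataPurgeRequested, PermanentDataPurgeReason, PermanentDataPurgeContact
```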

Exchange Revocation
Demonstrate the key-unavailable experience

A mailbox under a DEP where both Customer Keys are unavailable

SharePoint Revocation
On an already revoked tenant, demonstrate the user experience

Recap and Key Takeaways
1. Value of Service Encryption and Customer Key
2. How to onboard
3. How to exercise revocation
4. Microsoft's commitment and your recovery options

Resources
Technical documents to get started
Customer Key FAQ
Encryption in the Microsoft Cloud whitepaper

Other recommended sessions
Title | Time | Location
SaaS Encryption: lies, damned lies, and hard truths | Thursday, September 28, 2:00 PM - 2:45 PM | OCCC West Hall F3-4
Implementing Bring Your Own Key with Azure Information Protection and Azure Key Vault | | Hands on Labs Room
Encryption key management strategies for compliance | Thursday, September 28, 10:15 AM - 11:00 AM | OCCC W240
Protect and control your sensitive emails with new Office 365 Message Encryption capabilities | Tuesday, September 26, 4:00 PM - 5:15 PM | OCCC West Hall B4
Taming the Beast - How We Secure the World's Largest Enterprise Cloud Service | Wednesday, September 27, 4:30 PM - 5:15 PM | OCCC W205

Please evaluate this session
From your PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations
Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp
Your input is important!
