Application Security
11/26/2013
02:56 PM
Microsoft Office 365 Encrypted Email On Tap

Microsoft's Office 365 Message Encryption feature will let organizations encrypt outbound email selectively via transport rules, though recipients will need an Office 365 or Microsoft account ID to read the mail.


Microsoft is planning to roll out a new Office 365 feature that will allow users who subscribe to one of the company's high-end enterprise hosting plans to send encrypted email messages.

Dubbed Office 365 Message Encryption, the optional feature will work with a range of email systems and clients, including Exchange Server, Outlook.com, Gmail, Yahoo, Lotus Notes, GroupWise, and SquirrelMail. Recipients will see an encrypted attachment in their email which, when opened, launches a browser window. To view the message, a recipient will first have to authenticate using an Office 365 or Microsoft account ID.

Microsoft Exchange product marketing manager Shobhit Sahay said in a blog post that the approach "is designed to help you send confidential messages to people outside your company simply and securely, without the administrative overhead required to use S/MIME or similar technologies," referring to encryption techniques that require keys to be managed client-side.

He added that messages are encrypted before they leave Microsoft's datacenter "to prevent any spoofing or misdirection," and are protected in transit using TLS/SSL. The data contained in the encrypted message is stored in Microsoft's datacenter on disks protected with BitLocker encryption. Encrypted email recipients can also enable two-factor authentication on their Microsoft account, adding a further layer of access control. One caveat a practitioner should weigh: because the encryption is applied at Microsoft's gateway rather than on the sender's machine, Microsoft holds the keys. The scheme protects the message from eavesdroppers in transit and from third-party mail systems along the way, but not from the service provider itself, and BitLocker guards data at rest only against physical access to the disks, not against anyone with access to the running service.

Microsoft said the encryption service will not be available for Office 365 users in China.


In the wake of National Security Agency whistleblower Edward Snowden's leaks, which have revealed that the agency's digital dragnet has been intercepting information sent and received by millions of Americans, interest has surged in data encryption and encrypted email. Information security experts have said that while encrypting data may not prevent the NSA -- or any other technologically sophisticated organization -- from capturing and eventually decoding it, encryption raises the effort required considerably.

Snowden, notably, used an encrypted webmail service known as Lavabit, although that was more akin to an encrypted version of Gmail, rather than Microsoft's new Office 365 feature.

Historically, however, many email users shied away from employing client-based data encryption tools such as PGP, owing to perceived installation and management challenges. But Sahay promised that operating Microsoft's encrypted email service would be straightforward. "The Message Encryption interface, based on Outlook Web App, is modern and easy to navigate. You can easily find information and perform quick tasks such as reply, forward, insert, attach, and so on," he said. "As an added measure of protection, when the receiver replies to the sender of the encrypted message or forwards the message, those emails are also encrypted."

Beyond personal use, another possible application for more widespread email encryption would be to give businesses more techniques for securing sensitive information, for example, for banks sending credit card statements to customers via email, mortgage brokers querying information from customers via email, and physicians sending health information to patients.

For outgoing messages, encryption can also be applied using transport rules, which can be configured, for example, to encrypt only messages that contain specified keywords or are addressed to specified recipients. The rules can be managed either through the Exchange admin web interface or with PowerShell.
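As an added illustration of that transport-rule approach (example code, not from the article or from Microsoft's documentation), the rules below are written with the Exchange Online PowerShell cmdlets as I know them: New-TransportRule with -SubjectOrBodyContainsWords, -SentTo, -SentToScope and -ApplyOME. The ExchangeOnlineManagement module, the admin account, the rule names, the keyword list and the partner address are all assumptions chosen for the example.

```powershell
# Added example, not code from the article. Assumes the ExchangeOnlineManagement
# module is installed and the account has Exchange admin rights on the tenant.
# Names, keywords and addresses below are illustrative.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Rule 1: keyword-triggered encryption. Only fires when the message leaves
# the organization (-SentToScope NotInOrganization), so internal traffic
# carrying the same words is left alone.
New-TransportRule -Name "OME: keyword-triggered encryption" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "confidential", "account statement", "PHI" `
    -ApplyOME $true

# Rule 2: recipient-triggered encryption. Everything sent to a specific
# external mailbox is wrapped, regardless of content.
New-TransportRule -Name "OME: partner intake mailbox" `
    -SentTo "intake@partner.example" `
    -ApplyOME $true

# Check: list every rule that applies Message Encryption in evaluation
# order (lower Priority wins) and confirm each is enabled. A disabled rule,
# or one shadowed by a higher-priority rule with an exception, silently
# sends the message in the clear.
Get-TransportRule | Where-Object { $_.ApplyOME } |
    Sort-Object Priority |
    Format-Table Priority, Name, State, SentToScope, SubjectOrBodyContainsWords -AutoSize
```

Keyword matching is a blunt instrument: a statement sent as a PDF whose body says only "see attached" will not trip Rule 1, which is why a recipient- or sender-based rule like Rule 2 is usually paired with it for the high-value flows (bank statements, medical records) the article mentions. In tenants that have moved to the newer rights-management-based encryption, -ApplyOME has been superseded by -ApplyRightsProtectionTemplate; verify which parameter your tenant accepts before relying on either.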

The encrypted email feature, which Microsoft plans to introduce by the end of March 2014, will be added to the Office 365 enterprise-level E3 ($20/user/month) and E4 ($22/user/month) plans, as part of their Windows Azure Active Directory Rights Management feature. That includes a variety of information-protection features, such as the ability to prevent internal users from forwarding a message, as well as restricting messages to "read only," meaning they can't be copied, printed, saved, or edited.

Office 365 Message Encryption will replace Exchange Hosted Encryption (EHE) for anyone currently using it. "Like EHE, Office 365 Message Encryption works with Office 365 mailboxes as well as with on-premises mailboxes that use Exchange Online Protection," Sahay said. All EHE users will soon be moved to the Office 365 Message Encryption service.


Comments
Stratustician, User Rank: Apprentice, 12/2/2013 | 7:28:42 PM
I'm still not convinced...
While I love the idea of email providers (or solutions as in this case) building in encryption, I don't see the masses appreciating this as much as enterprises would like to think. 

One of the biggest reasons employees use corporate email addresses to send non-business emails is to send files.  With the advent of cloud storage, this has probably dropped the number of folks using corporate email in a way that would lend itself to data loss risk.  In reality, most security tools should be able to flag emails with sensitive information, so at this point, what would encryption really achieve?

Yes, sending corporate emails in general has the risk of potentially being intercepted by unwanted parties, but until we can prove without a doubt that this form of encryption is indeed untampered, there is really no immediate benefit in terms of security in the way that Microsoft would probably like to believe.

AustinIT, User Rank: Apprentice, 11/29/2013 | 12:20:52 PM
Too bad Office365 Small Biz Premium is not included
Too bad that the Small Business Premium version of Office365 is not included in the email encryption feature addition. Many small businesses and individuals on those plans could really benefit from this new feature...

samicksha, User Rank: Apprentice, 11/27/2013 | 4:54:40 AM
Re: on tap for who? NSA?
I want to thank the author for bringing this blog; I have been reading about this topic earlier also. The need and demand for keeping your private data secure is an important issue; moreover, one question I often read is: Will it have a backdoor for the NSA? Not sure though.

MikeSullivan73, User Rank: Apprentice, 11/26/2013 | 4:17:50 PM
on tap for who? NSA?
Great article, however this is integrated into 365 and it's there to compete with other providers.

In reality if it's not independent it's not really safe from prying eyes...

I would recommend something independent like:

gpg
datamotion
galaxkey

All independent and work across platforms :)

Mike