Microsoft is planning to roll out a new Office 365 feature that will allow users who subscribe to one of the company's high-end enterprise hosting plans to send encrypted email messages.
Dubbed Office 365 Message Encryption, the optional feature will work with a range of email clients, including Exchange Server, Outlook.com, Gmail, Yahoo, Lotus Notes, GroupWise, and Squirrel Mail. Encrypted message recipients will see an encrypted message attachment in their email, which when double-clicked will open in a browser window. To view the message, a recipient will first have to authenticate using an Office 365 or Microsoft account ID.
Microsoft Exchange product marketing manager Shobhit Sahay said in a blog post that the approach "is designed to help you send confidential messages to people outside your company simply and securely, without the administrative overhead required to use S/MIME or similar technologies," referring to encryption techniques that require keys to be managed client-side.
He added that messages are encrypted before leaving Microsoft's datacenter "to prevent any spoofing or misdirection," and secured throughout transit using TLS and SSL. Meanwhile, the data contained in the encrypted message is stored in Microsoft's datacenter using BitLocker disk-level encryption. Encrypted email recipients can also employ two-factor with their Microsoft account ID, thus adding a further layer of access security.
Microsoft said the encryption service will not be available for Office 365 users in China.
[Will encryption matter if the NSA has infected your PC? Read NSA Surveillance Infected 50,000 PCs With Malware.]
In the wake of National Security Agency whistleblower Edward Snowden's leaks, which have revealed that the agency's digital dragnet has been intercepting information sent and received by millions of Americans, interest has surged in data encryption and encrypted email. Information security experts have said that while encrypting data may not prevent the NSA -- or any other technologically sophisticated organization -- from capturing and decoding it, encryption does require a much greater degree of effort.
Snowden, notably, used an encrypted webmail service known as Lavabit, although that was more akin to an encrypted version of Gmail, rather than Microsoft's new Office 365 feature.
Historically, however, many email users shied away from employing client-based data encryption tools such as PGP, owing to perceived installation and management challenges. But Sahay promised that operating Microsoft's encrypted email service would be straightforward. "The Message Encryption interface, based on Outlook Web App, is modern and easy to navigate. You can easily find information and perform quick tasks such as reply, forward, insert, attach, and so on," he said. "As an added measure of protection, when the receiver replies to the sender of the encrypted message or forwards the message, those emails are also encrypted."
Beyond personal use, another possible application for more widespread email encryption would be to give businesses more techniques for securing sensitive information, for example, for banks sending credit card statements to customers via email, mortgage brokers querying information from customers via email, and physicians sending health information to patients.
For outgoing messages, encryption can also be applied using transport rules, which can be configured, for example, to only encrypt messages that include specified keywords or email addresses -- can be managed either via a Web-based interface, or the Microsoft PowerShell scripting language.
The encrypted email feature, which Microsoft plans to introduce by the end of March 2014, will be added to the Office 365 enterprise-level E3 ($20/user/month) and E4 ($22/user/month) plans, as part of their Windows Azure Active Directory Rights Management feature. That includes a variety of information-protection features, such as the ability to prevent internal users from forwarding a message, as well as restricting messages to "read only," meaning they can't be copied, printed, saved, or edited.
Note that for anyone currently using Exchange Hosted Encryption (EHE), it will be replaced by Office 365 Message Encryption. "Like EHE, Office 365 Message Encryption works with Office 365 mailboxes as well as with on-premises mailboxes that use Exchange Online Protection," Sahay said. All EHE users will soon be moved to the Office 365 Message Encryption service.
Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters. Also in the The Great Email Migration issue of InformationWeek Government: Lessons from a successful government data site. (Free registration required.)