Shobhit Sahay is product marketing manager on the Microsoft Exchange team.
We’re pleased to announce the upcoming release of Office 365 Message Encryption, a new service that lets you send encrypted emails to people outside your company. No matter what the destination-Outlook.com, Yahoo, Gmail, Exchange Server, Lotus Notes, GroupWise, Squirrel Mail, you name it-you can send sensitive business communications with an additional level of protection against unauthorized access. There are many business situations where this type of encryption is essential. We’ve listed just a few.
- A bank sending credit card statements to customers over email.
- An insurance company providing details about the policy to clients.
- A mortgage broker requesting financial information from a customer for a loan application.
- A healthcare provider using encrypted messages to send healthcare information to patients.
- An attorney sending confidential information to a client or another attorney.
- A consultant sending a contract to a client.
- A therapist providing a patient diagnosis to an insurance company.
Office 365 Message Encryption is the new version of Exchange Hosted Encryption (EHE). This version includes all of the capabilities of EHE plus new features, such as the ability to apply your company’s branding to encrypted messages. Like EHE, Office 365 Message Encryption works with Office 365 mailboxes as well as with on-premises mailboxes that use Exchange Online Protection.
Here’s the added good news: Office 365 E3 and E4 users will get Office 365 Message Encryption at no extra cost. We’re including it in Windows Azure Rights Management, which is already part of E3 and E4 plans. We’re also including it in the standalone version of Windows Azure Rights Management, without raising the price of that service. For $2 per user per month you can get a complete solution for internal and external information protection: traditional Rights Management capabilities like Do Not Forward for internal users, plus the new ability to encrypt outbound messages to any recipient.
Let’s take a closer look at how Office 365 Message Encryption works.
Setting up encryption
Administrators set up transport rules to apply Office 365 Message Encryption when emails match specified criteria. Transport rules provide great flexibility and control, and can be managed via a web-based interface or PowerShell.
Setting up the transport rules is simple. Administrators simply select the action to apply encryption or remove encryption in the Exchange admin center. This is an improvement over EHE, which required complex headers and multiple setup steps.
You set up Office 365 Message Encryption rules in the Exchange admin center.
Once the admin sets up the rules, whenever anyone in the company sends a message that matches the conditions, the message is encrypted using Office 365 Message Encryption. The outgoing message is encrypted before it is delivered to the outside mail server to prevent any spoofing or misdirection.
Receiving and responding to encrypted messages
When an external recipient receives an encrypted message from your company, they see an encrypted attachment and an instruction to view the encrypted message.
The encrypted message appears as an attachment in a message in the recipient’s inbox, with instructions for how to view it.
You can open the attachment right from your inbox, and the attachment opens in a new browser window. To view the message, you just follow the simple instructions for authenticating via your Office 365 ID or Microsoft Account.
Once you are authenticated, the content of an encrypted message appears.
The Message Encryption interface, based on Outlook Web App, is modern and easy to navigate. You can easily find information and perform quick tasks such as reply, forward, insert, attach, and so on. As an added measure of protection, when the receiver replies to the sender of the encrypted message or forwards the message, those emails are also encrypted.
When you reply to an encrypted message you’ve received, your reply is also encrypted.
Applying custom branding
Office 365 Message Encryption allows you to customize the branding on your company’s encrypted messages and portal where the message is viewed. The customization is not limited just to your company logo, but can also extend to the text in the header, disclaimer, and the portal text in the sent email.
With Message Encryption, you can customize the disclaimer text and header text in your company’s encrypted emails.
You can also customize your company Logo and portal text that appear in your encrypted emails.
Administrators can use PowerShell cmdlets to set up the branding for these texts and images.
PowerShell can be used to set up different branding texts and logo emails encrypted in Message Encryption.
With Office 365 Message Encryption you can send sensitive information to people outside your organization with the confidence that that information is protected. We’re excited to bring its new capabilities to you, and we look forward to hearing your feedback.
— Shobhit Sahay
Q. When will Office 365 Message Encryption be available?
A. Office 365 Message Encryption will be available for purchase during the first quarter of 2014, and customers who are currently using Exchange Hosted Encryption (EHE) will be upgraded to Office 365 Message Encryption beginning in the same timeframe. EHE customers can learn more about the upgrade by visiting the EHE Upgrade Center.
Q: How do I get Office 365 Message Encryption?
A: Office 365 Message Encryption will be available as part of Windows Azure Rights Management. Office 365 Enterprise E3 and E4 users will get Office 365 Message Encryption at no extra cost. We’re including it in Windows Azure Rights Management, which is already part of the E3 and E4 plans. We’re also including it in the standalone version of Windows Azure Rights Management, without raising the price of that service. Office 365 Message Encryption is available as an add-on for other Office 365 plans and for standalone plans. For example, Exchange Online Kiosk Plan 1 and Plan 2 customers will be able to add the service to their subscriptions at a cost of $2 per user per month.
Office 365 Message Encryption is also available to Exchange on-premises customers who purchase Windows Azure Rights Management service. Office 365 Message Encryption requires on-premises customers to route email through Exchange Online, either by using Exchange Online Protection for email filtering or by establishing hybrid mail-flow.
Q. I am currently an Exchange Hosted Encryption (EHE) Subscriber. What happens to my subscription?
Customers who are currently using Exchange Hosted Encryption (EHE) will be upgraded to Office 365 Message Encryption beginning in the first quarter of 2014. EHE customers can learn more information about the upgrade by visiting the EHE Upgrade Center.
Q. How does Office 365 Message Encryption relate to other encryption technologies?
A. A variety of encryption technologies work together in Office 365 to provide protection for emails at rest and in transit:
- TLS encrypts the tunnel between mail server to help prevent snooping/eavesdropping.
- SSL encrypts the connection between mail clients and Office 365 servers.
- BitLocker encrypts the data on the hard drives in the datacenter so that if someone gets unauthorized access to the machine they can’t read it.
- Information Rights Management. Windows Azure Rights Management in Office 365 prevents sensitive information from being printed, forwarded, or copiedby unauthorized people inside the organization.
- S/MIME is an encryption scheme that uses client-side encryption keys, popular for some government B2B scenarios. Read more about the upcoming S/MIME enhancements in Office 365 here.
Office 365 Message Encryption is designed to help you send confidential messages to people outside your company simply and securely, without the administrative overhead required to use S/MIME or similar technologies. It’s an outside-the-company companion to Information Rights Management, which is why it’s included as part of the Windows Azure Rights Management offering.