From Inside the Cloud: What controls do we provide to protect your data in transit in Office 365?

Asaf Kashi is the group program manager in the Office 365 Information Protection team.

In our last few posts in our From Inside the Cloud series, my colleagues and lead engineers, Perry Clarke, Vivek Sharma and Kamal Janardhan shared insider overviews on how we design and run various aspects of security, privacy and compliance in Office 365.  Today, I would like to share an overview of the controls you have within Office 365 to protect your data in transit.

As I explain in today’s three-minute video—we protect your data in transit on two levels: first, by encrypting all data in transit at the service level, and second, by providing solutions you can use to detect and proactively prevent data from going out to unintended recipients in the first place. Let me explain.

How your data is protected in transit

At the service level, we encrypt all data between your users and the Office 365 service using Transport Layer Security (TLS), the protocol that superseded SSL. This protects your data from anyone eavesdropping on the network between you and the service.

Beyond network security, we provide proactive detection and prevention with Data Loss Prevention (DLP) and customer controlled encryption capabilities.

With DLP, you can detect different types of sensitive data in the content or files being shared by your users, investigate the findings and take appropriate actions. These actions include making your users aware of the sensitivity of the content they are sharing, or blocking them outright from sharing particular sensitive content at all. You can even vary the action depending on whether the recipients are internal or external. We ship many templates out of the box for different industries and geographies, which let you easily create policies that protect standard sensitive data types such as credit card numbers and social security numbers. Beyond providing protection, this capability also helps you demonstrate compliance with industry regulations.
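As an added illustration of the DLP flow just described (example code, not Office 365's own engine), here is a small policy evaluator: it detects credit card numbers (validated with a Luhn check) and US social security number patterns in a message body and, as an assumed policy, notifies the sender when every recipient is internal but blocks the send when any recipient is external. The tenant domain `contoso.example`, the message dictionary shape and the sample messages are assumptions constructed for this example.

```python
import re

# Assumed tenant domain; recipients outside it count as external.
INTERNAL_DOMAIN = "contoso.example"

# 13-16 digits with optional single space/hyphen separators, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# US SSN layout NNN-NN-NNNN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (type, matched_text) pairs for each sensitive item found."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(("credit_card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


def evaluate(message: dict) -> dict:
    """Apply the assumed policy: allow clean mail, notify internal, block external."""
    hits = find_sensitive(message["body"])
    if not hits:
        return {"action": "allow", "hits": [], "external": []}
    suffix = "@" + INTERNAL_DOMAIN
    external = [r for r in message["to"] if not r.lower().endswith(suffix)]
    action = "block" if external else "notify"
    return {"action": action, "hits": hits, "external": external}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        {"to": ["bob@contoso.example"], "body": "Card on file: 4111 1111 1111 1111"},
        {"to": ["partner@other.example"], "body": "Applicant SSN 123-45-6789"},
        {"to": ["x@other.example"], "body": "Ticket ref 1234 5678 9012 3456"},
    ]
    for s in samples:
        print(s["to"], "->", evaluate(s))
```

The third sample is a 16-digit run that fails the Luhn check, so it is allowed through; a production DLP engine layers further evidence (keywords, proximity, confidence levels) on top of such pattern matches.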

Encryption solutions to support productivity and usability

Encryption is a well-known way to protect data. With Office 365 we are committed to providing various ways to encrypt your data while at rest or in transit. While encrypting data to protect it is interesting, we understand that our customers find real value in productivity and usability. To enable productivity without compromising security, we think about encryption as a continuum of solutions and scenarios—where each scenario might call for a different protection solution. Today we have three different encryption solutions for different scenarios, and we continue to invest in high-value, relevant solutions for data protection.

Our first encryption mechanism is Rights Management Services (RMS), which is mostly used when you are communicating within your organization or with your trusted business partners. A common usage model here is to control the way the content can be used, such as “Do not forward” and “Do not print,” and to provide an encryption mechanism that prevents man-in-the-middle attacks and ensures that only the intended recipients can view the content.

Our second encryption mechanism is Office 365 Message Encryption, which allows you, as a business, to communicate with your customers or consumers using any SMTP email address. You don’t need to know whether your consumer has a particular device or a particular application in order for them to consume the encrypted content. This gives you a way to send encrypted content such as mortgage applications or medical records, which your consumer might only look at once, while letting you confirm that the information was encrypted.

Our third encryption mechanism in Office 365 is S/MIME. This is a certificate-based encryption mechanism that allows any two clients to communicate securely, independent of the servers or services between them. It is commonly used by businesses that communicate with government agencies, or by government agencies communicating amongst themselves.

Core to our approach is providing you with solutions to protect your information while it is within your organization’s Office 365 environment or in our service, based on your needs. Protecting your data in transit is therefore a combination of network-level security between you and Microsoft and the capabilities we provide in the cloud to detect and prevent sensitive data from leaving your organization. Together, those capabilities allow us to protect your data in transit.

For more information please refer to the detailed whitepaper, Customer controls for Information Protection in Office 365 in the Office 365 Trust Center.

I hope that today’s explanation starts to clarify how we approach protecting your information in Office 365.

Let us know what you’re thinking—send us your comments and questions and of course you can find out more on this topic by visiting the Office 365 Trust Center.

—Asaf Kashi