In the first six parts of this series (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6), I’ve covered the basics of encryption, BitLocker, TLS, Office 365 Message Encryption, Information Rights Management, and S/MIME. In part seven, I’m going to wrap the discussion of encryption within Exchange Online by providing a quick summary of each option and giving some examples of the best circumstances in which to use each.
BitLocker is an encryption technology designed for protecting data at rest. In Exchange Online, all data drives are protected by BitLocker without the need for individual tenant administrators to take any actions. I’ve included BitLocker in this list just for the sake of completeness.
Transport Layer Security:
Transport Layer Security (TLS) is an encryption technology designed to provide a secure communications channel between two organizations. TLS is best used in circumstances when your organization needs to ensure that all email sent to another organization is sent securely without needing any user action. You can configure TLS on send and receive connectors used to handle traffic to specific partners or other organizations.
In the on-premises version of Exchange it is possible to configure TLS so that users are notified when an outgoing message will be routed over a TLS encrypted connection. This feature is called Domain Secure. Domain Secure is not available in Exchange Online.
Office 365 Message Encryption:
Office 365 Message Encryption (OME) is probably the closest thing to what the average user thinks of when they consider encrypted email. When used, OME encrypts and stores messages sent to recipients outside Office 365. The message recipient is sent a notification to log into OME to access the encrypted message.
There are multiple ways that OME can be triggered for a specific message. I find the best way to trigger OME for a specific message is via a transport rule. Transport rules give tenant administrators the ability to define a set of circumstances that will apply OME protection to messages. Transport rules can trigger OME based on a key work in the subject line, or messages going to a specific user or domain. In Part 3 of this series I showed how to setup a transport rule to trigger OME when the subject line of a message starts with the word “Secure”.
Information Rights Management:
Information Rights Management (IRM) is not really intended to be an encryption technology. IRM is designed to allow users to control how the content of messages are used by recipients, with this control being enforced via encryption technology.
IRM allows a user to apply a predefined template to a message. The template contains details of the rights to access content that are allowed to recipients. Exchange Online provides 3 default templates for IRM. If those three templates do not completely meet your organization’s needs, you can create your own templates to meet custom conditions.
IRM is best used within your organization. A CEO may need to send a companywide message with details of an upcoming deal that has to remain within the company until the deal is finalized. IRM can be used to ensure that message cannot be forwarded by the recipients. IRM will not prevent all malicious behavior, but it does provide a framework for helping honest employees respect your organization’s rules.
Only the default "Do Not Forward" IRM template can be used outside of your organization and that template can only be used to send messages to other Office 365 tenants. In order to use IRM with messages that are sent to organizations outside of Office 365 you would have to do extensive setup of your own PKI in your on-premises Active Directory.
Secure/Multipurpose Internet Mail Extensions:
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a client side encryption technology. Both the strength and the weakness of S/MIME is that the encryption is done on the client side. This means that your messages are protected from any unauthorized access by administrators within your tenant, but it also means that transport rules and virus protection cannot access your S/MIME encrypted messages to apply their protections.
Because of the way public key encryption works (outlined in Part 1 of this series), S/MIME works “backwards”. That is to say, setting up your S/MIME certificate allows other people to send you encrypted messages. S/MIME can work for users outside of your organization as well as for users on completely different messaging platforms to send you encrypted email. But that process is not nearly as smooth as the OME service.
Client to Server communications:
Regardless of the type of encryption you use, all communication between your Outlook client and the Exchange server within Exchange Online is encrypted. That communication may flow over MAPI/HTTP, RPC over HTTP, or possibly even other protocols. You can look at the connections established between Outlook and Exchange Online by holding down the control key and right-clicking on the Outlook icon in your system try. From the menu, select Outlook Connection Status and a window will open that shows all connections between your Outlook client and Exchange.
Once you message traffic gets to the Exchange servers you can be assure that it is handled securely through the entire transport stack.
Wrapping up encryption in Exchange Online:
We’re around seven thousand words, and two months, into this series on encryption in Exchange Online and I think we’ve got it pretty well covered. There are four different ways (five if you count BitLocker) you can encrypt your message traffic in Exchange Online and each of them provides different protections for different situations. Hopefully, if you’ve gotten this far, you have learned something new about your options for securing your messages within Exchange Online. I know I did. If you still have any questions, let me know in the comments below.