Microsoft this week announced a preview of Double Key Encryption for data created with Microsoft 365 applications.
It’s yet another Microsoft 365 data protection scheme, where one key gets stored in Microsoft Azure datacenters, accessible to Microsoft, while the other key is stored by the customer. Here’s how Double Key Encryption was described in an announcement by Alym Rayani, senior director of Microsoft 365:
Double Key Encryption for Microsoft 365 uses two keys to protect your data, with one key in your control and the second in Microsoft’s control. To view the data, one must have access to both keys. Since Microsoft can access only one key, your data and key are unavailable to Microsoft, helping to ensure the privacy and security of your data.
Double Key Encryption comes on top of existing encryption schemes for customer data, which happen when the data is stored in Microsoft’s datacenters (“at rest”) and when the data is in transit.
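As an added illustration of the property the announcement describes (this is not Microsoft’s code or its published protocol), the sketch below encrypts a document under a fresh content key and wraps that key under two independent long-term keys, so that a holder of either key alone fails the authentication check and never recovers the content key. The cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC) and the layer order (customer key inside, Azure key outside) are assumptions of this illustration, chosen so it runs on the Python standard library alone.

```python
import hashlib, hmac, os, struct
NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key, label):
    # Derive independent encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # PRF counter mode: block i = HMAC-SHA256(enc_key, nonce || i).
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        i += 1
    return out[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    # Check the tag first: a wrong key is rejected before anything is decrypted.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def dke_protect(customer_key, azure_key, document):
    # Fresh content key per document; wrap it under BOTH long-term keys
    # (inner layer: customer-held key, outer layer: Azure-held key; assumed order).
    content_key = os.urandom(32)
    ciphertext = seal(content_key, document)
    wrapped_key = seal(azure_key, seal(customer_key, content_key))
    return ciphertext, wrapped_key
def dke_unprotect(customer_key, azure_key, ciphertext, wrapped_key):
    # Peel the Azure layer, then the customer layer; a holder of one key
    # fails at the other layer's tag check and never sees the content key.
    inner = unseal(azure_key, wrapped_key)
    return unseal(unseal(customer_key, inner), ciphertext)
def can_read(customer_key, azure_key, ciphertext, wrapped_key):
    # True only if this pair of keys recovers the document.
    try:
        return dke_unprotect(customer_key, azure_key, ciphertext, wrapped_key) is not None
    except ValueError:
        return False
```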
Double Key Encryption is described by Microsoft as being different from the Microsoft Information Protection service, which lets organizations label and protect access to sensitive files. Organizations that are “highly regulated,” such as financial and health care organizations, can use the Double Key Encryption service to stay compliant with regulations, including European Union GDPR data residency requirements, Microsoft’s announcement suggested.
Here’s how the announcement expressed that notion:
You can move your highly sensitive data to the cloud and be confident about preventing third-party access as you maintain full control of your key. Double Key Encryption allows you to store your data and key in the same location and helps meet regulatory requirements across several regulations and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Russia’s data localization law – Federal Law No. 242-FZ, Australia’s Federal Privacy Act 1988, and New Zealand’s Privacy Act 1993.
Azure Information Protection Dependency
Oddly, Double Key Encryption has a dependency on using the Azure Information Protection unified labeling client for labeling protected data. “DKE works with sensitivity labels and requires Azure Information Protection,” a Microsoft overview document explained. Additionally, Microsoft 365 E5 licensing is required.
What’s odd about the Azure Information Protection client dependency is that Microsoft had announced in March that “the AIP client (classic) will be sunsetting on March 31, 2021.” Microsoft wants organizations to transition to using the Microsoft Information Protection service instead. Why organizations would need to use a client that’s subject to deprecation next year to use the new Double Key Encryption preview wasn’t explained.
Microsoft has somewhat similar protections available for users of Azure services.
Microsoft already has an Azure Key Vault protection scheme for Azure services that was commercially released five years ago. It’s designed for developers and chief security officers to assure regulatory compliance with software-as-a-service applications. Apparently, Azure Key Vault depends on a single key, stored in Azure datacenters, that’s “designed so that Microsoft does not see or extract your keys,” according to a Microsoft description of Azure Key Vault.
Also on the Azure side, Microsoft has an Azure Confidential Computing security solution that’s designed to protect sensitive data when it gets processed on Azure datacenters. Azure Confidential Computing was described back at the preview stage as protecting data against “malicious insiders” with administrative privileges, external hackers exploiting software flaws, plus third parties.