Microsoft Outlook has been a cornerstone of the business world for decades. It’s where many organizations send emails, plan meetings and share files. As security challenges mount, it’s essential to implement the best protection for the platform itself and all emails within Outlook.
Encryption remains the industry standard for data protection, but it comes in a variety of forms and services. Microsoft offers built-in encryption options with benefits and downsides for each one. Third-party providers like Virtru supplement those options with encryption services that integrate directly into Outlook.
Outlook’s Native Encryption Options
Microsoft provides a number of options for encrypting your Outlook emails. However, most of them aren’t particularly user-friendly—and they still leave gaps in your email protection.
Those gaps aren’t just a security risk. They’re a serious problem for businesses that need to comply with data protection regulations such as HIPAA, CJIS or GDPR. The majority of regulations require persistent data protection, and incomplete protection options don’t offer enough security.
Transport Layer Security (TLS) is the current standard of protection for email servers. All large platforms provide TLS encryption, which protects your emails within the network or while in transit. Outlook transmits any messages you send through an encrypted channel, which keeps eavesdroppers out; it also encrypts the server your emails are hosted on.
Think of TLS like a bunker system. Your server is a bunker with strong walls. When you send an email, it goes through a protected underground tunnel right to another bunker (the recipient’s server). Emails at rest and in transit are fully protected by a perimeter of encryption.
The great thing is, you don’t need to do anything to set this up—it’s included in Outlook by default. However, it’s not a perfect solution. TLS doesn’t affect anything within that bunker system: your emails themselves are still just plain text. If an enemy does enter the bunker, your emails are unprotected.
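The distinction above, a protected tunnel around a message that is itself still plain text, can be checked on any stored message. The following is an added example, not part of the original article: it reads the Received trace headers (RFC 3848 keywords such as ESMTPS) and the top-level Content-Type of a constructed sample message. The hostnames, addresses and function names are assumptions made for illustration.

```python
import email
import re
from email import policy

# Constructed sample message (not real traffic): three hops, plain-text body.
RAW = """\
Received: from edge.sender.example (edge.sender.example [192.0.2.10])
 by mx.recipient.example with ESMTPS id 3 (version=TLS1_3);
 Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.sender.example (relay.sender.example [192.0.2.5])
 by edge.sender.example with ESMTP id 2;
 Mon, 1 Jan 2024 10:00:02 +0000
Received: from client.sender.example (client.sender.example [192.0.2.77])
 by relay.sender.example with ESMTPSA id 1;
 Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Q4 numbers
Content-Type: text/plain; charset=utf-8

Salary table pasted below in plain text.
"""

# RFC 3848 "with" keywords: a trailing S (before an optional A) means TLS was used.
PROTO = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)(S?)A?)\b", re.I)

def hop_transport(received: str) -> str:
    """Classify one Received header as 'tls' or 'cleartext'.
    Best effort only: each relay writes its own header and formats vary."""
    m = PROTO.search(received)
    if (m and m.group(2)) or re.search(r"version=TLS", received, re.I):
        return "tls"
    return "cleartext"

def body_protection(msg) -> str:
    """Report whether the message itself is encrypted, independent of transport."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if msg.get_param("smime-type") == "enveloped-data":
            return "smime-encrypted"
    if ctype == "multipart/encrypted":
        return "mime-encrypted"
    return "plaintext"  # readable by every server that stores or relays it

def audit(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [hop_transport(str(h)) for h in msg.get_all("Received", [])]
    return {"hops": hops, "body": body_protection(msg)}

if __name__ == "__main__":
    print(audit(RAW))
```

Even when every hop reports TLS, a "plaintext" body result means the content is readable wherever the message is stored.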
Office 365 Message Encryption (OME)
Microsoft also offers OME, which allows you to encrypt text within emails. This native feature is fairly secure when used properly, but it has significant drawbacks: depending on the version of Outlook, setup can be complicated and time-consuming, and encryption functionalities are only optimized for certain Outlook recipients.
Office 365 Message Encryption is included in an Office license (use is limited depending on your subscription level). If you have an Office 365 subscription, it actually seems pretty easy to set up. To encrypt email messages, just click the “Encrypt” button and select the rules you want to enforce. You can also dig through your settings to encrypt all outgoing messages by default. This encrypts your email’s text and all its attachments.
Sounds easy, right? Unfortunately, it’s not that straightforward. There are three critical issues:
1. An admin will need to define transport rules to determine how a message is encrypted.
Microsoft’s screenshot is deceiving here. The only default options are “Encrypt” and “Do Not Forward.” If you need to customize any rules, an admin will need to go through a hefty setup process and configure encryption settings for that rule.
Moreover, automatic encryption rules are only enforced after Microsoft has read your unencrypted message to see if the content meets any of those rules, so your email content is fully visible to Microsoft.
2. OME is easy–if both the sender and the recipient have the right applications to support that encryption.
Outlook’s encryption works best with other Outlook servers. If your recipients use Outlook 365 or certain newer versions of Outlook for PC, they’ll be able to open the encrypted message normally. Any other platform (including other Outlook options) is more complicated.
OME can work with Yahoo!, Gmail and other standard clients, but in a time-consuming and fractured way. Recipients are redirected to an Outlook web page to sign in or request a one-time password in order to read messages in a browser window.
3. Setup varies wildly across different Outlook versions and subscriptions.
Microsoft’s setup page for Outlook encryption is pretty hard to follow because there isn’t one hard-and-fast rule that defines OME. It’s not particularly user-friendly or consistent.
In some cases, you can simply click the Encrypt button. In others, you’ll see a permissions button. You may see an options tab, which leads to more options, which has a dialogue box launcher, which leads to security settings, where you can select the encryption option… for a single message.
Even then, some recipients may need a key to open messages: “Only the recipient who has the private key that matches the public key used to encrypt the message can decipher the message for reading.”
Office 365 Message Encryption definitely improves the security of your emails. It also adds significantly to the workload required to secure those emails.
S/MIME and Legacy Systems
Outlook also supports S/MIME encryption, which is an older encryption format. However, it’s not a superior option: S/MIME has all of the downsides of OME and then some.
First of all, you need to install a special certificate before you can use S/MIME in Outlook. Second, both the sender and the recipient need to have S/MIME encryption standards configured on their mail application. If your email is going to someone without S/MIME set up, it simply won’t be readable for that person. Unfortunately, it’s not widely supported, so many recipients will be unable to set S/MIME up at all. Even if the message sends properly, you’ll need to give the recipient your encryption key to manually decode the email.
Third, S/MIME is also insecure. It’s vulnerable to outside attacks, like message takeovers; it also increases risk because users need to exchange encryption keys. If that key is compromised for any reason, your emails are no longer secure.
Other common encryption standards like PGP have their own weaknesses and can be tricky to implement. Additionally, they’re not officially supported by Outlook, unlike S/MIME.
Azure Rights Management Services (RMS)
Azure RMS is another Microsoft security tool that protects your data with encryption, identity and authorization policies. This protection is data-centric, meaning it stays with your data wherever it goes. Only authorized people or programs will be able to read your data (in this case, an email). If you have a technical background, you can also configure end-to-end encryption within RMS.
RMS is a powerful tool, but it’s cumbersome to set up and requires some technical expertise. Activation, bootstrapping (or initialization) and protection together make for a hefty process. For users without the time or background, or who simply want to secure their email effectively, RMS is not an optimal choice.
Filling in the Gaps with Virtru
Virtru overcomes the limits of other encryption options. Our services integrate seamlessly with Outlook to provide easy, secure end-to-end encryption. With Virtru, you have full access control, including email expiration, revocation and instant access. Your encryption keys are stored separately from your encrypted emails, ensuring that only the right eyes see your content. You don’t need certificates, special software, a new account or one-time passwords–even if the recipient doesn’t use Virtru.
Best of all: it’s incredibly user-friendly and easy to set up. All your options and settings are visible right from your dashboard. You can even search through encrypted content. It’s the same usability you’re used to from Outlook, just with top-of-the-line security—and since usability is key to whether or not people actually use those security measures, that’s a pretty important feature.