Microsoft Email Encryption – Options for Advanced Data Protection and Privacy
Microsoft – specifically its cloud collaboration suite, Office 365 – provides powerful default data protection and privacy capabilities, but some organizations may need additional functionality to meet advanced business privacy, regulatory, and data residency requirements.
Microsoft offers native Office 365 add-ons for email encryption. However, Gartner notes that 35% of Office 365 customers seek third-party solutions for email security, either as a supplement to Microsoft's offerings or as a full replacement.
Office 365 organizations look beyond Microsoft’s default and native capabilities for several reasons. From more secure architectures to differentiated features, third-party plugins — like Virtru — provide administrators and end users with added ease of use, security, and cross-platform control.
Two Microsoft offerings for email encryption and data protection are built on Azure Rights Management (Azure RMS):
- Office 365 Message Encryption (OME) – OME lets customers send emails with message-level encryption that goes beyond the Transport Layer Security (TLS) which, by default, protects mail only in transit (between Outlook Desktop or Outlook Web App (OWA) and Exchange, and between mail servers that support it). OME can also be applied automatically by mail flow and data loss prevention (DLP) rules that an administrator preconfigures.
- Azure Information Protection (AIP) – and its on-premises counterpart, Information Rights Management (IRM) – lets customers apply usage restrictions to email messages shared with other Microsoft recipients.
Third-party Microsoft email encryption solutions integrate with Office 365 to combine the capabilities of OME and AIP with additional features. Because these products are not built by Microsoft, they are licensed separately from Office 365.
With Azure RMS the protection is applied on Microsoft's servers, not on the sender's device: the message leaves the device protected only by Transport Layer Security (TLS), arrives at Microsoft's servers in the clear, and is encrypted there with keys that Microsoft manages. Microsoft, and any intermediary that handles the message before protection is applied, can therefore read the content, which makes certain data residency, privacy, and compliance requirements (CJIS, EAR, and others) harder to meet.
In contrast, Virtru's Microsoft email encryption encrypts the message on the client with AES-256 from the moment the sender hits 'send', so the content never transits or rests on Microsoft's servers in the clear. The content stays encrypted from start to finish, and only the sender and the intended recipients are granted access to it.
For organizations that want exclusive control of the keys protecting their data, Virtru offers a Customer Key Server (CKS) option. With CKS, the encryption keys hosted on Virtru's servers are themselves encrypted with additional keys that only the customer can access, so no key can be released without the customer's participation.
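The key hierarchy the two paragraphs above describe, as an added example in PowerShell. This is not Virtru's code and uses none of Virtru's APIs; the cipher choices (AES-256-CBC with HMAC-SHA256, encrypt-then-MAC), the 64-byte key layout, the two-layer wrap and the function names are assumptions made for illustration.

```powershell
# Added example, not Virtru's code: a simplified model of client-side encryption with a
# customer-held wrapping key. Assumptions: AES-256-CBC plus HMAC-SHA256 (encrypt-then-MAC)
# for both content and key wrapping, 64-byte keys (32 for AES, 32 for HMAC), a fresh random
# IV per operation. Requires PowerShell 5.1 or 7. Naming and the two-layer wrap are illustrative.
#
# Key hierarchy modelled here:
#   content key   (one per message, generated on the sender's device)
#     wrapped by  key-server key  (held by the encryption provider)
#       wrapped by customer key   (held only by the customer, the "CKS" idea)
# The provider stores only the doubly-wrapped blob, so every key release needs the customer.

function New-RandomBytes {
    param([int]$Length)
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return ,$bytes
}

function Protect-Bytes {
    # Output layout: IV (16) | AES-CBC ciphertext | HMAC-SHA256 tag (32) over IV+ciphertext
    param([byte[]]$Key, [byte[]]$Plaintext)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [byte[]]($Key[0..31])
    $aes.GenerateIV()
    $enc  = $aes.CreateEncryptor()
    $body = [byte[]]($aes.IV + $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length))
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([byte[]]($Key[32..63]))
    $tag  = $hmac.ComputeHash($body)
    $aes.Dispose(); $hmac.Dispose()
    return ,[byte[]]($body + $tag)
}

function Unprotect-Bytes {
    param([byte[]]$Key, [byte[]]$Blob)
    $body = [byte[]]($Blob[0..($Blob.Length - 33)])
    $tag  = [byte[]]($Blob[($Blob.Length - 32)..($Blob.Length - 1)])
    # Verify the tag before touching the ciphertext; a wrong key fails here deterministically
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([byte[]]($Key[32..63]))
    $expected = $hmac.ComputeHash($body)
    $hmac.Dispose()
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "authentication failed: wrong key or modified blob" }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [byte[]]($Key[0..31])
    $aes.IV  = [byte[]]($body[0..15])
    $dec   = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($body, 16, $body.Length - 16)
    $aes.Dispose()
    return ,$plain
}

# --- Sender's device: the only place the message exists in the clear ---
$contentKey = New-RandomBytes 64
$message    = [System.Text.Encoding]::UTF8.GetBytes("Constructed sample: quarterly audit findings attached")
$ciphertext = Protect-Bytes -Key $contentKey -Plaintext $message   # this is all that transits Microsoft

# --- Key server: stores the content key wrapped, never in the clear ---
$providerKey = New-RandomBytes 64   # held by the provider
$customerKey = New-RandomBytes 64   # held by the customer's CKS; never leaves the customer
$storedBlob  = Protect-Bytes -Key $customerKey -Plaintext (Protect-Bytes -Key $providerKey -Plaintext $contentKey)

# Provider acting alone: has $providerKey and $storedBlob but not $customerKey
try {
    Unprotect-Bytes -Key $providerKey -Blob $storedBlob | Out-Null
    Write-Output "unexpected: provider unwrapped the key alone"
} catch {
    Write-Output "provider alone cannot release the key: $($_.Exception.Message)"
}

# Authorized release: customer unwraps the outer layer, provider the inner, recipient decrypts
$inner       = Unprotect-Bytes -Key $customerKey -Blob $storedBlob
$releasedKey = Unprotect-Bytes -Key $providerKey -Blob $inner
$recovered   = [System.Text.Encoding]::UTF8.GetString((Unprotect-Bytes -Key $releasedKey -Blob $ciphertext))
Write-Output "recipient reads: $recovered"
```

Run it in PowerShell 5.1 or 7: the first attempt fails on the HMAC check and the second recovers the message. The point is structural rather than cryptographic: the mail store holds only `$ciphertext`, the provider only `$storedBlob` and `$providerKey`, and no key release completes without the customer's `$customerKey`. A production key server would use a standard authenticated mode such as AES-GCM or a dedicated key-wrap construction rather than this hand-assembled CBC+HMAC pairing.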
Ease of Use for Sending Microsoft Encrypted Emails
In a typical Azure RMS deployment, encryption is triggered by a mail flow rule: the user must include a particular text string in the subject or body of the email (the string, often something like 'encrypt', is chosen by the Office 365 administrator). If the user forgets the keyword, the rule does not fire and the email is sent without RMS protection.
Azure RMS can also encrypt messages using data loss prevention (DLP) rules configured by administrators to detect and automatically encrypt sensitive information.
Virtru emails can be encrypted on-demand on the client-side: With the flip of a switch, messages and files are sent securely. Like Azure RMS, Virtru can also encrypt at the network level via DLP rules that automatically encrypt content before it leaves the organization.
Ease of Use for Receiving Microsoft Encrypted Emails
Recipients whose organization has Azure RMS configured can read Azure RMS messages transparently in Outlook. Recipients who do not have Azure RMS receive a notification email containing an HTML attachment and instructions on how to open it.
A common complaint from Azure RMS users is that their recipients often refuse to open the attachment in this first message for fear of phishing. Administrators report that this experience is frustrating because it asks recipients to deviate from security policies that caution against opening unexpected attachments. As anti-phishing software, end-user training, and such policies become more pervasive, this problem is only likely to grow.
Recipients who do open the attachment are then offered a choice: create a new Microsoft account, sign in with an existing Microsoft account, or request a one-time passcode sent to their email address. Unlike Virtru, Azure RMS recipients cannot authenticate with non-Microsoft accounts, which adds friction for external users.
In comparison, Virtru users can read emails directly from their inboxes. Non-Virtru users can read and respond to emails from a web-based Secure Reader after authenticating with their existing email credentials. Reading an email secured by Virtru will not require a new password or new software.
Ease of Use for Configuration
After activating Azure RMS, administrators must connect to Exchange Online through PowerShell, Microsoft's task automation and configuration management framework, which consists of a command-line shell and a .NET-based scripting language; the Exchange settings involved are exposed as PowerShell cmdlets. Administrators therefore need PowerShell experience to configure Exchange to use AIP.
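As an added example that is not from the original page or from Microsoft's documentation, the Exchange Online PowerShell cmdlets an administrator would run to enable Azure RMS for Exchange Online, verify the setup, and create both the keyword-triggered rule and the policy-triggered (DLP-style) rule the page describes. It assumes the ExchangeOnlineManagement module, an account holding the Exchange administrator role, and a tenant licensed for Azure RMS; the rule names, the keyword, the addresses and the sensitive-information threshold are placeholders to replace.

```powershell
# Added example, not from the page or from Microsoft: Exchange Online PowerShell steps to
# enable Azure RMS and add keyword- and policy-triggered encryption rules.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
# Rule names, the keyword, addresses and thresholds below are placeholders.

Install-Module ExchangeOnlineManagement -Scope CurrentUser        # one-time
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example    # interactive sign-in

# 1. Check the current state, then enable Azure RMS for Exchange Online
Get-IRMConfiguration | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled
Set-IRMConfiguration -AzureRMSLicensingEnabled $true

# 2. Verify: this fetches templates from Azure RMS and performs a test protection.
#    Expect "OVERALL RESULT: PASS". A FAIL on the licensing or template steps means the
#    rules below will not protect anything, and mail would flow on unencrypted.
Test-IRMConfiguration -Sender alice@contoso.example

# 3. Templates the rules can apply ("Encrypt", "Do Not Forward", plus any custom AIP labels)
Get-RMSTemplate | Select-Object Name, Description

# 4. Keyword-triggered rule: "encrypt" in the subject or body of mail leaving the tenant
#    applies the Encrypt template. If the sender omits the keyword, nothing happens.
New-TransportRule -Name "Encrypt on keyword" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "encrypt" `
    -ApplyRightsProtectionTemplate "Encrypt"

# 5. Policy-triggered rule (the DLP path): sensitive content is encrypted even when the
#    sender forgets the keyword. "Credit Card Number" is one of Microsoft's built-in
#    sensitive information types; MinCount is a placeholder to tune for your tenant.
New-TransportRule -Name "Encrypt credit card numbers" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = "Credit Card Number"; MinCount = 1 } `
    -ApplyRightsProtectionTemplate "Encrypt"

# 6. Review which rules apply protection, and in what order (lower Priority wins)
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, Priority, ApplyRightsProtectionTemplate
```

Both rules are evaluated on Microsoft's side after the message has left the sender's device, which is the point the data residency discussion below turns on: the inspection in step 5 necessarily happens on unencrypted content.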
Configuring Virtru is simpler: Individuals can download the plugins directly from Virtru’s website or administrators can push them to end users. For server-level encryption via Virtru’s Network Data Protection, administrators must install the software on their servers or in their cloud environment. For backend integrations in On-Premise, Azure, or Federated AD environments, Virtru provides instructions and an installer that can be configured in minutes.
Ease of Use for DLP
Data Loss Prevention (DLP) with Azure RMS offers many options, including mandatory encryption. However, every DLP rule requires Microsoft's servers to inspect the message in the clear, which some data residency regulations do not allow.
Virtru DLP scans content on the end user's device before the message is sent, keeping the inspection inside the regulated boundary and preventing third parties, including Microsoft, from accessing the data.
Both Virtru and Microsoft offer digital rights management (DRM) style controls that allow implementation of granular access and usage restrictions for emails and files. However, Azure RMS message controls do not work when sharing with non-Microsoft users. By contrast, Virtru controls are available cross-platform, regardless of with whom you share content.
Virtru offers the following control features, which can be applied no matter where you are sharing information:
- Revoke message access
- Set expiry times
- Forwarding tracking and control
- Read receipts
- PDF watermarking
These protections are persistent across mail servers, for all domains.
Ready to learn about how Virtru’s Microsoft email encryption can work with your organization? Let’s chat.