Azure RMS, Exchange Online, and BYOK


by Tony Redmond on 7/6/2016

Applies to: Azure RMS, Bring Your Own Key, BYOK, encryption, Exchange Online, information protection, Office 365, Rights Management Services, security

Office 365 makes it much easier to protect confidential information using Azure Rights Management Services (RMS). Companies often want to control the encryption keys used to protect information using a process called “Bring Your Own Key” (BYOK). Azure RMS supports BYOK for Office 365 but only if you accept some significant reductions in Exchange Online functionality.

BYOK means “bring your own key” and is a method for companies to ensure that they manage the encryption key used to secure tenant data through Azure Rights Management Services (RMS). The keys are created and managed by the tenant and supplied to Microsoft, where they are held in a Thales hardware security module (HSM) that is owned and managed by Microsoft. However, Microsoft never has access to the keys and therefore can never access the data protected by those keys. Of course, Microsoft could attempt to gain access to the keys and use them to decrypt data, but that would be foiled by the tenant revoking the keys and thus making all the protected content unreadable (for anyone).

If you don’t use BYOK, Microsoft manages the RMS key, also known as the Server Licensor Certificate (SLC), on your behalf. Most companies are quite happy for Microsoft to take care of encryption as they possess neither the expertise nor the interest to take on the responsibility of key management. Things are a little different in larger companies, especially those dealing with particularly sensitive information, where it is not deemed sufficient to allow a cloud provider to manage encryption keys.

Compared to the on-premises situation, Microsoft makes it really easy for tenants to use Azure RMS to protect files stored in SharePoint and OneDrive sites and messages circulating through Exchange. All of the heavy lifting that’s required to configure and deploy RMS on-premises largely disappears within Office 365.

Information Rights Management (IRM), which uses RMS to protect sensitive files, is baked into SharePoint Online and Exchange Online and the Office 2013 and 2016 desktop applications. Control is exercised through IRM templates, which determine the set of actions that a recipient can take with content, such as whether they can forward or print a message. Figure 1 shows how a template called “Sensitive Board Reports” is applied to a new Outlook message. Protected messages can be shared with external recipients, who have to connect to the Office 365 RMS servers to validate what actions they can take with the content.


Figure 1: Applying an IRM template to an Outlook message

The ease with which IRM can be used inside Office 365 means that tenants who subscribe to the E3 plan (or above) really have no excuse for not protecting sensitive data with IRM.

A further level of automation is promised through Azure Information Protection, which builds on Azure RMS to apply persistent protection through IRM templates that are based on the classification and labelling of files. For example, a document that is labelled as “Top Secret” will automatically have the appropriate IRM template applied to it. The protection is persistent in that it applies even when information leaves an organization, meaning that even the most sensitive data can be shared with partners. Protected files can also be tracked in terms of who accesses their content and where those people are located and, if necessary because some violation is detected, access can be revoked.

Microsoft won’t release Azure Information Protection until later this year so no detailed information is yet available about how this will all play out with Office 365. All we can expect is that the additional functionality will cost more.

Returning to BYOK, apart from the additional complexity that a company takes on when it decides to manage its own keys, some important restrictions exist with Exchange Online that can make BYOK a non-starter for tenants that make extensive use of email. The restrictions are:

  • Protected emails or protected attachments in Outlook Web Access cannot be displayed. (Outlook clients can display the content.)
  • Protected emails on mobile devices that use Exchange ActiveSync IRM cannot be displayed.
  • Transport decryption (for example, to scan for malware) and journal decryption are not possible, so protected emails and protected attachments will be skipped.
  • Transport protection rules and data loss prevention (DLP) rules that enforce IRM policies are not possible, so RMS protection cannot be applied by using these methods.
  • Although the metadata of protected messages (including attachments) can be indexed, the content of these items (including attachments) cannot. The result is that protected items might be overlooked by eDiscovery searches.

Microsoft terms this condition “Azure RMS BYOK with reduced RMS functionality for Exchange Online” and the situation arises because Exchange Online uses an older version of the RMS SDK, which means that it doesn’t support BYOK. Basically, any attempt by the server to decrypt content for display fails. For example, when the transport system processes messages, it invokes the set of transport rules defined for the organization. These rules might contain some Data Loss Prevention (DLP) rules to check message text and attachments to ensure that items don’t contain sensitive data. Because the encrypted content remains inaccessible, the check cannot be performed. The same is true when OWA clients attempt to fetch protected data from the server. On the other hand, Outlook clients know how to deal with BYOK and are therefore able to decrypt content.
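To turn the list of restrictions above into something a tenant administrator can act on, here is an added example (not code from the article or from Microsoft) that reads the tenant’s current IRM configuration and reports which of the affected features are switched on, so that their silent failure under BYOK can be weighed before the key is handed over. It assumes an existing Exchange Online PowerShell session with rights to run Get-IRMConfiguration, Get-TransportRule and Get-MobileDeviceMailboxPolicy; the function name Get-ByokIrmImpact and the shape of its output are this example’s own choices, while the property names are those returned by the cmdlets.

```powershell
# Added example, not the article's or Microsoft's code: report the IRM features
# that the article says stop working under Azure RMS BYOK, based on what is
# currently enabled in the tenant. Assumes an Exchange Online PowerShell session.
function Get-ByokIrmImpact {
    [CmdletBinding()]
    param()

    $irm = Get-IRMConfiguration
    $findings = New-Object System.Collections.Generic.List[object]

    # Small helper (this example's own) that appends one row to the report.
    function Add-Finding([string]$Feature, [string]$Evidence, [string]$Impact) {
        $findings.Add([pscustomobject]@{
            Feature  = $Feature
            Evidence = $Evidence
            Impact   = $Impact
        })
    }

    # 1. Transport decryption: malware scanning and transport rule inspection of
    #    protected content depend on it, and BYOK content stays encrypted.
    if ($irm.TransportDecryptionSetting -ne 'Disabled') {
        Add-Finding 'Transport decryption' `
            "TransportDecryptionSetting = $($irm.TransportDecryptionSetting)" `
            'Protected messages and attachments are skipped by transport decryption.'
    }

    # 2. Journal report decryption.
    if ($irm.JournalReportDecryptionEnabled) {
        Add-Finding 'Journal decryption' `
            'JournalReportDecryptionEnabled = True' `
            'Journal reports keep protected items in encrypted form.'
    }

    # 3. Server-side rendering of protected items for Outlook Web Access.
    if ($irm.ClientAccessServerEnabled) {
        Add-Finding 'OWA display of protected mail' `
            'ClientAccessServerEnabled = True' `
            'OWA users cannot open protected messages or attachments; Outlook still can.'
    }

    # 4. Content indexing of protected items, on which eDiscovery searches rely.
    if ($irm.SearchEnabled) {
        Add-Finding 'Search of protected content' `
            'SearchEnabled = True' `
            'Only metadata is indexed; protected bodies and attachments may be missed by eDiscovery.'
    }

    # 5. Transport rules (DLP actions included) that apply an RMS template.
    $rmsRules = Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate }
    foreach ($rule in $rmsRules) {
        Add-Finding 'Transport rule applying IRM' `
            "Rule '$($rule.Name)' applies template '$($rule.ApplyRightsProtectionTemplate)'" `
            'The rule cannot apply protection while BYOK is in use.'
    }

    # 6. Exchange ActiveSync mailbox policies that allow IRM on mobile devices.
    $irmPolicies = Get-MobileDeviceMailboxPolicy | Where-Object { $_.IrmEnabled }
    foreach ($policy in $irmPolicies) {
        Add-Finding 'ActiveSync IRM' `
            "Policy '$($policy.Name)' has IrmEnabled = True" `
            'Devices under this policy cannot display protected messages.'
    }

    return $findings
}

# Usage: list what BYOK would leave non-functional in this tenant.
Get-ByokIrmImpact | Format-Table -AutoSize
```

The script does not detect whether BYOK is already in use; it only shows which of the affected features the tenant currently depends on, which is the input a decision about BYOK actually needs. An empty report means none of the listed Exchange Online features are enabled, so the reduced functionality would cost the tenant little.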

The situation is likely to change in the future. It has to because it’s a whopping gap in Microsoft’s BYOK coverage that needs to be closed in order to convince any tenant that deals with very sensitive data to move to the cloud. In the interim, stay tuned – and if you’re not interested in BYOK but have E3 or better licenses, try out IRM and see how easy it really is to have protected content in the cloud.

Follow Tony on Twitter @12Knocksinna

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

Topic: Security
