
Banking-Grade BYOK for Office 365

Keeping data secure and private is essential for many organizations and institutions, such as banks and ministries. That security and privacy must always be assured and must remain under the control of the institution or organization.

In keeping with this critical need for data security, Microsoft 365 allows users to work with either Microsoft-managed keys or BYOK to protect all their documents and data. Cryptomathic’s banking-grade CKMS is the first lifecycle key management system and first HSM-agnostic solution to be validated by Microsoft for their new Bring Your Own Key method for MS Azure Key Vault to support Office 365.

Microsoft Managed Keys

Microsoft can manage all cryptographic keys used by their Azure cloud services, including root keys used for service encryption. This option is available for OneDrive for Business, SharePoint Online, and Exchange Online and is the default service encryption.

The advantage of using Microsoft Managed Keys is that it’s easier for a business to set up such a service if it isn’t subject to certain compliance requirements on encryption and key management (such as PCI DSS).

All data will remain encrypted using Microsoft Managed Keys. 

The great disadvantage is that the customer risks being caught in a vendor lock-in. Getting data out, e.g., when moving to a different cloud or into a different subscription service for office tools, will be a tedious, time-consuming and consequently costly process. Decryption and re-encryption might also create an open flank for data theft.

Also, the customer is not in control of data security or data privacy. For security-regulated institutions like governments or banks, this option would not comply with regulatory requirements.

Bring Your Own Key, called Customer Key at Microsoft

With the BYOK or Customer Key option, the customer supplies the root keys to be used with service encryption and manages those keys using the Azure Key Vault. Microsoft manages all other keys. In this approach of Bring Your Own Key (BYOK), Customer Key is available for OneDrive for Business, SharePoint Online, and Exchange Online.

There are multiple benefits to service encryption using Customer Key, including:

  • Strong encryption protection with added rights protection and management features
  • No third party, e.g. Microsoft or any other service provider, has access to unencrypted data
  • An option that allows multi-tenant services to provide per-tenant key management
  • The ability to separate Windows operating system administrators from accessing customer data that is stored or processed by the operating system
  • Enhanced functionality of Microsoft 365 to meet the demands of customers with compliance requirements for encryption

Customer Key allows users to generate their own cryptographic keys, whether using an on-premises Hardware Security Module (HSM) or Azure Key Vault (AKV). No matter how the key is generated, users can use AKV to control and manage the keys that Office 365 uses. Once the keys are stored in AKV, they can be used as the root for a keychain that encrypts the user’s data or files.

With Customer Key, users have control over how Microsoft processes their data. If the user decides to remove their data from Office 365, it can be done using Customer Key as a technical control. 

Using a banking-grade key management system, the whole life cycle of the keys can be managed in a streamlined, automated and highly secure way.

This ensures that no one, including Microsoft employees, can access or process that data at any time during the keys’ life cycle.

Communication, documentation and data are managed in a secure way, allowing Office 365 to be used in security-sensitive environments like banks and governments, all while maintaining compliance with relevant regulations.

Cryptomathic is first with BYOK Solution for Microsoft’s Azure Key Vault

Cryptomathic was the first to launch a full lifecycle and HSM-agnostic “Bring Your Own Key” solution for Microsoft’s Azure Key Vault including Office 365. 

Previously, BYOK support for Azure’s Key Vault was possible only by using a single vendor’s HSM. Now Microsoft supports a new protocol that is open to HSM and other security-centric vendors. Cryptomathic is an early supporter of this standard and the first to support it with a comprehensive banking-grade key management system, CKMS.

CKMS pushes Azure Key Vault BYOK keys automatically to the cloud under the institute’s dictated key management policies and manages the keys throughout the whole key life cycle. Legally required audits are made possible on customer sites. CKMS allows for multiple HSM brands, putting the choice of an HSM vendor in the customer’s hands. This HSM-agnostic approach gives organizations broad support of their applications both in the cloud and on-premises with bank-grade security and compliance.

Another advantage for the customer is that CKMS can be the single key management system across the institute's hybrid cloud, securing processes in the local data-center as well as in the various cloud applications. 

This embeds the management of keys for Office 365 into the institute’s overall key management process, with the same policies and without additional workload, time or operational costs.

And there is one additional important point: centralizing key management does away with heterogeneous and error-prone manual security architectures. It thus reduces the risk of open flanks and consolidates a stringent, compliant and easy-to-manage security infrastructure.

In 2020, CKMS was officially validated by Microsoft for its new key import method to the family of products supporting Azure Key Vault BYOK.

