Despite NSA Crypto-Meddling, Microsoft Plans Office 365 Encrypted Email

The new service from Microsoft lets users send encrypted emails to people outside the company, no matter what the destination

The service lets users send encrypted emails to people outside the company, no matter what the destination: Outlook.com, Yahoo, Gmail, Exchange Server, Lotus Notes, GroupWise, Squirrel Mail or any other webmail service included.

Office 365 Message Encryption includes all of the capabilities of EHE plus new features, such as the ability to apply a company's branding to encrypted messages. Like EHE, Office 365 Message Encryption works with Office 365 mailboxes as well as with on-premises mailboxes that use Exchange Online Protection. In terms of technologies, TLS encrypts the tunnel between mail servers to help prevent snooping and eavesdropping; SSL encrypts the connection between mail clients and Office 365 servers; and BitLocker encrypts the data on the hard drives in the data center, so that if someone gets unauthorized access to the machine they can't read it.

There are of course many business situations where this type of encryption is essential, such as a bank sending credit card statements to customers or an insurance company providing details about the policy to clients. A healthcare provider can use encrypted messages to send healthcare information to patients, and attorneys can send confidential information to a client or another attorney.

Shobhit Sahay, a product marketing manager on the Microsoft Exchange team, explained in a blog that Office 365 E3 and E4 users will get Office 365 Message Encryption at no extra cost, because Microsoft is including it in Windows Azure Rights Management, which is already part of E3 and E4 plans. It’s also including it in the standalone version of Windows Azure Rights Management. For $2 per user per month companies can gain both internal and external information protection: traditional rights management capabilities like do not forward for internal users, plus the new ability to encrypt outbound messages to any recipient.

Administrators can set up transport rules to apply Office 365 Message Encryption when emails match specified criteria. Once the admin sets up the rules, whenever anyone in the company sends a message that matches the conditions, the message is encrypted using Office 365 Message Encryption. The outgoing message is encrypted before it is delivered to the outside mail server to prevent any spoofing or misdirection.

The encrypted message then appears as an attachment in a message in the recipient's inbox, with instructions for how to view it. That person can open the attachment right from their inbox, and the attachment opens in a new browser window. When the receiver replies to the sender of the encrypted message or forwards the message, those emails are also encrypted.

Office 365 Message Encryption will be available for purchase during the first quarter of 2014, and customers who are currently using EHE will be upgraded to Office 365 Message Encryption beginning in the same timeframe.

Meanwhile, NIST is reviewing all of its cryptographic standards and its peer-review development process in the wake of revelations that the National Security Agency has been able to weaken its encryption algorithms to carry out surveillance. Documents leaked by Edward Snowden in September showed that the NSA spends $250 million a year on a project called “SIGINT Enabling” to secretly undermine encryption. A main goal of that effort is to “use the agency’s influence” within the peer-review process to weaken the encryption standards that NIST and other standards bodies around the world publish.
