If you’re wondering what would stop Microsoft simply claiming that it didn’t have access, or admins doing more than the logs show, Rich points to the Government Security Program Microsoft runs to provide controlled access to Microsoft source code, which NATO recently renewed. “We agree with our customers, we want to take the lockbox code and have it be part of a program that allows third-party code reviews and shows it doesn’t have side doors or back doors.”
Delivering the Lockbox meant rewriting the Office services to remove the default inherited from the on-premises server software, where the admin always had access to the data. That’s been done for Exchange and the Lockbox option is already available; it will be an option for SharePoint in Q1 of 2016.
Office 365 is also moving from relying on BitLocker to encrypt the servers that workloads run on, which doesn’t protect them while they’re running, to encrypting at the application layer. That’s been done for SharePoint already and is in progress for Exchange. Microsoft’s Rich predicts it will be ready by the end of 2015, with Skype for Business following later. “That separates the data administrator from the service administrator much more strongly,” he claims. That will enable BYOK too. “We’ll be wrapping the key that we use in the application layer to protect mailbox content with the Azure Key Vault key that the customer owns.”
“When the service is fully released, our plan is to offer customers a small number of keys, perhaps 10 or 20, that you use with your tenant for Exchange, SharePoint and Skype for Business. Most customers say they don’t need more than a handful of keys, say three keys for America, Europe and APAC that they put in Key Vault HSMs in those geographies.”
Those keys will need safeguarding but it won’t make running Office 365 much more complicated, he predicts. “You will do a minimal amount of management, to rotate the keys occasionally,” says Rich. “The way you use these keys is as an exit strategy for the whole service. In normal operation, we don’t have access to your content; if a human needs access then the Office Lockbox is the answer and you know who had access and when. The key in the Key Vault is used to turn all the lights out at once when you leave the building.”
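The key hierarchy Rich describes above (a per-tenant content key held by the service, wrapped by a key the customer owns in Key Vault) is easy to misread as "the customer's key encrypts the mailboxes". The following is an added example, not Microsoft's code, that models the arrangement end to end: the customer vault never releases its KEK, the service persists only the wrapped DEK, rotating the customer key rewraps the DEK without touching stored content, and revoking the customer key makes the content unreadable, which is the "turn all the lights out" exit. The AEAD is a standard-library stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) so it runs offline; a real service would use AES-GCM or similar. All names, tenants and message bodies are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in AEAD: HMAC-SHA256 in counter mode as the keystream, a separate HMAC
# subkey for the tag, encrypt-then-MAC. Not AES-GCM; the key hierarchy is the point.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _mac(key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix aad so (aad, nonce, ct) cannot be re-split ambiguously.
    msg = len(aad).to_bytes(4, "big") + aad + nonce + ct
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + _mac(key, aad, nonce, ct)

def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before decrypting; raise ValueError on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, aad, nonce, ct)):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class CustomerKeyVault:
    """Models the customer-owned Key Vault (hypothetical). KEKs never leave it;
    callers hand in a DEK to wrap, or a wrapped DEK to unwrap, and get only the result."""
    def __init__(self):
        self._keys = {}

    def create_key(self, name: str) -> str:
        self._keys[name] = secrets.token_bytes(32)
        return name

    def wrap(self, name: str, dek: bytes) -> bytes:
        return seal(self._keys[name], dek, aad=name.encode())

    def unwrap(self, name: str, wrapped: bytes) -> bytes:
        if name not in self._keys:
            raise KeyError(f"key {name!r} has been revoked or never existed")
        return unseal(self._keys[name], wrapped, aad=name.encode())

    def revoke(self, name: str) -> None:
        # The customer's "lights out": every DEK wrapped under this KEK is now unrecoverable.
        del self._keys[name]

class MailboxService:
    """Models application-layer encryption (hypothetical service). Each tenant's
    content is sealed under a per-tenant DEK; the service stores only the DEK
    wrapped by the customer's KEK, never the KEK or the plaintext DEK."""
    def __init__(self, vault: CustomerKeyVault):
        self.vault = vault
        self.tenants = {}  # tenant -> {"kek": name, "wrapped_dek": bytes, "items": [blob, ...]}

    def onboard(self, tenant: str, kek_name: str) -> None:
        dek = secrets.token_bytes(32)
        self.tenants[tenant] = {"kek": kek_name, "wrapped_dek": self.vault.wrap(kek_name, dek), "items": []}

    def _dek(self, tenant: str) -> bytes:
        t = self.tenants[tenant]
        return self.vault.unwrap(t["kek"], t["wrapped_dek"])  # fails once the KEK is revoked

    def store_item(self, tenant: str, body: bytes) -> None:
        self.tenants[tenant]["items"].append(seal(self._dek(tenant), body, aad=tenant.encode()))

    def read_items(self, tenant: str) -> list:
        dek = self._dek(tenant)
        return [unseal(dek, blob, aad=tenant.encode()) for blob in self.tenants[tenant]["items"]]

    def rotate_customer_key(self, tenant: str, new_kek_name: str) -> None:
        # Rotation rewraps the DEK under the new KEK; stored content is not re-encrypted.
        t = self.tenants[tenant]
        dek = self._dek(tenant)
        t["kek"], t["wrapped_dek"] = new_kek_name, self.vault.wrap(new_kek_name, dek)

def demo():
    """Walk through store, rotate, and revoke; returns (items read after rotation,
    whether stored ciphertext was untouched by rotation, whether revocation locked the data)."""
    vault = CustomerKeyVault()
    service = MailboxService(vault)
    service.onboard("contoso", vault.create_key("contoso-emea-2015"))  # constructed names
    service.store_item("contoso", b"Subject: Q1 roadmap")               # constructed content
    before = list(service.tenants["contoso"]["items"])
    service.rotate_customer_key("contoso", vault.create_key("contoso-emea-2016"))
    after_rotate = service.read_items("contoso")
    unchanged = before == service.tenants["contoso"]["items"]
    vault.revoke("contoso-emea-2016")
    try:
        service.read_items("contoso")
        lights_out = False
    except KeyError:
        lights_out = True
    return after_rotate, unchanged, lights_out

if __name__ == "__main__":
    print(demo())
```

The service only ever calls `wrap` and `unwrap`; a production deployment would cache the unwrapped DEK in memory for a bounded time, so the lock-out takes effect when that cache expires rather than instantly, which is worth stating in a runbook before relying on revocation as an exit strategy.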
Secure your keys
Given how few businesses are securing the keys they’re already responsible for, according to a survey last year, BYOK and HYOK will be beyond the scope of many businesses. The Ponemon Institute found half of enterprises have no centralized controls for their SSH keys and many don’t rotate keys, which leaves them more vulnerable to attack. Losing cloud encryption keys would be even more problematic, as you’ll lose data permanently.