In this blog post on the subject of security, we explain what Microsoft Information Protection and Double key Encryption are.
In most companies, only a small proportion of data and documents can be described as highly sensitive. These may not be stored in the public cloud due to regulations. This is precisely where Microsoft Information Protection comes in with Double Key Encryption (DKE).
What is Double Key Encryption, Microsoft Information Protection, an appliance and SaaS?
Double Key Encryption
Double key encryption is the encryption of a document with 2 independent keys provided by separate providers. Access is only possible with both.
Microsoft Information Protection
Microsoft Information Protection provides functions to support the classification of documents.
Appliance
An appliance provides the key management function in the form of preconfigured hardware. These are available from various providers and can be operated in the internal data center to provide the second key.
SaaS
The abbreviation SaaS stands for "Software as a Service" and is used when a cloud provider makes a directly usable solution available. There are now also such providers for key management systems, which makes implementation much easier and potentially interesting for smaller companies.
How to protect your sensitive data with Information Protection
Storing sensitive data in the public cloud is a particular challenge. Mircosoft 365 has long offered the option of protecting content with Information Protection. Encryption can be used to prevent unauthorized persons from accessing content - regardless of where it is stored. The sticking point is that the key required for this is provided by Microsoft and is therefore not under the customer's control. However, this is precisely what is required for sensitive data in many cases.
A few months ago, Microsoft introduced a solution to this problem: the so-called double key method. Encryption with two keys from different sources ensures that the document can only be accessed with both keys. As usual, one of the keys is provided by Microsoft. The second key is completely in the care of the customer. The system required for this must either be provided in the customer's own data center in the form of an appliance or can also be obtained from specialist providers as an SaaS application. Microsoft Information Protection is then linked to the service and documents can be double-encrypted via the so-called sensitivity labels using the DKE option.
However, the process also has disadvantages. In addition to the increased complexity due to the dependency on two systems, certain functions from the cloud can no longer be used (e.g. indexing, Office Web Apps) - the online service has no access to the second key and can therefore no longer view the documents.
In summary, with DKE Microsoft now offers a way to store sensitive documents in Microsoft 365 - with full control over the second key.
