Thales Blog

How Microsoft and Thales Offer Enhanced Security and Compliance for Microsoft Office 365

February 3, 2022

Mike Schrock | VP Business Development, Cloud Service Providers

At the 2021 Thales Cloud Security Summit, I caught up with Benjy Levin, Program Manager, Microsoft, to discuss enhanced security and compliance for Microsoft Office 365 using Double Key Encryption (DKE) with Thales external keys and hardware security modules (HSMs). Our discussion covered topics like customer concerns and expectations, data sensitivity, regulatory compliance, and fully integrated security through DKE and Luna Key Broker.

The joint solution of Microsoft data protection with DKE and Thales Luna Key Broker meets crucial cybersecurity objectives, including secure remote work, data protection on-the-go, secure data storage and more.

Customer Concerns and Expectations

Business needs vary with each organization's data inventory and compliance requirements. As they implement security solutions, organizations want to retain control and management of cryptographic keys, avoid disruption of daily operations, and keep the same security labeling and practices they already use. When considering security and compliance, the companies' pain points are:

  • Technical control of internal access by cloud service provider (CSP)
  • CSP foreign government compliance obligations
  • Digital sovereignty

What businesses are looking for is a fully integrated security suite like Microsoft Information Protection (MIP) that provides a built-in, intelligent, unified and scalable way to protect all SaaS apps for all the various levels of data sensitivity.

Data Sensitivity and Privacy Regulations

Security is implemented based on the sensitivity of customer data. All data does not require the same level of protection or number of security controls. A typical organizational data landscape includes three levels:

  • Highly sensitive data that is subject to regulations and should be secure from third-party access
  • Sensitive data that requires enhanced protection
  • Non-sensitive data that can be moved to the cloud without enhanced security

Regulatory compliance requirements are driving the momentum toward enhanced data security and stronger encryption. Businesses have varying security and privacy requirements depending on the types of data they maintain, as well as the regions in which that data is located. Providing a unified way to categorize and label data is essential to applying the appropriate security controls and meeting regulatory compliance for the personal information and intellectual property organizations maintain.

Also of great importance is the impact of the Schrems II ruling and the European Data Protection Board's (EDPB) recommendation to separate data and keys. While CSPs and SaaS vendors scramble for ways to address EU sovereignty needs, Microsoft's Double Key Encryption (DKE) solution offers enhanced protection for highly sensitive data that must meet compliance and regulatory requirements.

What is Microsoft Double Key Encryption?

The DKE solution provides enhanced protection for highly sensitive data to meet business needs and regulatory compliance obligations. It protects sensitive customer and personal data with two keys, one of which is a business-controlled key. Because both keys are necessary to access the clear text content, organizations do not need to worry about third-party access, as they are always in control of one of the keys. This means Microsoft cannot access the customer's data: without the business-controlled key, which it does not hold, it cannot decrypt the content, and that key is only used with the customer's consent.
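The two-key property described above, modeled in Python as an added illustration that is not code from the original post, from Microsoft's DKE implementation, or from Thales: a fresh content key encrypts the document and is then wrapped under the cloud provider's key and again under the customer-held key, so that neither party can recover the content alone. The SHA-256 based seal/unseal scheme stands in for the real algorithms so the example runs with the standard library only, and the wrapping order and package layout are assumptions for illustration, not Microsoft's actual wire format.

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC scheme built from SHA-256 so the example needs only
# the standard library; it stands in for the real algorithms, not for production use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`, then decrypt; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def dke_protect(document: bytes, cloud_key: bytes, customer_key: bytes) -> dict:
    """Encrypt the document under a fresh content key, then wrap that key with
    the cloud provider's key and again with the customer-held key (in a real
    deployment the customer layer is applied inside the HSM-backed key broker).
    The layer order here is an assumption for illustration."""
    content_key = os.urandom(32)
    wrapped = seal(customer_key, seal(cloud_key, content_key))
    return {"ciphertext": seal(content_key, document), "wrapped_key": wrapped}

def dke_unprotect(package: dict, cloud_key: bytes, customer_key: bytes) -> bytes:
    """Peel the customer layer, then the cloud layer, then decrypt the content."""
    content_key = unseal(cloud_key, unseal(customer_key, package["wrapped_key"]))
    return unseal(content_key, package["ciphertext"])

def single_key_recovers(package: dict, key: bytes) -> bool:
    """True only if one key alone peels both layers; with two distinct keys it
    never does, which is what keeps the provider out of the clear text."""
    try:
        unseal(key, unseal(key, package["wrapped_key"]))
        return True
    except ValueError:
        return False
```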

How does Thales Luna Key Broker integrate with Microsoft DKE?

Thales Luna Key Broker for Microsoft DKE allows organizations to protect their most sensitive data while maintaining full control and ownership of encryption keys outside of the Azure cloud. Luna Key Broker enables you to generate and manage your encryption keys according to your own security policies while maintaining sole control of your data.

The joint solution offers flexibility, since it can be deployed either in the cloud or on-premises, and it helps meet compliance mandates such as HIPAA, GDPR and Schrems II. Keys are managed and stored in a high-assurance, FIPS 140-2 Level 3 validated Luna HSM.

Together, Microsoft DKE and Thales Luna Key Broker offer businesses a wide array of benefits, including:

  • Full control of encryption keys
  • Consistent labeling experience, because DKE is driven from the sensitivity labels used as part of Microsoft Information Protection
  • Simplified deployments based on reference code and extensive instructions
  • Centrally managed user access to key and content
  • Data stored in a location of your choice – on-premises or in the cloud

Together, Microsoft and Thales offer a solution that takes into account the varying business needs of our customers. The solution gives customers peace of mind, helps to quickly meet regulatory compliance and is simple to use.

To hear more about the Microsoft DKE solution and the partnership with Thales, watch our webinar, Enhanced Security & Compliance for MSFT 365 Using DKE & Thales External Keys, on demand.