Thales Blog

Announcing Thales HSM Backed Double Key Encryption for Microsoft Office 365 – The best of both worlds.

October 5, 2020

Mike Schrock | VP Business Development, Cloud Service Providers

For the CISO office, security architects and auditors who are focused on maintaining compliance and protecting sensitive data across their organization, one of the best practices for data security is to maintain control of, and own, the keys used to encrypt sensitive data in all applications. This is especially true for Microsoft 365, which has become the productivity suite of choice for most enterprises.

For years Thales has helped companies maintain strong control of their keys with solutions such as CipherTrust Cloud Key Manager for Bring Your Own Key (BYOK) to Azure Key Vault and Microsoft 365. Thales also supported Hold Your Own Key (HYOK) for Azure Information Protection (AIP) data labeled “top secret”, with the key held in a Thales Luna Hardware Security Module (HSM) in on-premises environments. While both of these are valuable solutions that give the customer greater control of their key material, some customers were looking for stronger controls that further reduce risk. For example, the BYOK use case assures key quality and availability, but it gives up key custody to Microsoft. In the case of HYOK, customers were limited to protecting select data types. While these solutions satisfied compliance requirements, larger enterprises with more stringent data security requirements wanted both key custody and a broader set of supported data protection use cases.

Today, Microsoft and Thales are further strengthening the data security options available to customers of Microsoft 365. Microsoft has announced general availability of Microsoft Information Protection (MIP) Double Key Encryption (DKE) for Microsoft 365, which uses two keys to protect your data: one key is in your control and a second key is stored securely in Microsoft Azure. As part of this announcement, Microsoft has partnered with Thales to manage the key in your organization’s control using a Thales Luna HSM, which you own and control and which meets the FIPS 140-2 Level 3 high-assurance NIST standard. Since Microsoft controls access to only one of these keys, your protected data remains inaccessible to Microsoft until the enterprise decides to make its key accessible. This is similar to retrieving the contents of your safe deposit box: both the bank’s key and your personal key are required to open it. The result is full control over the privacy and security of your data, because accessing your data in clear text requires both keys. In addition, you gain greater visibility, because you hold your own logs of key usage.
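To make the two-key model concrete, here is an added Python sketch (not Thales or Microsoft code) of the custody split described above: a content key is wrapped under a customer-held key and then under an Azure-held key, so recovering it needs both custodians, and withdrawing the customer key blocks decryption while leaving an audit entry. The HMAC-based keystream stands in for a real HSM key-wrap primitive, and the `KeyHolder` class is an assumed model, not DKE’s actual API.

```python
import hashlib
import hmac
import secrets


# Constructed stand-in for HSM key wrap: XOR with an HMAC-SHA256 counter
# keystream. A real deployment uses the HSM's own AES key-wrap primitive.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyHolder:
    """One key custodian (the customer's Luna HSM, or Azure). The key never
    leaves the holder; callers only get wrap/unwrap, and every unwrap is
    logged, which is the key-usage visibility the post refers to."""

    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)   # stays inside the holder
        self.enabled = True                   # custodian can withdraw access
        self.log = []                         # (operation, was_enabled)

    def wrap(self, blob: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + _keystream_xor(self._key, nonce, blob)

    def unwrap(self, wrapped: bytes) -> bytes:
        self.log.append(("unwrap", self.enabled))
        if not self.enabled:
            raise PermissionError(f"{self.name}: key access withdrawn")
        return _keystream_xor(self._key, wrapped[:16], wrapped[16:])


def protect_content_key(content_key: bytes, customer: KeyHolder, azure: KeyHolder) -> bytes:
    """Double-wrap: first under the customer-held key, then under the Azure key."""
    return azure.wrap(customer.wrap(content_key))


def recover_content_key(double_wrapped: bytes, customer: KeyHolder, azure: KeyHolder) -> bytes:
    """Unwrap in reverse order; both custodians must cooperate."""
    return customer.unwrap(azure.unwrap(double_wrapped))


def azure_alone(double_wrapped: bytes, azure: KeyHolder) -> bytes:
    """What the cloud side can reach by itself: a blob still wrapped under the customer key."""
    return azure.unwrap(double_wrapped)
```

The flip side of this property is that the customer-held key is now part of the availability story for every document protected this way: if the HSM is unreachable, nobody, including the customer, can read the data.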

Together, Microsoft and Thales deliver DKE with HSM-backed keys, giving customers migrating to Microsoft 365 the best of both cloud application data encryption and key ownership and control, while meeting the highest security assurances available for the cloud.

“Microsoft Double Key Encryption demonstrates Microsoft’s understanding and dedication to creating a cloud service that supports highly regulated environments and best practices for maintaining the highest levels of control of data in a cloud environment,” said Todd Moore, Vice President of Encryption Products at Thales. “Thales integrates with Microsoft Double Key Encryption by adding support on Thales Luna 7 Hardware Security Modules, the most deployed HSM in the world. This assures that the customer-created encryption keys and controls meet the most stringent compliance and best practice requirements set by governments and auditors.”

Additionally, Thales offers organizations the broadest set of hybrid HSM deployment options, with Luna HSMs deployed on premises, in colocation, as Luna Cloud HSM, or as an Azure Dedicated HSM service. Once both the cloud and customer infrastructures and configurations are set, day-to-day operation is as seamless as using existing AIP labeling schemes. Thales is currently running an alpha program for our new Luna 7 integration with DKE. Please reach out to your account manager if your enterprise would like to participate, and stay tuned for more details to come.