It is best practice to maintain control and own the keys used to encrypt sensitive data in all applications. This is especially true for Microsoft 365 (M365), the productivity suite of choice for most enterprises as it permits online collaboration.
Today’s remote working environment relies heavily on sharing information, which challenges organizations to maintain security of confidential data and regulatory compliance, while driving employee productivity.
Organizations in highly regulated industries such as financial services, government and healthcare can comply with regulations such as GDPR, HIPAA and Schrems II by leveraging CipherTrust Cloud Key Management (CCKM) or Thales Luna HSMs with Double Key Encryption (DKE) for Microsoft 365.
DKE for M365 and Thales solutions work together to enable organizations to protect their sensitive data while maintaining control of their encryption keys. The solution uses two keys to protect data, and viewing data protected with DKE requires access to both. The customer maintains full control of one key using the DKE service; the second key is stored in Azure Key Vault.
Protected data is inaccessible to Microsoft because Microsoft services can only access the key stored in Azure Key Vault. DKE adds an extra layer of security on top of M365's existing encryption features: both parties must "unlock" the data together, so both keys are required before customer data can be accessed or decrypted.
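As an added illustration (not Thales's or Microsoft's code, and not the exact DKE format), the following stdlib-only Python sketch shows the property described above: a per-document content key is wrapped under a customer-held key and then under an Azure Key Vault key, and the document opens only when both keys are presented. The key names and the simple SHAKE-256/HMAC wrap helper are constructed stand-ins for the HSM and Key Vault operations, not a vetted cipher.

```python
import hashlib
import hmac
import os

# Illustrative, stdlib-only key wrap: SHAKE-256 keystream plus HMAC-SHA256 tag.
# It stands in for the real HSM / Key Vault operations; it is not a vetted cipher.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(n)

def wrap(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Two independent key holders (constructed names): the customer-held DKE key
# and the Azure Key Vault key. Neither holder ever sees the other's key.
CUSTOMER_DKE_KEY = hashlib.sha256(b"constructed customer HSM key").digest()
AZURE_KV_KEY = hashlib.sha256(b"constructed Azure Key Vault key").digest()

def protect(document: bytes, customer_key: bytes, azure_key: bytes):
    """Encrypt with a fresh content key, then wrap that key under both keys."""
    content_key = os.urandom(32)
    encrypted_doc = wrap(content_key, document)
    inner = wrap(customer_key, content_key)   # customer's key, outside Azure
    double_wrapped = wrap(azure_key, inner)   # Microsoft's key in Key Vault
    return encrypted_doc, double_wrapped

def try_open(encrypted_doc, double_wrapped, customer_key=None, azure_key=None):
    """Return the plaintext, or None if either key is missing or wrong."""
    try:
        inner = unwrap(azure_key, double_wrapped) if azure_key else None
        content_key = unwrap(customer_key, inner) if customer_key and inner else None
        return unwrap(content_key, encrypted_doc) if content_key else None
    except ValueError:
        return None
```

Holding only the Azure Key Vault key strips one layer but still leaves the content key opaque, which is the guarantee the text relies on.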
This enhanced data protection capability enables organizations to benefit from the full power of Microsoft 365 collaboration and productivity tools (Word, Excel, PowerPoint, SharePoint and Outlook), while protecting sensitive data and meeting data privacy regulations and requirements.
CCKM is flexible and built for change. CCKM offers additional functionality to securely generate, store, and protect encryption keys for cloud-managed keys, Bring Your Own Key (BYOK), Double Key Encryption (DKE), and Hold Your Own Key (HYOK) encryption keys in one central location. CCKM provides a range of options depending on the customer’s security posture.
The solution enables automation of key lifecycle management across clouds and hybrid environments, providing data protection tools such as a single user interface across clouds, a common set of APIs across clouds, and a single-pane-of-glass view into where customer keys are stored across multiple accounts, regions, subscriptions, and projects.
CCKM offers flexible deployment options including in the cloud, on premises, across hybrid environments, and as a service. A Community Edition is available from the Microsoft Marketplace with a 90-day free trial, and CCKM as a service is available from the Thales DPoD Marketplace.
Luna HSMs provide a secure foundation of trust for the double key encryption process, and help meet internal policy and compliance mandates by ensuring master encryption keys are held in a FIPS 140-3 Level 3 hardware root of trust, separate from where sensitive data resides.
Luna Key Broker for Microsoft DKE gives customers sole control over who has permission to access the keys that decrypt protected data, and provides enhanced data protection capabilities, including the ability to securely generate, store, and protect encryption keys in a FIPS 140-3 Level 3 validated Luna HSM outside of Microsoft Azure.
Luna Key Broker for Microsoft DKE can be deployed either in the cloud, on premises or across hybrid environments. The solution works with Luna Network HSMs and Luna Cloud HSMs.
Thales can help organizations assess and define their DKE strategy including which integration and deployment options are best for them.