In today's digital era, it is crucial to ensure that your most sensitive data is protected in the best possible way. To protect your sensitive data in Microsoft 365, there are two powerful tools to consider: Microsoft Purview Information Protection and Double Key Encryption (DKE).
Double Key Encryption (DKE) offers a high level of security and is specifically designed to meet the strictest protection requirements. However, it is important to note that DKE is not suitable for all types of data. It is usually best to use this encryption method to protect a limited subset of data.
Microsoft DKE is a solution that allows customers to encrypt their data in Microsoft 365 using their own keys. This can be important for customers who have sensitive data that requires high security and control. Microsoft DKE works by having the customer generate and store their keys in a hardware device called a Hardware Security Module (HSM).
When the customer wants to access their data at Microsoft, they must first authenticate themselves to their HSM device and gain access to the keys. Then they can decrypt their data using the keys. This way, the customer has full control over their data and can protect it from unauthorized access, even from Microsoft.
"DKE helps you meet regulatory requirements across several regulations and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA)"
Microsoft
DKE, or Double Key Encryption, is a method of protecting sensitive data using two keys. One key is stored with Microsoft, and the other is with the customer. Both keys must be used together to read the data. This gives the customer full control over their data and prevents anyone else from accessing it without the customer's consent.
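The two-key property described above, as an added sketch that is neither Microsoft's implementation nor code from the original page: a random content key encrypts the document and is then wrapped under both keys, so a party holding only one of them cannot recover it. The function names, the use of symmetric keys, the order of the two layers, and the HMAC-SHA256 construction (a standard-library stand-in for a real cipher such as AES) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: illustrative stand-in for a real cipher.
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC under one key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    """Check the tag, then decrypt; ValueError on a wrong key or modified data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = _prf(_prf(key, b"mac"), nonce + ct)
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def protect(document, customer_key, service_key):
    """Encrypt with a fresh content key, then wrap that key under both keys."""
    content_key = os.urandom(32)
    body = seal(content_key, document)
    # Assumed layer order: customer-held key inside, cloud-held key outside.
    wrapped = seal(service_key, seal(customer_key, content_key))
    return wrapped, body

def open_document(wrapped, body, customer_key, service_key):
    """Both keys are needed: peel the outer layer, then the inner one."""
    content_key = unseal(customer_key, unseal(service_key, wrapped))
    return unseal(content_key, body)

def can_open(wrapped, body, customer_key, service_key):
    try:
        open_document(wrapped, body, customer_key, service_key)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    ck, sk = os.urandom(32), os.urandom(32)   # constructed sample keys
    w, b = protect(b"constructed sample document", ck, sk)
    print(can_open(w, b, ck, sk), can_open(w, b, os.urandom(32), sk))
```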
However, DKE has some limitations and is currently used on a smaller scale, primarily by companies that consider themselves to have highly sensitive data. For example, DKE cannot be used with certain features that require searching, filtering, or indexing of data or through popular web applications that Microsoft offers. DKE can also affect the performance and availability of data. Therefore, it is important to weigh the pros and cons of DKE before choosing to implement it.
Which applications in Microsoft can utilize DKE?
A good starting point and alternative to DKE?
With Microsoft Purview Information Protection, you can take advantage of classification and labeling features. This allows you to identify and label your sensitive data to ensure the appropriate level of protection. This is suitable for most scenarios and also gives you access to a range of features and services within Office 365.
However, if you work in highly regulated industries such as financial services or healthcare and have specific security and data management requirements, double key encryption (DKE) may be more relevant. With DKE, you can ensure that only you have the ability to decrypt your protected content under any circumstances. You retain full control over your keys and avoid giving Microsoft access to your protected data.
Summary
To summarize, it is important to choose the right protection method for your sensitive data. By using Microsoft Purview Information Protection and its classification and labeling features, you can secure most of your sensitive data effectively. This method is suitable for most situations and allows you to take advantage of the powerful services offered by Office 365.
On the other hand, if you work in a highly regulated industry such as financial services or healthcare and have specific security and data handling requirements, double key encryption (DKE) may be relevant for you. DKE provides an additional level of security by ensuring that only you have the ability to decrypt your protected content under any circumstances.
If you have regulatory requirements that require your encryption keys to be stored within a specific geographical boundary, DKE is also a suitable solution. By keeping all encryption and decryption keys in your own data center or with a service provider in Sweden, you fulfill these requirements and ensure complete control over your content.
In conclusion, the choice between Microsoft Purview Information Protection and DKE is about finding the right balance between security and functionality for your specific needs. Use Information Protection to protect most sensitive data and save DKE for the most critical and regulated data sets.
When can you take full control of the encryption keys in Microsoft?
Currently, it is not clear when Microsoft will offer complete control of the encryption keys to its customers. However, we believe that double key encryption (DKE) can be a step in that direction and a preparation for a "Hold Your Own Key" (HYOK) solution where the customer has full control and retains the key to their data while still enjoying full functionality in their services.
It is interesting to note that other major cloud service providers such as Google, AWS, and Oracle Cloud already offer their customers the ability to protect their data with on-premises keys. We believe it is only a matter of time before Microsoft announces similar functionality and provides customers with full control.
As an organization, it is important to continue monitoring developments in cloud services and security solutions. By staying aware of the latest trends and innovations, you can make informed decisions about which tools and techniques best suit your needs and help protect your sensitive data in the best possible way.
Learn more
Read more about HSM
Read more about encryption and Azure