
Thales solutions for Microsoft Double Key Encryption (DKE)

Enhanced Security and Control Over Sensitive Data in Microsoft 365

It is best practice to own and control the keys used to encrypt sensitive data in every application. This is especially true for Microsoft 365 (M365), the productivity suite most enterprises rely on for online collaboration.

Today’s remote working environment relies heavily on sharing information, which challenges organizations to maintain security of confidential data and regulatory compliance, while driving employee productivity.

Organizations in highly regulated industries such as financial services, government and healthcare can meet obligations such as GDPR, HIPAA and the Schrems II ruling by using CipherTrust Cloud Key Management or Thales Luna HSMs with Double Key Encryption (DKE) for Microsoft 365.

Double Key Encryption for Microsoft 365

DKE for M365 and Thales solutions work together to let organizations protect their sensitive data while keeping control of their encryption keys. DKE protects data with two keys, and reading DKE-protected data requires access to both. One key stays under the customer's sole control in a DKE service the customer hosts; the second is held by Microsoft in Azure Key Vault.

Microsoft services can reach only the key in Azure Key Vault, so protected data stays inaccessible to Microsoft. DKE adds a layer on top of M365's existing encryption features rather than replacing them: both key holders must release their key before the data can be decrypted.
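The two-key flow described above, as an added illustration that is not Microsoft's or Thales' code: a fresh content key protects the document, that content key is wrapped first under the customer's key and then under Microsoft's, and decryption needs both holders to release their layer. The wrapping primitive is a stand-in built from the Python standard library (an HMAC-SHA256 keystream plus an HMAC tag) so the example runs offline; the real product uses its own RSA/AES-based protocol. The `KeyHolder` class, the holder names and the sample document are assumptions made for this example.

```python
"""Model of Double Key Encryption (DKE): one content key protected by two
independently held keys, so no single holder can decrypt alone.
Added illustration; not Microsoft's or Thales' code."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 HMAC output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 keystream. Stand-in for a real cipher
    (assumption: the product uses RSA-OAEP / AES, not this construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated wrap: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap. Raises ValueError on a wrong key or a modified blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("unwrap failed: blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyHolder:
    """A party that holds one key and wraps/unwraps on request. Models the
    customer-run DKE service on one side and Azure Key Vault on the other."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._key = secrets.token_bytes(32)  # never leaves this holder

    def wrap(self, data: bytes) -> bytes:
        return wrap(self._key, data)

    def unwrap(self, blob: bytes) -> bytes:
        return unwrap(self._key, blob)


def dke_protect(document: bytes, customer: KeyHolder, microsoft: KeyHolder):
    """Encrypt the document under a fresh content key, then wrap that key
    first with the customer's key and then with Microsoft's key."""
    content_key = secrets.token_bytes(32)
    body = wrap(content_key, document)
    wrapped_key = microsoft.wrap(customer.wrap(content_key))
    return body, wrapped_key


def dke_decrypt(body: bytes, wrapped_key: bytes,
                customer: KeyHolder, microsoft: KeyHolder) -> bytes:
    """Both holders must release their layer: Microsoft's outer layer first,
    then the customer's DKE service recovers the content key."""
    content_key = customer.unwrap(microsoft.unwrap(wrapped_key))
    return unwrap(content_key, body)


def decrypt_ok(body: bytes, wrapped_key: bytes,
               customer: KeyHolder, microsoft: KeyHolder) -> bool:
    """True if the two holders given can recover the document."""
    try:
        dke_decrypt(body, wrapped_key, customer, microsoft)
        return True
    except ValueError:
        return False


def demo() -> dict:
    customer = KeyHolder("customer DKE service")
    microsoft = KeyHolder("Azure Key Vault")
    outsider = KeyHolder("outsider")  # holds neither real key
    doc = b"Q3 board deck - CONFIDENTIAL"  # constructed sample document
    body, wrapped_key = dke_protect(doc, customer, microsoft)
    return {
        "both_keys": decrypt_ok(body, wrapped_key, customer, microsoft),
        "microsoft_key_only": decrypt_ok(body, wrapped_key, outsider, microsoft),
        "customer_key_only": decrypt_ok(body, wrapped_key, customer, outsider),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'decrypted' if ok else 'denied'}")
```

Only the case in which both the customer's DKE service and Azure Key Vault release their layer decrypts; the outsider stands for any party holding just one of the two keys, which is the property the text relies on. Because every layer is authenticated, a wrong key or an altered blob fails closed instead of yielding garbage.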

This enhanced data protection capability enables organizations to benefit from the full power of Microsoft 365 collaboration and productivity tools (Word, Excel, PowerPoint, SharePoint and Outlook), while protecting sensitive data and meeting data privacy regulations and requirements.

Why Is Using Thales Solutions for DKE More Secure?

  1. Shared Responsibility and Separation of Duties: Since the customer and Microsoft each hold one key, neither party can decrypt the data on its own and the compromise of a single key does not expose it. It also keeps the keys separate from where the data-at-rest lives, which is a cloud security best practice.
  2. Enhanced Control and Privacy over Data and Keys: The customer has more control over their data because they alone possess one of the keys. Without the customer key the data remains inaccessible, even to Microsoft, so if someone were to compromise Microsoft's systems the customer's data would still be protected because the attacker would not have the customer's key. Customers also have greater control over how and when their encryption keys are used to protect and access encrypted data. The corollary is that the customer is responsible for that key's availability: data protected with a customer key that is lost cannot be recovered by Microsoft.

Thales Solutions for Microsoft DKE

Two Thales Solutions to Choose From:

1. CipherTrust Cloud Key Management (CCKM)

CCKM is flexible and built for change. It securely generates, stores and protects encryption keys for cloud-managed keys, Bring Your Own Key (BYOK), Double Key Encryption (DKE) and Hold Your Own Key (HYOK) in one central location, and provides a range of options depending on the customer's security posture.

The solution automates key lifecycle management across clouds and hybrid environments through a single user interface across clouds, a common set of APIs across clouds, and a single pane of glass showing where customer keys are stored across multiple accounts, regions, subscriptions and projects.

CCKM offers flexible deployment options: in the cloud, on premises, across hybrid environments, and as a service. A Community Edition with a 90-day free trial is available from the Microsoft Marketplace, and CCKM as a service from the Thales DPoD Marketplace.

2. Luna Key Broker for Microsoft DKE

Luna HSMs provide a secure foundation of trust for the double key encryption process, and help meet internal policy and compliance mandates by ensuring master encryption keys are held in a FIPS 140-3 Level 3 hardware root of trust, separate from where sensitive data resides.

Luna Key Broker for Microsoft DKE gives customers sole control over who has permission to access the keys that decrypt protected data, and provides enhanced data protection capabilities, including the ability to securely generate, store and protect encryption keys in a FIPS 140-3 Level 3 validated Luna HSM outside of Microsoft Azure.

Luna Key Broker for Microsoft DKE can be deployed either in the cloud, on premises or across hybrid environments. The solution works with Luna Network HSMs and Luna Cloud HSMs.

Thales can help organizations assess and define their DKE strategy including which integration and deployment options are best for them.