## What role does encryption play in protecting customer content?

Most Microsoft business cloud services are multi-tenant, meaning that customer content may be stored on the same physical hardware as other customers. To protect the confidentiality of customer content, Microsoft online services encrypt all data at rest and in transit with some of the strongest and most secure encryption protocols available.

Encryption isn't a substitute for strong access controls. Microsoft's access control policy of Zero Standing Access (ZSA) protects customer content from unauthorized access by Microsoft employees. Encryption complements access control by protecting the confidentiality of customer content wherever it's stored and by preventing content from being read while in transit between Microsoft online services systems or between Microsoft online services and the customer.

## How do Microsoft online services encrypt data-at-rest?

All customer content in Microsoft online services is protected by one or more forms of encryption. Microsoft servers use BitLocker to encrypt the disk drives containing customer content at the volume level. The encryption provided by BitLocker protects customer content if there are lapses in other processes or controls (for example, access control or recycling of hardware) that could lead to unauthorized physical access to disks containing customer content.

In addition to volume-level encryption, Microsoft online services use Service Encryption at the application layer to encrypt customer content. Service Encryption provides rights protection and management features on top of strong encryption protection. It also allows for separation between Windows operating systems and the customer data stored or processed by those operating systems.

## How do Microsoft online services encrypt data-in-transit?

Microsoft online services use strong transport protocols, such as TLS, to prevent unauthorized parties from eavesdropping on customer data while it moves over a network. For Microsoft online services, data is considered 'in transit' whenever a user's device is communicating with a Microsoft server, or a Microsoft server is communicating with another server. Examples of data in transit include mail messages that are in the process of being delivered, conversations taking place in an online meeting, or files being replicated between datacenters.

## How do Microsoft online services manage the keys used for encryption?

Strong encryption is only as secure as the keys used to encrypt data. Microsoft uses its own security certificates to encrypt TLS connections for data-in-transit. For data-at-rest, BitLocker-protected volumes are encrypted with a full volume encryption key, which is encrypted with a volume master key, which in turn is bound to the Trusted Platform Module (TPM) in the server. BitLocker uses FIPS-compliant algorithms to ensure that encryption keys are never stored or sent over the wire in the clear.

Service Encryption provides another layer of encryption for customer data-at-rest, giving customers two options for encryption key management: Microsoft-managed keys or Customer Key. When using Microsoft-managed keys, Microsoft online services automatically generate and securely store the root keys used for Service Encryption. Customers with requirements to control their own root encryption keys can use Service Encryption with Microsoft Purview Customer Key. Using Customer Key, customers can generate their own cryptographic keys using either an on-premises Hardware Security Module (HSM) or Azure Key Vault (AKV). Customer root keys are stored in AKV, where they can be used as the root of one of the keychains that encrypts customer mailbox data or files. Customer root keys can only be accessed indirectly by Microsoft online service code for data encryption and can't be accessed directly by Microsoft employees.

## Related external regulations & certifications

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to encryption and key management.
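The key hierarchy described in the key-management section (a per-volume or per-mailbox data key that is itself encrypted by a root key held in a TPM, an HSM or AKV) is envelope encryption: content is never encrypted directly under the root key, only the data key is. The Go program below is an added example, not Microsoft's code, that models that chain with AES-256-GCM from the standard library: a root key wraps a data encryption key (DEK), the DEK encrypts content, and the label bound to the wrap acts as authenticated context so a wrapped key cannot be silently re-used under another label. It goes slightly beyond the page by showing root-key rotation (re-wrapping the DEK without touching the content ciphertext) and that a DEK wrapped under a lost or wrong root key cannot be recovered. The root key is a plain byte slice standing in for the AKV/HSM-held key, and every function name and the `mailbox:alice` label are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aeadSeal encrypts plaintext with AES-256-GCM under key, binding aad as
// additional authenticated data, and prepends the random nonce to the output.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to key, nonce, ciphertext or aad
// makes GCM's tag check fail and returns an error rather than garbage.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// NewKey returns a fresh 256-bit key. In the real service the root key would
// be generated and held inside the TPM, HSM or AKV, never as a plain slice.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapDEK encrypts a data encryption key under the root key. The label
// (hypothetical, e.g. "mailbox:alice") is authenticated but not encrypted.
func WrapDEK(rootKey, dek []byte, label string) ([]byte, error) {
	return aeadSeal(rootKey, dek, []byte(label))
}

// UnwrapDEK recovers the DEK; it fails for a wrong root key or wrong label.
func UnwrapDEK(rootKey, wrapped []byte, label string) ([]byte, error) {
	return aeadOpen(rootKey, wrapped, []byte(label))
}

// EncryptContent and DecryptContent operate only with the DEK, so the root
// key is never exposed to the code path that handles customer content.
func EncryptContent(dek, content []byte) ([]byte, error) { return aeadSeal(dek, content, nil) }
func DecryptContent(dek, ct []byte) ([]byte, error)     { return aeadOpen(dek, ct, nil) }

// RotateRoot re-wraps the DEK under a new root key. The content ciphertext is
// untouched, which is what makes root-key rotation cheap in a key hierarchy.
func RotateRoot(oldRoot, newRoot, wrapped []byte, label string) ([]byte, error) {
	dek, err := UnwrapDEK(oldRoot, wrapped, label)
	if err != nil {
		return nil, err
	}
	return WrapDEK(newRoot, dek, label)
}

func main() {
	root, _ := NewKey()
	dek, _ := NewKey()
	wrapped, _ := WrapDEK(root, dek, "mailbox:alice")
	ct, _ := EncryptContent(dek, []byte("constructed sample mailbox item"))

	newRoot, _ := NewKey()
	rewrapped, _ := RotateRoot(root, newRoot, wrapped, "mailbox:alice")
	if _, err := UnwrapDEK(root, rewrapped, "mailbox:alice"); err != nil {
		fmt.Println("retired root key can no longer unwrap the DEK:", err)
	}
	dek2, _ := UnwrapDEK(newRoot, rewrapped, "mailbox:alice")
	pt, _ := DecryptContent(dek2, ct)
	fmt.Printf("content still readable after rotation: %q\n", pt)
}
```

The same structure explains why revoking or destroying a customer-held root key renders the wrapped DEKs, and therefore the content, unrecoverable: nothing in the content layer can be decrypted without first unwrapping the DEK. For a real deployment the wrap and unwrap calls would be requests to the key vault or HSM (so the root key never leaves it), and a deterministic or counter-based nonce scheme would replace the random nonce if the same root key wraps a very large number of DEKs.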