Encryption and key management overview
What role does encryption play in protecting customer content?
Most Microsoft business cloud services are multi-tenant, meaning that customer content may be stored on the same physical hardware as other customers' content. To protect the confidentiality of customer content, Microsoft online services encrypt all data at rest and in transit with some of the strongest and most secure encryption protocols available.
Encryption isn't a substitute for strong access controls. Microsoft's access control policy of Zero Standing Access (ZSA) protects customer content from unauthorized access by Microsoft employees. Encryption complements access control by protecting the confidentiality of customer content wherever it's stored and by preventing content from being read while in transit between Microsoft online services systems or between Microsoft online services and the customer.
How do Microsoft online services encrypt data-at-rest?
All customer content in Microsoft online services is protected by one or more forms of encryption. Microsoft servers use BitLocker to encrypt the disk drives containing customer content at the volume level. The encryption provided by BitLocker protects customer content if there are lapses in other processes or controls (for example, access control or recycling of hardware) that could lead to unauthorized physical access to disks containing customer content.
In addition to volume-level encryption, Microsoft online services use encryption at the application layer to encrypt customer content. Service encryption provides rights protection and management features on top of strong encryption protection. It also allows for separation between Windows operating systems and the customer data stored or processed by those operating systems.
How do Microsoft online services encrypt data-in-transit?
Microsoft online services use strong transport protocols, such as Transport Layer Security (TLS), to prevent unauthorized parties from eavesdropping on customer data while it moves over a network. Examples of data in transit include mail messages that are in the process of being delivered, conversations taking place in an online meeting, or files being replicated between datacenters.
For Microsoft online services, data is considered 'in transit' whenever a user's device is communicating with a Microsoft server, or a Microsoft server is communicating with another server.
How do Microsoft online services manage the keys used for encryption?
Strong encryption is only as secure as the keys used to encrypt data. Microsoft uses its own security certificates and associated keys to encrypt TLS connections for data-in-transit. For data-at-rest, BitLocker-protected volumes are encrypted with a full volume encryption key, which is encrypted with a volume master key, which in turn is bound to the Trusted Platform Module (TPM) in the server. BitLocker uses FIPS 140-2 compliant algorithms to ensure that encryption keys are never stored or sent over the wire in the clear.
Service encryption provides another layer of encryption for customer data-at-rest, giving customers two options for encryption key management: Microsoft-managed keys or Customer Key. When using Microsoft-managed keys, Microsoft online services automatically generate and securely store the root keys used for service encryption.
Customers with requirements to control their own root encryption keys can use service encryption with Microsoft Purview Customer Key. Using Customer Key, customers can generate their own cryptographic keys using either an on-premises Hardware Security Module (HSM) or Azure Key Vault (AKV). Customer root keys are stored in AKV, where they can be used as the root of one of the keychains that encrypts customer mailbox data or files. Customer root keys can only be accessed indirectly by Microsoft online service code for data encryption and can't be accessed directly by Microsoft employees.
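The key hierarchy described in the two sections above (a root key that wraps a key-encryption key, which wraps per-item data-encryption keys) can be shown in a small model. This is an added illustration, not Microsoft's or Azure Key Vault's code: `KeyVault` is a hypothetical stand-in that only exposes wrap/unwrap so the root key never leaves it, and `seal`/`unseal` use an HMAC-SHA256 counter keystream as a stdlib stand-in for AES, for demonstration only.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 counter keystream: a stdlib stand-in for AES, demo only.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    # Encrypt-then-MAC; output = nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyVault:
    """Hypothetical stand-in for AKV: root keys never leave; only wrap/unwrap are exposed."""
    def __init__(self): self._roots = {}
    def create_root(self, name: str) -> str:
        self._roots[name] = os.urandom(32); return name
    def destroy_root(self, name: str): del self._roots[name]
    def wrap(self, name: str, key: bytes) -> bytes: return seal(self._roots[name], key)
    def unwrap(self, name: str, blob: bytes) -> bytes: return unseal(self._roots[name], blob)

class Keychain:
    """root key (in vault) -> wrapped KEK -> per-item wrapped DEK -> item ciphertext."""
    def __init__(self, vault: KeyVault, root: str):
        self.vault, self.root = vault, root
        self.wrapped_kek = vault.wrap(root, os.urandom(32))
        self.items = {}  # item_id -> (wrapped_dek, ciphertext)
    def _kek(self) -> bytes:
        return self.vault.unwrap(self.root, self.wrapped_kek)  # raises if root destroyed
    def encrypt(self, item_id: str, data: bytes) -> None:
        dek = os.urandom(32)
        self.items[item_id] = (seal(self._kek(), dek), seal(dek, data))
    def decrypt(self, item_id: str) -> bytes:
        wrapped_dek, ct = self.items[item_id]
        return unseal(unseal(self._kek(), wrapped_dek), ct)
    def rotate_root(self, new_root: str) -> None:
        # Re-wrap only the KEK under the new root; DEKs and data are untouched.
        kek = self._kek()
        self.root, self.wrapped_kek = new_root, self.vault.wrap(new_root, kek)
```

Rotating the root re-wraps one small blob rather than re-encrypting every item, and destroying the root leaves the stored ciphertexts unreadable, which is the property the control sections on Customer Key rotation and deletion refer to.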
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to encryption and key management.
Azure and Dynamics 365

External audits | Section | Latest report date
---|---|---
ISO 27001 Statement of Applicability, Certificate | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | April 8, 2024
ISO 27017 Statement of Applicability, Certificate | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | April 8, 2024
ISO 27018 Statement of Applicability, Certificate | A.11.6: Encryption of PII transmitted over public data transmission networks | April 8, 2024
SOC 1, SOC 2, SOC 3 | DS-1: Secure storage of cryptographic certificates and keys; DS-2: Customer data is encrypted in-transit; DS-3: Internal communication of Azure components encrypted in-transit; DS-4: Cryptographic controls and procedures | August 16, 2024
Microsoft 365

External audits | Section | Latest report date
---|---|---
FedRAMP | SC-8: Transmission confidentiality and integrity; SC-13: Use of cryptography; SC-28: Protection of information at rest | August 21, 2024
ISO 27001/27017 Statement of Applicability, Certification (27001), Certification (27017) | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | March 2022
ISO 27018 Statement of Applicability, Certificate | A.11.6: Encryption of PII transmitted over public data transmission networks | March 2022
SOC 2 | CA-44: Data-in-transit encryption; CA-54: Data-at-rest encryption; CA-62: Customer Key mailbox encryption; CA-63: Customer Key data deletion; CA-64: Customer Key | January 23, 2024
SOC 3 | CUEC-16: Customer encryption keys; CUEC-17: Customer Key vault; CUEC-18: Customer Key rotation | January 23, 2024