Encryption and key management overview

What role does encryption play in protecting customer content?

Most Microsoft business cloud services are multi-tenant, meaning that customer content may be stored on the same physical hardware as other customers' content. To protect the confidentiality of customer content, Microsoft online services encrypt all data at rest and in transit with some of the strongest and most secure encryption protocols available.

Encryption isn't a substitute for strong access controls. Microsoft's access control policy of Zero Standing Access (ZSA) protects customer content from unauthorized access by Microsoft employees. Encryption complements access control by protecting the confidentiality of customer content wherever it's stored and by preventing content from being read while in transit between Microsoft online services systems or between Microsoft online services and the customer.

How do Microsoft online services encrypt data-at-rest?

All customer content in Microsoft online services is protected by one or more forms of encryption. Microsoft servers use BitLocker to encrypt the disk drives containing customer content at the volume-level. The encryption provided by BitLocker protects customer content if there are lapses in other processes or controls (for example, access control or recycling of hardware) that could lead to unauthorized physical access to disks containing customer content.

In addition to volume-level encryption, Microsoft online services use Service Encryption at the application layer to encrypt customer content. Service Encryption provides rights protection and management features on top of strong encryption protection. It also allows for separation between Windows operating systems and the customer data stored or processed by those operating systems.

How do Microsoft online services encrypt data-in-transit?

Microsoft online services use strong transport protocols, such as TLS, to prevent unauthorized parties from eavesdropping on customer data while it moves over a network. Examples of data in transit include mail messages that are in the process of being delivered, conversations taking place in an online meeting, or files being replicated between datacenters.

For Microsoft online services, data is considered 'in transit' whenever a user's device is communicating with a Microsoft server, or a Microsoft server is communicating with another server.

How do Microsoft online services manage the keys used for encryption?

Strong encryption is only as secure as the keys used to encrypt data. Microsoft uses its own security certificates to encrypt TLS connections for data-in-transit. For data-at-rest, BitLocker-protected volumes are encrypted with a full volume encryption key, which is encrypted with a volume master key, which in turn is bound to the Trusted Platform Module (TPM) in the server. BitLocker uses FIPS-compliant algorithms to ensure that encryption keys are never stored or sent over the wire in the clear.

Service Encryption provides another layer of encryption for customer data-at-rest giving customers two options for encryption key management: Microsoft-managed keys or Customer Key. When using Microsoft-managed keys, Microsoft online services automatically generate and securely store the root keys used for Service Encryption.

Customers with requirements to control their own root encryption keys can use Service Encryption with Microsoft Purview Customer Key. Using Customer Key, customers can generate their own cryptographic keys using either an on-premises Hardware Security Module (HSM) or Azure Key Vault (AKV). Customer root keys are stored in AKV, where they can be used as the root of one of the keychains that encrypts customer mailbox data or files. Customer root keys can only be accessed indirectly by Microsoft online service code for data encryption and can't be accessed directly by Microsoft employees.
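The key hierarchy described above (a data key wrapped by a master key, which is wrapped by a root key held in a TPM or key vault) can be modelled in a few lines. This is an added example, not Microsoft's code: `RootKeyHolder`, `seal`, `unseal` and `root_unavailable` are hypothetical names, and AES Key Wrap and AES-GCM from the Python `cryptography` package stand in for the algorithms BitLocker and Service Encryption actually use.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap

class RootKeyHolder:
    """Hypothetical stand-in for a TPM or key vault: callers can ask it to
    wrap or unwrap a child key, but the root key itself is never returned."""

    def __init__(self):
        self._root = os.urandom(32)

    def wrap(self, key):
        return aes_key_wrap(self._root, key)

    def unwrap(self, wrapped):
        return aes_key_unwrap(self._root, wrapped)

    def rotate(self, wrapped):
        """Swap in a new root key and re-wrap the child key under it."""
        child = self.unwrap(wrapped)
        self._root = os.urandom(32)
        return self.wrap(child)

def seal(holder, plaintext):
    """Encrypt with a fresh data key and return only wrapped key material."""
    data_key = AESGCM.generate_key(bit_length=256)  # plays the FVEK role
    master_key = os.urandom(32)                     # plays the VMK role
    nonce = os.urandom(12)
    return {
        "nonce": nonce,
        "ciphertext": AESGCM(data_key).encrypt(nonce, plaintext, None),
        "wrapped_data_key": aes_key_wrap(master_key, data_key),
        "wrapped_master_key": holder.wrap(master_key),
    }

def unseal(holder, blob):
    """Walk the chain root -> master key -> data key, then decrypt."""
    master_key = holder.unwrap(blob["wrapped_master_key"])
    data_key = aes_key_unwrap(master_key, blob["wrapped_data_key"])
    return AESGCM(data_key).decrypt(blob["nonce"], blob["ciphertext"], None)

def root_unavailable(blob):
    """True when a holder without the right root key cannot open the blob."""
    try:
        unseal(RootKeyHolder(), blob)
    except InvalidUnwrap:
        return True
    return False
```

Rotating the root re-wraps one 32-byte key and leaves the ciphertext untouched, which is why a layered hierarchy keeps rotation cheap. Losing or revoking the root makes every key beneath it, and therefore the data, unrecoverable.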

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following tables for validation of controls related to encryption and key management.

Azure and Dynamics 365

| External audits | Section | Latest report date |
| --- | --- | --- |
| ISO 27001/27002 (Statement of Applicability, Certificate) | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | November 6, 2023 |
| ISO 27017 (Statement of Applicability, Certificate) | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | November 6, 2023 |
| ISO 27018 (Statement of Applicability, Certificate) | A.11.6: Encryption of PII transmitted over public data transmission networks | November 6, 2023 |
| SOC 1, SOC 2, SOC 3 | DS-1: Secure storage of cryptographic certificates and keys; DS-2: Customer data is encrypted in-transit; DS-3: Internal communication of Azure components encrypted in-transit; DS-4: Cryptographic controls and procedures | November 17, 2023 |

Microsoft 365

| External audits | Section | Latest report date |
| --- | --- | --- |
| FedRAMP (Office 365) | SC-8: Transmission confidentiality and integrity; SC-13: Use of cryptography; SC-28: Protection of information at rest | July 31, 2023 |
| ISO 27001/27002/27017 (Statement of Applicability, Certification (27001/27002), Certification (27017)) | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | March 2022 |
| ISO 27018 (Statement of Applicability, Certificate) | A.11.6: Encryption of PII transmitted over public data transmission networks | March 2022 |
| SOC 2 | CA-44: Data-in-transit encryption; CA-54: Data-at-rest encryption; CA-62: Customer Key mailbox encryption; CA-63: Customer Key data deletion; CA-64: Customer Key | January 23, 2024 |
| SOC 3 | CUEC-16: Customer encryption keys; CUEC-17: Customer Key vault; CUEC-18: Customer Key rotation | January 23, 2024 |
