Microsoft recently rolled out an updated and improved encrypted email solution for Office 365 users. Encrypted email has long been an issue for those in industries and professions where a large amount of sensitive personal and financial detail needs to be shared. Many existing encryption solutions are complicated and cumbersome, often requiring multiple devices and a several-step process to complete, sometimes for both the sender and the recipient.
At the same time, recent news events have heightened concerns and public awareness of just how unsecure traditional email might be. Are you comfortable discussing a medical condition and its treatment with your doctor via regular email? How about swapping information about your finances and investments with your financial adviser if you’re not certain that no one else might be reading those messages?
Last month, Microsoft officially rolled out Office 365 Message Encryption. While it’s not without its own pitfalls, the new program is simpler to use than previous Microsoft encryption methods and available at a price (included in E3 and E4 plans) that makes it obtainable for small businesses that could otherwise never afford it.
Derived from the Exchange Hosted Encryption that’s been in place for several years, it can be a rules-based system. From the sender’s perspective, that means it can be as simple as including the word “Encrypted” in the subject line. When the server sees the term the rule calls for in the subject line, it will encrypt the outgoing message. The encrypted message will appear in the receiver’s inbox as an HTML attachment. When they click on it, they will be prompted to login in order to read the message. Here’s the gotcha: In order to open the message, the recipient needs a Microsoft account login and password. There’s a brief video on how Office 365 Message Encryption workshere.
The message encryption is closely tied to Exchange’s Data Loss Prevention (DLP) component. With a slightly more complex but also quite flexible set of rules in the DLP, the Message Encryption service can be configured to recognize potentially damaging private data, such as bank account or Social Security numbers, PII (Personal Identification Information, a no-no for organizations covered by HIPAA regulations) or in the text of an email. Depending on the rules that are configured for the system, it can automatically issue a warning to the sender, for example, calling attention to the flagged content, or forward the email to a supervisor, compliance officer, or the legal department for approval before it goes out. While this setup takes more work to configure, it can completely automate the decision-making process controlling which information needs to be encrypted and nearly guarantee compliance.
Office 365 Message Encryption is included with E3 or E4 subscriptions. It can be purchased separately withWindows Azure Rights Management, which also includes Information Rights Management.
Most other large email providers either don’t offer encryption yet, or are charging an arm and a leg for it. So it’s a pretty good deal, and less costly than most third-party solutions. Given heightened concerns over the security of everything online, the others may not be too far behind.