Office 365 Message Encryption


AWARD WINNING EXCHANGE & OFFICE 365 MANAGEMENT

Managing Encryption in Exchange Online


@enowconsulting

Find us!

ENow Software

ENowSoftware

ENowSoftware.com

Some of ENow’s Loyal Customers

About ENow

• Microsoft Silver ISV & Messaging Microsoft Partner

• Focused on building software solutions that simplify the life of IT administrators

• Software architected by MVPs with >15 years experience in high-end Microsoft consulting and management

• Customers in over 60 countries

About the Speaker

• Office 365 MVP

• Microsoft Certified Solutions Master: Messaging

• Consultant @ SPS (spscom.com)

• @MCSMLab

• Nathan@MCSMLab.com

• Linkedin.com/in/nathanobryan

• http://www.mcsmlab.com

Introduction

• Why encrypt?

• Transport Layer Security

• Office 365 Message Encryption

• Information Rights Management

• Secure/Multipurpose Internet Mail Extensions

Why encrypt email?

• The vast majority of email is sent over the Internet in plain text

• Reasons to encrypt:

o Compliance
o Protect organizational Intellectual Property
o Security
o Expand your job role

About compliance

• Four main areas to focus on when thinking about compliance

o Retain and Remove
o Discover and Search
o Protection against disclosure
o Protection against misuse

• In this webcast, we’ll be focusing on protecting against disclosure and misuse

Transport Layer Security (TLS)

• TLS creates a point to point encrypted tunnel between two organizations

• Using specific connectors, TLS sends all traffic between two organizations over port 587

• Domain Secure is not available in Office 365


Domain Security in Exchange On-prem

• TLS + end user notification that message delivery is secured

• Uses mutual TLS

• Requires edge servers

Configuring TLS

• Office 365 Admin Portal > Exchange > mail flow > connectors

• + to add a new connector

• From: Office 365

• To: Partner organization

• Next

Configuring TLS

• Give the new connector a name and description that will be meaningful to your organization’s IT staff

• Next


Configuring TLS

• Specify the domain or domains that you want to use this connector

• Next

• On the next page, specify if you want to route messages via MX record or to a specific smart host

Configuring TLS

• Check the box to use TLS, and specify the details for the expected certificate

• Confirm your settings on the final page of the wizard

• After the configuration runs, you’ll be asked to provide an email address to use in validating the connector
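The same partner connector the wizard builds, expressed as Exchange Online PowerShell so the settings can be reviewed and repeated. This is an added example, not the slides' own commands; the partner domain, certificate name and test mailbox are placeholders, and an Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the slides): the "Configuring TLS" wizard as cmdlets,
# including the validation step the wizard asks an email address for.
$partnerDomain = "partner.example"        # placeholder
$partnerCert   = "mail.partner.example"   # placeholder: name on the partner's TLS certificate

# Outbound (Office 365 -> partner). DomainValidation means TLS is mandatory AND
# the certificate subject/SAN must match -TlsDomain; any valid public-CA cert is
# not enough, so a connection that ends up at some other host with its own valid
# certificate is refused. Route via MX here; for a smart host use
# -SmartHosts "smtp.partner.example" with -UseMXRecord $false.
$outbound = @{
    Name             = "To $partnerDomain (forced TLS)"
    Comment          = "Forced TLS to partner; owned by the messaging team"
    ConnectorType    = "Partner"
    RecipientDomains = $partnerDomain
    UseMXRecord      = $true
    TlsSettings      = "DomainValidation"
    TlsDomain        = $partnerCert
}
New-OutboundConnector @outbound

# Inbound (partner -> Office 365). Require TLS, pin the sender certificate name,
# and reject mail claiming the partner's domain that does not present it.
$inbound = @{
    Name                         = "From $partnerDomain (forced TLS)"
    ConnectorType                = "Partner"
    SenderDomains                = $partnerDomain
    RequireTls                   = $true
    TlsSenderCertificateName     = $partnerCert
    RestrictDomainsToCertificate = $true
}
New-InboundConnector @inbound

# The wizard's final "provide an email address" step is this cmdlet: it sends a
# test message and reports whether TLS negotiation and the certificate check passed.
Validate-OutboundConnector -Identity $outbound.Name -Recipients "mailbox@$partnerDomain"

# Read back what was stored before relying on it.
Get-OutboundConnector -Identity $outbound.Name |
    Format-List Name, RecipientDomains, UseMXRecord, TlsSettings, TlsDomain
```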


When is TLS the right choice?

• Many users in your organization send many sensitive messages to another organization

• Message traffic between two separate organizations is considered internal

• It can be set up between two separate Office 365 tenants

Office 365 Message Encryption (OME)

• Simple way for users to send secure messages over the internet

• Using transport rules, OME will secure messages that meet specific conditions

• OME encrypted messages can be sent to users on any platform

Configuring OME


Configuring OME

• North America: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

• European Union: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

• Asia-Pacific: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

Configuring OME

• Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

• Set-IRMConfiguration -InternalLicensingEnabled $True

Configuring OME


Configuring OME

• Adding Disclaimer and branding

• Get-OMEConfiguration

• Set-OMEConfiguration


Configuring OME

Customize this feature / Use commands:

• Default text: Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "up to 1024 characters"

• Disclaimer statement: Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -DisclaimerText "1024 characters"

• Text at the top of the encrypted mail portal: Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "128 characters"

• Logo: Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>

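The OME commands from the preceding slides chained in order, followed by the transport rule that actually triggers OME and a verification pass. This is an added example, not the slides' own script; the rule condition, logo path, branding text and test sender are placeholders, and an Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the slides): end-to-end OME enablement for a North
# America tenant (swap in the EU or AP key-sharing URL from the slide as needed).

# 1. Tenant prerequisites, exactly as on the slides.
Set-IRMConfiguration -RMSOnlineKeySharingLocation "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Set-IRMConfiguration -InternalLicensingEnabled $true

# 2. Nothing is encrypted until a transport rule applies OME. Scope it to mail
#    leaving the organization that carries a marker word users are trained to
#    put in the subject (placeholder condition; a sensitive-information-type
#    or recipient-domain condition is built the same way).
New-TransportRule -Name "OME: external mail marked Encrypt" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Encrypt" `
    -ApplyOME $true

# 3. Portal text and logo (limits from the slide: EmailText and DisclaimerText
#    1024 characters, PortalText 128). The logo is passed as bytes; -Encoding Byte
#    is Windows PowerShell 5.1, PowerShell 7 uses -AsByteStream instead.
$logo = [byte[]](Get-Content -Path "C:\branding\logo.png" -Encoding Byte -ReadCount 0)   # placeholder path
Set-OMEConfiguration -Identity "OME Configuration" `
    -EmailText "You have received an encrypted message from Contoso. Open the attachment to read it." `
    -DisclaimerText "This message is intended only for the named recipient." `
    -PortalText "Contoso Secure Mail" `
    -Image $logo

# 4. Verify. Test-IRMConfiguration exercises templates and licensing for a
#    sender (placeholder address); reading the rule and portal settings back
#    catches a mistyped condition or an over-length text before go-live.
Test-IRMConfiguration -Sender "user@contoso.example"
Get-TransportRule -Identity "OME: external mail marked Encrypt" |
    Format-List Name, State, SentToScope, ApplyOME
Get-OMEConfiguration | Format-List Identity, PortalText, EmailText, DisclaimerText
```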

Using OME


When is OME the right choice?

• Users need to send secure email to recipients outside your organization

• Recipients may be on any email platform

• Users and/or recipients may not have technical sophistication for S/MIME

Rights Management Services (RMS)

• Uses encryption to enforce usage rights on messages and documents

• Using controls in Office applications (or OWA) users can apply templates to messages and documents

• Most functionality of RMS works best within the same organization

RMS options

Feature: RMS for Office 365 / EMS or Azure RMS Standalone (a dash means the feature is not listed for that option)

• Users can create and consume protected content by using Windows clients and Office applications: yes / yes

• Users can create and consume protected content by using mobile devices: yes / yes

• Integrates with Exchange Online, SharePoint Online, and OneDrive for Business: yes / yes

• Integrates with Exchange Server 2013/Exchange Server 2010 and SharePoint Server 2013/SharePoint Server 2010 on-premises via the RMS connector: yes / yes

• Administrators can create departmental templates: yes / yes

• Organizations can create and manage their own RMS tenant key in a hardware security module (the Bring Your Own Key solution): yes / yes

• Supports non-Office file formats: Text and image files are natively protected; other files are generically protected: yes / yes

• RMS SDK for all platforms: Windows, Windows Phone, iOS, Mac OSX, and Android: yes / yes

• Integrates with Windows file servers for automatic protection with FCI via the RMS connector: - / yes

• Preview: Users can track usage of their documents: during preview only / yes

• Preview: Users can revoke access to their documents: during preview only / yes

Source: https://technet.microsoft.com/en-us/network/dn858608.aspx

Configuring RMS

• See OME section

• Three default templates

o Do Not Forward
o Company – Confidential - View, Reply, Reply All, Save, Edit, and Forward.
o Company – Confidential View Only - View

• Use advanced features button to create new templates

• On-premises AD can be used for RMS in Exchange Online

Configuring RMS

Advanced features > Rights Management

RMS Sharing App

• https://portal.azurerms.com

• Allows you to see who has opened your RMS protected documents

• Allows you to revoke access

Using RMS

• Templates that start with Company are only usable within that tenant

• Do Not Forward template can be used with other Office 365 tenants, but does not work well with non-Office 365 mail systems

• BYOK is available in Azure AD, but currently does not work with RMS

• RMS is not a foolproof protector against violations

• Templates are usable in other Office applications

When is RMS the right choice?

• Sensitive documents and messages need to be protected internally

• Recipients need time limited access to documents and messages

• Should be considered a tool to assist users in following policy

Secure/Multipurpose Internet Mail Extensions (S/MIME)

• Developed in 1995, V3 in 1999 and achieved wide acceptance

• Provides:

o Digital signatures
o End-to-end message encryption

Obstacles to using S/MIME

• Not all email software supports S/MIME

• Because S/MIME encryption and decryption is done at client, message traffic is not inspected by transport stack

• Requires SSL certificate to be installed on client machine

S/MIME digital signatures

Digital signatures provide:

• Authentication
• Nonrepudiation
• Data integrity

Digital signatures DO NOT provide:

• Confidentiality

S/MIME signing process

When a message is signed:

• The text of the message and the user’s private key are processed together
• The output is a signature that is appended to the message

When the recipient receives a message:

• The digital signature process is repeated using the public key
• The output is compared to the original signature

S/MIME message encryption

Message encryption provides:

• Confidentiality
• Data integrity

Message encryption DOES NOT provide:

• Authentication
• Nonrepudiation

S/MIME message encryption

• S/MIME message encryption works backward

• You install an SSL certificate so others can send you encrypted messages


S/MIME digital signatures + message encryption

• Both can be applied to the same message

• Provides all the benefits

• For added security, use one certificate for signing and one certificate for encryption

• By default OWA “triple wraps” messages that are signed and encrypted

• Outlook does not “triple wrap” messages, but can read triple-wrapped messages


Configuring S/MIME

• Install your SSL certificate on your PC - Free certificate from http://startssl.com/

• Certmgr.msc

• Export

• Select Microsoft Serialized Certificate Store (.SST)

Configuring S/MIME

• $sst = Get-Content <sst filename>.sst -Encoding Byte

• Set-SmimeConfig -SMIMECertificateIssuingCA $sst

• Outlook > File > Options > Trust Center > Trust Center Settings… > Email Security > Settings…
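The .SST export and upload from the two Configuring S/MIME slides done in PowerShell instead of the certmgr.msc wizard, so the issuing CAs are taken from the real chain rather than picked by hand. This is an added example, not the slides' own commands; the certificate subject match and file path are placeholders, and Windows PowerShell 5.1 with an Exchange Online PowerShell session is assumed.

```powershell
# Added example (not from the slides): build the .SST from the issuing-CA chain
# of a user's S/MIME certificate, upload it with Set-SmimeConfig, read it back.

# 1. Locate the S/MIME certificate in the personal store (placeholder subject match).
$userCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*Nathan*" } |
    Select-Object -First 1
if (-not $userCert) { throw "No S/MIME certificate with a private key found" }

# 2. Build the chain and keep everything except the leaf. Exchange Online needs
#    the issuing and root CAs, not the user certificate, to validate senders'
#    signatures in OWA; uploading the wrong certificates leaves signatures untrusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($userCert)) {
    throw "Chain does not build locally: $($chain.ChainStatus.StatusInformation)"
}
$issuers = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }

# 3. Export the CAs as one Microsoft Serialized Certificate Store (.SST).
$sstPath = "C:\temp\smime-issuing-cas.sst"   # placeholder path
$issuers | Export-Certificate -FilePath $sstPath -Type SST -Force | Out-Null

# 4. Upload to Exchange Online. -Encoding Byte is Windows PowerShell 5.1;
#    PowerShell 7 uses -AsByteStream instead.
$sst = [byte[]](Get-Content -Path $sstPath -Encoding Byte -ReadCount 0)
Set-SmimeConfig -SMIMECertificateIssuingCA $sst

# 5. Confirm what the tenant now holds, alongside the OWA algorithm defaults.
Get-SmimeConfig | Format-List SMIMECertificateIssuingCA, OWAEncryptionAlgorithms, OWASigningAlgorithms
```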


S/MIME with on-premises PKI

• You can use an on-premises PKI to set up S/MIME in Office 365

• Once the on-premises CA is in place, enabling S/MIME for users is much the same process

Using S/MIME in Outlook

• Options > More Options

• Security settings


Using S/MIME in OWA

• From new message select …

• Show message options

• Under options > S/MIME you can set default to encrypt and/or sign all messages

• Must install S/MIME control on each PC in addition to certificate

S/MIME messages


When is S/MIME the right choice?

• Small number of sophisticated users send and receive many highly sensitive messages

• IT staff has the technical knowledge to manage complex encryption

• Sensitive messages need to be secured from end to end


What doesn’t work in Exchange Online

• Journal report decryption

• Outlook Protection Rules

• Domain Security


Summary

• Why encrypt?

• Transport Layer Security

• Office 365 Message Encryption

• Information Rights Management

• Secure/Multipurpose Internet Mail Extensions

• Questions?


Q&A


Thank You

www.enowsoftware.com
