All-round protection for the Office 365 cloud from eperi

11 May 2018

Microsoft Office 365 provides the familiar Exchange and Office working environment together with the advantages of a cloud infrastructure. The enactment of the EU GDPR has made two things very clear, however: security must not be neglected, and the cloud provider itself must be treated as a risk factor. Mail, calendar data and other information requiring protection should therefore always be shielded from access by unauthorized parties by means of encryption and pseudonymization.

These parties include the cloud provider itself, of course. As soon as the provider can gain access to personal data, even only theoretically, the client company remains responsible for thoroughly checking the data protection measures the provider has in place. Companies cannot shed this responsibility entirely, but the work is greatly simplified and the risk minimized if the cloud provider is never given access to personal data in the first place, because the data are already encrypted before they reach the cloud and stay encrypted while stored there.

To avoid having to make any modifications to the Office 365 cloud service itself, however, the use of a suitable encryption solution like eperi Cloud Data Protection (CDP) is essential. After all: any mail and any file that contains personal data can potentially get into the wrong hands and present a risk to the company – and ultimately result in the payment of stiff fines in the worst-case scenario. There’s never been a better time to revisit effective data protection in the Office 365 cloud.

eperi CDP improves security in Office 365 cloud environments

eperi Cloud Data Protection for Office 365 perfectly complements the security and data protection functionality offered out of the box by Office 365, expanding Office 365’s built-in security features into a centralized data protection and compliance platform. The solution ensures that sensitive information is securely encrypted before it is transmitted to the Office 365 cloud.

Only a select group of authorized persons from the company has access to the cryptographic keys that are required to encrypt and decrypt the sensitive information stored in the Office 365 cloud. All encryption and decryption processes take place under the full control of the company and entirely outside the Office 365 cloud. Even Microsoft’s own administrators or employees working in external data centers have absolutely no access to the plaintext data.

Of course, the question then arises of how all this works: how can key user features such as a full-text search across mail on the Exchange server work if the data in the Office 365 cloud are encrypted at all times and Microsoft's cloud services have no access to the keys? The answer lies in the eperi Gateway, which forms the basis of all eperi Cloud Data Protection solutions, and in the way it works with the Office 365 cloud and the protocols the cloud supports.

Office 365 and its interfaces: what they offer and how they work

For seamless access to encrypted data within an Office 365 environment, it’s obviously the case that the eperi Gateway needs to be compatible with all of the applications and their associated interfaces. In terms of applications, the list looks like this:

Outlook for managing e-mail accounts, Calendar for organizing appointments, SharePoint for handling collaboration and OneDrive for storing data on the cloud ‘drive’ – these are the core services that are provided by Office 365.

There are three ways to access these services: by using the Office desktop client that is available for Mac and Windows computers; by using the mobile Microsoft apps; or by using the online Office 365 apps with a web browser. Technically, access to all applications is provided under the hood by the following interfaces/protocols:

HTTP(S): The Hypertext Transfer Protocol is used to access the applications from a standard web browser. HTTPS (HTTP Secure) runs HTTP over an encrypted TLS (Transport Layer Security) connection; TLS's predecessor SSL (Secure Sockets Layer) is deprecated and should no longer be enabled. HTTP itself is carried over TCP/IP. A TLS connection uses both models of cryptography: asymmetric cryptography for authenticating the server and agreeing on a session key, and symmetric cryptography for encrypting the actual data transfer. To this end, a certificate issued by a certificate authority that the clients trust must be installed on the server; it is the browser that authenticates the server, not the other way round. A gateway placed in front of Office 365 therefore has to present a certificate that the company's clients trust, since it terminates the TLS connection on the company side.

SMTP: The Simple Mail Transfer Protocol is used for sending emails in the Office 365 environment. It runs over TCP/IP and can be protected with TLS. Note that TLS here encrypts the connection between two mail servers, not the message itself: the next hop sees the mail in plaintext again. When SMTP is wrapped in TLS from the start of the connection, the term SMTPS (SMTP Secure) is also used; the other variant upgrades a plain connection with the STARTTLS command.

Exchange Web Services (EWS): EWS is a SOAP/XML web service that gives applications access to the mailbox data stored in Office 365: mail, calendar appointments and contacts. Here, too, HTTPS is the access protocol; the security of the interface rests on TLS and on the authentication of the calling user.

Exchange ActiveSync (EAS): Like Exchange Web Services, EAS offers access to email, calendar and contacts, but from mobile devices such as smartphones and tablets. Worth mentioning here is the EAS 'direct push' feature, in which the device keeps a long-lived HTTPS request open so that the server can notify it immediately of new mail, appointments and so on; new messages and appointments thus arrive on phones in near real time. Data between the server and the mobile device are likewise transferred via HTTPS.

MAPI over HTTP(S): The Messaging Application Programming Interface (MAPI) is the protocol the Outlook desktop client uses to talk to Exchange mailboxes; it is also the interface through which other applications, such as Word, hand a document to Outlook for sending without the user first copying it into the mail client. MAPI over HTTP was introduced with Exchange Server 2013 Service Pack 1 and has since replaced its predecessor, RPC over HTTP (also known as Outlook Anywhere). Its main advantages are faster connection setup and more robust reconnection, which especially benefits portable computers that change networks frequently.

Autodiscover: This feature makes setting up new mailboxes much easier: only the user's email address and password need to be entered, and the Autodiscover service supplies the rest of the configuration. Correctly configured DNS records for the autodiscover host name and matching certificates are especially important here, because the client connects to the Autodiscover endpoint via HTTPS and validates its certificate. In an on-premises or hybrid Exchange deployment, domain-joined clients additionally locate the Autodiscover endpoint through a service connection point in Active Directory.
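The direction of TLS authentication matters in practice, since a gateway that terminates HTTPS in front of Office 365 must present a certificate that the company's browsers and Outlook clients trust. The following Go example is added here for illustration and is not code from eperi or Microsoft: a local HTTPS server with a self-signed certificate stands in for the gateway (or for an Office 365 endpoint), a client with the default trust store rejects it, a client whose root pool contains the server's certificate accepts it, and a client with verification switched off accepts it as well, which is the misconfiguration that quietly removes server authentication. Everything runs on the local machine; no Office 365 host is contacted.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newServer starts a local HTTPS server with a self-signed certificate. It stands in
// for whatever a client talks to over HTTPS (the gateway or an Office 365 endpoint);
// no real Office 365 host is contacted.
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// fetch performs one GET and returns the status code, or the handshake error if
// the client refused to authenticate the server.
func fetch(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// trustingClient builds a client whose root pool contains the server's own
// certificate, which is how a company rolls out trust for an internal gateway.
func trustingClient(srv *httptest.Server) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// insecureClient disables verification. The connection is still encrypted, but any
// party that can intercept traffic could now impersonate the server; shown only as
// the misconfiguration to avoid.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

func main() {
	srv := newServer()
	defer srv.Close()
	_, err := fetch(http.DefaultClient, srv.URL)
	fmt.Println("default trust store:", err)
	status, err := fetch(trustingClient(srv), srv.URL)
	fmt.Println("server cert in root pool:", status, err)
	status, err = fetch(insecureClient(), srv.URL)
	fmt.Println("verification disabled:", status, err)
}
```

Running it prints a certificate error for the default client and status 200 for the other two. The point is that the second and third clients reach the same result for very different reasons: only the second one actually knows who it is talking to.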

The eperi Gateway supports all of these Office 365 protocols, functions and interfaces. This is not a nicety: only if every one of these paths into the cloud passes through the gateway is it guaranteed that data are encrypted before they leave the company. Any protocol the gateway did not cover would be a channel on which plaintext reaches Office 365. This broad protocol support also means that users keep their familiar clients and workflows, and that no modifications to the cloud service itself are necessary.

When the mix needs to be just right: hybrid Office 365 installations

While the trend is certainly towards cloud-based use of Office 365, this is not always the appropriate solution. In some businesses, one or more user groups may have justified concerns about using a cloud-based system. An elegant answer is to keep these user groups within the local Exchange environment while user groups with less critical data are moved to the cloud. A hybrid Exchange/Office 365 environment of this kind also carries the full functionality and administrative controls of the local Exchange configuration over into the cloud. eperi Cloud Data Protection for Office 365 supports this hybrid Exchange/Office 365 model.

eperi Gateway and Office 365: a dependable duo for Email

The key benefit of the eperi Gateway is its straightforward encryption model: the user does not have to worry about having the right key or similar technical obstacles. As an example, a user simply writes an ordinary mail message and hits send. The mail is delivered to the recipient company's mail gateway, where the eperi Gateway encrypts it on arrival before forwarding it to Office 365. Since only the recipient's company holds the key to decrypt the message, only the company's authorized users can read it; everyone else, including the cloud provider, sees nothing but ciphertext. Note what this does and does not cover: the message is protected from the moment it reaches the gateway, not on the path from the sender to the gateway, and the gateway itself necessarily processes plaintext and must be protected accordingly.

Another interesting feature is access to the Office 365 environment with Outlook Web App. Since the eperi Gateway also handles the encryption and decryption of messages between the browser and the Office 365 cloud environment, mail can be accessed via web browser from anywhere in the world while remaining fully protected, provided the browser session is routed through the gateway.

With eperi, mail and file searches work perfectly – even with full encryption

A neat mechanism enables full-text searches across encrypted emails and files within an Office 365 environment. The eperi Gateway builds a complete index of all emails and files and stores this index not in the Office 365 cloud but in the secure customer environment, for example on the eperi Gateway server itself. This decouples the Office 365 environment from the eperi Gateway and adds an extra layer of security, since the index, which necessarily contains plaintext terms, never leaves the company.

When a user enters a search term, it is first forwarded to the eperi Gateway. The gateway looks the term up in its local index, rewrites the query so that it carries the matching dataset ID instead of the plaintext term, and forwards it to the Office 365 cloud environment, which uses this unique ID to locate the encrypted record and return it to the eperi Gateway. The gateway then decrypts the email or file and presents it to the user in plaintext. Search results, whether mail or files, are therefore never present outside the company in plaintext; Office 365 holds only ciphertext and the IDs used to address it.
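The mail flow described under 'a dependable duo' and the search mechanism just described rest on the same building block: encryption and decryption under a key that only the gateway holds, with the cloud addressing records by ID. The following Go example is added here to illustrate both at once. It is illustration code written for this article, not eperi's implementation, and the record layout, the 'ds-NNNN' dataset IDs, the fixed demo key and the two sample messages are assumptions constructed for the example. Inbound messages are parsed, the terms in their subject and body are recorded in an index held on the gateway, and only AES-GCM ciphertext is handed to a map standing in for the Office 365 mailbox store. A search resolves the term to dataset IDs locally, fetches ciphertext by ID and decrypts it on the gateway side; a final check confirms that the term cannot be found in the cloud store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"net/mail"
	"strings"
	"unicode"
)

// Gateway models the encrypting gateway: it alone holds the key and the plaintext
// search index; the cloud store only ever sees ciphertext addressed by dataset ID.
type Gateway struct {
	aead  cipher.AEAD
	index map[string][]string // search term -> dataset IDs, in arrival order
	cloud map[string][]byte   // stand-in for the Office 365 mailbox store
}

func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Gateway{aead, map[string][]string{}, map[string][]byte{}}, nil
}

// Inbound handles one message reaching the gateway: parse it, index subject and body
// terms locally, then hand only AES-GCM ciphertext (nonce prepended) to the cloud
// under a new dataset ID. The "ds-NNNN" format is an assumption of this example.
func (g *Gateway) Inbound(raw string) (string, error) {
	m, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	body, _ := io.ReadAll(m.Body) // reading from a strings.Reader cannot fail
	record := "Subject: " + m.Header.Get("Subject") + "\n\n" + string(body)
	id := fmt.Sprintf("ds-%04d", len(g.cloud)+1)
	terms := strings.FieldsFunc(strings.ToLower(record), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
	for _, term := range terms {
		if ids := g.index[term]; len(ids) == 0 || ids[len(ids)-1] != id {
			g.index[term] = append(ids, id)
		}
	}
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	g.cloud[id] = g.aead.Seal(nonce, nonce, []byte(record), nil)
	return id, nil
}

// Search resolves the term in the local index, fetches the matching records by ID from
// the cloud and decrypts them on the gateway. The term never reaches the cloud, and a
// truncated or tampered record is rejected rather than displayed.
func (g *Gateway) Search(term string) ([]string, error) {
	results := []string{}
	for _, id := range g.index[strings.ToLower(term)] {
		ct, n := g.cloud[id], g.aead.NonceSize()
		if len(ct) < n {
			return nil, fmt.Errorf("record %s: truncated", id)
		}
		pt, err := g.aead.Open(nil, ct[:n], ct[n:], nil)
		if err != nil {
			return nil, fmt.Errorf("record %s: %w", id, err)
		}
		results = append(results, string(pt))
	}
	return results, nil
}

// CloudLeaksTerm reports whether the term is readable in the cloud store without the key.
func (g *Gateway) CloudLeaksTerm(term string) bool {
	for _, ct := range g.cloud {
		if strings.Contains(strings.ToLower(string(ct)), strings.ToLower(term)) {
			return true
		}
	}
	return false
}

// sampleMails are constructed messages for this example, not real traffic.
var sampleMails = []string{
	"From: anna@example.com\nTo: bob@example.com\nSubject: Invoice 4711 for March\n\nHi Bob, the invoice for the March meeting is attached.\n",
	"From: bob@example.com\nTo: anna@example.com\nSubject: Meeting notes\n\nNotes from the Tuesday meeting: budget approved.\n",
}

func main() {
	// Fixed demo key for reproducibility; a real gateway loads it from a key store or HSM.
	g, _ := NewGateway([]byte("0123456789abcdef0123456789abcdef"))
	for _, raw := range sampleMails {
		g.Inbound(raw)
	}
	fmt.Println(g.Search("invoice"))
	fmt.Println("term visible to the cloud:", g.CloudLeaksTerm("invoice"))
}
```

Two properties are worth noting. The cloud still learns access patterns, that is, which IDs are fetched together and how often, even though it never sees a term. And the index on the gateway holds plaintext terms for every message, so the gateway host needs the same protection as the keys themselves.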


As data protection and security requirements grow more demanding, especially in terms of cloud storage and the increased use of cloud services such as Microsoft’s Office 365, encrypting sensitive data in the cloud is becoming increasingly important. At the same time, usability and features should not suffer as a result. The eperi Cloud Data Protection solution ensures businesses can meet these challenges.

