Microsoft’s Office 365 product provides one of the best hosting and office app services on the market, and many of Mailprotector’s managed service provider partners use it as part of their technology stack. However, if you are wondering whether the Office 365 email encryption feature is enough to handle email security on its own, it isn’t. Office 365 encryption misses the mark in features and in how its encryption is licensed and controlled. In this article we detail the good and the bad of using Microsoft’s 365 product for email encryption, and explain why we believe a layered email security approach is necessary.
Any complete email security solution must include email encryption, particularly for partners whose end users regularly email sensitive data. What you’ll find is that Office 365 is restrictive and its email encryption feature is incomplete. Why? Let’s start with email encryption basics.
Basics of Encryption
Email encryption has become a necessity when sending emails outside of an organization. Lawyers, CPAs, medical offices, government officials, and others are required to send sensitive information across the Internet directly to their customers.
Office 365 email encryption can be turned on and configured within the Microsoft 365 platform, but it reads as an afterthought to an otherwise top-quality email hosting tool.
Email encryption protects message content with cryptographic keys while it crosses the public Internet and sits in the mailboxes along the way, so anyone who intercepts or obtains a copy without the key cannot read it. This is distinct from the TLS that Microsoft applies between mail servers by default: TLS protects a single hop, message encryption protects the message itself wherever it ends up.
Office 365 email encryption comes in a few different forms, depending on your client and user needs, and each has its own disadvantage that can leave your users exposed.
There are three options available through Office 365: Office 365 Message Encryption (OME), S/MIME, and Information Rights Management (IRM). Each has its respective security disadvantage. Before you select the email encryption method that best fits your security stack, we recommend reviewing the advantages and disadvantages of each. Ignoring the shortcomings of Microsoft’s email encryption is a recipe for disaster.
Office 365 Message Encryption (OME) – Advantages and Disadvantages
OME Encryption is Standard for O365.
Built on the Azure Rights Management service, Office 365 Message Encryption (OME) is the standard Office 365 encryption product, included by default with E3 and E5 licenses.
Internal and External Email Encryption.
Office 365 Message Encryption handles both internal and external email. Your end users can send to any external platform regardless of destination, including Google, Yahoo, or Intermedia.
External recipients open the message through the OME portal, either by signing in with an account they already have (a Microsoft, Google or Yahoo account) or, if they don’t want to sign in, by requesting a one-time passcode sent to their mailbox. Once in, they can read the message and reply securely.
Automatic Email Encryption.
IT providers can configure mail flow rules in the Exchange Admin Center that encrypt messages automatically when they match a condition. End users can also click the Encrypt button in Outlook to protect a message themselves in seconds.
As the IT professional configuring encryption, you can set up transport (mail flow) rules that trigger encryption when specific criteria are met. This includes quick, straightforward triggers for your end users, such as putting the word “Encrypt” in the email’s subject or the word “Secure” in the email body.
Rules can also match built-in sensitive information types, so messages containing credit card numbers, social security numbers and other sensitive data are encrypted automatically without the user having to remember anything.
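As an added example (not Microsoft’s or Mailprotector’s code), here are the two automatic triggers described above expressed as Exchange Online mail flow rules in PowerShell. It assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange administrator role, and that the tenant exposes the default “Encrypt” rights management template; the admin UPN and rule names are placeholders.

```powershell
# Added example (not Microsoft's or Mailprotector's code): automatic OME encryption
# via Exchange Online mail flow rules. Assumes the ExchangeOnlineManagement module
# and an Exchange admin account; the UPN and rule names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Pre-flight: a rule cannot apply a rights template if Azure RMS is off for the tenant.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is disabled; enable it with Set-IRMConfiguration -AzureRMSLicensingEnabled $true'
}
$encrypt = Get-RMSTemplate | Where-Object Name -eq 'Encrypt'
if (-not $encrypt) { throw 'The default "Encrypt" template is not visible to this tenant.' }

# Rule 1: user-triggered. Conditions inside one rule are ANDed, so the two keywords
# get separate rules. Exchange has no body-only condition, so "Secure" is matched in
# subject or body. Both rules apply only when the recipient is outside the tenant.
New-TransportRule -Name 'OME keyword - Encrypt in subject' `
    -SentToScope NotInOrganization `
    -SubjectContainsWords 'Encrypt' `
    -ApplyRightsProtectionTemplate $encrypt.Name

New-TransportRule -Name 'OME keyword - Secure in subject or body' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Secure' `
    -ApplyRightsProtectionTemplate $encrypt.Name

# Rule 2: content-triggered. Built-in sensitive information types detect card numbers
# and SSNs. Start in Audit mode, review the message trace for false positives, then
# switch to Enforce with Set-TransportRule.
New-TransportRule -Name 'OME sensitive data' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name='Credit Card Number'; minCount='1'}, @{Name='U.S. Social Security Number (SSN)'; minCount='1'} `
    -ApplyRightsProtectionTemplate $encrypt.Name `
    -Mode Audit

# Review what was created: state, mode and evaluation order.
Get-TransportRule | Where-Object Name -like 'OME *' | Format-Table Name, State, Mode, Priority -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Keep the keyword rules scoped to external recipients as shown; applying the template to internal mail too is possible but adds friction without a confidentiality benefit inside the tenant, and the audit-first step on the sensitive-data rule is what keeps a mistuned classifier from silently encrypting half your outbound mail.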
Storage of Encryption Keys
OME keeps things simple by storing the encryption keys in Microsoft’s service, so you don’t have to issue certificates to every one of your end users. The trade-off to note: by default the tenant key is generated and held by Microsoft, which is what lets the service decrypt content for malware scanning and eDiscovery. Organizations that need control of the root key can bring their own key through Azure Key Vault, taking on the operational responsibility that comes with it. The whole system is built on Azure and can be used by nearly anyone.
Administrators Cannot Restrict Email Usage.
One of the biggest drawbacks of the Office 365 email encryption setup is that the basic OME “Encrypt” option protects the message in transit and at rest but leaves the recipient free to forward, print, copy or download the contents. Restricting those actions relies on Information Rights Management (IRM), delivered through Azure Rights Management, the protection service within Azure Information Protection (AIP).
Usage restrictions let administrators automatically block forwarding, printing, or downloading of an encrypted email. The IRM and AIP capabilities are typically an additional charge on top of OME, and without them the recipient of an encrypted email can do what they like with it. So right out of the gate, Microsoft expects administrators to add products in order to be more secure.
Secure/Multipurpose Mail Extensions – Advantages and Disadvantages
S/MIME encryption needs no introduction in the email encryption realm. In use since 1995, it has been a secure, stable way to encrypt and sign email for decades, and it remains the go-to for large organizations that want to manage their own keys and certificates.
Easy Generation of Encryption Keys.
S/MIME is public-key encryption: each user publishes a certificate containing their public key, anyone can encrypt to it, and only the matching private key, held by that recipient, can decrypt. Key pairs are quick for an IT professional to generate; the work is in issuing certificates from an authority the recipients trust and getting them onto each mailbox and device.
Individual Encryption Keys.
The downside is that each user’s certificate and private key must be installed on every computer or mail client they read from. On top of the extra work, S/MIME prevents Exchange Online from scanning those messages for malware and viruses, because the service never sees the plaintext.
Going back to Office 365 Message Encryption, this is where OME shines by comparison: any E3 or E5 license includes it at no extra cost, and other licenses can add it for a per-user fee.
Once the leg work of distributing certificates is done, S/MIME keeps email away from prying eyes, including the mail provider’s. In the early years of S/MIME the main worry was that a lost private key meant losing every message encrypted to it. Today, key management tooling (including free options) and certificate escrow or backup let an organization restore the original private key. Note that simply issuing a new certificate does not unlock mail encrypted to the old one, so back up encryption keys before they are needed.
S/MIME Makes Email Malware Scans Difficult
Office 365 does allow S/MIME certificates to be used. However, because the content is opaque to the service, it is difficult to scan S/MIME mail for malicious payloads such as viruses, malware, and bad links.
This inaccessibility and inflexibility is why many businesses have moved away from S/MIME as their standard. If you archive email for compliance or rely on scanning inbound mail from the Internet, S/MIME makes both difficult and can leave users exposed to payloads that a gateway would otherwise catch.
Information Rights Management (IRM) – Advantages and Disadvantages
The IRM product in Microsoft O365 lets an end user restrict what a recipient can do with an encrypted email once it is opened. This reduces data leakage by recipients who are not under your management, with one caveat: the restrictions are enforced by the recipient’s rights-aware client, so they stop forwarding, printing and copying but cannot stop a screenshot or a photo of the screen.
IRM cannot be used with every email platform the way OME can, but it covers most email users without issue!
IT Administrators Can Add Email Restrictions.
In terms of sophistication, IRM improves upon the standard OME product. It is currently only available to enterprise-level customers, though other solutions on the market give smaller businesses the same capabilities without requiring an enterprise-level license.
IRM is what lets users restrict what the recipient can do with their email. Unlike the standard OME Encrypt option, IRM can prevent recipients from downloading, printing, or forwarding encrypted emails.
Protection Against Data Leakage.
IRM uses Azure Rights Management to keep protected content inside Microsoft’s rights-management boundary, so the usage restrictions travel with the message. An IT manager can also apply these restrictions automatically with transport (mail flow) rules.
Preventing forwarding or downloading of sensitive data is quick and done entirely within the Exchange Admin Center for O365. IRM is an excellent addition to OME and a great tool in an IT person’s pocket!
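An added example (not Microsoft’s or Mailprotector’s code) of applying IRM usage restrictions by rule and checking that the tenant’s IRM plumbing actually works. It assumes Connect-ExchangeOnline has already been run with an Exchange administrator account and that the default “Do Not Forward” template is available; the group, domain and mailbox names are placeholders.

```powershell
# Added example (not Microsoft's or Mailprotector's code): apply the "Do Not Forward"
# template by mail flow rule and verify IRM end to end. Assumes an existing
# Connect-ExchangeOnline session; group, domain and mailbox names are placeholders.
$dnf = Get-RMSTemplate | Where-Object Name -eq 'Do Not Forward'
if (-not $dnf) { throw '"Do Not Forward" template not available; check AIP/IRM licensing.' }

# Outbound mail from the finance group to anyone outside the tenant gets Do Not Forward
# (no forward, print, copy or download in rights-aware clients). One trusted partner
# domain is excluded so an existing shared workflow keeps working.
New-TransportRule -Name 'IRM - finance external Do Not Forward' `
    -FromMemberOf 'finance@contoso.example' `
    -SentToScope NotInOrganization `
    -ExceptIfRecipientDomainIs 'trusted-partner.example' `
    -ApplyRightsProtectionTemplate $dnf.Name `
    -Mode Enforce

# Verify: can this sender protect, and can an external recipient be issued a use
# license? Failures here surface licensing or service problems before users hit them.
Test-IRMConfiguration -Sender alice@contoso.example -Recipient bob@example.net

# Show the rule alongside any other IRM rules so priority conflicts are visible.
Get-TransportRule | Where-Object Name -like 'IRM *' | Format-Table Name, State, Mode, Priority -AutoSize
```

The template is enforced by the recipient’s client, not by the wire: a rights-aware reader blocks forward and print, but nothing stops a screenshot or a camera. Treat IRM as friction that keeps honest recipients honest, not as containment.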
IRM Cannot Be Used by All Email Platforms.
The downside to IRM, beyond its added cost, is that some platforms cannot open email protected by the IRM system, so OME remains necessary for general use.
Why Office 365 Message Encryption is Not Enough
Microsoft Office 365 is an excellent choice as an email host. Many people use Office 365 encryption, and we don’t discourage its use. However, we recommend a layered approach to ensure complete email security. Without a full scale email encryption solution like Bracket, you are leaving your users exposed. Here are a few reasons why Office 365 email encryption isn’t enough.
Office 365 Cannot Do Email Recall
Other products provide many features that OME and IRM don’t. One of the most requested by end users is the ability to recall an email they didn’t mean to send; standard OME offers no recall.
OME also comes up short in managing a message thread. Once the email is out on the Internet it is encrypted, but with OME or IRM it can’t be adjusted, edited or withdrawn. Microsoft’s Advanced Message Encryption tier does add revocation and expiration, but only for messages delivered through the OME portal and only with an E5-level license, so it is another upsell rather than part of the base product.
Office 365 Message Encryption May Not Meet Email Compliance Policies
OME builds on Azure Rights Management, whose published cryptographic controls are AES for the message content (128- or 256-bit depending on content type), RSA-2048 to protect the content key, and SHA-256 for signing. A comparison of “AES-256” against “RSA-2048” is therefore not a choice between alternatives: the content is already AES-encrypted, and RSA only wraps the content key. What a regulator or contract can legitimately demand is a minimum security strength across the whole chain. NIST rates RSA-2048 at roughly 112 bits of security, so a policy that requires 256-bit strength end to end is not satisfied by the key-wrapping step, whatever the content cipher. If your clients face such a requirement, or expect to, check how a vendor’s key protection measures up and not just its headline cipher.
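As an added example (not Microsoft’s or Mailprotector’s code), the hybrid construction just described, reproduced with .NET primitives from PowerShell 7: a fresh AES-256 key encrypts the content, RSA-2048 with OAEP wraps that key, and an RSA signature over SHA-256 authenticates the envelope. The message text, the key pairs and the function names are constructed for the illustration; in real use the sender holds only the recipient’s public key.

```powershell
# Added example (not Microsoft's code): the hybrid scheme behind OME, with .NET
# primitives, so the separate roles of AES, RSA-2048 and SHA-256 are visible.
# Requires PowerShell 7. Message text and key pairs are constructed here.
using namespace System.Security.Cryptography
using namespace System.Text

function Protect-Message {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [Parameter(Mandatory)][RSA]$RecipientKey,   # public half is all that is used
        [Parameter(Mandatory)][RSA]$SenderKey        # private half, for the signature
    )
    # Content: a fresh 256-bit AES key and IV per message (symmetric, 256-bit strength).
    $aes = [Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain  = [Encoding]::UTF8.GetBytes($PlainText)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # Key protection: only the 32-byte AES key is RSA-wrapped. RSA-2048 gives about
    # 112 bits of security (NIST SP 800-57), so this wrap, not AES-256, bounds the
    # overall strength. "AES-256 versus RSA-2048" is not a meaningful comparison.
    $wrapped = $RecipientKey.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)

    # Authenticity: SHA-256 is the hash inside the RSA signature; it encrypts nothing.
    $signed = [byte[]]($aes.IV + $cipher + $wrapped)
    $sig = $SenderKey.SignData($signed, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

    [pscustomobject]@{ IV = $aes.IV; CipherText = $cipher; WrappedKey = $wrapped; Signature = $sig }
}

function Unprotect-Message {
    param(
        [Parameter(Mandatory)]$Envelope,
        [Parameter(Mandatory)][RSA]$RecipientKey,   # private half, to unwrap the key
        [Parameter(Mandatory)][RSA]$SenderKey        # public half, to verify the signature
    )
    # Verify before decrypting: a tampered envelope is rejected without touching the key.
    $signed = [byte[]]($Envelope.IV + $Envelope.CipherText + $Envelope.WrappedKey)
    if (-not $SenderKey.VerifyData($signed, $Envelope.Signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)) {
        throw 'Signature check failed: envelope altered or not from this sender.'
    }
    $key = $RecipientKey.Decrypt($Envelope.WrappedKey, [RSAEncryptionPadding]::OaepSHA256)
    $aes = [Aes]::Create()
    $aes.Key = $key
    $aes.IV  = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.CipherText, 0, $Envelope.CipherText.Length)
    [Encoding]::UTF8.GetString($plain)
}

# Demo with two freshly generated key pairs.
$recipient = [RSA]::Create(2048)
$sender    = [RSA]::Create(2048)
$envelope  = Protect-Message -PlainText 'Constructed sample: claim 10423 approved' -RecipientKey $recipient -SenderKey $sender
'Content key: {0} bits AES; key wrap: RSA-{1}; wrapped key size: {2} bytes' -f 256, $recipient.KeySize, $envelope.WrappedKey.Length
Unprotect-Message -Envelope $envelope -RecipientKey $recipient -SenderKey $sender
```

Flip one byte of $envelope.WrappedKey before calling Unprotect-Message and the signature check, not the decryption, is what fails; that ordering is the point of signing the wrapped key together with the ciphertext.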
Office 365 Encryption Lacks Flexibility
OME lacks some of the flexibility other encryption platforms offer. Another factor many security professionals worry about is having all their data and mail flow in one place: if every service runs on O365, any outage is a single point of failure.
Microsoft is not untouchable, so businesses save time, money, and clients by having a secondary system available when O365 is down. With encryption on another platform, many providers let users send from the encryption platform itself, independently of O365.
In a Microsoft outage, this lets your end users keep working while Microsoft fixes the issue.
Additional Email Security Features Are Available Elsewhere
An additional email encryption platform can let messages expire on a specific date, add passwords for concerned users, and protect subject lines, which OME otherwise leaves unencrypted.
Bracket Email Encryption Picks Up the Slack
Mailprotector’s Bracket email encryption tool allows for automatic encryption, subject protection, forward protection, and download protection without any additional cost to the business.
Anything OME and IRM can accomplish, Bracket can perform as well, without the requirements of a high-cost license. So let’s talk about Bracket.
Bracket by Mailprotector
The right email encryption tool can be a chore to select and manage. After listening to the needs of our Partner Advisory Board and other members of our partner base, we at Mailprotector decided to try something new. Partners were asking for an easier, faster way for users to exchange encrypted emails. They needed the process to be both simple and secure; both customizable and effortless.
Soon after, the Bracket email encryption tool was born and subsequently the technology was patented.
- Patented Encryption Technology: No one else can provide encryption quite like Mailprotector’s Bracket email encryption solution. Patented in 2020, Bracket was created as a secure, easy-to-use email encryption tool. To speak to Bracket’s ease-of-use, every user in the world can encrypt directly from their keyboard. Users simply wrap the subject line in brackets and send.
- Compliant: Bracket uses AES-256 encryption and supports compliance programs such as HIPAA and FINRA, among many other regulatory requirements.
- No passwords, plugins, or downloads required: Recipients of Bracket emails don’t need an account, a password, or even a one-time code. They click a device-fingerprinted link that signs them into the Bracket portal, where your end users retain complete control.
- Email Recall Enabled: Emails can be recalled, expiration dates can be set on each message thread, individual comments and attachments can be removed, and the end-user can prevent any mismanagement of the email.
- Configuration Flexibility: Bracket can be configured in several ways. First, Bracket can be configured as an outbound gateway before emails reach the internet to encrypt data before anyone can intercept it. Second, it can be set up to be delivered directly via a secure connection within nearly any email client.
- No More Lost Passwords: Bracket offers users fool-proof sign-in with a secure, expiring link. That is good for both the users and administrators.
- Accessibility: Encrypted email can be sent from any email app on any device.
- MX-free for Office 365: No need to change MX records to route mail through filtering services.
- Easy File Transfer: Bracket also includes an encrypted file transfer service, Bracket Share, which gives users a personalized file transfer page with an easy URL (share link) that they can provide to anyone.
- Quick and Easy Deployment: Bracket can be set up as a standalone product in O365 utilizing an API configuration between Mailprotector and O365. The deployment in any of these configurations takes only a few minutes, and IT professionals can leverage both Mailprotector’s DLP policies as well as O365’s, Google’s, or any others.
Bracket shores up everything that is missing from OME, IRM, and S/MIME while allowing you to get the best of both worlds in O365 and Mailprotector!
Does Office 365 have email encryption?
Microsoft 365 uses encryption in two ways: in the service, and as a customer control. In the service, encryption is used in Microsoft 365 by default; you don’t have to configure anything. For example, Microsoft 365 uses Transport Layer Security (TLS) to encrypt the connection, or session, between two servers.
How do I encrypt a message in Office 365?
The steps below enable S/MIME encryption in the Outlook desktop client, so they require your own S/MIME certificate and a copy of the recipient’s public certificate:
In the message that you are composing, click File > Properties.
Click Security Settings, and then select the Encrypt message contents and attachments check box.
Compose your message, and then click Send.
To apply OME instead, which needs no recipient certificate, use the Encrypt button on the Options tab in Outlook and choose Encrypt or Do Not Forward.
What kind of encryption does Office 365 use?
Office and Microsoft 365 Message Encryption – OME
The first layer is Office 365 Message Encryption, known by the acronym OME, the encryption provided by Office 365. Since 2018, Microsoft has used 256-bit AES encryption on protected Office files such as .docx.
How strong is Microsoft Word encryption?
The document encryption in Microsoft Office 2016 is considered safe (AES with a 256-bit key) and would take a very long time to break with today’s computing resources, provided the password it is derived from is strong enough. A weak password, not the cipher, is the practical attack surface.
Is Office 365 email encryption HIPAA compliant?
Yes, with a signed Business Associate Agreement (BAA) and proper usage, Office 365 encryption can be used in a HIPAA-compliant manner. It is the covered entity’s responsibility to ensure a BAA is signed before Office 365 is used to transmit, store, or maintain PHI.