Microsoft announced today the first public preview of a new Microsoft 365 security feature named Double Key Encryption.
"Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encryption key," Microsoft said today.
"It uses two keys to protect your data - one key in your control, and a second key is stored securely in Microsoft Azure.
"Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security," it added.
Microsoft says the new feature was specifically designed for highly regulated industries, such as financial services or healthcare, or for companies that need to safely store sensitive data in the cloud, such as trade secrets, patents, financial algorithms, or user data, and need the highest level of protection to satisfy both regulatory requirements and internal protocols.
Two example scenarios where Double Key Encryption can help include:
- Scenario 1: Sensitive Intellectual Property: Big Pharma company, Contoso, would like to move their sensitive information to the cloud, but some formulations of their market leading drugs need to be kept secure even during migration to the cloud. Using the Cloud provider's key to encrypt the data is not enough security assurance for Contoso, as there is a concern that the cloud provider may grant some third-party access to the data or have an operator that may inadvertently decrypt sensitive information (i.e., during a technical support call). In such a case, Contoso, would like to encrypt the sensitive content with their key, and then proceed to re-encrypt with the Cloud Provider's key.
- Scenario 2: Regulated Environments: A Government Agency is about share confidential information via a cloud platform with some of their contractors. The Government agency needs to ensure that the information remains opaque to third parties based on their regulated government data policies. The Agency encrypts their content with Double Key Encryption and shares such content via a cloud platform with their contractors; thereby, guaranteeing that the cloud provider does not have access to the content and only the intended recipients have access.
Double Key Encryption is also integrated with the Azure Information Protection unified labeling capabilities, allowing tenants to create multiple DKE labels, and protect data with different encryption keys, while also applying different group policies and access restrictions based on the users who need to access the data.
Once the label deployed, users will be able to activate it for any document and have the file automatically encrypted and protected while managed inside a company's Microsoft 365 account.
Double Key Encryption will be available starting today as a public preview for Microsoft 365 E5 and Office 365 E5 customers.
Additional information will be available later today, such as official documentation and GitHub repositories. Links to be added when they go live.