BYOK and Office 365
You don’t have to bring and manage your own keys to get more control and transparency, says Paul Rich from Microsoft’s Office 365 team. BYOK isn’t the only way to get around the tension between having no control over encryption and losing most of the benefits of a cloud service by encrypting your data before putting it into the service.
“If you encrypt data before it goes into the service it can't be reasoned over, so simple table stakes stuff like spam and virus detection can't be done, and the higher level features like legal holds, and Delve document discovery and so on all require access to the content people are putting in. CIOs understand that and they want the functionality of those features when they come to the cloud. What they’re asking is ‘how can we allow you to do that reasoning with the machines that the service is comprised of but not have your people looking at our data?’”
The alternative is the new Office Lockbox. “The idea is that people at the cloud service don’t have access to your content. You can be assured of zero human access by Microsoft to your content. If there is a support reason we would need access, we ask for permission and until we get that, humans running the service wouldn’t be able to access it.” Customers get transparency and visibility, says Rich; they can see what access requests are coming in, control who in the business is approving those and get logs of what activity took place while the content was accessible.
If you’re wondering what would stop Microsoft simply claiming that it didn’t have access, or admins doing more than the logs show, Rich points to the Government Security Program Microsoft runs to provide controlled access to Microsoft source code, which NATO recently renewed. “We agree with our customers, we want to take the lockbox code and have it be part of a program that allows third-party code reviews and shows it doesn’t have side doors or back doors.”
Delivering the Lockbox meant rewriting the Office services to remove the default that came from the on-premises server software, where the admin always had access to the data. That’s been done for Exchange and the Lockbox option is already available; it will be an option for SharePoint in Q1 of 2016.
Office 365 is also moving from relying on BitLocker to encrypt the servers that workloads run on, which doesn’t protect them while they’re running, to encrypting at the application layer. That’s been done for SharePoint already and is in progress for Exchange. Microsoft’s Rich predicts it will be ready by the end of 2015, with Skype for Business following later. “That separates the data administrator from the service administrator much more strongly,” he claims. That will enable BYOK too. “We’ll be wrapping the key that we use in the application layer to protect mailbox content with the Azure Key Vault key that the customer owns.”
“When the service is fully released, our plan is to offer customers a small number of keys, perhaps 10 or 20, that you use with your tenant for Exchange, SharePoint and Skype for Business. Most customers say they don’t need more than a handful of keys, say three keys for America, Europe and APAC that they put in Key Vault HSMs in those geographies.”
Those keys will need safeguarding but it won’t make running Office 365 much more complicated, he predicts. “You will do a minimal amount of management, to rotate the keys occasionally,” says Rich. “The way you use these keys is as an exit strategy for the whole service. In normal operation, we don't have access to your content; if a human needs access then the Office Lockbox is the answer and you know who had access and when. The key in the Key Vault is used to turn all the lights out at once when you leave the building.”
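The key-wrapping arrangement Rich describes, in which a service-side key protects mailbox content and is itself wrapped by a customer-owned Key Vault key, is envelope encryption. The following Go program is an added example, not Microsoft's code: the `keyVault` type is a constructed stand-in for the customer's HSM (it only exposes wrap and unwrap, never the raw key), the sample mailbox text is constructed, and the key names are placeholders. It shows why the customer key can serve both as the occasional rotation chore and as the "lights out" exit strategy: rotating re-wraps the small data key without touching the stored ciphertext, and revoking the last key leaves the service unable to recover the content.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyVault is a constructed stand-in for the customer-owned Key Vault HSM.
// Key-encryption keys (KEKs) live here by name; only wrap/unwrap are exposed.
type keyVault struct{ keks map[string][]byte }

func newKeyVault() *keyVault { return &keyVault{keks: map[string][]byte{}} }

// createKEK generates a fresh 256-bit AES key under the given name.
func (v *keyVault) createKEK(name string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	v.keks[name] = k
	return nil
}

// revokeKEK is the customer "turning the lights out": every DEK wrapped
// under this KEK, and so every mailbox using it, becomes unreadable.
func (v *keyVault) revokeKEK(name string) { delete(v.keks, name) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects any tampered ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func (v *keyVault) wrap(name string, dek []byte) ([]byte, error) {
	kek, ok := v.keks[name]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", name)
	}
	return seal(kek, dek)
}

func (v *keyVault) unwrap(name string, wrapped []byte) ([]byte, error) {
	kek, ok := v.keks[name]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", name)
	}
	return open(kek, wrapped)
}

// mailboxRecord is what the service stores: ciphertext, the wrapped DEK and
// the name of the customer KEK that wrapped it. No plaintext key is at rest.
type mailboxRecord struct {
	KEKName    string
	WrappedDEK []byte
	Ciphertext []byte
}

// storeMailbox creates a per-mailbox DEK, encrypts the content with it and
// wraps the DEK under the customer's KEK.
func storeMailbox(v *keyVault, kekName string, content []byte) (*mailboxRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, content)
	if err != nil {
		return nil, err
	}
	wrapped, err := v.wrap(kekName, dek)
	if err != nil {
		return nil, err
	}
	return &mailboxRecord{KEKName: kekName, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// readMailbox must unwrap the DEK through the vault first; once the customer
// has revoked the KEK, the service cannot recover the content.
func readMailbox(v *keyVault, rec *mailboxRecord) ([]byte, error) {
	dek, err := v.unwrap(rec.KEKName, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

// rotateKEK re-wraps the DEK under a new KEK; the mailbox ciphertext is untouched.
func rotateKEK(v *keyVault, rec *mailboxRecord, newKEK string) error {
	dek, err := v.unwrap(rec.KEKName, rec.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := v.wrap(newKEK, dek)
	if err != nil {
		return err
	}
	rec.KEKName, rec.WrappedDEK = newKEK, wrapped
	return nil
}

func main() {
	v := newKeyVault()
	_ = v.createKEK("europe-kek-v1") // placeholder key name
	rec, _ := storeMailbox(v, "europe-kek-v1", []byte("constructed sample mailbox content"))
	_ = v.createKEK("europe-kek-v2")
	_ = rotateKEK(v, rec, "europe-kek-v2")
	v.revokeKEK("europe-kek-v1")
	pt, err := readMailbox(v, rec)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	v.revokeKEK("europe-kek-v2")
	_, err = readMailbox(v, rec)
	fmt.Println("after revoking every KEK:", err)
}
```

The point to take from the rotation path is that it moves only the 32-byte wrapped DEK, which is why Rich can describe key management as "minimal"; the cost of the exit strategy is the flip side, since a KEK lost to fire or mishandling is as final as a deliberate revocation.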
Secure your keys
Given how few businesses are securing the keys they’re already responsible for, according to a survey last year, BYOK and HYOK will be beyond the scope of many businesses. The Ponemon Institute found half of enterprises have no centralized controls for their SSH keys and many don’t rotate keys, which leaves them more vulnerable to attack. Losing cloud encryption keys would be even more problematic, as you’ll lose data permanently.
Remember, BYOK isn't the only key-related security responsibility you might be taking on soon. Windows 10 includes the new Device Guard option to limit PCs to only running signed applications that either come from the Windows Store or have been signed, by an ISV or by an enterprise itself, using keys that chain up to the Microsoft certificate authority. ISVs and Microsoft can sign apps that any enterprise can run; but those kinds of organizations already have processes for protecting high value keys.
The signing keys enterprises get are more limited and produce signed apps that you can only run in your own domain. But that still means that an attacker who compromises your signing keys can produce malware that your most secure devices will trust.
If you're using Device Guard to configure code integrity for your PCs, Microsoft's Chris Hallum points out that "it's really important that the accesses are held by trusted people, that you’re using two-factor authentication and that only a limited number of senior people in your organisation who you trust have access.”
In 2007, hackers stole the keys that Nokia used to digitally sign apps for its Symbian OS and blackmailed the company into handing over millions of euros in an attempt to get them.
If you aren’t prepared to deal with everything from fire to blackmail as a potential denial of service attack on your IT infrastructure and company data, you may not be ready to bring your own keys. Recently, a bug in the plugin GitHub created for Visual Studio 2015 meant that a developer who embedded his AWS credentials in code uploaded to what was meant to be a private repository found that hackers were using those keys to run up thousands of dollars’ worth of AWS instances.