Making the Right Encryption Choices Requires Balancing Risks
Thoughts about digital transformation and AI for enterprise leaders and their legal & compliance advisors
These posts represent my personal views on enterprise governance, regulatory compliance, and legal or ethical issues that arise in digital transformation projects powered by the cloud and artificial intelligence. Unless otherwise indicated, they do not represent the official views of Microsoft.
Regular readers will know that my team at Microsoft has been looking closely at encryption from the perspective of legal and compliance leaders in the enterprise. Of course, the technology itself and the algorithms behind it are fascinating and ingenious. But what’s more interesting to me—and more important I think for leaders—are the policy issues. How to go about encrypting your organization’s information as you expand your footprint in the cloud is a question that requires careful thinking about security, compliance, and ultimately trust. In today’s post, I’ll try to boil down my recent posts on this topic to the essentials. What follows are eight basic precepts about encryption and the cloud in the enterprise.
1. Every organization has legitimate secrets it needs to protect.
This may seem obvious, but it bears repeating. In the life of every organization, there is a large amount of information that must be kept from unauthorized eyes, whether external or internal. Secret information is not an anomaly nor is it necessarily a sign of something illicit. An organization that has no secrets is one that has no strategy, no knowledge of its customers or products or employees, no special skills, no frontier between itself and its environment. A business or government agency cannot function in such a state.
2. These secrets fall into three main categories.
Of course, we could devise an infinite variety of classifications for secret information, but taking a broad view it all falls into one of three bins:
- Confidential business information such as trade secrets, strategic plans, cost data, litigation tactics, internal disciplinary matters, finances, and so forth.
- Highly regulated information such as personal health and financial data belonging to individuals (consumers, employees, students, patients, etc.).
- Genuinely top secret information such as matters related to national defense or national security.
These three categories of enterprise secrets may require different kinds of encryption.
3. There are many kinds of encryption—it is essential to sort out their differences.
Microsoft by my count has over a dozen major encryption products. If you look at the market as a whole, you’ll find similar complexity. These varieties of encryption all exist for a reason. Without descending too far into technical details, it’s important for legal and compliance experts who are evaluating encryption to acquire the knowledge to understand what the major varieties are and how they differ. I’ll offer some guidance in the following bullet points.
4. Information needs to be protected in different ways at different stages of its life cycle.
The most basic life cycle stages are these (I wrote about this in more detail in last week’s post):
- Encryption of information while it is moving from point A to point B (encryption “in transit”). This includes the now universal, standardized encryption of the network connections through which information flows over the public Internet or private networks (TLS is the usual protocol). But it also includes the lesser-known but increasingly important use of encryption to enforce “allowable use policies” that travel with documents wherever they go: here the protection is applied to the document itself rather than to the connection, so it persists after delivery. Examples from Microsoft include Azure Information Protection and Office 365 Message Encryption. With these cloud services you can not only encrypt important documents but also control what their recipients can do with them (such as printing or forwarding), audit who has opened them, and even revoke access.
- Encryption of information while “at rest.” This includes disk encryption (such as BitLocker on your PC or the equivalent on servers in the cloud), which prevents a hacker who steals an actual storage device from reading what is on it. Note the limit of that protection: once the system is running and the disk is unlocked, anyone with valid credentials, or an attacker who has compromised an account, reads the data in the clear. A more advanced form of encryption at rest is known in the Microsoft cloud as service-level encryption. Here the customer data in a cloud service such as Office 365 gets its own encryption, separate from the disk. This is not only a defense against malicious insiders and outside hackers but also, when combined with a key the customer controls, a way to comply with data protection regulations that require organizations to control their own data or keep it in their own country.
- Encryption of data while “in use.” This is a relatively new form of encryption and one that is still rapidly evolving. One example is the encryption of sensitive database columns on the client side, so that the database server in the cloud can still perform a limited set of operations on them (equality matches, for instance) without ever holding the decryption key. A more advanced and still experimental variant of this approach is known as homomorphic encryption, which may one day make any computation on sensitive data strictly private, although today it remains far too slow for general workloads.
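To make the “in use” bullet concrete, here is an added example (mine, not Microsoft code and not the Always Encrypted implementation) of client-side column encryption. The client holds the keys and encrypts before inserting; the server stores ciphertext only and can answer an equality query on a deterministically encrypted column, but nothing on a randomized one. To stay in the standard library the cipher is a stand-in: HMAC-SHA256 used as a PRF in counter mode with an encrypt-then-MAC tag, where a real deployment would use AES. The keys, table layout and sample rows are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys. In a real deployment the column keys live with the
# client or in a key vault the database engine cannot read; the server only
# ever sees ciphertext.
_MASTER = b"demo-column-master-key-not-for-production"
ENC_KEY = hmac.new(_MASTER, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(_MASTER, b"mac", hashlib.sha256).digest()
SIV_KEY = hmac.new(_MASTER, b"siv", hashlib.sha256).digest()
NONCE_LEN = 16
TAG_LEN = 16


def _keystream(nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF (stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(plaintext: bytes, deterministic: bool) -> bytes:
    """Encrypt-then-MAC. Deterministic mode derives the nonce from the plaintext
    (a synthetic IV), so equal plaintexts give equal ciphertexts and the server
    can test equality. Randomized mode uses a fresh nonce, so it cannot."""
    if deterministic:
        nonce = hmac.new(SIV_KEY, plaintext, hashlib.sha256).digest()[:NONCE_LEN]
    else:
        nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def decrypt(blob: bytes) -> bytes:
    """Verify the tag first; a modified ciphertext is rejected, not decrypted."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(nonce, len(body))))


# ---- server side: sees ciphertext only and holds no keys --------------------

def server_select_equal(table: list, column: str, ciphertext: bytes) -> list:
    """The one computation the server can do on an encrypted column: byte equality."""
    return [row for row in table if row[column] == ciphertext]


def server_frequency(table: list, column: str) -> dict:
    """What a deterministic column still leaks: how often each (unknown) value repeats."""
    counts = {}
    for row in table:
        counts[row[column]] = counts.get(row[column], 0) + 1
    return counts


# ---- client side: owns the keys ---------------------------------------------

PATIENTS = [  # constructed sample rows; duplicate SSN is deliberate
    ("Alice", "123-45-6789", 52000),
    ("Bob", "987-65-4321", 52000),
    ("Carol", "123-45-6789", 61000),
]


def build_table() -> list:
    """Encrypt before INSERT: SSN deterministic because we need WHERE ssn = ?,
    name and salary randomized because they are only ever read back."""
    return [
        {"name": encrypt(name.encode(), deterministic=False),
         "ssn": encrypt(ssn.encode(), deterministic=True),
         "salary": encrypt(str(salary).encode(), deterministic=False)}
        for name, ssn, salary in PATIENTS
    ]


def find_names_by_ssn(table: list, ssn: str) -> list:
    token = encrypt(ssn.encode(), deterministic=True)  # identical to the stored ciphertext
    return [decrypt(r["name"]).decode() for r in server_select_equal(table, "ssn", token)]


def find_names_by_salary(table: list, salary: int) -> list:
    token = encrypt(str(salary).encode(), deterministic=False)  # fresh nonce: never matches
    return [decrypt(r["name"]).decode() for r in server_select_equal(table, "salary", token)]
```

The trade-off the example makes visible is the one a compliance reviewer should ask about: deterministic encryption buys searchability at the price of revealing which rows share a value (`server_frequency` on the SSN column shows the duplicate without knowing the SSN), while randomized encryption leaks nothing but also supports no server-side query at all. Range queries, sums and joins on encrypted columns need either hardware enclaves or homomorphic schemes; plain ciphertext equality cannot provide them.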
5. There are good reasons why in most circumstances you should share control of your encryption keys with your cloud provider.
You might think that when your data is encrypted in the Microsoft cloud you keep it entirely secret from Microsoft by retaining sole possession of the encryption keys. You can choose that option if you wish (see below), but we recommend that in most cases you don’t. Allowing certain tightly controlled Microsoft software processes to scan your data in unencrypted form in our highly secure cloud data centers offers important benefits while introducing minimal risk.
The most important benefit is protection against hackers. When we scan the messages and documents your users circulate in Office 365, for example, they remain unseen by any human eyes at Microsoft, but our AI-powered software analyzes them in depth for signs of malicious code, known dangerous web URLs, and attempted phishing attacks, among other things. Another benefit is compliance. Most organizations face legal obligations of various kinds to retain and archive certain kinds of information, for example for purposes of eDiscovery, and this can only be done if the cloud provider can access the data.
6. Yes, there is a theoretical possibility that a law enforcement or intelligence agency could legally force us to turn over your data without telling you, but this is a vanishingly rare occurrence that should not receive undue weight in your risk assessments.
We have a strict policy for handling legally binding orders for access to customer data in our cloud. We first examine the order closely to see if it complies with all applicable laws and requirements. If not, we reject it. If we determine the order is valid, we make every effort to redirect it to the customer who owns the data. If that fails, and there is no further legal action we can take, we will comply with the order. And yes, it is theoretically possible that the law may even compel us to withhold knowledge of this access from you. But you should be aware that Microsoft has successfully fought the U.S. Department of Justice to place tighter restrictions on when it is allowed to use so-called “gag orders” that prevent us from telling you about government data requests.
It is also essential that you understand how extremely rare such events are in reality. For example, in the second half of 2018, of 21,494 total law enforcement requests for customer data that Microsoft received in the world, only 61 were for enterprise customer data (the rest were for data belonging to users of our consumer services). In only 15 of these cases were we ultimately compelled to provide access to enterprise customer content, and only one of these cases involved U.S. law enforcement access to content stored overseas. I wrote about this topic in more detail last May. That’s a handful of cases out of more than 20,000. The critical point to remember is that while law enforcement access to enterprise cloud data is extraordinarily rare, attacks on your information by hackers are not rare at all: in the Microsoft cloud we block literally millions of such attacks every day. If we can’t scan your data as it flows through our cloud, we can’t stop these attacks and you will have to deal with them yourself. You should consider carefully which risk is greater.
7. Even when you choose (as you should) to share control of your keys with us as your cloud provider, you can still use your own separate on-premises keys for a small amount of genuinely top-secret information.
We always allow our customers to assess their own security needs and we don’t close off any options for them. We do offer full end-to-end encryption solutions for customers who absolutely require them. These include S/MIME and Hold Your Own Key (HYOK), which I’ve written about before. These options bring the additional cost of on-premises servers as well as additional risks (one of your system administrators might make a mistake configuring those servers, or a hacker might find a vulnerability in your on-premises defenses), and data encrypted this way cannot be scanned for malware or searched for eDiscovery by the cloud service. But end-to-end encryption is a sensible solution for organizations that must handle a small amount of genuinely top-secret information, for example defense contractors, branches of the military, and intelligence agencies. It may also sometimes be appropriate for organizations in other industries. We have made it easy for customers with these needs to integrate such on-premises encryption into workflows that rely on our highly secure cloud encryption for most other information.
8. Choosing the right encryption is always a matter of balancing risks.
No matter where you turn, there will always be risk. There is no such thing as an encryption solution that offers a 100% guarantee that your data will never be accessed against your will. It’s exceedingly unlikely that the algorithms themselves will be broken, at least not until the distant future when quantum computing matures (and even then the threat is chiefly to public-key algorithms such as RSA and elliptic curve; symmetric ciphers such as AES remain sound at adequate key lengths). But the software, hardware, and people that implement the algorithms will never be absolutely free of vulnerabilities. Not even open source encryption software is immune from attacks, because hackers (possibly nation-states) have successfully planted malicious code in open source packages on multiple occasions. When choosing an approach to encryption and the cloud, you should always conduct a reasoned, evidence-based effort to measure and realistically compare the risks you face. When you evaluate the potential risk of entrusting your sensitive data to the Microsoft cloud, you should ask “does the evidence really suggest it could be safer somewhere else?” I believe the answer is “not likely.”
Despite its mathematical roots, encryption is too important a subject to be entrusted entirely to technologists. Legal and compliance leaders must be willing to grapple with encryption’s security and compliance trade-offs directly. Your duty is to guide your Boards and CEOs not to a mythical zero-risk solution that does not exist, but towards the best risk-balanced approach possible for your organization given your objectives and resources.
Microsoft has published a book about how to manage the thorny cybersecurity, privacy, and regulatory compliance issues that can arise in cloud-based Digital Transformation—including a section on encryption trade-offs. The book explains key topics in clear language and is full of actionable advice for enterprise leaders. Click here to download a copy. Kindle version available as well here.
Comment from Executive Director @ The Cybersafety Group | Digital Privacy Expert (5 years ago): Tough calls.