Should you enable Microsoft's Office 365 Automatic Message Encryption?
By Chris Hathaway, Operations Director & Cloud Advisor.
On 13 December 2018, Microsoft released a rather startling announcement revealing its plan to implement a new automatic mail flow rule in all Office 365 tenants. This rule (policy) would encrypt all outbound e-mails containing certain sensitive data (eg, credit card numbers, bank accounts, etc), with the intention of providing a base level of data loss prevention (DLP) to all Office 365 customers.
At first glance, this seemed like a pretty smart idea. It certainly lined up with Microsoft's dedication to making information protection easier and more accessible for us all. Dig a little deeper, however, and several potential problems become apparent, problems that led to a widespread outcry from numerous technology specialists around the globe (including us).
While Microsoft appears to have taken these concerns to heart and has since withdrawn from implementing an automated policy, the suggestion that it could have been introduced with a service update (with just 30 days' notice) has put a spotlight on the whole area of encryption and content security.
If you're interested in the problems caused by auto-encryption, or are thinking about introducing auto-encryption (under your own control), here's what you need to know.
Upsides of automatic encryption
It would be inaccurate and unfair to say Microsoft applying encryption automatically would be a universally bad thing. For smaller organisations that don't deal with a lot of sensitive information, auto-encryption would be unlikely to affect mail flow to any serious degree and could prevent the occasional privacy breach.
Larger organisations that haven't set up their own rights management and label policies may even find auto-encryption genuinely valuable. Some protection is better than none at all, particularly with legislation like GDPR now in force.
Downsides of auto-encryption
Unfortunately, for most businesses, the downsides of automatic encryption would outweigh the potential benefits by a fair margin. Problems range from mildly annoying to seriously awkward, depending on your organisation and the complexity of your existing message transport rules.
Here are a few of the most common issues that would have arisen if Microsoft had gone ahead, and that you will still face if you set up an equivalent policy yourself:
American view of 'what's sensitive'
Microsoft is a global organisation, but arguably, it's still a little biased towards the American market. As such, it's no real surprise that automatic detection has a few gaps when it comes to recognising sensitive information from other regions. The policy can only match the sensitive information types it has been configured with, and not every non-US bank account, passport or national identity number format is among them, making it an unreliable source of protection for non-US organisations for now. Before relying on any such rule, check exactly which sensitive information types it matches on.
False sense of security
Regional discrepancies aside, there are other details (like personal addresses) that Microsoft's planned automatic policy wouldn't have flagged as sensitive. Of course, unless you've done your homework, you probably won't know what is and isn't covered. Chances are, more than a few businesses will get a nasty surprise when they realise their automatic encryption hasn't protected their information quite as comprehensively as they'd assumed. Being lulled into this kind of false sense of security is a dangerous game.
Mail flow disruptions
Setting up effective message transport rules can be a lot like choreographing a complicated dance: each rule needs to be carefully considered as part of the greater whole to avoid unexpected conflicts tripping things up. Mail flow rules are evaluated in priority order, and any rule can be set to stop processing further rules, so a rule dropped into the sequence without regard to that can both pre-empt rules you depend on and, in the wrong position, never fire at all. Inserting an automatically generated transport rule like the new OME policy right into the middle of things could very easily disrupt the reliability of your organisation's mail flow.
Independent software vendor (ISV) failures
ISVs frequently struggle to perform their functions on encrypted messages, because the body and attachments are already protected by the time their tools see them. In practice that means most encrypted e-mails won't get their nifty headers or footers attached properly, or be readable by your CRM or archiving system. This issue isn't unique to Microsoft's OME, but it is something to consider when you don't have full, granular control over which messages you're encrypting.
Interference with legitimate business workflows
Not being able to control the specifics of which messages get encrypted can also cause problems for businesses that legitimately need to pass on "sensitive" information as part of an ordinary working day. For example, travel agents might need to forward passport numbers to airline booking desks; that becomes far harder when an e-mail has been automatically encrypted with a rights management template that blocks forwarding, printing or copying.
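If you do decide to run an encryption rule under your own control, the downsides above translate directly into configuration choices. The following is an added example, not code from the article or from Microsoft: an Exchange Online PowerShell session that checks the sensitive information types it will match on, looks at the existing rule order before adding anything, creates the rule in audit mode scoped to external recipients only, and exempts the booking-desk domain and CRM connector address from the travel-agent and ISV scenarios above. The rule name, the exempted addresses and domains, the chosen sensitive information types and the choice of the built-in "Encrypt" template are all illustrative assumptions; substitute your own.

```powershell
# Added example (not from the original article or from Microsoft).
# Requires the ExchangeOnlineManagement module; the sensitive information
# type lookup uses the Security & Compliance endpoint, the rule itself the
# Exchange Online endpoint. Names, addresses and domains below are assumptions.

Connect-IPPSSession
Connect-ExchangeOnline

# 1. Sensitive information types (SITs) to match. Regional SITs exist alongside
#    the US-centric ones; pick the identifiers your business actually handles.
$sits = @(
    @{ Name = 'Credit Card Number';                          minCount = '1' },
    @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' },
    @{ Name = 'U.K. National Insurance Number (NINO)';       minCount = '1' }
)
foreach ($s in $sits) {
    # Fail early rather than create a rule that silently matches nothing.
    if (-not (Get-DlpSensitiveInformationType -Identity $s.Name -ErrorAction SilentlyContinue)) {
        throw "Sensitive information type '$($s.Name)' not found in this tenant"
    }
}

# 2. Confirm the protection template exists and review the current rule order.
#    Priority 0 runs first; StopRuleProcessing on an earlier rule means later
#    rules (including a new one) never fire for that message.
Get-RMSTemplate | Format-Table Name, Description -AutoSize
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode, StopRuleProcessing -AutoSize

# 3. Append the new rule after the existing ones so their behaviour is unchanged,
#    in Audit mode so nothing is encrypted until the matches have been reviewed.
$lastPriority = (Get-TransportRule | Measure-Object).Count

New-TransportRule -Name 'Encrypt outbound sensitive data (audit)' `
    -Priority $lastPriority `
    -Mode Audit `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications $sits `
    -ExceptIfRecipientDomainIs 'bookings.example-airline.com' `
    -ExceptIfSentTo 'crm-inbound@example.com' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Comments 'Tenant-controlled replacement for the proposed default OME policy'

# 4. After the audit period, review the rule matches in the Exchange admin
#    centre reports and only then enforce:
# Set-TransportRule -Identity 'Encrypt outbound sensitive data (audit)' -Mode Enforce
```

Two design points are worth spelling out. Scoping with `-SentToScope NotInOrganization` keeps internal mail, which your CRM and footer add-ins see most of, out of the rule entirely, and the "Encrypt" template (as opposed to "Do Not Forward") still lets recipients forward and print, which is what the booking-desk workflow needs. Running in Audit mode first is how you find out what the rule would actually have encrypted before anyone's mail flow changes.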
Alternative solutions for protecting sensitive e-mail content
You may be wondering what your other e-mail protection options are if you decide to avoid the automatic encryption route. The good news is, if you have an E3 or E5 licence, you already have the tools you need to protect your communication channels (and more) in a far more nuanced, granular and controllable way than any automatic encryption policy.
Sensitivity labels and rights management protection templates
When it comes to being able to pick and choose exactly what information you want to protect, how and when you want to protect it, there's no better solution than a set of well-thought-out sensitivity labels backed by a comprehensive rights management protection template.
Depending on your licence, sensitivity labels can be manually (E3) or automatically (E5) applied to messages that meet specific criteria, and trigger a predefined set of security actions (including encryption, if that's what you need) according to your rights management protection template.
Since each step of this process is custom-defined, it becomes far easier to align your messaging protection with your corporate DLP policies to ensure you meet your regulatory responsibilities without negatively impacting productivity.
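As an added example of the label-based approach (not the article's or Microsoft's own code), the block below creates a sensitivity label whose protection template encrypts mail but still allows recipients to forward and print, publishes it for manual use, and then sets up an auto-labelling policy in test mode for the E5 scenario. It runs in Security & Compliance PowerShell. The label name, the usage rights granted, the sensitive information types and the exempted domain are illustrative assumptions, and because this module changes over time the cmdlet and parameter names should be checked against Get-Help in your own tenant before use.

```powershell
# Added example (not from the original article or from Microsoft).
# Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Label names, rights, SITs and domains below are assumptions; verify
# parameter names with Get-Help New-Label / New-AutoSensitivityLabelRule.

Connect-IPPSSession

# 1. A label that encrypts, but whose rights definition grants authenticated
#    recipients view, reply, forward and print, so legitimate onward handling
#    (the travel-agent case) keeps working. Content never expires; recipients
#    can read offline for 7 days before re-authenticating.
New-Label -Name 'Confidential-Customer-Data' `
    -DisplayName 'Confidential - Customer Data' `
    -Tooltip 'Encrypts mail containing customer financial or identity data' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'AuthenticatedUsers:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL' `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# 2. Publish the label so users can apply it manually (E3 and above).
New-LabelPolicy -Name 'Customer data labels' `
    -Labels 'Confidential-Customer-Data' `
    -ExchangeLocation All

# 3. Auto-apply it (E5) to mail containing the chosen SITs. Test mode reports
#    what would have been labelled without changing anyone's mail flow; the
#    booking-desk domain is excluded so passport data still reaches the airline.
New-AutoSensitivityLabelPolicy -Name 'Auto-label customer data' `
    -ApplySensitivityLabel 'Confidential-Customer-Data' `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

New-AutoSensitivityLabelRule -Name 'Customer identifiers in mail' `
    -Policy 'Auto-label customer data' `
    -Workload Exchange `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                          minCount = '1' },
        @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' }
    ) `
    -ExceptIfRecipientDomainIs 'bookings.example-airline.com'

# 4. Once the test-mode matches look right, switch the policy on:
# Set-AutoSensitivityLabelPolicy -Identity 'Auto-label customer data' -Mode Enable
```

The difference from a blanket transport rule is that every element here is a deliberate choice: which identifiers count as sensitive, what recipients may do with protected content, who gets the label, and which workflows are carved out. That is what makes it possible to line the result up with your written DLP policy rather than discovering the gaps afterwards.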
Using Office 365 labelling policies effectively
Implementing effective labelling is a two-stage process. The first stage involves understanding your requirements and responsibilities as a business; the second involves translating this knowledge into actionable policies, and accurately deploying them in your tenant.
Needless to say, this can be a complicated process that takes some serious business, legal and technical expertise. We hate to toot our own horn, but it is one of the areas where the Cloud Essentials team really adds value for our clients.
Not only do we have business analysts and legal experts on staff, we also have extensive first-hand experience designing and implementing DLP and labelling policies for businesses in a variety of highly regulated sectors. That means we know exactly what does and doesn't work, where the common pitfalls lie, and the best ways to achieve the security you need without negatively affecting your workflows.
Eyes on the future
In future, we fully expect to see Microsoft refining its automatic DLP solutions to provide better protection for a wider variety of users. Until then, we'd highly recommend getting up close and personal with your labelling policies if you don't want sensitive information getting into the wrong hands.
Not sure where to start? Get in touch with Cloud Essentials.