For sensitive data, SaaS is not admissible unless you bring your own encryption keys.
The Swiss association privatim — which brings together data protection supervisory authorities for public-sector bodies — recently announced this stance. It targets more precisely solutions from “large international providers […], such as … Microsoft 365.” This reasoning rests, among other things, on the existence of the CLOUD Act and the prospects of U.S. authorities accessing data without respecting the rules of international mutual legal assistance.
Most SaaS solutions still do not offer true end-to-end encryption, privatim also notes. It also decries insufficient transparency from “global-scale” companies so that Swiss authorities can verify compliance with contractual data protection obligations. This finding, the association adds, applies as much to the implementation of technical measures and change management as to the commitment and oversight of employees and subcontractors.
Microsoft 365: three options for using your own encryption keys
Microsoft 365 provides baseline volume encryption via BitLocker and DKM (Distributed Key Manager, client-side technology that uses a set of secret keys). Since October 2023, AES-256-CBC is the default.
The primary way to bring your own keys is the Purview Customer Key option. It works with the following licenses:
- Office 365 E5
- Microsoft 365 E5
- Purview Suite (formerly Microsoft 365 E5 Compliance)
- Microsoft 365 Information Protection & Governance
- Microsoft 365 Security and Compliance for FLW
Purview Customer Key relies on the Azure Key Vault service. At the Standard level, keys — generated in the vault or imported — are software-protected. At the Premium level, they are stored in HSMs (hardware security modules). There is a single-tenant option called Managed HSM.
Another possibility: double-key encryption — one under the client’s control, the other stored in Azure. A solution to reserve for highly sensitive data, according to Microsoft. It effectively blocks access to features such as eDiscovery, search and indexing, Office web apps, anti-malware/anti-spam rules that require visibility into attachments… and Copilot.
Even with the Customer Key option, Microsoft retains a master key (“availability key”), which the client can request to activate in case it loses its own keys.
