Do you use Office365? Have you used the message encryption feature?

10th December 2019 Advice 8 Minutes

Do you ever send information that you'd like to ensure only the intended recipient can read? If so, this is the blog post for you! We're going to explain why you should consider encrypting email content and how you can implement it. If our content is useful to you, we’d love to hear about it; subscribe to our newsletter for instant access to all our content as we publish.

Encryption basics

There are three types of protection we afford data: in transit, in use and at rest. In transit is when the data is moving from server to server, in use is when it is processed (read) by the recipient, and at rest is when it is stored at its eventual destination (their mailbox).

How email fits this and what's available

The good people at Deltagon have described this process in a great blog post. Borrowing their analogy, we can liken an email to a postcard, the postal service to all the hops along your inbound email route and the recipient as, well, the recipient.

So, you dropped your postcard in the mail, and it’s going to go from A to B. What level of protection would you expect for your postcard? Would you expect the postman's bag to be transparent? Would it concern you if it was? Well, in some cases that’s the level of protection your email gets. Encryption in transit is only partially rolled out; there’s still a long way to go for the email industry.
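To see which hops on a message's route actually used encryption in transit, you can read the `Received` headers each server adds. The following is an added example, not part of the original post: the sample message and host names are constructed, and the check assumes the RFC 3848 `with ESMTPS` keyword or a TLS version note written by the receiving server. Each header is self-reported by the hop that wrote it, so treat the result as an indication rather than proof.

```python
import re
from email import message_from_string

# Constructed sample message using reserved example domains and addresses.
SAMPLE = """\
Received: from filter.example.net (filter.example.net [203.0.113.7])
\tby mx.recipient.example with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tTue, 10 Dec 2019 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.9])
\tby filter.example.net with ESMTP id def456;
\tTue, 10 Dec 2019 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [192.0.2.5])
\tby relay.example.org (Postfix) with ESMTPS id 789aaa;
\tTue, 10 Dec 2019 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: postcard

hello
"""

# "with" keywords that mean the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")
WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
TLS_NOTE = re.compile(r"TLS\s?v?1[._][0-3]", re.I)  # e.g. TLS1_2, TLSv1.3

def hop_report(raw_message):
    """Return [(from_host, by_host, used_tls)] in delivery order."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        m = FROM_BY.search(flat)
        if not m:
            continue                            # local hop with no peer named
        by_keyword = any(t.upper() in TLS_PROTOCOLS for t in WITH.findall(flat))
        hops.append((m.group(1), m.group(2),
                     by_keyword or bool(TLS_NOTE.search(flat))))
    return hops[::-1]  # servers prepend headers, so the first hop is last

def cleartext_hops(raw_message):
    """Hops whose Received header shows no sign of TLS."""
    return [(src, dst) for src, dst, tls in hop_report(raw_message) if not tls]

if __name__ == "__main__":
    for src, dst, tls in hop_report(SAMPLE):
        print(f"{src} -> {dst}: {'TLS' if tls else 'no TLS recorded'}")
```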

While encryption in transit is important, there are also other key factors at play here. Do you have total trust in the postal service with your confidential data? God forbid they should deliver it to the wrong place or misplace it. That’s the trust we implicitly place in our email and email filtering suppliers. It seems like we need a rethink, and that’s where email content-encryption comes in.

Email content-encryption is the fastest and most reliable path to confirming your data is protected. Many vendors have attempted to push their solutions over the years, and it’s the lack of an open standard that has left us all in the situation we’re in. We could take this post down the route of S/MIME or Information Rights Management (IRM), but the lack of cross-compatibility means these solutions still trail way behind in ease of use. For that reason, the solution we’re focusing on in this post is the one that’s gaining the most traction for its ease of use: Office 365 Message Encryption (OME).

OME - What it does and what license you need

Let’s start with what OME does: it allows Office 365 users to send encrypted messages to any email address. An end-user can mark an email as requiring encryption from within either the Outlook client or the Outlook Web Access portal; more on this to follow. Now to the downsides: the license isn’t included in standard subscriptions unless you’re an enterprise customer. You’ll need the “Azure Information Protection Plan 1” license, costing £1.51 per month per user, in our eyes a cost well worth the reward.

Sending an encrypted email

To send an encrypted email from Outlook, it's as simple as selecting the option.

Outlook client

Outlook Web Access client

Receiving an encrypted message

Sending is a simple process, but receiving is a little different and is where it can get confusing. If you're an Office365 user, you benefit from the fact you’ve already proved your identity to Microsoft by using the application. The email received displays as normal, plus you get a notification informing you that the message is encrypted.

Unfortunately, this isn’t true of those that aren’t using the Office365 platform. Rather than receiving the content, the recipient will receive an email stating they've received an encrypted email and need to provide authentication details to retrieve the content.

In the example below, I used the One Time Passcode (OTP) method to retrieve the content. As you can see, the result is the same regardless of the authentication type. I can respond to the original sender via the online portal and the from address is still my third party email address.

As the recipient logs in to the Microsoft web portal and retrieves the content via a web browser over HTTPS, the content is encrypted end to end.

Let's wrap this post up (just in time for Christmas!)

While the OME method isn't perfect, it's a huge step in the right direction. Lack of third party support limits OME's usefulness in day to day correspondence; we advise it’s used only to protect confidential information where necessary. In those circumstances, the additional steps to protect the data seem worth the ease of use trade-off. Perhaps this lack of completeness in the product is why Microsoft haven’t included it as standard across the board. Either way, I’d watch this space!

Thanks for your time in reading my ramblings. We plan on putting more content out like this in the future and if you want instant notification don’t forget to subscribe!
