Hi All - long time lurker, but first time posting. Hope to be a more active group member going forward.
I think this can be answered on a more generic level than just about O365/Exchange. To Paul's point: the answer to questions like this should almost always be "CMK in a way it is offered by major cloud providers for at-rest encryption is not a security control hence has no bearing on overall threat profile of the service. In particular, it does not affect materially either legitimate or compromised access by CSP". It depends a bit on a specific implementation (e.g. additional layer of encryption vs simply access to the key management interface, although efficacy of layers upon layers can be easily challenged as well), but this is a reasonable rule of thumb. I have written a piece earlier this year where I try to explain this in simple terms: https://medium.com/@marcinjkot/customer-mis-managed-key-or-why-you-dont-need-cmk-79954930462
Secondly, I don't think a single article of MS practices and architecture of key management exists; Azure is really a collection of products, managed by separate product groups which operate more or less like small companies under a common umbrella. If we want to deep dive specific architecture, we need to do this in the context of a particular service.
------------------------------
Marcin Jekot
Data Protection CTO
UBS
------------------------------
Original Message:
Sent: Sep 15, 2023 03:35:30 PM
From: E A
Subject: Exchange Online Crypto Question
Understood.
Regrettably, the article falls short of describing the architecture (the "primary focus" vs barking).
Have a nice weekend!
Original Message:
Sent: 9/15/2023 1:52:00 PM
From: Paul Rich
Subject: RE: Exchange Online Crypto Question
Hi - I don't keep up with the Microsoft documentation any longer but the link that Alex originally posted should provide enough information to make informed decisions. I'd strongly advise that the primary focus should be on what you are trying to accomplish - the end goal. If the end goal is to somehow change the privacy dynamics relative to the cloud security provider, you are barking up the wrong tree.
------------------------------
Paul Rich
Executive Director
Morgan Stanley
Original Message:
Sent: Sep 14, 2023 09:58:29 AM
From: E A
Subject: Exchange Online Crypto Question
Thank you, Paul.
Is there something you'd recommend to read on MS Key Mgmt, something that'd explain its architecture?
Many thanks!
Original Message:
Sent: 9/11/2023 1:31:00 PM
From: Paul Rich
Subject: RE: Exchange Online Crypto Question
Hi Alex. I designed the feature and wrote a threat analysis for it. I'm not at home now with access to the file. Want to connect me with the person looking for this info?
------------------------------
Paul Rich
Executive Director
Morgan Stanley
Original Message:
Sent: Sep 09, 2023 06:23:44 AM
From: Alex Sharpe
Subject: Exchange Online Crypto Question
This request was received from a former CISO who now advises CISOs at SMB organizations. My first thought, is there is not enough information to say for sure. Hoping others in the group would have additional insights.
"The Mailbox Key is protected by the Data Encryption Policy Key which has three copies protected by the Customer Keys (2) and the Availability Key.
SO - If I compromise or have legitimate access to ANY of those three keys, I can get the Data Encryption Policy Key and the Mailbox Key.
SO - If MS has a compromise in the infrastructure that exposes Availability Keys, it does not matter that I have paid for a separate Customer Key."
Thoughts??
------------------------------
Alex Sharpe
Principal
Sharpe42
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------
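The key hierarchy quoted in Alex's question (Mailbox Key wrapped under a Data Encryption Policy key, which in turn has one wrapped copy per Customer Key and one per Availability Key) can be modelled directly, and doing so makes Marcin's "rule of thumb" concrete: every wrapped copy of the DEP key is an independent path to the mailbox data, so whoever holds any one of the key-encryption keys never needs the others. The following is an added example written for this thread, not code from Microsoft or from any poster. It uses a toy authenticated key-wrap built from HMAC-SHA256 (stand-in for a real KMS wrap such as AES-KW or AES-GCM, chosen only so the block runs with the Python standard library); the key names, the `build_policy`/`recover_mailbox_key`/`keys_that_unlock` helpers and all sample keys are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# --- Toy authenticated key wrap (stand-in for a KMS wrap such as AES-KW or AES-GCM) ---
# Keystream: HMAC-SHA256 in counter mode; encrypt-then-MAC with separately derived subkeys.
# The construction is only here to make the hierarchy runnable without third-party libraries.

def _subkey(kek: bytes, label: bytes) -> bytes:
    return hmac.new(kek, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(kek: bytes, key_to_protect: bytes) -> bytes:
    """Encrypt key_to_protect under kek; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(kek, b"enc"), nonce, len(key_to_protect))
    ct = bytes(a ^ b for a, b in zip(key_to_protect, ks))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError if kek is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key-encryption key or corrupted blob")
    ks = _keystream(_subkey(kek, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

# --- Key hierarchy as described in the question (names are this example's, not Microsoft's) ---

def build_policy(dep_key: bytes, keks: dict) -> dict:
    """Data Encryption Policy: one wrapped copy of the DEP key per key-encryption key
    (here: two Customer Keys plus the Availability Key)."""
    return {name: wrap(kek, dep_key) for name, kek in keks.items()}

def build_mailbox(mailbox_key: bytes, dep_key: bytes) -> bytes:
    """The Mailbox Key is wrapped under the DEP key, not under any Customer Key directly."""
    return wrap(dep_key, mailbox_key)

def recover_mailbox_key(policy: dict, wrapped_mailbox_key: bytes, kek_name: str, kek: bytes) -> bytes:
    """Walk the chain with a single KEK: KEK -> DEP key -> Mailbox Key."""
    dep_key = unwrap(kek, policy[kek_name])
    return unwrap(dep_key, wrapped_mailbox_key)

def keys_that_unlock(policy: dict, wrapped_mailbox_key: bytes, held: dict) -> list:
    """Names of the held KEKs that are, each on their own, sufficient to reach the Mailbox Key."""
    sufficient = []
    for name, kek in held.items():
        if name not in policy:
            continue
        try:
            recover_mailbox_key(policy, wrapped_mailbox_key, name, kek)
            sufficient.append(name)
        except ValueError:
            pass  # wrong or revoked KEK: this copy does not open
    return sorted(sufficient)

if __name__ == "__main__":
    # Constructed sample keys; in a real deployment the Customer Keys live in the tenant's key vault.
    keks = {"customer_key_1": secrets.token_bytes(32),
            "customer_key_2": secrets.token_bytes(32),
            "availability_key": secrets.token_bytes(32)}
    dep_key, mailbox_key = secrets.token_bytes(32), secrets.token_bytes(32)
    policy = build_policy(dep_key, keks)
    wrapped_mailbox = build_mailbox(mailbox_key, dep_key)

    # Holding only the Availability Key (the copy the provider controls) is enough;
    # the Customer Keys are never consulted on that path.
    only_availability = {"availability_key": keks["availability_key"]}
    print("sufficient on its own:", keys_that_unlock(policy, wrapped_mailbox, only_availability))
    recovered = recover_mailbox_key(policy, wrapped_mailbox, "availability_key", keks["availability_key"])
    print("mailbox key recovered without any Customer Key:", recovered == mailbox_key)
```

The point for a risk assessment is the output of `keys_that_unlock`: the set of keys that individually open the data is the set of all wrapping copies, so the confidentiality of the mailbox is bounded by the weakest-controlled copy, and adding a tenant-held Customer Key alongside a provider-held Availability Key raises the bar for availability (the tenant cannot accidentally lock the provider out) rather than for confidentiality against the provider. This is exactly why the CMK offering reads as an operational feature rather than a control against CSP access.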