I recently saw a demonstration of a new product from Trend Micro called “Trend Micro Cloud App Security for Office 365”. The beta for this product can be found HERE
From that website, the description of the product is as follows:
Based on proven encryption technology, Trend Micro Cloud App Security for Office 365 provides data security and privacy protection for data in the Microsoft Office 365 cloud. This service protects your data in a non-trusted environment by encrypting it on arrival. This is done while preserving all native Office 365 functionality and the user experience. With the encryption key separated from encrypted data, only you can decide who can access email and calendar and task information.
Here is a slide from their deck showing the benefits of this solution.
It’s really the “Data-at-Rest Encryption” part that I will be addressing here today.
I do not claim to be a cryptography expert, nor do I claim to be a security expert. However, I do think I have a pretty good grasp on how Exchange works, and from what I can see this product is a complete waste of time and money.
Microsoft has published Ten Immutable Laws of Security on TechNet. Law #3 says “If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.” I’m not saying Microsoft is “a bad guy”, but the law still applies. Microsoft owns the server that your data is sitting on, so there is no way you can keep Microsoft out of that data. Trend seems to be claiming otherwise, and that claim is simply impossible. Much like chiropractic, homeopathy, faith healing, and magic, their claim violates the laws of physics.
Trend is saying that this product takes email out of your inbox and encrypts it with encryption keys that are not available to Microsoft, then replaces the message with the encrypted version in your mailbox. This process is totally useless. By the time a message gets to your mailbox, Microsoft has had lots of opportunities to examine that message. In fact, 100% of messages that get to your mailbox are already stored in the transport database. Neither you, as a user or admin, nor Trend has access to this unencrypted transport database. If Microsoft wants, or is compelled by a government, to access your email, they can do so there. Furthermore, since Microsoft has unencrypted versions of your messages and this solution places encrypted versions in your mailbox, it would be trivial for Microsoft to compare the two versions of a single message and use that to figure out your encryption key.
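To make the trust-boundary argument concrete, here is an added model (my own illustration, not code from the post or from Trend Micro) of a provider that keeps a transport copy of every message it delivers. The `Provider`, `encrypt_on_arrival` and `toy_encrypt` names are hypothetical, and the XOR keystream cipher is a toy used only to make ciphertext distinguishable from plaintext; the point is where encryption happens relative to the provider, not the cipher.

```python
"""Trust-boundary model: "encrypt on arrival" vs. encrypting before submission."""
from dataclasses import dataclass, field
import hashlib
import os


def toy_encrypt(key: bytes, msg: bytes) -> bytes:
    # Toy stream cipher (hypothetical, not for real use): XOR the message with
    # SHA-256(key || block counter). Applying it twice with the same key decrypts.
    out = bytearray()
    for i in range(0, len(msg), 32):
        keystream = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(msg[i:i + 32], keystream))
    return bytes(out)


@dataclass
class Provider:
    """Everything inside this class runs on servers the provider owns."""
    transport_db: list = field(default_factory=list)   # transport/queue copy
    mailbox: dict = field(default_factory=dict)        # what the user sees

    def receive(self, msg_id: str, body: bytes) -> None:
        # Transport stores whatever bytes arrive, before any mailbox add-on runs.
        self.transport_db.append((msg_id, body))
        self.mailbox[msg_id] = body


def encrypt_on_arrival(provider: Provider, key: bytes) -> None:
    """Model of the add-on: rewrite items in the mailbox after delivery."""
    for msg_id, body in list(provider.mailbox.items()):
        provider.mailbox[msg_id] = toy_encrypt(key, body)


def provider_can_read(provider: Provider, plaintext: bytes) -> bool:
    """Operator-side check: does any store the provider holds contain the plaintext?"""
    stores = provider.transport_db + list(provider.mailbox.items())
    return any(body == plaintext for _, body in stores)


def scenario_on_arrival(msg: bytes) -> bool:
    p = Provider()
    p.receive("m1", msg)                  # plaintext crosses the boundary
    encrypt_on_arrival(p, os.urandom(32))  # mailbox copy is now ciphertext ...
    return provider_can_read(p, msg)      # ... but the transport copy is not


def scenario_end_to_end(msg: bytes) -> bool:
    p = Provider()
    key = os.urandom(32)                  # shared out of band, never sent to p
    p.receive("m1", toy_encrypt(key, msg))  # only ciphertext ever arrives
    return provider_can_read(p, msg)
```

`scenario_on_arrival` returns True (the provider still holds the plaintext in its transport store) while `scenario_end_to_end` returns False, which is the difference between encrypting inside the provider's environment and encrypting before the data reaches it.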
I completely agree that moving your data into Office 365 is a huge security risk. Several governments, including the U.S. and the U.K., have already declared that they are intent on gaining what amounts to unrestricted access to all data stored in Office 365. My guess would be they will end up getting that access either lawfully or otherwise. If that is a problem for your organization, then don’t migrate to Office 365. Keep your data on servers that you own, with an encryption solution that you own end to end. Solutions like this offer no protection against Microsoft accessing your data.