What’s Double Key Encryption (DKE) and When You Need it?

DuoKey
Feb 9, 2024

This article explores what Double Key Encryption (DKE) is and how it helps organisations maintain control over their data and significantly mitigate the risks associated with cloud computing.

DuoKey Double Key Encryption for Microsoft 365

The past few years have seen the adoption of cloud computing by companies worldwide grow almost exponentially. This trend isn’t likely to slow down given the recent developments in artificial intelligence, as illustrated by Microsoft’s 24% increase in growth in 2023.

At the same time, the frequency of data breaches in the cloud is up 10% from last year, with 27% of businesses having reported a data breach or cloud security incident in 2022.

With the rapid adoption of cloud and the frequency of breaches multiplying, the way organisations protect their sensitive data and meet compliance and regulatory requirements is evolving.

When moving to the cloud, organisations demand more data sovereignty (the principle that data is subject to the laws and governance of the nation where it is collected or stored), aiming to prevent unauthorised access by malicious actors and ensure compliance with regulatory requirements.

Let’s see how organisations can maintain control over their data, significantly mitigating the risks associated with cloud computing with Microsoft, specifically looking at Double Key Encryption protection.

How does Microsoft 365 protect your data?

One of the most common ways to protect data in the cloud is through encryption. Encryption is the process of converting information or data into ciphertext, using an encryption key.

By default, Microsoft 365 encrypts data stored in its cloud services both at rest and in transit. It uses some of the strongest and most secure encryption protocols.

When Microsoft encrypts data in the cloud, it both manages and stores the encryption keys (in the Azure Key Vault), employing security best practices and robust key management protocols.

However, while these measures provide substantial protection and are considered state-of-the-art, risks remain for organisations.

What are the risks of Microsoft key management?

The effectiveness of encryption, and by extension data protection in the cloud, mainly depends on key management. Who has access to the encryption key is essential as it dictates who can consequently access the protected data.

This intricate relationship between encryption key and key holder poses a real risk in situations where the encryption key is leaked or breached.

Take for example the attack called “Storm-0558” suffered by Microsoft in 2023.

STORM-0558 explained | Credits: WIZResearch

During this attack, which impacted more than 25 organisations, attackers used a stolen Microsoft account signing key to access Outlook Web Access and Outlook.com. With the key, attackers also forged access tokens and impersonated Azure Active Directory users, giving them access to virtually anything in the breached Microsoft 365 environments, from emails and files to sensitive data, as well as trade secrets in Office, SharePoint, etc.

Allowing Microsoft to manage your encryption key may also lead to unauthorised data access by governments and agencies. Microsoft, being a company headquartered in the United States, needs to comply with surveillance laws, including for example the Lawful Access to Encrypted Data Act or the Patriot Act, among others. Under those laws, US government agencies that obtain a warrant can request access to customer data stored by Microsoft without letting the data owner know. While this type of “Sneak & Peek Searches” is obviously less common and relies on a pretty lengthy legal process, it still represents a significant risk of unauthorised data access for organisations storing their confidential data in the cloud.

Finally, using encryption keys managed by Microsoft might lead to breaches of compliance and regulatory requirements. In fact, some industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR), dictate exclusive control over data access. These regulations specify, in some instances, that cloud-service providers should not be able to access and view customer data. As a result, relying on encryption keys managed by Microsoft violates compliance standards.

You might be wondering how organisations can mitigate these risks and move beyond relying solely on Microsoft-managed keys. This is where Double Key Encryption comes into play.

What is Double Key Encryption?

Double Key Encryption, or DKE for short, is a Microsoft encryption implementation that lets organisations maintain full control over their encryption keys.

It uses two keys to protect data. One key is managed by Microsoft and stored in Azure Key Vault, while the other key is under your strict control, usually stored securely by a trusted third party or service provider.

To access the encrypted data, both keys are required, making it nearly impossible for unauthorised parties to decrypt the information without both keys. This means that Microsoft cannot view data protected by Double Key Encryption, as doing so requires access to both keys.

Or, put differently, in Microsoft’s own words: “Since Microsoft services can only access the key stored in Azure Key Vault, protected data remains inaccessible to Microsoft, ensuring that you have full control over your data privacy and security”.

Double Key Encryption explained

With Double Key Encryption, organisations can control who has access to the encryption keys, which in turn enhances their data protection against breaches and unauthorised data access, while complying with data regulations.

Protecting your sensitive data with Double Key Encryption

By using Double Key Encryption, companies greatly reduce the risk of data breaches and unauthorised data access by third parties or bad actors. It also ensures that organisations retain control over their data, even in situations where the data physically resides in other jurisdictions.

Remember the Storm-0558 attack we mentioned earlier? Had any of the impacted organisations employed Double Key Encryption, the attack’s consequences would have been significantly mitigated. The attackers would have been unable to open and view files, documents, or any data within the compromised system. That’s because they wouldn’t have had the second encryption key to decrypt documents, as that decryption key is not stored with Microsoft but resides in the customer’s infrastructure.

Using Double Key Encryption acts as a significant barrier against unauthorised data access. This is particularly advantageous when facing data requests from government agencies. Since Microsoft cannot decrypt the data on its own, requests for data by governmental bodies must involve the organisation that owns the data directly. This ensures that any access aligns with the legal and regulatory framework governing the data owner, thereby protecting data sovereignty.

Double Key Encryption also helps organisations comply with local and international data protection regulations (like GDPR, HIPAA, FINMA, HDS, SecNumCloud, etc.) that require data to be controlled and accessed according to the laws of the country where the data subject resides. In fact, it provides an effective way to deny data access to cloud-service providers, in our case Microsoft, which in turn ensures compliance and fulfils legal obligations.

Deploying Double Key Encryption with DuoKey

There are several options for how Double Key Encryption can be deployed and implemented. While most solutions rely on a Hardware Security Module (HSM) to store customer keys in Double Key Encryption, DuoKey provides an encryption module for Microsoft’s Double Key Encryption that is compatible with both HSMs and secure Multi-Party Computation (MPC) servers.

With MPC servers, the encryption key is divided into multiple segments and distributed across several independent servers or cloud providers. No single entity possesses complete access to the full encryption key in this configuration, as the key is never fully recombined by any party.

MPC-based Double Key Encryption (DKE) by DuoKey

This unique approach mitigates the risk of leaks or breaches of the encryption key, ensuring a high level of control and security over your sensitive data, even in the event of a breach.
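The two ideas described above, modelled in Python as an added example that is not Microsoft's or DuoKey's code: a content key wrapped under both a customer key and a provider key, and a customer private key held as two additive shares that are never recombined. It assumes textbook RSA without padding and constructed demonstration keys built from Mersenne primes; all function names are hypothetical.

```python
import secrets

E = 65537  # public exponent shared by both demonstration keys

def make_key(p, q):
    """Textbook RSA key from two primes: returns (n, phi, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, phi, pow(E, -1, phi)

# Constructed demonstration keys (Mersenne primes): not secure, for illustration only.
CLOUD_N, _, CLOUD_D = make_key(2**107 - 1, 2**127 - 1)     # provider-held key
CUST_N, CUST_PHI, CUST_D = make_key(2**61 - 1, 2**89 - 1)  # customer-held key

def split_exponent(d, phi):
    """Additive shares with d1 + d2 = d (mod phi); one share alone is a random number."""
    d1 = secrets.randbelow(phi)
    return d1, (d - d1) % phi

def protect(content_key):
    """Wrap with the customer public key first, then with the provider public key."""
    inner = pow(content_key, E, CUST_N)
    return pow(inner, E, CLOUD_N)

def provider_unwrap(blob):
    """The provider removes only its own layer; the result is still customer-encrypted."""
    return pow(blob, CLOUD_D, CLOUD_N)

def partial_decrypt(inner, share):
    """Run by one MPC server on its own share; the full exponent is never assembled."""
    return pow(inner, share, CUST_N)

def combine(partials):
    """Multiply partial results: c^d1 * c^d2 = c^(d1 + d2) = c^d (mod n)."""
    out = 1
    for part in partials:
        out = out * part % CUST_N
    return out

def demo():
    """Full round trip for a random 128-bit content key."""
    content_key = secrets.randbits(128)
    d1, d2 = split_exponent(CUST_D, CUST_PHI)
    inner = provider_unwrap(protect(content_key))
    parts = [partial_decrypt(inner, d1), partial_decrypt(inner, d2)]
    return content_key, inner, combine(parts)

if __name__ == "__main__":
    key, inner, recovered = demo()
    print("provider alone recovers key:", inner == key)
    print("both MPC servers recover key:", recovered == key)
```

After the provider removes its layer, the value it holds is still encrypted under the customer key, and each server's partial result is only useful once multiplied with the other's.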

When to Adopt Double Key Encryption?

Double Key Encryption is commonly used for truly top-secret and highly sensitive data, which usually represents about 5% of an organisation’s overall data.

It is important to note that Double Key Encryption comes with some limitations: key functionalities such as search, indexing and Copilot, among others, are unavailable. Deploying this type of encryption therefore requires a carefully considered decision.

Here’s a list of situations where we believe Double Key Encryption should be implemented:

  • Your organisation handles highly sensitive information, such as governmental or proprietary corporate information. In this case, Double Key Encryption provides an essential additional layer of security for your data, even in the event of a breach.
  • Your organisation operates in a high-risk industry, like finance, healthcare, or defence, or another industry where intellectual property is critical. In those industries, which are governed by strict regulations, the implications of data breaches are particularly severe and double encryption is imperative.

Conclusion

To sum up, as cloud adoption accelerates and data breaches become more frequent, organisations must prioritise securing sensitive information.

Microsoft’s Double Key Encryption offers a robust solution, providing enhanced data protection and sovereignty by requiring two keys for decryption. This approach not only safeguards against unauthorised data access, including bad actors and potential government surveillance, but also ensures compliance with strict regulatory requirements.

With Double Key Encryption, organisations mitigate the risks associated with cloud computing by maintaining control over their data and encryption keys. This solution helps them secure their most sensitive assets in Microsoft.

DuoKey

DuoKey Key Management Service is based on innovative Multi-Party computation (MPC) that provides advanced encryption services without relying on HSM