IRM, OME, S/MIME, and more: Managing Encryption in Exchange Online
In this webinar we'll cover all the different types of encryption available in Exchange Online. We'll talk about everything from how to set each encryption technology up to when each technology is the best choice. If your organization is using Office 365 but is not taking advantage of the built-in encryption technology available, you won't want to miss this session.
1. AWARD WINNING EXCHANGE & OFFICE 365 MANAGEMENT
Managing Encryption in Exchange Online
About ENow
• Microsoft Silver ISV & Messaging Microsoft Partner
• Focused on building software solutions that simplify the life of IT administrators
• Software architected by MVPs with >15 years experience in high-end Microsoft consulting and management
• Customers in over 60 countries
Find us! @enowconsulting, ENow Software, ENowSoftware, ENowSoftware.com
Some of ENow's Loyal Customers
About the Speaker
• Office 365 MVP
• Microsoft Certified Solutions Master: Messaging
• Consultant @ SPS (spscom.com)
• @MCSMLab
• Nathan@MCSMLab.com
• Linkedin.com/in/nathanobryan
• http://www.mcsmlab.com
Introduction
• Why encrypt?
• Transport Layer Security
• Office 365 Message Encryption
• Information Rights Management
• Secure/Multipurpose Internet Mail Extensions
Why encrypt email?
• The vast majority of email is sent over the Internet in plain text
• Reasons to encrypt:
• Compliance
• Protect organizational Intellectual Property
• Security
• Expand your job role
About compliance
• Four main areas to focus on when thinking about compliance
o Retain and Remove
o Discover and Search
o Protection against disclosure
o Protection against misuse
• In this webcast, we'll be focusing on protecting against disclosure and misuse
Transport Layer Security (TLS)
• TLS creates a point to point encrypted tunnel between two organizations
• Using specific connectors, TLS sends all traffic between two organizations over port 587
• Domain Secure is not available in Office 365
Domain Security in Exchange On-prem
• TLS + end user notification that message delivery is secured
• Uses mutual TLS
• Requires edge servers
Configuring TLS
• Office 365 Admin Portal > Exchange > mail flow > connectors
• + to add a new connector
• From: Office 365
• To: Partner organization
• Next
Configuring TLS
• Give the new connector a name and description that will be meaningful to your organization's IT staff
• Next
Configuring TLS
• Specify the domain or domains that you want to use this connector
• Next
• On the next page, specify if you want to route messages via MX record or to a specific smart host
Configuring TLS
• Check the box to use TLS, and specify the details for the expected certificate
• Confirm your settings on the final page of the wizard
• After the configuration runs, you'll be asked to provide an email address to use in validating the connector
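The same partner connector pair the wizard on the preceding slides builds, as an added example in Exchange Online PowerShell (not code from the slides), followed by a check that TLS is actually enforced. It assumes you are already connected to Exchange Online, and uses the placeholders partner.example for the partner's mail domain and mail.partner.example for the subject of their certificate.

```powershell
# Added example, not from the slides. Assumptions: connected to Exchange Online PowerShell;
# partner.example and mail.partner.example are placeholders for the partner domain and
# the name on the certificate their mail servers present.
$partnerDomain   = 'partner.example'
$partnerCertName = 'mail.partner.example'

# Outbound: mail from Office 365 to the partner must use TLS and the partner must present a
# certificate for the expected name. DomainValidation = encrypt AND check the certificate
# subject; EncryptionOnly would accept any certificate (opportunistic TLS only).
New-OutboundConnector -Name "To $partnerDomain (forced TLS)" -ConnectorType Partner `
    -RecipientDomains $partnerDomain -UseMXRecord $true `
    -TlsSettings DomainValidation -TlsDomain $partnerCertName `
    -Comment 'Forced TLS to partner; owned by the messaging team'

# Inbound: accept the partner's mail only over TLS, only with that certificate, and only
# for their sender domain, so nobody else can relay through this connector as the partner.
New-InboundConnector -Name "From $partnerDomain (forced TLS)" -ConnectorType Partner `
    -SenderDomains $partnerDomain -RequireTls $true `
    -TlsSenderCertificateName $partnerCertName -RestrictDomainsToCertificate $true

# The wizard's final "validate" step, run by hand: sends a test message to the partner.
Validate-OutboundConnector -Identity "To $partnerDomain (forced TLS)" `
    -Recipients "postmaster@$partnerDomain"

# Check what was created. TlsSettings of EncryptionOnly or RequireTls = False means the
# TLS checkbox on slide 13 was missed and delivery would silently fall back to clear text.
Get-OutboundConnector | Where-Object RecipientDomains -contains $partnerDomain |
    Format-List Name, TlsSettings, TlsDomain, UseMXRecord, SmartHosts
Get-InboundConnector | Where-Object SenderDomains -contains $partnerDomain |
    Format-List Name, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate
```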
When is TLS the right choice?
• Many users in your organization send many sensitive messages to another organization
• Message traffic between two separate organizations is considered internal
• It can be set up between two separate Office 365 tenants
Office 365 Message Encryption (OME)
• Simple way for users to send secure messages over the internet
• Using transport rules, OME will secure messages that meet specific conditions
• OME encrypted messages can be sent to users on any platform
Configuring OME
Configuring OME
• North America: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc
• European Union: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc
• Asia-Pacific: Set-IRMConfiguration -RMSOnlineKeySharingLocation https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc
Configuring OME
• Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
• Set-IRMConfiguration -InternalLicensingEnabled $True
Configuring OME
Configuring OME
• Adding a disclaimer and branding
• Get-OMEConfiguration
• Set-OMEConfiguration
Configuring OME
Customize this feature | Use commands
Default text | Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -EmailText "up to 1024 characters"
Disclaimer statement | Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -DisclaimerText "up to 1024 characters"
Text at the top of the encrypted mail portal | Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -PortalText "up to 128 characters"
Logo | Set-OMEConfiguration -Identity <OMEConfigurationIdParameter> -Image <Byte[]>
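Putting the OME configuration slides together, as an added example (not code from the slides): verify that IRM is wired up, create the transport rule that slide 15 says triggers OME, and apply the branding from the table above. It assumes you are connected to Exchange Online PowerShell after IRM has been activated; contoso.com, alice@contoso.com and logo.png are placeholders.

```powershell
# Added example, not from the slides. Assumptions: connected to Exchange Online PowerShell,
# IRM already activated and the Set-IRMConfiguration / Import-RMSTrustedPublishingDomain
# commands from the previous slides already run; contoso.com and logo.png are placeholders.

# 1. Confirm the tenant can actually protect mail before creating rules that depend on it.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, RMSOnlineKeySharingLocation
Test-IRMConfiguration -Sender 'alice@contoso.com'   # runs the per-step checks and an overall result

# 2. The "transport rule" that triggers OME: external recipients only, when the sender
#    puts the word Encrypt in the subject. Internal mail is left alone so that
#    inspection and journaling of internal traffic keep working.
New-TransportRule -Name 'OME: external mail with Encrypt in the subject' `
    -SentToScope NotInOrganization `
    -SubjectContainsWords 'Encrypt' `
    -ApplyOME $true `
    -Comments 'Users add Encrypt to the subject to trigger OME; owner: messaging team'

# 3. Branding so recipients can tell a genuine portal message from a phishing lookalike.
#    Length limits come from the table on the slide above.
$logo = Get-Content .\logo.png -Encoding Byte
Set-OMEConfiguration -Identity 'OME Configuration' `
    -EmailText 'This is an encrypted message from Contoso. Open the attachment to read it.' `
    -PortalText 'Contoso secure mail portal' `
    -DisclaimerText 'If you did not expect this message, contact the sender by phone.' `
    -Image $logo

# 4. Review which rules apply OME and whether they are enabled.
Get-TransportRule | Where-Object ApplyOME -eq $true |
    Format-List Name, State, SentToScope, SubjectContainsWords
```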
Using OME
When is OME the right choice?
• Users need to send secure email to recipients outside your organization
• Recipients may be on any email platform
• Users and/or recipients may not have the technical sophistication for S/MIME
Rights Management Services (RMS)
• Uses encryption to enforce usage rights on messages and documents
• Using controls in Office applications (or OWA), users can apply templates to messages and documents
• Most functionality of RMS works best within the same organization
RMS options (source: https://technet.microsoft.com/en-us/network/dn858608.aspx)
Feature | RMS for Office 365 | EMS or Azure RMS Standalone
Users can create and consume protected content by using Windows clients and Office applications | yes | yes
Users can create and consume protected content by using mobile devices | yes | yes
Integrates with Exchange Online, SharePoint Online, and OneDrive for Business | yes | yes
Integrates with Exchange Server 2013/Exchange Server 2010 and SharePoint Server 2013/SharePoint Server 2010 on-premises via the RMS connector | yes | yes
Administrators can create departmental templates | yes | yes
Organizations can create and manage their own RMS tenant key in a hardware security module (the Bring Your Own Key solution) | yes | yes
Supports non-Office file formats: Text and image files are natively protected; other files are generically protected | yes | yes
RMS SDK for all platforms: Windows, Windows Phone, iOS, Mac OSX, and Android | yes | yes
Integrates with Windows file servers for automatic protection with FCI via the RMS connector | - | yes
Preview: Users can track usage of their documents | During preview only | yes
Preview: Users can revoke access to their documents | During preview only | yes
Configuring RMS
• See OME section
• Three default templates
o Do Not Forward
o Company – Confidential: View, Reply, Reply All, Save, Edit, and Forward
o Company – Confidential View Only: View
• Use the advanced features button to create new templates
• On-premises AD can be used for RMS in Exchange Online
Configuring RMS
Advanced features > Rights Management
RMS Sharing App
• https://portal.azurerms.com
• Allows you to see who has opened your RMS protected documents
• Allows you to revoke access
Using RMS
• Templates that start with Company are only usable within that tenant
• Do Not Forward template can be used with other Office 365 tenants, but does not work well with non-Office 365 mail systems
• BYOK is available in Azure AD, but currently does not work with RMS
• RMS is not a foolproof protector against violations
• Templates are usable in other Office applications
When is RMS the right choice?
• Sensitive documents and messages need to be protected internally
• Recipients need time limited access to documents and messages
• Should be considered a tool to assist users in following policy
Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Developed in 1995, V3 in 1999 and achieved wide acceptance
• Provides:
o Digital signatures
o End-to-end message encryption
Obstacles to using S/MIME
• Not all email software supports S/MIME
• Because S/MIME encryption and decryption is done at the client, message traffic is not inspected by the transport stack
• Requires SSL certificate to be installed on client machine
S/MIME digital signatures
Digital signatures provide:
• Authentication
• Nonrepudiation
• Data integrity
Digital signatures DO NOT provide:
• Confidentiality
S/MIME signing process
When a message is signed:
• The text of the message and the user’s private key are processed together
• The output is a signature that is appended to the message
When the recipient receives a message:
• The digital signature process is repeated using public key
• The output is compared to the original signature
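The signing process described on this slide, as an added example (not code from the slides), done with CMS/PKCS#7, the container format S/MIME uses: one function signs a message, the other verifies it, and a one-byte change to the signed text makes verification fail while the text itself stays readable. It assumes Windows PowerShell 5.1 on Windows 10 or later and creates a throwaway self-signed certificate named CN=alice@example.com in the current user's store.

```powershell
# Added example, not from the slides. Assumptions: Windows PowerShell 5.1 on Windows 10+,
# and a throwaway self-signed signing certificate (a real deployment uses a CA-issued one).
Add-Type -AssemblyName System.Security

$cert = New-SelfSignedCertificate -Subject 'CN=alice@example.com' `
    -CertStoreLocation Cert:\CurrentUser\My -Type Custom `
    -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.4') `   # EKU: secure e-mail
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

function New-SignedMessage([string]$Text, $SigningCert) {
    # Sender: hash the message, sign the hash with the private key, and append the
    # signature plus the signer's certificate to the (still readable) message text.
    $content = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,[Text.Encoding]::UTF8.GetBytes($Text))
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms ($content, $false)  # $false: text embedded
    $signer = New-Object System.Security.Cryptography.Pkcs.CmsSigner ($SigningCert)
    $signer.IncludeOption = 'EndCertOnly'     # include the signer cert so the recipient has the public key
    $cms.ComputeSignature($signer)
    return $cms.Encode()                      # DER bytes: what goes into the S/MIME body
}

function Test-SignedMessage([byte[]]$Blob) {
    # Recipient: recompute the hash over the embedded text and check it against the
    # signature with the public key from the embedded certificate.
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Blob)
    try { $cms.CheckSignature($true); $valid = $true } catch { $valid = $false }  # $true: signature only, no trust chain
    [pscustomobject]@{
        Valid   = $valid
        Signer  = $cms.SignerInfos[0].Certificate.Subject
        Content = [Text.Encoding]::UTF8.GetString($cms.ContentInfo.Content)  # readable: a signature is not confidentiality
    }
}

$blob = New-SignedMessage 'Q3 numbers attached' $cert
Test-SignedMessage $blob

# Change one character of the embedded text. The recomputed hash no longer matches the
# signed one, so Valid becomes false even though the blob still decodes and reads fine.
$latin1   = [Text.Encoding]::GetEncoding(28591)          # 1:1 byte-to-char mapping, safe for searching
$tampered = [byte[]]$blob.Clone()
$offset   = $latin1.GetString($blob).IndexOf('Q3 numbers')
$tampered[$offset] = [byte][char]'X'
Test-SignedMessage $tampered
```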
S/MIME message encryption
Message encryption provides:
• Confidentiality
• Data integrity
Message encryption DOES NOT provide:
• Authentication
• Nonrepudiation
S/MIME message encryption
• S/MIME message encryption works backward
• You install an SSL certificate so others can send you encrypted messages
S/MIME digital signatures + message encryption
• Both can be applied to the same message
• Provides all the benefits
• For added security, use one certificate for signing and one certificate for encryption
• By default OWA "triple wraps" messages that are signed and encrypted
• Outlook does not "triple wrap" messages, but can read triple-wrapped messages
Configuring S/MIME
• Install your SSL certificate on your PC - Free certificate from http://startssl.com/
• Certmgr.msc
• Export
• Select Microsoft Serialized Certificate Store (.SST)
Configuring S/MIME
• $sst = Get-Content <sst filename>.sst -Encoding Byte
• Set-SmimeConfig -SMIMECertificateIssuingCA $sst
• Outlook > File > Options > Trust Center > Trust Center Settings… > Email Security > Settings…
S/MIME with on-premises PKI
• You can use an on-premises PKI to set up S/MIME in Office 365
• Once the on-premises CA is in place, enabling S/MIME for users is much the same process
Using S/MIME in Outlook
• Options > More Options
• Security settings
Using S/MIME in OWA
• From a new message select …
• Show message options
• Under options > S/MIME you can set the default to encrypt and/or sign all messages
• Must install the S/MIME control on each PC in addition to the certificate
S/MIME messages
When is S/MIME the right choice?
• A small number of sophisticated users send and receive many highly sensitive messages
• IT staff has the technical knowledge to manage complex encryption
• Sensitive messages need to be secured from end to end
What doesn’t work in Exchange Online
• Journal report decryption
• Outlook Protection Rules
• Domain Security
Summary
• Why encrypt?
• Transport Layer Security
• Office 365 Message Encryption
• Information Rights Management
• Secure/Multipurpose Internet Mail Extensions
• Questions?
Q&A
Thank You
www.enowsoftware.com
To configure OME, first you need to activate IRM on your tenant. In the Office 365 Admin Center go to service settings > rights management; you will be redirected to the activation page. Choose "activate". The remaining configuration is done in PowerShell: connect to your tenant via remote PowerShell and designate your IRM online key sharing location.