Helping to protect data at rest and data in transit
Data is an organization’s most valuable and irreplaceable asset, and encryption serves as the last and strongest line of defense in a multilayered data security strategy. Microsoft business cloud services and products use encryption to safeguard customer data and help you maintain control over it. Encrypting your information renders it unreadable to unauthorized persons, even if they break through your firewalls, infiltrate your network, get physical access to your devices, or bypass the permissions on your local machine. Encryption transforms data so that only someone with the decryption key can access it.
Our products also use industry-standard secure transport protocols for data as it moves through a network—whether between user devices and Microsoft datacenters or within datacenters themselves. To help protect data at rest, Microsoft offers a range of built-in encryption capabilities.
Identity (of a user, computer, or both) is a key element in many encryption technologies. For example, in public key (asymmetric) cryptography, a key pair—consisting of a public and a private key—is issued to each user. Because only the owner of the key pair has access to the private key, the use of that key identifies the associated owner as a party to the encryption/decryption process. Microsoft Public Key Infrastructure is based on certificates that verify the identity of users and computers.
Microsoft uses multiple encryption methods, protocols, and algorithms across its products and services to help provide a secure path for data to travel through the infrastructure, and to help protect the confidentiality of data that is stored within the infrastructure. Microsoft uses some of the strongest, most secure encryption protocols in the industry to provide a barrier against unauthorized access to your data. Proper key management is an essential element in encryption best practices, and Microsoft helps ensure that encryption keys are properly secured.
Protocols and technologies examples include:
- Transport Layer Security/Secure Sockets Layer (TLS/SSL), which uses symmetric cryptography based on a shared secret to encrypt communications as they travel over the network.
- Internet Protocol Security (IPsec), an industry-standard set of protocols used to provide authentication, integrity, and confidentiality of data at the IP packet level as it’s transferred across the network.
- Advanced Encryption Standard (AES)-256, the National Institute of Standards and Technology (NIST) specification for a symmetric key data encryption that was adopted by the US government to replace Data Encryption Standard (DES) and RSA 2048 public key encryption technology.
- BitLocker encryption that uses AES to encrypt entire volumes on Windows server and client machines, which can be used to encrypt Hyper-V virtual machines when you add a virtual Trusted Platform Module (TPM). BitLocker also encrypts Shielded VMs in Windows Server 2016, to ensure that fabric administrators can’t access the information inside the virtual machine. The Shielded VMs solution includes the new Host Guardian Service feature, which is used for virtualization host attestation and encryption key release.
- Microsoft Azure Storage Service Encryption encrypts data at rest when it’s stored in Azure Blob storage. Azure Disk Encryption encrypts your Windows and Linux infrastructure as a service (IaaS) virtual machine disks by using the BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the operating system and the data disk.
- Transparent Data Encryption (TDE) encrypts data at rest when it’s stored in an Azure SQL database.
- Azure Key Vault helps you easily and cost-effectively manage and maintain control of the encryption keys used by cloud apps and services via a cloud based hardware security module (HSM).
Secure apps and data
Find out more about how encryption helps protect your data in Microsoft products and services.
Technological safeguards in Azure, such as encrypted communications and operational processes, help keep your data secure. You also have the flexibility to implement additional encryption and manage your own keys.
For data in transit, Azure uses industry-standard secure transport protocols, such as TLS/SSL, between user devices and Microsoft datacenters. You can enable encryption for traffic between your own virtual machines (VMs) and your users. With Azure Virtual Networks, you can use the industry-standard IPsec protocol to encrypt traffic between your corporate VPN gateway and Azure as well as between the VMs located on your Virtual Network.
For data at rest, Azure offers many encryption options, such as support for AES-256, giving you the flexibility to choose the data storage scenario that best meets your needs.
Technological safeguards, such as encryption, enhance the security of customer data. For data in transit, Microsoft Professional Services uses industry-standard encrypted transport protocols between user devices and Microsoft datacenters, and within datacenters themselves.
For data in transit, Microsoft encrypts connections established between customers and our datacenters using industry-standard AES and TLS. TLS establishes a security-enhanced browser-to-server connection to help ensure the confidentiality and integrity of data moving between desktops and datacenters.
For data at rest, Dynamics 365 encrypts its databases using FIPS 140-2-compliant TDE.
You can use Intune to encrypt app data by using AES 128-bit encryption. Apps associated with an Intune management policy have their data encrypted at rest by using device-level encryption. When a PIN is required, the data will be encrypted based on these policy settings.
iOS modules are FIPS 140-2 certified. Microsoft encrypts Android apps that are associated with an Intune mobile application management policy. Managed apps on Android use AES-128, which is not FIPS 140-2 certified. Content on device storage will always be encrypted.
Office 365 services for consumers and businesses follow industry cryptographic standards such as TLS/SSL and AES to protect the confidentiality and integrity of customer data.
In some scenarios, we use file-level encryption. For example, the files and presentations uploaded by meeting participants are encrypted by using AES encryption. OneDrive and SharePoint Online also use file-level encryption to encrypt data at rest. Office 365 moves beyond a single encryption key per disk to deliver a unique encryption key so that every file stored in SharePoint Online—including OneDrive folders—is encrypted with its own key. Your organization’s files are distributed across multiple Azure Storage containers, each with separate credentials, rather than storing them in a single database. Spreading encrypted files across storage locations, encrypting the map of file locations itself, and physically separating master encryption keys from both content and the file map make OneDrive and SharePoint Online a highly secure environment for stored files.
For data in transit, all customer-facing servers negotiate a secure session by using TLS/SSL with client machines to secure the customer data. This applies to protocols on any device used by clients, such as Skype for Business Online, OneDrive, Outlook, and Outlook on the web.
For data at rest, Office 365 deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM conversations, as well as content stored in SharePoint Online and OneDrive. BitLocker volume encryption addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers and disks.
For data in transit, all data requested and transmitted by Power BI is encrypted in transit by using HTTPS to connect from the data source to the Power BI service. A secure connection is established with the data provider before data can traverse the network.
For data at rest, Power BI encrypts certain key data when at rest, including Direct Query datasets as well as Power BI desktop and Excel reports. Other data, such as for Extract, Transform, and Load (ETL), is generally not encrypted.
For data in transit, Visual Studio Team Services (Team Services) encrypts data in transit between the user and the service, using HTTPS/SSL, and encrypts all connections to Azure Storage and SQL databases to preserve data integrity.
For data at rest, Team Services uses Azure Storage as the primary repository for service metadata and customer data. Depending on the type of data and the storage and retrieval needs, Microsoft uses Azure SQL data storage for project metadata, including file structure, changeset details, and work item fields. Microsoft uses Azure Blob (binary large objects) storage for unstructured storage, such as work item attachments and file contents. Team Services utilizes SQL TDE support to protect against the threat of malicious activity by performing real-time encryption of the database, associated backups, and transaction log files at rest.
Windows Server 2016 includes familiar encryption technologies for protecting data at rest, such as BitLocker full volume encryption and Encrypting File System (EFS) file-level encryption. Popular VPN protocols and TLS/SSL encrypted sessions help protect data in transit.
Datacenters today are built on virtual machines, and modern cyberattacks often target the virtualization fabric and environment. Windows Server 2016 Hyper-V adds the ability to configure a virtual TPM so you can encrypt virtual machines with BitLocker. Windows Server 2016 also provides for “encryption supported” mode and “shielded” mode for protecting virtual machines via TPM, disk encryption, and live migration traffic encryption. Encryption is only one of multiple security mechanisms (including Guarded Fabric) that work together to protect Shielded VMs.