Back to Blog

Key Management & BYOK in Microsoft 365 for GDPR Compliance

by | Oct 17, 2023

Data Sovereignty Challenges

Microsoft Azure and Microsoft 365 are among the leading cloud services globally, but their limited Bring Your Own Key (BYOK) capabilities pose potential data security and compliance issues for organisations that must comply with the EU and global data sovereignty laws. Increased government concern over protecting sensitive personal, business, government and defence data in the Cloud has led to a complex regulatory landscape that aims to maintain control of citizen and government data.

Regulations such as the EU’s GDPR aimed at controlling ‘data sovereignty’, where a country or jurisdiction has the right to govern and control digital data collection, storage, processing, and distribution within its borders, come with both obligations and challenges for global entities.

Organisations operating across international borders must comply with each country/jurisdiction’s rules where their data resides. Learn more about the different laws impacting data sovereignty in this blog.

Why Encryption Aids in Compliance

The data sovereignty of information hinges on the location of where the data is stored. However, encrypting data changes everything.

Once encrypted, data can be stored anywhere without breaking sovereignty, as the encrypted data is useless without the key. The enforcement of data sovereignty then entails ensuring the encryption keys are stored in the correct jurisdiction and access to the encrypted data only occurs in the correct jurisdiction.

While encryption solves many data sovereignty issues when using CSPs, it also introduces new challenges – encryption key management and tightly controlling data access.

Risks When A CSP Holds Encryption Keys

CSPs, including Microsoft, offer an array of data security capabilities to help organisations protect their data, including key management (KM) and encryption services. However, in CSP-provisioned HSM or KM services, the provider creates, can access and retains control over your encryption keys.

Understanding the security and compliance risks of access to data and encryption keys by the CSP is critical. Especially since some of these regulations allow jurisdictions to demand CSPs provide them with a customer’s encrypted material.

Potential Data Exposure

With Microsoft or any CSP possessing the encryption keys, there is an inherent risk of unauthorised data exposure. While Microsoft has security protocols in place, the possibility of internal vulnerabilities or successful cyber attacks could expose sensitive data.

Legal and Governmental Access

Without BYOK, any CSP can be compelled to provide access to your data through legal processes. This is especially concerning given the U.S. CLOUD Act and Australian TOLA Act, which can potentially conflict with EU data protection laws.

Loss of Control and Data Sovereignty

Having encryption keys managed by a third-party provider like Microsoft limits an organisation’s control over its data, affecting data sovereignty—an essential requirement under EU laws.

Non-Compliance Penalties

Failure to fully control access to sensitive data could result in regulatory non-compliance, subjecting organisations to financial penalties. For example, GDPR fines of up to 10 million euros, or up to 2% of an organisation’s global turnover of the preceding fiscal year, whichever is higher, can be levied.

How BYOK Helps Mitigate These Risks in Microsoft 365

Bring Your Own Key (BYOK) is an option that allows organisations to create, retain control of and manage their encryption keys for added security. The main objective of BYOK is to mitigate the risk that a CSP or SaaS vendor may not provide the desired level of protection and control over your data, given that it has the ability to decrypt your data.

However, not all BYOK systems are the same. For the majority of CSPs, BYOK typically involves uploading a customer-specific certificate into the CSP. This certificate is then used to secure the encryption keys. Under this model, however, the CSP still has access to the encryption keys to perform the encrypt/decrypt actions.  Therefore, the CSP could still be mandated to hand over the keys by the legislation applying to the CSP itself.

To be secure and compliant, BYOK must put complete control of the encryption keys in the hands of the customer. For example, on a device such as a hardware security module (HSM) that the customer exclusively controls within their secure intranet.

For organisations to remain GDPR compliant, maintaining complete control over their data—down to the encryption keys—is essential. The absence of robust BYOK options in Azure and M365 makes it challenging to manage this.

Gain Control of Your Keys with BYOK for Microsoft 365

NC Protect, paired with NC Encrypt from archTIS, offers an integrated BYOK solution for M365. It provides independent key management, policy-based dynamic encryption and data access controls to meet the compliance and information security needs of organisations.

Add Dynamic Encryption, Independent Key Management & BYOK to M365

The NC Encrypt module provides dynamic encryption capabilities and critical BYOK and key management services to empower organisations to maintain data sovereignty and control over their encryption keys in M365.

With NC Encrypt’s key management capabilities, sensitive documents are dynamically secured using a system-generated encryption key based on the policies you define. Data can be dynamically encrypted at rest and in motion. For example, build a policy that automatically encrypts any GDPR-controlled personal data stored in M365 or when emailed via Exchange.

You can also extend the Bring Your Own Key (BYOK) approach through a seamless integration with Thales CipherTrust Manager to utilize keys from other HSM platforms.

NC Encrypt streamlines M365 encryption with automatic key generation and efficient and independent key management to provide dynamic protection and encryption of your valuable data, no matter where it lives or travels.

Segment Access to Data in M365 with Attribute-based Access Control

Encrypting data at rest is the bare minimum to protect sensitive data in a public cloud. It’s also important to note that Gartner recommends that if specific datasets need more robust access controls, you should deploy more granular protection at the individual file level.2

NC Protect uses dynamic attribute-based access control (ABAC) policies to control data access and security. Policies can be based on any combination of user (i.e., position, nationality), content (via discovery process rules) and environment (access point to information) attributes to control access to, usage and sharing of individual files. This allows organisations to apply fine-grain access controls to data based on geographical conditions to meet GDPR requirements.

By understanding the limitations of encryption key management, BYOK and access control capabilities in M365, organisations can make more informed decisions to better comply with GDPR and other regional data protection laws.

Contact us to learn how we can help you achieve your key management goals in M365.

eBook: The BYOK Gap in Microsoft 365

What Organisations Doing Business in the EU Need to Know

Share This