Protecting your sensitive data with double key encryption

Do you trust your cloud service provider (CSP) to protect your most sensitive data? When simply trusting isn’t enough, the answer might be to add another layer of encryption to your data.

Why trust isn’t enough

Between Exchange Online, SharePoint Online and OneDrive, enterprises store a significant amount of sensitive information on Office 365. Recent reports from Microsoft for Office 365 show that it is the most popular enterprise cloud service as indicated by the number of active users.

Like most cloud service providers (CSPs), Microsoft operates under a shared responsibility model. It is responsible for Office 365 platform security, including preventing intrusions and DDoS, malware and APT protection. In turn, its customers are responsible for ensuring their employees do not misuse corporate data stored on Office 365 and that their login credentials do not fall into the wrong hands.

Highly regulated industries are increasingly focused on enhancing their data protection and privacy programs due to the rising threat of data breaches and identity theft. In August 2021, thousands of Microsoft customers, including some of the world’s largest companies, were warned that intruders may have the ability to read, change or even delete their main databases. The vulnerability was in Microsoft Azure’s flagship Cosmos DB, a globally distributed, multi-model database service. A research team at the security company Wiz discovered that it was able to access keys that control access to databases held by thousands of companies. Microsoft cannot change those keys by itself, so it emailed customers and instructed them to create new ones.

Securing data throughout its lifecycle is of paramount importance to any organization. While data is mostly encrypted at rest and in transit, vulnerabilities may occur when data is in use or at runtime. For protecting data in public cloud environments, a new approach has emerged around Bring Your Own Key (BYOK) and Customer Encryption Key (CEK), available for the major public clouds such as AWS, Google GCP and Azure. With a BYOK approach, the CSP holds an organization’s keys to encrypt and decrypt data. However, even this may not be enough to guarantee privacy and strong data protection for regulated customers.

Double Key Encryption and how it works

Microsoft introduced Double Key Encryption (DKE) for Office 365 in 2021. The objective was to make it easy for enterprise customers to provide an extra level of security over critical content stored in Azure by supporting a second level of encryption with a customer-controlled key.

The process for decrypting a document using DKE is explained in this sequence diagram:

Securing data with a DEK and HSM

The important feature of this process is that at no point can the CSP access the data encryption key (DEK), because it is stored and secured by a hardware security module (HSM) hosted at the customer location or by a sovereign cloud provider (for example a SecNumCloud provider).

This guarantees that Microsoft can’t access or read sensitive documents or data encrypted using this process. We call this Hold Your Own Key (HYOK), because the encryption keys are not controlled by the cloud provider. Even if a cloud data breach occurs on the CSP side, the data will remain protected against offline decryption, since the attacker will not have access to the DEK.

Data is an invaluable asset for every organization and sensitive data encryption is the way of the future. As more companies move more data online, it becomes increasingly important to protect this goldmine of information and unlock its full value.

Separating encryption keys from data is best practice, and as organizations encrypt more and more data it becomes increasingly difficult to manage keys using manual processes. Once you have hundreds or thousands of encryption keys, a centralized key management system (KMS) becomes a necessity. Given the high value of DEKs, they are an attractive target for cyber criminals, especially where multiple DEKs are stored in the same place. Best practice is to use a hardware security module (HSM) to store a Master Key that encrypts all the CEKs that protect the data.
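The two ideas above, the double-wrapped DEK from the DKE decryption sequence and the HSM-held master key that wraps every per-document key, can be shown together in a small working model. The following Go program is an added example, not code from the article, from Microsoft or from DuoKey. It assumes two key holders, a customer HSM and a cloud key service (names and the `KeyHolder` type are constructed for this example), each exposing only wrap/unwrap operations and never exporting its key. Each document gets a fresh DEK; the DEK is wrapped first by the customer key and then by the cloud key, so the stored document can only be recovered when both parties cooperate. The `CloudOnlyAttempt` function models offline decryption after a breach at the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyHolder models a party (customer HSM or cloud key service) that holds a
// 256-bit wrapping key and exposes only Wrap/Unwrap, never the key itself.
type KeyHolder struct {
	label string
	key   []byte // never returned to callers
}

func NewKeyHolder(label string) (*KeyHolder, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &KeyHolder{label: label, key: key}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything that is not a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh nonce; output is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if the key, nonce, tag or AAD do not match.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Wrap/Unwrap bind the wrapped key to the holder's label through the GCM AAD.
func (h *KeyHolder) Wrap(dek []byte) ([]byte, error)      { return seal(h.key, dek, []byte(h.label)) }
func (h *KeyHolder) Unwrap(wrapped []byte) ([]byte, error) { return open(h.key, wrapped, []byte(h.label)) }

// ProtectedDoc is what the cloud service stores: ciphertext plus the DEK
// wrapped first by the customer HSM and then by the cloud key.
type ProtectedDoc struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Protect generates a per-document DEK, encrypts the content with it and
// double-wraps the DEK so that both parties are needed to recover it.
func Protect(customer, cloud *KeyHolder, plaintext []byte) (*ProtectedDoc, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	inner, err := customer.Wrap(dek) // customer layer: the HSM's master key never leaves it
	if err != nil {
		return nil, err
	}
	outer, err := cloud.Wrap(inner) // cloud layer on top
	if err != nil {
		return nil, err
	}
	return &ProtectedDoc{Ciphertext: ct, WrappedDEK: outer}, nil
}

// Unprotect follows the decryption sequence: the cloud removes its layer, the
// customer HSM removes the inner layer, and only then is the content decrypted.
func Unprotect(customer, cloud *KeyHolder, doc *ProtectedDoc) ([]byte, error) {
	inner, err := cloud.Unwrap(doc.WrappedDEK)
	if err != nil {
		return nil, err
	}
	dek, err := customer.Unwrap(inner)
	if err != nil {
		return nil, err
	}
	return open(dek, doc.Ciphertext, nil)
}

// CloudOnlyAttempt models offline decryption after a breach at the provider:
// the attacker holds the stored document and the cloud key but not the customer
// HSM. Removing the cloud layer yields only the customer-wrapped blob, which
// cannot serve as the DEK, so the content stays sealed.
func CloudOnlyAttempt(cloud *KeyHolder, doc *ProtectedDoc) ([]byte, error) {
	inner, err := cloud.Unwrap(doc.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(inner, doc.Ciphertext, nil)
}

func main() {
	customer, _ := NewKeyHolder("customer-hsm")
	cloud, _ := NewKeyHolder("cloud-kms")
	doc, _ := Protect(customer, cloud, []byte("Q3 board minutes (constructed sample)"))
	pt, err := Unprotect(customer, cloud, doc)
	fmt.Printf("both keys:      %q (err=%v)\n", pt, err)
	_, err = CloudOnlyAttempt(cloud, doc)
	fmt.Printf("cloud key only: decryption failed (%v)\n", err)
}
```

The customer `KeyHolder` plays the role of the HSM-held master key from the paragraph above: every document's DEK is wrapped under it, so the KMS only ever stores wrapped keys, and rotating or revoking the master key is a single operation on one holder rather than on thousands of files.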

About the author

Nagib Aouini

DuoKey CEO and founder

Nagib Aouini holds a Master’s Degree in Computer Science, Applied Mathematics and Cryptography from the French university ENSIMAG. He is a former CISO at SEBA Bank, one of the first licensed crypto banks. In 2020, Nagib founded DuoKey, a cybersecurity startup focused on encryption and key management, which enables customers to confidently move sensitive workloads to the cloud, where they can benefit from strong security controls that help meet internal and external compliance requirements. Nagib has more than 20 years of experience in the field of digital identity and smartcards and has proven experience in the implementation of complex technical projects with high added value. Previously, he held key positions in a number of large companies specializing in digital security, such as Gemalto, Thales Security, and Accenture. Nagib has worked with governments on large-scale ID projects (e.g. the French Ministry of the Interior on the biometric e-passport project, the Kingdom of Morocco on the biometric identity card program, and the US Department of Defense [DoD] on the CAC access card program).