Protect your data stored on Microsoft 365 with Client Side Encryption, known as DKE.
By Cosmian | January 9, 2025 | Security, Public Cloud
Thanks to Client Side Encryption (CSE), companies can protect their data before it is transmitted to a hosting provider. This makes it an ideal solution for organizations wishing to use SaaS services such as Google Workspace or Microsoft 365 while ensuring that the hyperscaler cannot gain unencrypted access to their strategic data.
The arrival of client-side encryption within the Microsoft 365 cloud is recent and currently limited to a few flagship applications. Note that CSE is known at Microsoft as DKE, for Double Key Exchange.
Current support limited to Office and Outlook
To date, DKE is only available for the three main applications in the Microsoft Office suite (Word, Excel, PowerPoint), as well as for Outlook. Please note, however, that depending on whether you’re using a web client, a mobile application or a desktop version of Office or Outlook, not all DKE functionalities will be accessible. Other popular applications, such as Microsoft Teams, do not yet support DKE.
Encrypting a document involves applying a specific confidentiality label. Document tagging is a feature that has become commonplace on the Microsoft 365 cloud and on the Microsoft Windows operating system. It facilitates the management of rights within teams, as well as taking into account the accreditation levels of each employee. Organizations that have already implemented a document labeling policy will be immediately up and running in their use of DKE confidentiality labels, drastically limiting change management efforts.
Double Key Exchange is a ready-to-use solution that can be activated by all Microsoft 365 E5 license holders. An encryption key management tool (also known as KMS, for Key Management System) will need to be installed to make the system operational. The Cosmian kms solution is natively compatible with Microsoft 365, but also with other SaaS services, such as Google Workspace. Open source, auditable and verifiable, Cosmian kms can be deployed as a secure cloud instance, via the Microsoft 365 marketplace.
Some limitations to consider
The main limitation of Microsoft DKE is that it forces organizations to rely on the Microsoft Entra identity management tool, which remains a weakness when it comes to data confidentiality. Another limitation is that the Microsoft 365 cloud does not yet support S/MIME for e-mail (unlike Outlook). Emails will therefore only be protected through DKE, and only on internal flows: unlike with the S/MIME standard, data encryption cannot be extended to exchanges with third parties.
Protect your data with native encryption integration for Microsoft 365 collaborative applications with Cosmian kms. Contact us for more information.