On July 16th, 2020 the European Court of Justice issued its decision on the adequacy of the protection provided by the EU-US Data Protection Shield for the transfer of personal data for commercial purposes by an economic operator established in an EU Member State to another economic operator established in a third country. The use of cloud services is now commonplace and has been increased due to the need for working from home due to the coronavirus pandemic. In addition, unstructured files like documents, spreadsheets and slide decks that are stored in these services often contain personal data. Most of these services are owned and run by service providers located in a Third Country.
What does this judgement mean in detail for organizations using these services and how does Double Key Encryption for Microsoft 365 help?
Risk
There are three points at which the confidentiality, integrity or availability of the personal data can be compromised by public authorities in Third Countries:
- During its transfer across networks, it may be accessed by third parties including governments. This access may be passive where the contents of the communication are simply copied. However, public authorities may also interpose themselves into the communication process and not only read the content, but also manipulate or suppress parts of it.
- During its storage, by either accessing the processing facilities themselves, or by requiring the recipient of the data to locate, and extract data of interest and turn it over.
- During processing, the data could be accessed while it is being used or analyzed. For example, when a service is being provided remotely.
EDPB Recommendations
In November 2020, the EDPB (European Data Protection Board) recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data were approved. These recommendations provide exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place. These recommendations cover contractual tools such as:
- standard data protection clauses (SCCs).
- binding corporate rules (BCRs).
- codes of conduct.
- certification mechanisms.
- ad hoc contractual clauses.
Note that - while the contractual tools are important – this blog does not provide legal advice will focus on the technical supplementary measures recommended.
Supplementary Technical Steps
The recommendations go further and indicate that contractual tools may not be sufficient and that organizations need to take supplementary technical steps to ensure the adequacy of the protection of personal data transferred. In summary the recommendations identify three major technical approaches for which example use cases are provided. These technical steps include:
- Encryption – strong state of the art encryption provides adequate protection providing the keys are managed correctly.
- Pseudonymization – as opposed to anonymization - is explicitly allowed by GDPR providing the addition data needed to reconstitute the personal data is adequately protected.
- Multi party computing – protocols that split the data into parts that can be processed independently without any of the processors being able to reconstitute any personal data.
Encryption
Strong encryption can provide adequate protection for data being transferred against its interception and manipulation by a third-party including government actors. It also provides protection for stored data in the event that the recipient of the data is forced to locate, and extract data of interest and turn it over to the authorities.
According to the EDPB encryption offers adequate protection providing:
- The encryption algorithm and its, key length, and operation conform to the state-of-the-art.
- The strength of the encryption considers the length of time the data must remain confidential.
- The encryption algorithm is flawlessly implemented, and algorithm has been verified, e.g., by certification.
- The keys are reliably managed and are retained solely under the control of the data exporter.
Public key encryption techniques can also limit access as well as detect where data has been changed. However, public key encryption depends upon the trustworthiness of the certificate authority as well as control over private keys.
However, in general, encrypted data needs to be decrypted for it to be processed and so further measures are needed to protect personal data during processing. Homomorphic encryption is often proposed as a technique that also provides protection during processing. However, there are still concerns about the processing overhead that limits the practicality of this approach.
Microsoft Double Key Encryption
Most cloud service providers encrypt data that is held in their service – however, by default they usually control the encryption keys. While this protects against certain threats such as media loss it clearly does not meet the above requirements. Some services provide a way for the customer to securely control the encryption keys – for example, the keys are held in an HSM (Hardware Security Module) which has been certified to be tamper proof FIPS 140-2. In addition, they may support a secure key management protocol KMIP. These are fine for certain use cases but for unstructured data more is needed.
In July 2020 Microsoft announced their Double Key Encryption for Microsoft 365 to help organizations to protect their mission-critical data. This is in addition to the data protection capabilities based on content offered by Microsoft Information Protection’s classification and labeling.
Double Key Encryption for Microsoft 365 uses two keys to protect data; one key in the customer’s control and a second key stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, protected data remains inaccessible to Microsoft, ensuring that the customer has full control over their data privacy and security.
The protected data can only be viewed and processed by the desktop apps. That is to say that it cannot be viewed using the Microsoft 365 Web apps since this would mean that the data would have to be decrypted within the Microsoft server i.e., it would potentially beat risk during processing. The data can be shared but only if those users:
- Have the required permission to access the customer’s key in your Double Key Encryption service.
- Have the required permission to access the customer’s key in Microsoft Azure.
However, it is not possible to access that data in a non-Microsoft air gapped environment because the service requires access to Microsoft Azure.
Opinion
The risk of personal data being held in unstructured office productivity tools is often forgotten. While it is easy for end users to inadvertently include personal data there are existing tools that can protect against it being exported (DLP for example). However, there may be a legitimate need to use office productivity tools with this kind of data and to use cloud services to store and share this data. Microsoft Double Key Encryption adds an extra layer of protection on top of what is already offered through the Microsoft Information Protection tools. If properly managed this would appear to satisfy the EDPB criteria for supplementary technical controls needed for compliance. As always security comes at a price. Even with standard Microsoft Azure Information Protection, some capabilities such as joint editing of documents are not available. In addition, when implementing DKE, the cost and complexity of managing the keys should not be underestimated.
For more information see: