gosphotodesign - Fotolia


Weighing double key encryption challenges, payoffs

Microsoft's new double key encryption offering brings data security and compliance benefits. Are they worth the implementation challenges?

Encryption is one of the cornerstones of cybersecurity. Organizations rely on this technology to protect data while it is in transit over a network or when it is stored on a disk. Encryption relies on mathematical algorithms that perform intense computations that obscure data so it cannot be retrieved without access to the appropriate decryption key. That decryption key essentially serves as a password for the data. Thus, whoever holds the decryption key may unlock the data, while preventing access to those without it.

If encryption is good for data protection, double key encryption must be twice as good, right? Well, not necessarily. Performing encryption twice does not inherently add value in every situation. Organizations using an encryption algorithm with a strong key to protect data will likely not significantly improve security by encrypting data twice with double key encryption technology.

Double key encryption was created to solve a pressing cloud computing services problem: Where should users store their decryption keys? If the cloud provider has access to the decryption key, it also has access to decrypt the data stored in its service.

Double key encryption provides a second key in addition to the key used by the cloud provider. The second key is held only by the customer, therefore preventing the cloud provider from accessing sensitive data. Even in cases when the cloud provider decrypts the data with its key, any data it accesses is still encrypted.

Double key encryption use cases

When determining whether the benefits justify the investment in building a double key encryption environment, decision-makers should consider their organization's data security needs. Use cases for which double key encryption may be effective include the following:

  • organizations with sensitive proprietary data that must be protected from sophisticated intrusion attempts;
  • organizations facing regulatory requirements that prevent them from granting their cloud providers access to data; and
  • organizations with data sovereignty needs that require the decryption key to be stored in a particular geographic region to avoid foreign countries from compelling the service provider to grant access to the data.

In the past, organizations facing conditions described above simply ran their own services and avoided using SaaS offerings. The availability of double key encryption technology may enable greater cloud service adoption for these organizations.

Double key encryption provides a second key in addition to the key used by the cloud provider.

Microsoft's double key encryption service

Microsoft recently announced the availability of double key encryption technology for Microsoft 365 platform users. Current and prospective Microsoft 365 users should be informed about the technology's features and benefits to make informed decisions about whether double key encryption is appropriate for their organization's environment.

Unlike many features of Microsoft 365 and other cloud services, deploying the double key encryption capability requires far more than just clicking a checkbox. Security teams will need to obtain the double key encryption code from a GitHub repository and also build a double key encryption server that will manage all encryption keys. Finally, this server must be integrated with the Microsoft 365 deployment.

This is a time-consuming and labor-intensive undertaking. For these reasons, some organizations will decide against deploying Microsoft Double Key Encryption unless there is a compelling business or regulatory requirement for this level of protection.

Keep in mind that Microsoft's current double key encryption offering is not only potentially cumbersome to set up, but it is also still in the public preview phase. And the technology is not yet fully supported. Organizations can use it, but it may be wise to postpone any widespread or critical deployments until the feature is officially released.

Next Steps

Hackers build a better timing attack to crack encryption keys

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing