Video conferencing and online collaboration tooling has been extremely important the past year or so in light of hybrid work environments during the ongoing pandemic. This is why Microsoft regularly updates Teams with new features such as Webinars, Reading Progress, and live transcription, among many others.
Now, the Redmond tech giant has made Microsoft 365 Customer Key generally available for Teams.
Although Microsoft already ensures that all customer data is encrypted at rest using BitLocker and Distributed Key Manager (DKM), another layer of security it adds at the application layer for tools such as OneDrive, SharePoint Online, and Teams is "service encryption". This layer offers encryption either via Microsoft-managed keys or through Customer Key. While the former is self-explanatory, the latter allows customers to generate their own cryptographic keys, manage them, and use them in keychains that encrypt content. Previously, Microsoft 365 Customer Key was only available for Exchange Online, SharePoint Online, and OneDrive for Business, but support for Teams is now generally available too.
Organizations can use Customer Key to develop their own data encryption policy (DEP) and utilize it to enforce encryption of certain content for all tenant users. While customers can create multiple policies, only one can be applied at a time. The following data can be encrypted using Customer Key:
- Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations)
- Teams media messages (images, code snippets, video messages, audio messages, wiki images)
- Teams call and meeting recordings stored in Teams storage
- Teams chat notifications, Teams chat suggestions by Cortana, Teams status messages
- User and signal information for Exchange Online
- Exchange Online mailboxes that aren't already encrypted using mailbox level DEPs
- Microsoft Information Protection exact data match (EDM) data – (data file schemas, rule packages, and the salts used to hash the sensitive data)
Microsoft has cautioned that while encryption begins automatically once a DEP is assigned, it is important to note that the process may take some time to complete depending on the volume of data in your organization. For data in Teams and Microsoft Information Protection, encryption will be enabled for all data following DEP assignment while historical data will remain as-is. The company aims to bring automatic encryption of historical data via Customer Key for these services eventually too.