What is an HSM in Office 365’s Azure RMS?

Security is a big focus for Microsoft, especially with Office 365; their enterprise-class data centers are some of the most secure in the world.  Above and beyond data center security, Microsoft has implemented technologies that allow organizations to further secure their data, even from Microsoft themselves.  One way this is done is with Rights Management Services, or RMS.  The mile high explanation for RMS is that it “provides the ability to safeguard sensitive information created using Office applications and services such as email or other memos or correspondence that requires confidential treatment. Rights are assigned to content when it is published and the content is distributed in an encrypted form that provides persistent protection wherever the content travels. Rights that can be assigned include the ability to allow or deny viewing, printing, copying of messages or documents as needed using template-based assignment.” (http://technet.microsoft.com/en-us/library/jj585024.aspx)

“Well, that’s great – but if Microsoft is securing their own data, how does that prevent their own engineers from decrypting the data themselves,” you ask, long-windedly.  That is done by deploying a Thales Hardware Security Module, of course referred to as an HSM.  According to Thales, “Thales nShield HSMs create tight controls around the management and use of the keys used by Microsoft Rights Management Services (RMS)” and “Thales nShield HSMs ensure that your key is always under  your control and never visible to Microsoft. The capability neutralizes the  perception that sensitive data maintained in the cloud is vulnerable because  the cloud can only be a shared service with a shared security infrastructure.”  Thales provides a 3rd party security mechanism to encrypt RMS data, leaving even Microsoft in a position where they need to gain access to the security mechanism in order to decrypt the information – an action that can be logged, with logs that are visible to the tenant owner.

HSM-1

“Okay,” my skeptical reader thinks, “but if Thales is held in the data center, Microsoft can just access Thales to get the key.  Logged or not, they still have access to my data.” Microsoft and Thales are on top of that one, too, by allowing organizations the option of Bring Your Own Key or…you guessed it, BYOK.  Per Thales, “Organizations subscribing to Windows Azure RMS in the cloud can choose to generate and maintain custody of their own key independent of Microsoft”.  This means you have the option to revoke your key, rendering RMS-encrypted data unreadable.  Future capabilities even include the option “lend” your key to Microsoft for short periods of time, meaning that revocation would not need to be proactive; rather, permission would need to be persistent to keep functionality, maximizing security of the data.

HSM-BYOK

So, as you can see, organizations can secure their data, using Azure RMS, from even Microsoft themselves.  This functionality comes “out of the box” with Azure RMS, no added hardware or licensing purchases required.

The images used are from the Thales cloud security solution brief, which can be found/downloaded here: http://www.thales-esecurity.com/msrms/cloud

One thought on “What is an HSM in Office 365’s Azure RMS?

  1. Pingback: RMS with Azure and O365 | All about Office365

Leave a Reply