Thursday, September 13, 2012

Office 365 data not encrypted at rest

One of the questions that was posed in today’s Office 365 Security session hosted by Scorpion Software that I appeared on

 

https://www.youtube.com/watch?v=RvDB3vOFpEI&feature=player_embedded

 

was whether the data in Office 365 was encrypted ‘at rest’. I said that I thought it would be but as it turns out I was wrong. The following document:

 

Standard Response to Request for Information O365 – Security Privacy v2 - http://www.microsoft.com/en-us/download/details.aspx?id=26647

 

says clearly:

 

“Office 365 currently does not encrypt data at rest, however, the customer may do so through IRM or RMS.”

 

in multiple places (one instance is on p26, in the IS-18 Information Security Encryption section).

 

However, before everyone starts jumping up and down about this, can I ask whether the information on your local server is encrypted at rest? It can be (using BitLocker and what not) but it isn’t by default, I believe. However, I’d like to know the reason why it is not, so let me see what I can find on that score and report back.