
Email Encryption and Data Protection for Microsoft Office 365

A Comparison of Virtru and Microsoft Azure Rights Management

Microsoft Data Protection: A Critical Challenge

Microsoft Office 365, Microsoft’s cloud office offering, provides excellent default email and file security, but many customers require additional encryption and data protection capabilities to meet regulatory, compliance, or privacy needs. Email remains the most common method of business communication. It’s where companies create, house, and share their most valuable information, which means it’s also where unauthorized third parties look when trying to access corporate data. By entrusting Microsoft with their email, businesses and governments solve key infrastructure and collaboration problems, but they often require additional capabilities to help with other encryption-related issues, such as:

• External sharing and control

• Object-level protection

• Data loss prevention (DLP)

• Cloud provider access levels

• Corporate governance

• Data residency

• Encryption key management

• Regulatory compliance (HIPAA, CJIS, EAR, PCI, etc.)

Given the growing number of cloud privacy and security concerns in the Microsoft ecosystem, it’s essential that organizations understand the additional encryption options available to them…


According to the information technology research and advisory company Gartner, organizations face several challenges when evaluating email encryption solutions:1

• There is no standardized email encryption solution that is easily used by all email clients and across all use cases.

• Traditional email encryption is mature and works relatively well in a business-to-business communications scenario, but it is failing to evolve to meet emerging use cases.

• Business managers typically assume email encryption is a single solution, regardless of the use case, and provide insufficient information about current and future potential use cases to email administrators.

• Unless a vendor steps up to cover more use cases, IT organizations will be forced to adopt a patchwork of email encryption solutions that do not work well together and are expensive to replace.

As such, Gartner suggests that successful email encryption solutions should adhere to the following principles:2

• Enterprise users prefer to receive and manage their email from multiple senders via one email client, and have a strong dislike for web-based portals to access secure content.

• Consumers typically leverage multiple web mail clients to receive their personal email and typically will not welcome the installation of third-party software on their systems to access secured content, especially when dealing with multiple secure senders.

• Secure email solutions must seamlessly support mobile devices such as tablets and smartphones’ “anytime, anywhere” access paradigm.

Given the growing number of cloud privacy and security concerns in the Microsoft ecosystem, it’s essential that organizations understand the additional encryption options available to them, how these solutions work, and when it makes sense to deploy them.

Understanding Data Protection Options

To meet advanced data protection and encryption requirements, most Office 365 customers follow one of three approaches:

1. Add Microsoft’s own email security services

2. Add third party email security solutions

3. Add third party solutions as well as Microsoft’s services

1 Define the Use Case Before Investing in Email Encryption. Gartner. ID: G00254903

2 Email Encryption: Protecting Your Content When Sending to External Recipients. Gartner. ID: G00233341


According to Gartner, 35% of all Office 365 customers seek third party solutions to supplement the platform’s default email security capabilities.3 It is unclear what percentage of Office 365 customers use Microsoft’s native email security add-on, Azure Rights Management (RMS), which can be purchased for an additional fee on top of a customer’s Office 365 subscription.

Azure RMS encompasses two product offerings:

• Office 365 Message Encryption (OME) – OME allows customers to send emails with encryption that exceeds the basic Transport Layer Security (TLS) built into Outlook Desktop and Outlook Web App (OWA) by default. OME also includes data loss prevention (DLP) capabilities that can automatically take actions on emails according to policies preconfigured by an administrator.

• Azure Information Protection (AIP) – AIP – and its on-premises counterpart, Information Rights Management (IRM) – enables customers to apply usage restrictions to email messages shared with other Microsoft recipients.

Several third party solutions, such as Virtru, integrate with Office 365 to combine the capabilities of OME and AIP, in addition to other features. As these products are not built directly by Microsoft, they must be purchased separately from Office 365.

Objectives of this Evaluation

As Microsoft security specialists, our customers rely on us to evaluate both Microsoft and third party encryption and data protection solutions. In recent years, two products have garnered the majority of interest from our enterprise customers: Microsoft Azure RMS and Virtru. This paper compares these options. The analysis was completed by an experienced Microsoft deployment engineer with intimate knowledge of enterprise data protection requirements and deep experience with each product.

The purpose of this document is to provide a head-to-head comparison of Virtru and Azure RMS within the context of an Office 365 email deployment.

We list out the full functionality of each product in the “Feature Comparison Matrix” section, which assesses capabilities across the following areas:

1. Sender User Experience

2. Recipient User Experience

3. Mobile User Experience

4. Administrator User Experience

5. Control Features

6. Encryption

7. E-Discovery

8. DLP Types

9. DLP Options

3 Gartner Market Guide for Secure Email Gateways, Neil Wynne, Senior Research Analyst, May 3, 2017


When evaluating any data protection solution, our team prioritizes three qualities, which we have highlighted here for Virtru and Azure RMS in the “Key Findings” section of this document:

1. Ease of Use

2. Security

3. Control

To perform our evaluation, our security experts deployed both Virtru and Azure RMS within the same Office 365 domain, using the same default email settings that Microsoft provides for its customers. In certain instances, we had to adjust these settings in order to best compare functionality across products.

Architecture Comparison

Virtru

• Choose to encrypt and decrypt content on the client-side, at the network level, or both to ensure protection from the time of creation no matter where data travels.

• No provider, including Virtru and Microsoft, has access to unencrypted content.

• Senders and receivers can use their native email clients or device; no portal, passwords, or other service is required.

• Customers manage access to encryption keys.

Azure RMS

• Unencrypted plain text is sent via TLS connection.

• Microsoft has access to the customer’s unencrypted content.

• Recipients must download an attachment to read content, unless they are already OME users, in which case messages appear transparently in their inbox.

Feature Comparison Matrix

Columns: Category, Functionality, Virtru, Microsoft Azure RMS. Where a cell carries a note rather than a plain mark, the note is given with the column it belongs to.

Sender UX

• Max Attachment Size – Virtru: 100 MB; Azure RMS: 25 MB

• Read Receipt / Audit – Azure RMS: Only for MSFT Recipients

• Sent Label Encrypted

• Encrypted Inbox Discovery

• Encrypt Notification

• Above Line Plain Text

• Delegated Inbox (View Access)

• Share with Anyone – Azure RMS: Only for OME4

Recipient UX

• Microsoft Auth

• No New Password Required – Azure RMS: Only for MSFT Recipients

• Branded Recipient Email Template

• Customized Recipient UX

• Reply Encrypted

• Send to Anyone

Mobile UX

• Browser Access

• Dedicated Mobile App

Admin UX

• Roles

• Push Notifications and Alerts

• Revoke

• Expiration

• Admin Console

• Configure from Exchange Online

• Licensing Reports

• Customizable Portal

• Siloed E-Discovery Role

• Admin Reporting / Auditing

Control Features

• End User Revoke

• End User Forwarding Control – Azure RMS: Only for MSFT Recipients

• End User Message Expiration

• End User PDF Watermarking

• End User Read Receipt – Azure RMS: Only for MSFT Recipients

• Admin Read Receipt

• Admin User Revoke

• Admin User Forwarding Control – Azure RMS: Only for MSFT Recipients

• Admin User Message Expiration

• Admin User PDF Watermarking

E-Discovery

• End User Encrypted Search

• Bulk Decrypt and Export for E-Discovery

Encryption

• Client-Side

• Server-Side

• Customer Can Host Encryption Keys Exclusively5

• Customer Can Choose Key Location

• In-Transit Encryption

• No Third-Party Access to Plain Text

• Object-Centric Protection6

DLP Types

• Client-Side Scanning

• Server-Side Scanning

• Inbound Encryption Options

• Message Scanning

• Attachment Scanning – Virtru: .PDF and .TXT Files Only; Azure RMS: Most File Types

DLP Options (for every item below – Virtru: Out of the box; Azure RMS: Custom MSFT regex)

• IP Address

• Credit Card Number

• Federal EIN Number

• Possibly Sensitive

• Social Security Number

• Account Number

• Confidential

• FINRA

• HIPAA

• Non Disclosure Agreement

• Off the Record

• Password

• PII

• Proprietary

• Subpoena

4 AIP senders can only share messages with other Microsoft users.

5 Microsoft allows customers to host their own keys, but customers do not maintain exclusive access to the keys, which is a requirement for many enterprises. Additionally, there are several limitations to Azure RMS when deployed with Microsoft’s customer-hosted key configuration.

6 Data is encrypted the moment it is created and remains encrypted no matter where it travels.

Key Findings

Azure RMS and Virtru both enable email and attachment file encryption for communications within Office 365, but they do so using very different approaches.

Azure RMS processes email security policies at the network level, after messages have left the sender’s browser/mail client and been received by Microsoft’s mail servers.

In addition to its Network Data Protection option, which encrypts data at the server-side no matter where it’s shared from, Virtru provides client-side encryption that protects emails from the moment they are created and keeps them secure at all times, wherever they travel.

This distinction means that Microsoft and other intermediary third-party providers can access Azure RMS customer content, whereas only senders and receivers ever have access to Virtru customer content.

Ease of Use: End Users

According to Gartner,7 cross-platform sender ease of use is critical for any data protection solution.

Virtru integrates encryption directly into the sender experience in major browsers, email clients, and devices with minimal disruption or change to the way users work. With a simple toggle in Microsoft Outlook or OWA, senders can decide on-demand which messages and files to encrypt, and they can indicate which messages were sent out with encryption.

7 Define the Use Case Before Investing in Email Encryption. Gartner. ID: G00254903

In addition, Virtru’s DLP allows administrators to set policies that automatically encrypt certain messages.

Sending with Azure RMS relies on customers to build policies that match a particular text string, such as “encrypt,” in the subject line or message body in order to activate encryption. If users forget to utilize keyword triggers, their emails may be sent without encryption. In addition, senders do not have an easy way to determine which of their outbound emails end up being encrypted, which creates a “black box” scenario for end-users.

For recipients, Virtru uses existing platform credentials to enable recipients to decrypt and consume messages and content. This can occur using either federated identity (OAuth, OpenID, SAML) or using an email confirmation loop. Virtru provides recipients with two authentication options:

• Users can activate a browser extension or desktop plugin that enables them to read their messages, as well as send their own encrypted messages, directly from OWA, Windows Outlook, or mobile.

• Users can read via a secure web reader that opens in the browser.

In both cases, Virtru enables authentication with existing platform credentials. No new software, accounts, or passwords are required.

Figure: Virtru OWA Recipient Experience (Virtru integrates directly into OWA)

Figure: Virtru In-Browser Recipient Experience

Recipients who have already configured Azure RMS onto their email servers can read Azure RMS messages transparently. If recipients do not have Azure RMS configured, they will receive an email containing an HTML attachment and instructions on how to download it:

Figure: Required Azure RMS Recipient Download

A common complaint from Azure RMS users is that recipients often refuse to download the attachment included in this first message due to fear of phishing attacks. Microsoft administrators report that this experience can be frustrating because it requires them to deviate from their security policies that caution against the downloading of suspicious attachments. As anti-phishing software, end-user training, and policies become more pervasive, this problem is only likely to increase.

If they are able to download the attachment, recipients will then have the option of creating a new Microsoft account, signing in with their existing Microsoft account, or accessing a one-time email code. Unlike Virtru, Azure RMS recipients cannot authenticate using non-Microsoft accounts, which adds some friction to the authentication process for external users.

After authenticating, recipients can view and reply to the decrypted message in a web reader that is hosted on Microsoft’s servers.

Ease of Use: Administrators

Virtru configuration is straightforward. Individuals can download the client-side plugins directly from Virtru’s website, or administrators can push them out directly to their end-users. To enable Virtru encryption at the server-level via Virtru’s Network Data Protection, administrators must perform an installation on their servers or in a cloud environment.

For backend integration with On-Premise, Azure, and Federated AD environments, Virtru provides instructions and an installer that can be configured in minutes.


Azure RMS configuration is more complicated, specifically with regard to AIP.

After activating Azure RMS, administrators must configure Exchange Online through PowerShell, Microsoft’s task automation and configuration management framework, which consists of a command-line shell and an associated .NET scripting language. Administrators must have experience with PowerShell in order to configure Exchange to use AIP.

Once configured, Virtru offers a centralized dashboard from which administrators can:

• View active Virtru users

• Track where end-user emails travel and control access

• Configure DLP rules

° On the client-side or the network level

° For the entire domain or for specific OUs and groups

Figure: Microsoft AIP Configuration Requires PowerShell

Compared to Azure RMS and other Microsoft DLP options, Virtru’s dashboard provides a flexible, straightforward interface:

Virtru’s DLP capabilities do not require specific Office 365 license functionality or regex syntaxes.

In addition to message bodies and metadata, Virtru’s DLP can scan the content of .PDF and .TXT attachments, where Azure RMS’ DLP can scan a wider variety of attachment types. However, Virtru customers looking for enhanced attachment scanning capabilities can use Virtru with existing third-party DLP solutions that support these and other features.

Figure: Virtru Forwarding Tree for Administrators

Figure: Virtru’s DLP Rule Builder

With Azure RMS, DLP setup occurs in the Exchange Online Admin Center. Here, administrators can choose from more actions for their policies (pictured below) than they would be able to with Virtru. With regard to encryption, administrators can add mandatory TLS encryption or Office 365 Message Encryption to their DLP rules:

Unlike Virtru, Azure RMS DLP can only scan end-user content at the network level. This means that, in order to use Azure RMS DLP policies, the customer must give Microsoft the ability to scan their unencrypted content to identify policy indicators. Since Virtru offers client-side DLP, they can enable DLP policies without accessing customer plaintext, which is sometimes necessary for regulatory and business privacy requirements.

Figure: DLP Encryption Policies for Azure RMS

Figure: Additional Azure RMS DLP Options

Azure RMS allows administrators to set up Outlook and OWA alerts for their users when their messages:

• Violate DLP policies

• Cannot be delivered

• Are forwarded by recipients

Azure RMS administrators can also choose to have these alerts emailed to themselves, a ticket system, or specific end-users based on the DLP actions that are triggered.

Virtru does not currently support automated incident alerts, but it does enable administrators to view most of this information via the Virtru Dashboard on behalf of their end-users.

Azure RMS includes the following incident reports out-of-the-box:

• Top DLP Policies Triggered

• DLP Policy Search by Overrides and False Positives

• DLP Policy Search by Severity

Both Virtru and Azure RMS enable DLP enforcement for outbound emails and files, but Virtru also provides the ability to enforce DLP rules for messages entering a customer’s domain.
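The DLP discussion above turns on a few mechanics: a keyword trigger that senders can simply forget, content patterns (social security numbers, card numbers and the like) that fire regardless of what the sender typed, attachment scanning limited to types whose text can be extracted, and enforcement on inbound as well as outbound mail. The small rule engine below is an added example written for this page; it is not Virtru’s or Microsoft’s code, the patterns are illustrative rather than either vendor’s sensitive-information types, and the messages are constructed. It goes one step beyond the page by adding a Luhn checksum to the card-number rule, which is how a practitioner keeps a bare 16-digit pattern from flagging tracking numbers.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Message:
    direction: str                                   # "outbound" or "inbound"
    subject: str
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Rule:
    name: str
    directions: Tuple[str, ...]                      # traffic the rule applies to
    matcher: Callable[[str], bool]
    scan_attachments: bool = True


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from arbitrary runs of 13-16 digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Illustrative patterns (assumption: these are not Microsoft's or Virtru's own definitions).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def has_ssn(text: str) -> bool:
    return SSN_RE.search(text) is not None


def has_card_number(text: str) -> bool:
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


def has_keyword(text: str) -> bool:
    # The keyword-trigger approach described on the page: "encrypt" in subject or body.
    return "encrypt" in text.lower()


# Only attachment types whose text can be extracted are scanned (the page: .PDF and .TXT).
SCANNABLE_EXT = (".txt", ".pdf")


def scannable_text(msg: Message, include_attachments: bool):
    yield msg.subject
    yield msg.body
    if include_attachments:
        for name, text in msg.attachments.items():
            if name.lower().endswith(SCANNABLE_EXT):
                yield text


def triggered_rules(msg: Message, rules: List[Rule]) -> List[str]:
    hits = []
    for rule in rules:
        if msg.direction not in rule.directions:
            continue
        if any(rule.matcher(t) for t in scannable_text(msg, rule.scan_attachments)):
            hits.append(rule.name)
    return hits


def decide(msg: Message, rules: List[Rule]) -> str:
    return "encrypt" if triggered_rules(msg, rules) else "send-plaintext"


# Policy A: keyword trigger only, outbound only.  Policy B: keyword plus content rules, both directions.
KEYWORD_ONLY = [Rule("keyword-trigger", ("outbound",), has_keyword, scan_attachments=False)]
CONTENT_AWARE = KEYWORD_ONLY + [
    Rule("ssn", ("outbound", "inbound"), has_ssn),
    Rule("credit-card", ("outbound", "inbound"), has_card_number),
]

# Constructed sample messages.
FORGOT_KEYWORD = Message("outbound", "Q3 payroll update", "Jane's SSN is 123-45-6789; please update HR.")
CARD_IN_ATTACHMENT = Message("outbound", "Expense report", "See attached.",
                             {"card.txt": "Corporate card 4111 1111 1111 1111, exp 12/29"})
LOOKS_LIKE_CARD = Message("outbound", "Shipment", "Tracking number 4111 1111 1111 1112")
INBOUND_FORM = Message("inbound", "Re: onboarding forms", "My SSN is 234-56-7890.")

if __name__ == "__main__":
    for m in (FORGOT_KEYWORD, CARD_IN_ATTACHMENT, LOOKS_LIKE_CARD, INBOUND_FORM):
        print(f"{m.subject!r}: keyword-only -> {decide(m, KEYWORD_ONLY)}, "
              f"content-aware -> {decide(m, CONTENT_AWARE)} {triggered_rules(m, CONTENT_AWARE)}")
```

Running it shows the "black box" failure the page describes: the payroll message with no trigger word leaves in plaintext under the keyword-only policy and is encrypted under the content-aware one; the card number inside a .txt attachment is caught only because attachments are scanned; the Luhn-invalid tracking number is left alone; and the inbound form is covered only by a policy that applies rules in both directions.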

Security

Virtru protects emails and attachments using object-level, or data-centric, encryption. This means that data is encrypted the moment it is created, and it remains encrypted no matter where it travels. Like regular Outlook and OWA messages, content is transmitted and stored on Microsoft’s (or any recipient’s mail provider’s) servers, but in encrypted form. The encryption keys that protect these emails are stored on Virtru’s servers, and access to them is always managed by the customer.

Figure: DLP Notifications for Azure RMS

Since protected content and encryption keys are stored separately, neither Microsoft nor Virtru – nor any other cloud provider – can access unencrypted customer content.

Azure RMS protects emails and attachments after they have left the sender’s device. Messages are encrypted in transit via Transport Layer Security (TLS) until they reach Microsoft’s servers, at which point Microsoft stores the customer’s unencrypted content on a hosted portal.

Unlike Virtru, Microsoft can access the unencrypted content shared by Azure RMS customers, which makes it more difficult for them to meet certain data residency, privacy, and compliance (CJIS, EAR, etc.) requirements that Virtru can satisfy out-of-the-box.

Virtru also offers a Customer Key Server (CKS) feature that enables organizations to maintain complete and exclusive access to the encryption keys that protect their data. The CKS adds public key encryption to Virtru’s standard SaaS product, so that the encryption keys hosted on Virtru’s servers are encrypted by additional keys that only the customer can access.

As a result, Virtru customers can choose where their encryption keys are stored, either in the cloud or on a physical device. Azure RMS customers require special arrangements and significant engineering support from Microsoft in order to manage or host their own encryption keys or choose where they are located.

Control

While Azure RMS leverages a traditional network-centric approach to email protection, Virtru offers a more modern, object-level architecture, which affords users and administrators the ability to exercise granular, persistent control of emails and files across different platforms. Since its secure sharing is tied to the Microsoft network, Azure RMS does not offer the ability to add information protection capabilities to emails that leave Microsoft’s systems.

Figure: Virtru Customer Key Server Option

Virtru allows both senders and administrators to manage access to encryption keys so users can control their encrypted emails and files in several ways even after they’ve been read.

Senders can use these features for the emails they send, while Microsoft administrators can use them on behalf of any of the encrypted emails sent by users in their organization:

• Revoke message access

• Expire message access

• Disable message forwarding

• Track where messages have been forwarded

• See when messages have been read

• Watermark PDF attachments with recipient email addresses

Via AIP, Azure RMS customers can add some of these permissions to individual emails, but only recipients at other Microsoft organizations can read messages sent with them, which poses a risk when sharing externally.

Figure: Virtru Sender Control Capabilities

Figure: Azure RMS Control for Internal Emails

As a result, most Azure RMS customers can only use control capabilities after confirming that each of their recipients has the technical requirements needed to view AIP-protected messages; this is similar to sending emails via PGP or S/MIME.
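The Security and Control sections describe one mechanism from two sides: content is sealed with a per-message key before it leaves the client, the mail provider stores only ciphertext, a separate key server holds the keys and the access policy, and a customer key server wraps those keys so the hosted service cannot use them on its own. Revoke, expire, forwarding control and read receipts are then all decisions the key server takes at the moment a reader asks for the key. The model below is an added example written for this page, not Virtru’s or Microsoft’s code; the class names, the policy fields and the hash-based stand-in cipher are assumptions made here so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a hash-based keystream: a stand-in for a vetted AEAD such as AES-GCM
    (assumption made for this example; it is not the cipher either product uses)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered envelope")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CustomerKeyServer:
    """Customer-held wrapping key (the CKS idea): the hosted key service stores only wrapped keys."""
    def __init__(self):
        self._root = secrets.token_bytes(32)

    def wrap(self, msg_id: str, data_key: bytes) -> bytes:
        pad = hmac.new(self._root, msg_id.encode(), hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data_key, pad))   # one-time pad per message id

    unwrap = wrap   # XOR with the same pad is its own inverse


class KeyServer:
    """Hosted key and policy service: wrapped keys, access policy and audit log, never content."""
    def __init__(self, cks: CustomerKeyServer):
        self.cks = cks
        self.records = {}

    def register(self, msg_id, data_key, sender, recipients, expires_at=None, allow_forward=True):
        self.records[msg_id] = {"wrapped": self.cks.wrap(msg_id, data_key), "sender": sender,
                                "recipients": set(recipients), "expires_at": expires_at,
                                "allow_forward": allow_forward, "revoked_by": None, "reads": []}

    def request_key(self, msg_id, requester, now=None):
        r = self.records[msg_id]
        now = time.time() if now is None else now
        if r["revoked_by"] is not None:
            return None, "revoked"
        if r["expires_at"] is not None and now >= r["expires_at"]:
            return None, "expired"
        if requester != r["sender"] and requester not in r["recipients"]:
            if not r["allow_forward"]:
                return None, "forwarding disabled"
            r["recipients"].add(requester)          # forwarded copy: record the new reader
        r["reads"].append((requester, now))         # read receipt / audit trail
        return self.cks.unwrap(msg_id, r["wrapped"]), "ok"

    def revoke(self, msg_id, actor):                # sender or administrator
        self.records[msg_id]["revoked_by"] = actor

    def read_receipts(self, msg_id):
        return [who for who, _ in self.records[msg_id]["reads"]]


class MailProvider:
    """Stores sealed envelopes only; holds no key material, so it cannot read them."""
    def __init__(self):
        self.store = {}

    def deliver(self, msg_id, envelope):
        self.store[msg_id] = envelope


def send_protected(ks, mail, sender, recipients, body, **policy):
    msg_id = secrets.token_hex(8)
    data_key = secrets.token_bytes(32)              # fresh per-message key, sealed on the client
    mail.deliver(msg_id, seal(data_key, body.encode()))
    ks.register(msg_id, data_key, sender, recipients, **policy)
    return msg_id


def read_protected(ks, mail, msg_id, reader, now=None):
    key, status = ks.request_key(msg_id, reader, now)
    if key is None:
        return None, status
    return unseal(key, mail.store[msg_id]).decode(), status
```

Two points the code makes concrete: revoking or expiring a message after delivery works because the envelope sitting in the provider’s mailbox is inert without the key, so no copy has to be recalled; and forwarding control is enforced where the key is released, not by trusting the recipient’s mail client, which is why it can work for recipients outside the sender’s platform.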

Summary

Azure RMS can be difficult for administrators to deploy, but it provides a seamless experience when sharing with recipients whose organizations also use Office 365 Message Encryption. It meets some Microsoft security use cases, but does not offer client-side encryption or control, and as a result, many privacy and regulatory requirements may not be covered. Since certain protected messages can only be read by other Microsoft customers, Azure RMS does not seem to satisfy Gartner’s ease of use and cross-platform accessibility expectations for enterprise-grade encryption.

Virtru’s integration directly into existing email platforms provides a user experience that mirrors Outlook and OWA. The combination of client-side encryption with customer-managed keys provides enhanced levels of privacy and control that enables organizations to protect data even when it leaves the Microsoft ecosystem. Since there is no third-party or provider access to unencrypted content, Virtru’s encryption meets most privacy and regulatory requirements.

For organizations that communicate primarily with other OME customers or want to rely on Microsoft’s native tools for advanced DLP actions and reporting, Azure RMS is a good fit.

For other Microsoft organizations evaluating encryption, we recommend Virtru for three reasons:

1. Message control capabilities allow customers to manage and control access to emails and files shared with non-Microsoft recipients.

2. On-demand Outlook and OWA encryption, combined with cross-platform authentication options and lack of recipient download requirements, provide excellent ease of use.

3. Client-side encryption prevents third parties from viewing customer content – a security requirement for many organizations with regulatory or privacy requirements.

About Skill Will

Skill Will is a nonprofit scientific research organization on a mission to use science, technology, and communication tools to simplify and secure data and information exchange. The company conducts research in the areas of national security, enterprise engineering, content management, and educational research. Skill Will partners with Robert Half Technology to make the results of our applied research available to government and commercial entities. Skill Will actively shares research findings and supports companies that are establishing cloud-based infrastructures, streamlining their operations to gain operational efficiencies.


About The Author

With more than 15 years of IT infrastructure experience, Yuri Sky is a member of both the Microsoft Research Panel and Microsoft Partner Network with Gold Collaboration, which is awarded to partners with an excellent track record in service delivery. He has been deploying Office 365 since the service was launched in 2011, and has also configured Azure RMS and other data protection solutions for large enterprises and government organizations.

Prior to joining Skill Will in 2012, Yuri worked as a Microsoft researcher and analyst on various U.S. government and commercial assignments. His technical certifications include Microsoft Certified IT Professional (MCITP), Certified Information Systems Security Professional (CISSP), and ISACA Certified in Risk and Information Systems Control (CRISC). Yuri earned his Master of Science from the University of Maryland, where he specialized in Database Systems and Security.