Microsoft 365 encryption capabilities for Australian Government compliance with PSPF

This article provides an overview of Microsoft 365 encryption capabilities relevant to Australian Government organizations. Its purpose is to help government organizations increase their data security maturity while adhering to the requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).

Encryption is an important part of your file protection and information protection strategy and is a requirement of the Protective Security Policy Framework (PSPF) Policy 8 Annex A.

Microsoft 365 services provide encryption for data at rest and in transit. For more information, see encryption and how it works in Microsoft 365.

Encryption capabilities inherent to the Microsoft 365 platform, such as BitLocker and TLS encryption, should be considered relevant to Australian Government encryption requirements. In addition to these innate capabilities, there are other optional encryption features that can be applied to items to ensure that only authorized users can gain access to them. Relevant to PSPF alignment are:

Encryption is straightforward to apply within an organization. Sharing encrypted items with external organizations requires extra consideration, which this guide covers, to ensure alignment within the context of Australian Government and PSPF requirements.

Australian government encryption requirements

Encryption, transmission, and access requirements are detailed in PSPF Policy 8 Annex A.

Encryption in general is relevant to transmission requirements, but some types of encryption are also relevant to access and need-to-know, for example Azure Rights Management. Azure Rights Management confirms a user's permission to an item at the time of access, so information that is exfiltrated or distributed inappropriately can't be opened by unauthorized persons. The following is an excerpt of the relevant PSPF requirements.

Classification: OFFICIAL¹
  • It's recommended that any information communicated over public network infrastructure is encrypted.
  • The need-to-know principle is recommended for OFFICIAL information.
  • There are no security clearance requirements for access to OFFICIAL information.

Classification: OFFICIAL: Sensitive
  • Encrypt OFFICIAL: Sensitive information transferred over public network infrastructure, or through unsecured spaces (including Zone 1 security areas), unless the residual security risk of not doing so has been recognized and accepted by the entity.
  • The need-to-know principle applies to all OFFICIAL: Sensitive information.
  • There are no security clearance requirements for access to OFFICIAL: Sensitive information.

Classification: PROTECTED
  • Encrypt PROTECTED information for any communication that isn't over a PROTECTED network (or a network of higher classification).
  • The need-to-know principle applies to all PROTECTED information.
  • Ongoing access to PROTECTED information requires a Baseline security clearance or higher.

Tip

¹ Optional Microsoft 365 encryption capabilities, like Azure Rights Management, affect both internal users and external users receiving items from your organization. When planning to use advanced tools such as Azure Rights Management, a staged approach is recommended, with optional encryption capabilities applied to higher sensitivity items initially. Organizations should consider internal and external user use cases when deciding how to follow the PSPF recommended approach of encrypting OFFICIAL information. This decision should be carefully risk-assessed, balancing the risk of content interception for relatively low sensitivity items against the organizational impact of items not being sent or being inaccessible to a recipient.

The following table describes each requirement category and the methods of achieving it.

Requirement category: Encryption during transmission
  • TLS encryption meets transmission requirements by encrypting files and emails during transmission, as well as interactions between client devices and Microsoft 365 services.
  • Sensitivity label encryption applies to both files and emails. Encrypted items remain encrypted during transmission, continuing to meet PSPF encryption requirements.
  • Microsoft Purview Message Encryption provides the rules that apply encryption to email and attachments during transmission.

Requirement category: Ensure need-to-know
  • Sensitivity label encryption ensures need-to-know by permitting only authenticated users who have been granted permissions to an item to open it.
  • Microsoft Purview Message Encryption ensures that only the specified recipients are able to open encrypted emails and their attachments.

Requirement category: Ensure security clearance
  • Sensitivity label encryption ensures that users have appropriate clearances by permitting only users who have been granted permissions to open encrypted items.

Australian Government encryption considerations

Within Australian Government, collaboration and information distribution requirements vary depending on the type of organization. Some organizations work largely in isolation, making encryption configuration straightforward. Others have requirements to continually share sensitive information with other organizations and need to plan accordingly.

Encrypted transmission requirements are met via PROTECTED networks. For email, use of label-based TLS configuration as discussed in Requiring TLS encryption for sensitive email transmission is beneficial. Alternatively, secure partner connectors can be configured, as discussed in set up connectors for secure mail flow with a partner organization in Exchange Online.

Encryption controls that apply during transmission don't protect individual items moved outside those channels, such as files copied to a USB drive. Government organizations implement other controls to mitigate such risks, which vary depending on the device. For example, disabling USB ports in the UEFI is straightforward on a Microsoft Surface laptop. Other options for non-Microsoft devices include physically disabling (gluing) USB ports, and device management software that enforces the use of encrypted USB drives. Label-based encryption offers an alternative to some of these controls, and in addition protects items from unauthorized access if they're ever exfiltrated.

To help navigate the options, this guide discusses encryption options in line with the following organization categories:

Organizations with simple information collaboration and distribution requirements

Organizations with straightforward requirements for sharing sensitive information, and organizations that need to meet only the most basic transmission and access requirements, benefit greatly from label-based encryption. These organizations:

  • Need to ensure that their encryption permissions cater for the guests or organizations that they're collaborating with or sending encrypted information to, and
  • Gain assurance that only those added to their encryption permissions can access encrypted items, helping to ensure that need-to-know principles are adhered to.

Tip

State government organizations are more likely to fall into this category as their information sharing scenarios are simpler than those of federal government.

Organizations with complex information collaboration and distribution requirements

Organizations with complex requirements typically include larger departments that share large volumes of information with other organizations. These types of organizations are likely to already have established processes for meeting encryption requirements, including access to protected networks for inter-department communication. These organizations:

  • Benefit from cloud-based Microsoft 365 label encryption, particularly in situations where items are exfiltrated as encryption ensures that only authorized users can access items regardless of where they reside.
  • Should consider a more open encryption configuration, including use of lists of government domains in their encryption permissions to ensure that users from other departments can access items sent to them.
  • Need to test that Microsoft 365 encryption doesn't interfere with existing controls, including any current use of connectors to route Exchange Online generated email back to on-premises services so that it can then be sent via protected networks.
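As an added example (not from the original article), the following PowerShell shows both patterns discussed above: a sensitivity label whose encryption permissions include a list of other government domains, and a mail flow rule that requires TLS for email carrying that label, as covered in the label-based TLS section. It assumes existing connections to Security & Compliance PowerShell (Connect-IPPSSession) and Exchange Online (Connect-ExchangeOnline); the label name and every domain are placeholders to replace with your own.

```powershell
# Added example, not from the original article. Label name and domains are placeholders.
$LabelName  = 'PROTECTED'                                        # placeholder label name
$OwnDomain  = 'yourdepartment.gov.au'                            # placeholder: your tenant's primary domain
$GovDomains = @('department-a.gov.au', 'department-b.gov.au')    # placeholder partner department domains

# Rights granted to partner departments: open, edit, print, reply and forward,
# but not change permissions or remove protection (OWNER is deliberately omitted).
$PartnerRights = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

# Rights definition format is "Identity:Rights;Identity:Rights". Your own domain keeps OWNER,
# partner domains get the restricted set. $($var) avoids PowerShell reading "$var:" as a scope.
$Rights = @("$($OwnDomain):OWNER") + ($GovDomains | ForEach-Object { "$($_):$PartnerRights" })
$RightsDefinitions = $Rights -join ';'

# 1. Create the label with encryption permissions that include the partner domains
#    (Security & Compliance PowerShell). Publish it afterwards with New-LabelPolicy.
New-Label -Name $LabelName -DisplayName $LabelName `
    -Tooltip 'PROTECTED information. Encrypted; accessible to listed government domains only.' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $RightsDefinitions `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# 2. Require TLS for outbound mail carrying this label (Exchange Online PowerShell).
#    Labelled mail carries an msip_labels header containing MSIP_Label_<labelGuid>_Enabled=true,
#    so the rule matches on the label GUID rather than on the display name.
$LabelGuid = (Get-Label -Identity $LabelName).Guid
New-TransportRule -Name "Require TLS for $LabelName email" `
    -HeaderMatchesMessageHeader 'msip_labels' `
    -HeaderMatchesPatterns "MSIP_Label_$($LabelGuid)_Enabled=true" `
    -RouteMessageOutboundRequireTls $true `
    -Comments 'PSPF Policy 8 Annex A: encrypted transmission over public networks'
```

Test the rule with a partner department before rollout: if the receiving mail system can't negotiate TLS, mail matching the rule is not delivered, which is the availability trade-off the Tip above asks you to risk-assess.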

Note

Azure Rights Management encryption isn't a hard requirement for the deployment of Microsoft Purview or for the protection of information in Microsoft 365 services. However, label-based encryption is considered one of the most effective methods of ensuring that data originating from or residing in Microsoft 365 environments is protected from unauthorized access, especially once it has left the organization.