Microsoft Exchange Hosted Encryption

On This Page How it Works Solution Overview Benefits Next Steps

Exchange Hosted Encryption is a convenient, easy-to-use e-mail encryption service that helps to safely deliver your confidential business communications.

Government and industry regulations, such as those posed by Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley, offer even more compelling reasons for corporations to increase the security of messages to help meet compliance requirements. However, existing solutions—such as server-to-server level encryption, public key infrastructure (PKI), and password-protected files—can be expensive and complicated to integrate and deploy for communication with parties outside of your organization. These solutions do not provide the flexibility, sophistication, or ease of use that corporate users need to deploy e-mail encryption for external communications.

Exchange Hosted Encryption is one of four distinct services in the Microsoft Exchange Hosted Services portfolio. The service enables users to send and receive encrypted e-mail directly from their desktops as easily as regular e-mail. Using a simple process, users can encrypt and deliver any business communication without complex hardware and software to purchase, configure, and maintain. Exchange Hosted Encryption is deployed over the Internet, which helps minimize up-front capital investment, free up IT resources to focus on value-producing initiatives, and mitigate messaging risks before they reach the corporate network.

Microsoft Exchange Hosted Encryption Flow Diagram

How it Works

In traditional encryption systems such as PKI, certificates bind public keys to identities. Users must pre-enroll in server systems to receive a certificate, which is signed by a certification authority, so that they can send and receive secure messages.

Exchange Hosted Encryption incorporates Identity-Based Encryption (IBE) technology in a managed service platform. Developed by Voltage Security, a Microsoft technology partner, IBE is a breakthrough in security and usability for message encryption. Exchange Hosted Encryption eliminates the need for certificates and uses a recipient’s e-mail address as the public key; IBE automatically binds the user’s identity to the public key and eliminates the need for certificates.

Top of page

Solution Overview

Transparent Encryption and E-Mail Delivery
When a user sends an e-mail message, it travels to the Microsoft global network through a Transport Layer Security (TLS)-encrypted tunnel, and is automatically encrypted at the gateway according to rules created and managed within the Microsoft Exchange Hosted Filtering module.

When a message is encrypted, a private key for the recipient is created and stored in a security-enhanced environment on the Microsoft network. The private key is made available to the message recipient when the recipient decrypts the message. The recipient does not have to pre-enroll to receive and decrypt the message. In fact, the recipient may have never received a prior e-mail from the sender.

The Microsoft encryption process is entirely transparent to the sender, who does not need to do anything other than write and send the message as usual.

Simple Authentication and Security-Enhanced, Web-based Decryption
Upon receiving a Microsoft Exchange encrypted message, the recipient completes an easy two-step authentication process through e-mail answerback to verify the recipient’s identity.

After completing the authentication process, the recipient decrypts and views the message using the Zero Download Messenger (ZDM). The ZDM is a clientless, browser-based method that enables a recipient to have confidence decrypting and reading a message and its attachments and then replying. Furthermore, the encrypted message remains in the recipient’s e-mail inbox for access at any time.

Top of page

Benefits

Top of page

Next Steps

Top of page