Keys Upon Keys Upon Keys
One of the interesting aspects of how Office 365 has developed over the past few years is the increasing use of SharePoint Online. Some of the use comes from organizations migrating on-premises SharePoint to the cloud, but the biggest factor driving SharePoint usage for many tenants is the growth in Teams.
If you’re an Office 365 administrator, apart from making sure that the tenant has enough SharePoint storage and knowing which sites consume it, you probably don’t think much about where that storage is or how it’s organized. SharePoint aficionados know that SQL Server is the underlying platform and that SharePoint organizes itself into server farms, but after that, knowledge soon runs out. This is typical of cloud systems: all you care about is the functionality delivered by an application; you don’t need to know its internal architecture.
Microsoft Documents SharePoint Storage
Microsoft’s online documentation for Office 365 is getting better and better. Among the recent jewels I found is a Microsoft article published on March 1 covering the encryption used to protect data held by Office 365 applications like Exchange Online and SharePoint Online. The discussion reveals many interesting facts about SharePoint storage, including:
- How Microsoft manages the encryption keys used to secure SharePoint Online and OneDrive for Business data.
- How SharePoint splits data up into chunks, each encrypted with its own unique AES 256-bit key.
- The chunks (files, pieces of files, and update deltas) are held in multiple Azure storage accounts where they are stored as encrypted blobs.
- How a SQL database tracks the chunks so that they can be reassembled and served to clients. The database also holds the keys needed to decrypt the chunks, and those keys are themselves stored in encrypted form, so the database on its own cannot decrypt anything.
- How recovering content depends on three separately held components (the encrypted blobs, the database that maps chunks to their encrypted keys, and the key that makes those keys usable), so that the data is useless if any one of them is missing. As the document says: “Without access to all three, it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt each chunk, or reconstruct a document from its constituent chunks.”
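To make the split concrete, here is a small Go model of the scheme the list above describes. It is an added illustration, not Microsoft’s code, and it assumes details the article does not state: AES-256-GCM is used both for the chunks and for wrapping the per-chunk keys, the chunk size is a deliberately tiny 16 bytes so that a short sample splits into several chunks, and three in-memory maps stand in for the three components (Blobs for the Azure blob store, Documents plus Keys for the SQL content database’s chunk map and wrapped keys, MasterKey for the key store). The Store type, field names and the sample document are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const chunkSize = 16 // deliberately tiny so a short sample splits into several chunks
// Store models the three separately held parts: Blobs (blob store), Documents and Keys (content database), MasterKey (key store).
type Store struct {
	Blobs     map[string][]byte   // blob ID -> nonce || ciphertext || GCM tag
	Documents map[string][]string // document ID -> ordered blob IDs (the chunk map)
	Keys      map[string][]byte   // blob ID -> per-chunk AES-256 key sealed under MasterKey
	MasterKey []byte              // 32 bytes, kept apart from everything above
}

func NewStore() *Store {
	return &Store{Blobs: map[string][]byte{}, Documents: map[string][]string{}, Keys: map[string][]byte{}, MasterKey: randomBytes(32)}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a bad key length gets here, and every key in this model is 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func unseal(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() { // also catches a missing blob or key (nil)
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil) // wrong key or tampering fails here
}

// Put splits data into chunks, encrypts each under its own fresh key, wraps that key under the master key and records the chunk map.
func (s *Store) Put(docID string, data []byte) {
	var ids []string
	for off := 0; off < len(data); off += chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		chunkKey := randomBytes(32) // unique AES-256 key per chunk
		id := fmt.Sprintf("%s/%d", docID, len(ids))
		s.Blobs[id] = seal(chunkKey, data[off:end])
		s.Keys[id] = seal(s.MasterKey, chunkKey)
		ids = append(ids, id)
	}
	s.Documents[docID] = ids
}

// Get reassembles a document; it fails if the chunk map, any blob or the master key is missing or wrong.
func (s *Store) Get(docID string) ([]byte, error) {
	ids, ok := s.Documents[docID]
	if !ok {
		return nil, fmt.Errorf("no chunk map for %s", docID)
	}
	var out []byte
	for _, id := range ids {
		chunkKey, err := unseal(s.MasterKey, s.Keys[id]) // needs key store + content database
		if err != nil {
			return nil, fmt.Errorf("cannot unwrap key for %s: %w", id, err)
		}
		plain, err := unseal(chunkKey, s.Blobs[id]) // needs the blob store
		if err != nil {
			return nil, fmt.Errorf("cannot decrypt %s: %w", id, err)
		}
		out = append(out, plain...)
	}
	return out, nil
}

func main() {
	s := NewStore()
	s.Put("doc1", []byte("Constructed sample document: quarterly numbers, not for external sharing."))
	fmt.Println(s.Get("doc1")) // full round trip
	s.MasterKey = randomBytes(32) // lose the key store: the blob store and chunk map alone are now useless
	fmt.Println(s.Get("doc1"))
}
```

The point to take from running it is in the second call to Get: the blobs and the chunk map are intact, yet without the key that unwraps the per-chunk keys nothing decrypts, and the same happens if a blob is deleted or altered (the GCM tag check fails) or if the chunk map is missing. A real deployment would keep the three stores on separate systems with separate access controls rather than in one process, which is what gives the separation its value.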
The page is full of interesting information that should go a long way to answering the questions security staff ask about how confidential information is protected at rest in the cloud. Keep in mind what the scheme covers: it protects stored content against anyone who gets hold of the blob storage, the database, or the key material in isolation, and it relies on keys that Microsoft manages. It does nothing to stop a user who has access to a document, or an attacker holding that user’s credentials or an over-shared link, from reading it. And remember, this scheme is for unprotected content. If you want a greater level of security, you can use Office 365 sensitivity labels to apply encryption to your most valuable documents; that protection travels with the document and is enforced when it is opened, not just where it is stored. It’s amazing what exists in Microsoft’s documentation, if only we had the time to read it all.
SharePoint Online and Office 365 Sensitivity Labels are covered in the Office 365 for IT Pros eBook. We don’t get down into the weeds of how SharePoint Online data is protected in Microsoft datacenters, but we do cover a lot of other valuable stuff.