
SharePoint Online Storage Protected by Keys Upon Keys Upon Keys
Updated 19 February 2023
One of the interesting aspects of how Microsoft 365 has developed over the past few years is the increasing use of SharePoint Online. Some of the use comes from organizations migrating on-premises SharePoint to the cloud, but the biggest factor driving SharePoint usage for many tenants is the growth in Teams. (In January 2023, Microsoft reported that Teams had 280 million monthly active users.)
If you’re a Microsoft 365 tenant administrator, apart from making sure that you have enough SharePoint storage and knowing which sites are using it, you probably don’t think too much about where that storage is and how it’s organized. SharePoint aficionados know that Azure SQL is the basic platform and that SharePoint organizes itself into server farms, but after that, knowledge soon runs out. This is typical of cloud systems: all you care about is the functionality delivered by an application; you don’t need to know its internal architecture or the details of how the application stores objects like documents and lists.
Microsoft Documents Protection for SharePoint Online Storage
Microsoft’s online documentation for Microsoft 365 is getting better and better. Among the jewels I found recently is a Microsoft article published on March 1, 2019, covering the encryption used to protect data used by Microsoft 365 applications like Exchange Online and SharePoint Online. Many interesting facts about SharePoint storage are revealed in the discussion, including:
- How Microsoft manages the encryption keys used to secure SharePoint Online and OneDrive for Business data.
- How SharePoint splits data up into chunks, each encrypted with its own unique AES 256-bit key.
- The chunks (files, pieces of files, and update deltas) are held in multiple Azure storage accounts where they are stored as encrypted blobs.
- How an SQL database tracks the different chunks of data so that they can be assembled and provided to clients. The database also holds the keys needed to decrypt the content.
- How three keys are used to access data, and that the data is useless unless all the keys are available. As the document says: “Without access to all three, it is impossible to retrieve the keys to the chunks, decrypt the keys to make them usable, associate the keys with their corresponding chunks, decrypt each chunk, or reconstruct a document from its constituent chunks.”
Microsoft’s description emphasizes the layered set of protections they use to safeguard customer information. Even if a hacker managed to penetrate a Microsoft 365 datacenter, they would face considerable challenges to figure out what data is present and how to access that data. This is why it’s important to protect against account compromise: the easiest way for a hacker to gain access to confidential customer data is to use compromised account credentials.
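To make the three-key dependency concrete, here is a small model of the scheme the article describes, written for this post as an illustration and not Microsoft's own code: a document is cut into chunks, each chunk is encrypted under its own random AES-256 key, the ciphertexts go to a blob store, and the chunk keys go to a content database only after being wrapped with a master key held elsewhere. The chunk size, the use of AES-GCM for wrapping, and the slice-based stores are assumptions made for readability.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
const chunkSize = 8 // tiny so the demo is readable (assumption; real chunk sizes differ)
// aesGCM seals data under a 32-byte key (fresh nonce prepended) or, when decrypt is true, opens it.
// A missing key or missing blob is reported as an error, never as garbage output.
func aesGCM(key, data []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	if decrypt {
		n := gcm.NonceSize(); if len(data) < n { return nil, fmt.Errorf("ciphertext missing or truncated") }
		return gcm.Open(nil, data[:n], data[n:], nil)
	}
	nonce := make([]byte, gcm.NonceSize()); rand.Read(nonce) // crypto/rand: error is never non-nil on supported platforms
	return gcm.Seal(nonce, nonce, data, nil), nil
}
// Store cuts doc into chunks, encrypts each under its own random AES-256 key, and returns the blob
// store (ciphertexts) and the content database (chunk keys in document order, wrapped with masterKey).
func Store(doc, masterKey []byte) ([][]byte, [][]byte, error) {
	var blobs, db [][]byte
	for i := 0; i < len(doc); i += chunkSize {
		chunk := doc[i:]
		if len(chunk) > chunkSize { chunk = chunk[:chunkSize] }
		chunkKey := make([]byte, 32); rand.Read(chunkKey) // one unique key per chunk
		ct, err := aesGCM(chunkKey, chunk, false)
		if err != nil { return nil, nil, err }
		wrapped, err := aesGCM(masterKey, chunkKey, false) // key store's master key wraps the chunk key
		if err != nil { return nil, nil, err }
		blobs, db = append(blobs, ct), append(db, wrapped)
	}
	return blobs, db, nil
}
// Retrieve reassembles the document; it fails unless blobs, database and master key are all present.
func Retrieve(blobs, db [][]byte, masterKey []byte) ([]byte, error) {
	if len(db) == 0 || len(db) != len(blobs) { return nil, fmt.Errorf("chunk map and blob store do not match") }
	var out []byte
	for i, wrapped := range db {
		chunkKey, err := aesGCM(masterKey, wrapped, true)
		if err != nil { return nil, fmt.Errorf("chunk %d: cannot unwrap key: %w", i, err) }
		pt, err := aesGCM(chunkKey, blobs[i], true)
		if err != nil { return nil, fmt.Errorf("chunk %d: cannot decrypt: %w", i, err) }
		out = append(out, pt...)
	}
	return out, nil
}
```

Take away any one of the three inputs (blob store, content database, or master key) and Retrieve returns an error rather than a document, which is the property the quoted passage describes.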
Sensitivity Labels Deliver More Protection
The page is full of interesting information that should assuage any doubts that security personnel have about sharing confidential information in the cloud. And remember, this scheme applies to all content in SharePoint Online storage. If you want to have an even greater level of security, you can use Microsoft Purview sensitivity labels to apply rights management-based encryption to protect your most valuable documents.
It’s amazing what exists in Microsoft’s documentation, if only we had the time to read it all. I guess that’s why books exist: to distil and explain the most important items tenant administrators need to understand about managing the Microsoft 365 applications.
SharePoint Online and Purview Sensitivity Labels are covered in the Office 365 for IT Pros eBook. We don’t get down into the weeds of how SharePoint Online storage is protected in Microsoft datacenters, but we do cover a lot of other valuable stuff.
“It’s amazing what exists in Microsoft’s documentation, if only we had the time to read it all.” Perfect fine line. If only.
Except that the number of bugs found when using Teams does not provide confidence in Microsoft security features.
It’s easy to boast about complex security algorithms; making them right without leaving any hole is much, much more difficult. And Microsoft does not have a good track record on reliability and security.
Your point is debatable. I’m not sure the evidence exists that Microsoft does not have a good track record on either point. What criteria and data are you using to prove the point?