Microsoft just beefed up security encryption for its Outlook.com Web mail and OneDrive cloud storage properties. The move appears to be a response to Google calling out Redmond, among other cloud computing providers, in June for not doing enough to protect the privacy of users.
Microsoft first announced plans to bolster security of customer data and reinforce legal protections in December. The company also pledged to increase the transparency in how it engages with international governments around the world. With that said, Matt Thomlinson, vice president of Trustworthy Computing Security at Microsoft, announced three milestones toward those commitments.
"First, Outlook.com is now further protected by Transport Layer Security, or TLS, encryption for both outbound and inbound e-mail," Thomlinson said. "This means that when you send an e-mail to someone, your e-mail is encrypted and thus better protected as it travels between Microsoft and other e-mail providers. Of course, this requires their e-mail service provider to also have TLS support."
Closing Back Doors
Over the past six months, Thomlinson said, Microsoft has been working with international providers, including Deutsche Telekom, Yandex and Mail.Ru to test that e-mail stays encrypted as it goes to and from various e-mail services.
"In addition to the availability of TLS, Outlook.com has also enabled Perfect Forward Secrecy (PFS) encryption support for sending and receiving mail between e-mail providers," Thomlinson said. "Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections."
OneDrive has also enabled PFS encryption support. That means OneDrive customers get automatic forward secrecy when accessing the cloud storage service through OneDrive.Live.com, the OneDrive application and sync clients.
Finally, Thomlinson shared how the company opened its first Microsoft Transparency Center on its Redmond, Washington, campus. As he describes it, the Transparency Centers will let participating governments review source code for key Microsoft products, assure themselves of their software integrity, and confirm there are no "back doors."
"As with most things relating to security, the landscape is ever-changing," Thomlinson said. "Our work is ongoing and we are continuing to advance on engineering and policy commitments with the goal of increasing protection for your data and increasing transparency in our processes."
A Good Move
We caught up with Wes Miller, an analyst at Directions on Microsoft, to get his thoughts on the beefed-up security. He told us Microsoft had this in the works for a while, though the company probably accelerated the new protection levels after Google called it out. The question is, does it matter as much as Google said it did?
"I think with consumers it matters to a degree. With businesses it matters more but the business subscriptions actually had pretty strong encryption for some time," Miller said.
"Anything that U.S. hosting providers can do to ease concerns for consumers or businesses that they are the only ones who have access to their documents is a good thing."