Teams End-to-End Encryption

First announced in early 2021, Microsoft has now started the public preview roll out of Teams E2EE (end-to-end encryption). Their blog post is insightful, but as someone not directly involved in the security aspects of Teams communication, you’d be forgiven for not understanding what the use cases or differences are in contrast to the encryption that Teams already applies to real-time voice and video traffic. Almost everyone has heard or read the mantra “Microsoft 365 data is encrypted at rest and in transit.” So if our Teams calls are already encrypted in transit, what does E2EE bring to the table?

The difference is less to do with the actual encryption of the data (both result in a secure media stream), but more with the management of the keys that are used to encrypt it. In laymen’s terms, a key is a random string that we use to scramble and unscramble data; if someone has scrambled data using a specific key then you’ll need the matching key to unscramble it. So when we talk about key management we’re considering how and where these keys are generated, who has access to them, and how easy they are to intrusively obtain. Key management is the difference between the two.

Deep-dive key negotiation and complexities aside, the sum of the parts is that traditional encrypted in transit Teams calls are encrypted using keys that are shared to Microsoft and any other authorised (or perhaps unauthorised) service. This is how Microsoft are able to provide many of the Teams features that would be otherwise impossible against an encrypted media stream that they can’t decrypt such as call recording, live captions, and transcription etc. But it’s also the reason why you might not wish to pass sensitive information over such a call; your trust in this encryption is only as good as your trust in the services that have the ability to decrypt it.

In contrast, E2EE uses encryption keys generated by the client endpoint certificates themselves. In a peer-to-peer call this means that there are only two parties with access to these keys; the sender and the recipient. Ultimately the call is encrypted on the sender's device and can only be decrypted on the recipient's device. Keys are not shared with any service or server, and the only way the data can be accessed by any other party (including Microsoft) is if the actual endpoint is compromised. Confidential information and details can be passed with much greater peace of mind in this manner. You may have seen news articles regarding several governments objecting to the use of E2EE by social media and messaging companies; these companies aren’t able to provide traceability of messages to government or law enforcement agencies because they simply don’t have access to the data. A debate for another day!

The use of E2EE communication within Teams will be limited. The reality is that most peoples day-to-day conversations are absent of any highly-sensitive information, but there’s now at least increased flexibility for those niche job roles and business areas where communicating confidential data such as passwords and bank details is a required activity. Organisations will need to consider where E2EE fits alongside their existing compliance policies and the impact that its availability might have on any compliance recording solutions and end-user functionality. There’s a greater consideration than you might first imagine beyond the idea of E2EE itself.

Details on how Microsoft is implementing this functionality within Teams, its limitations, and the end-user experience are contained within their recent E2EE blog post. It’ll be interesting to see the expansion of the capability across the Teams service and close the gap on Zooms own offerings in this space!

Contact us today to hear more about how we can help empower your employees to work smarter and faster, wherever they are.