News

Microsoft Supporting S/MIME Security for Exchange Server, Outlook and Office 365

• By Kurt Mackie
• 02/26/2014

Microsoft has implemented the S/MIME e-mail security standard across its hosted and server-based Exchange products, the company announced this month.

The Secure/Multipurpose Internet Mail Extensions standard, currently at version 3, has been used in past Microsoft e-mail solutions, including older Outlook client products and Exchange Server 5.5 on up, according to Microsoft's TechNet description of S/MIME. However, this month, Microsoft added it to Exchange Online as part of its Office 365 services, as well as to Exchange Server 2013 via this week's release of Service Pack 1.

In addition, Microsoft disclosed this week that Outlook Web App, its browser-based version of the Outlook e-mail client, will be getting support for S/MIME by "early April" this year. However, the use of S/MIME in the Outlook Web App is only supported using Microsoft's Internet Explorer 9 browser or later versions at present. In contrast to Outlook Web Apps, the Outlook desktop e-mail client already has S/MIME support via the use of Microsoft's Exchange ActiveSync protocol, according to Microsoft's announcement today.

S/MIME offers both digital signatures for e-mail traffic along with message encryption. The certificates and keys are controlled by the sending organization, which has to set up the S/MIME process. With S/MIME support now enabled across both Office 365 and Exchange Server 2013 SP1, it's now possible to organizations tapping hybrid e-mail infrastructures using Microsoft's hosted and server products to exchange S/MIME e-mails, Microsoft explained.

One key piece for IT pros managing hybrid e-mail scenarios is the use of Microsoft's DirSync protocol, which synchronizes local Active Directory log-on identities with the cloud-based Windows Azure Active Directory. However, for its Outlook Web App, Microsoft indicated that it is planning to introduce "a new OWA control that helps in creating and consuming S/MIME mails," according to the announcement, although the details weren't explained.

Microsoft also will be bringing PowerShell commands that IT pros can use to manage the behavior of S/MIME on Outlook Web Apps. The PowerShell scripts will work across both Exchange Online and Exchange Server 2013 SP1, according to Microsoft's announcement.

When S/MIME is implemented this spring for Microsoft's Outlook Web App, users also will have some control options. They will have the ability to encrypt messages or add digital signatures to them through a checkbox control. They also will be able to apply those actions to some messages or to all messages, according to Microsoft's explanation.

Microsoft's announcement took pains to distinguish the S/MIME e-mail protection scheme from the new Office 365 Message Encryption service, which Microsoft started offering last week. Microsoft's hasn't explained it in great detail, but the upshot seems to be that the Office 365 Message Encryption service adds more controls for IT pros.

"Office 365 Message Encryption is a policy-based encryption service that can be configured and enforced by an administrator to encrypt mail sent to anyone inside or outside of the organization," Microsoft's announcement explained.

Presumably, it's easier to set up and use Microsoft's Message Encryption service in comparison with S/MIME. Organizations using S/MIME have to set up a local Certificate Authority for on-premises users and use DirSync to connect the local Active Directory with Windows Azure Active Directory for hosted e-mail support, among other details.

In addition to Microsoft's approaches, encryption protections are offered by various providers, typically leveraging cloud services. A profile of five such vendors can be found in this Redmond article.