Data Encryption Methods

Data encryption can be divided into two scenarios: data transmission (data in transit) encryption and data storage (data at rest) encryption.

For data transmission encryption, IBM® Storage Protect for Cloud Microsoft 365 is deployed on the Microsoft Azure framework to make outbound Microsoft API calls and internal communications over HTTPS/TLS encrypted channels. Certificate-based authentication is used for internal communications.

For data storage encryption, IBM Storage Protect for Cloud Microsoft 365 encrypts all Microsoft 365 data obtained through Microsoft API calls with AES-256, using keys unique to each tenant (either default keys or BYOK). The encryption happens before the data is transmitted to storage.

When the encrypted data is transmitted to storage, the transport encryption depends on the protocols the target storage supports. For example, Microsoft Azure Blob Storage, Amazon S3, and SFTP apply their own transport encryption protocols, whereas FTP transfers data over an unencrypted channel. Although the transferred data is already encrypted with AES-256, as described above, the preferred approach is to choose a storage type other than FTP, one that supports an encrypted transport protocol.
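As an added illustration of the encrypt-before-transmit step with per-tenant keys (example code, not IBM Storage Protect for Cloud's own implementation), the following Go program seals an object with AES-256-GCM under the tenant's key before it would be handed to the storage transport. The key store, the HMAC-based derivation of default keys from a master secret, GCM mode and the binding of the tenant ID as associated data are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// tenantKey returns the tenant's registered BYOK key if present, otherwise a
// per-tenant default derived from a service master secret (constructed here).
func tenantKey(tenantID string, byok map[string][]byte, master []byte) []byte {
	if k, ok := byok[tenantID]; ok && len(k) == 32 {
		return k
	}
	h := hmac.New(sha256.New, master)
	h.Write([]byte(tenantID))
	return h.Sum(nil) // 32 bytes: an AES-256 key
}
func aeadFor(key []byte) (cipher.AEAD, error) { // AES-256-GCM from a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealForStorage encrypts an object before it is sent to the target storage,
// binding the tenant ID as associated data. Layout: nonce || ciphertext || tag.
func sealForStorage(key []byte, tenantID string, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}
// openFromStorage reverses sealForStorage; a wrong key, wrong tenant ID, or any
// byte altered in transit (e.g. over plain FTP) makes GCM reject the blob.
func openFromStorage(key []byte, tenantID string, blob []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("unusable key or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(tenantID))
}
```

Content encryption of this kind protects only the object bytes: a plaintext transport such as FTP still exposes the session credentials and object names, which is why an encrypted transport is preferred in addition.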