Exchange Online 如何保護您的電子郵件機密資料How Exchange Online secures your email secrets

本文說明 Microsoft 如何在其資料中心內保護您的電子郵件機密。This article describes how Microsoft secures your email secrets in its datacenters.

如何保護您所提供的機密資訊的安全性?How do we secure secret information provided by you?

除了提供office 365 的安全性、隱私權及合規性資訊的 Office 365 信任中心之外,您可能還想知道 Microsoft 如何協助保護您在其資料中心內提供的機密。In addition to the Office 365 Trust Center which provides Security, Privacy and Compliance Information for Office 365, you might want to know how Microsoft helps protects secrets you provide in its datacenters. 我們使用稱為「分散式金鑰管理員」(DKM)的技術。We use a technology called Distributed Key Manager (DKM).

分散式金鑰管理員」(DKM)是一種用戶端功能,使用一組機密金鑰來加密及解密資訊。Distributed Key Manager (DKM) is a client-side functionality that uses a set of secret keys to encrypt and decrypt information. 只有 Active Directory 網域服務中特定安全性群組的成員才能存取這些機碼,以便解密由 DKM 所加密的資料。Only members of a specific security group in Active Directory Domain Services can access those keys in order to decrypt the data that is encrypted by DKM. 在 Exchange Online 中,只有在執行 Exchange 程式的特定服務帳戶才屬於該安全性群組。In Exchange Online, only certain service accounts under which the Exchange processes run are part of that security group. 在資料中心的標準作業程式中,未被任何人提供此安全性群組的一部分認證,因此沒有人員可以存取可將這些機密解密的金鑰。As part of standard operating procedure in the datacenter, no human is given credentials that are part of this security group and therefore no human has access to the keys that can decrypt these secrets.

針對調試、疑難排解或審計目的,資料中心管理員必須要求提升存取權,才可取得屬於安全性群組一部分的臨時認證。For debugging, troubleshooting, or auditing purposes, a datacenter administrator must request elevated access to gain temporary credentials that are part of the security group. 此程式需要多個合法的法律核准層級。This process requires multiple levels of legal approval. 若授予存取權,就會記錄並審核所有活動。If access is granted, all activity is logged and audited. 此外,access 只會被授與已設定的時間間隔之後自動到期。In addition access is only granted for a set interval of time after which it automatically expires.

針對額外的保護,DKM 技術包含自動化金鑰翻轉和封存。For extra protection, DKM technology includes automated key rollover and archiving. 這也可確保您可以繼續存取較舊的內容,而不需要無限期地依賴相同的金鑰。This also ensures that you can continue to access your older content without having to rely on the same key indefinitely.

Exchange Online 利用 DKM 的位置如何?Where does Exchange Online make use of DKM?

Microsoft 使用 [分散式金鑰管理員],在 Exchange Online 資料中心內加密您的機密。Microsoft uses Distributed Key Manager to encrypt your secrets in Exchange Online datacenters. 例如:For example:

  • 已線上帳戶的電子郵件帳戶認證。Email account credentials for connected accounts. 連線的帳戶是協力廠商帳戶,例如 Hotmail、Gmail 和 Yahoo!Connected accounts are third-party accounts such as Hotmail, Gmail, and Yahoo! 郵件帳戶。mail accounts.

  • 客戶金鑰。Customer key. 如果您使用服務加密搭配客戶金鑰,您將使用Azure 金鑰 Vault來保護您的機密。If you are using Service encryption with Customer Key, you'll use Azure Key Vault to safeguard your secrets.

Office 365 中的加密Encryption in Office 365

有關加密的技術參考詳細資料Technical reference details about encryption

安全性&與合規性中心的服務保證Service assurance in the Security & Compliance Center