Azure’s Hold Your Own Key (HYOK) has been released in preview form

Dave W. Shanahan


Today, Microsoft released the preview of Azure Information Protection Hold Your Own Key (HYOK). HYOK is an information security feature designed for enterprise customers that must adhere to strict regulatory and compliance policies: Microsoft guards an organization’s most sensitive data while the organization retains full control over the encryption keys and the authorization process for its “highly-classified” company data.

Microsoft uses Azure Information Protection to secure a large chunk of sensitive data, taking advantage of features that are only available in the cloud with Azure. Azure provides document tracking, departmental templates, B2B (business-to-business) and B2C (business-to-consumer) email and document sharing, mobile device support, and Office 365 integration.

The Azure Information Protection HYOK feature is about enabling enterprise customers to secure their company data while they “hold the key.” By contrast, BYOK (Bring Your Own Key) hosts the RMS key in Azure Key Vault HSMs. HYOK allows enterprise customers to host the key on their own RMS server and use their own HSMs for key retention.

Here, Microsoft explains how a company would set up HYOK:

  1. You deploy Azure Information Protection in your organization as per usual guidance. In effect, the Azure Information Protection services (Azure RMS, Admin Information protection configuration in Azure) are always cloud hosted but they enable you to operate in a cloud-only, hybrid, or on-premises only (via the RMS connector) deployment.
  2. Azure RMS is where you define your Azure RMS protection policies for sensitive data.
  3. AD RMS is where you define your AD RMS protection policies, for ‘top-secret’ data.
  4. Your Azure Information Protection service is where you define all your classification labels. Most of them will be bound to an Azure RMS server but some can now be bound to an AD RMS server.

When an end user makes use of their classification user interface, they see labels not really knowing which RMS server is used… by design! They pick the label and you, as IT, set the policy that gets applied. That’s it! By way of example, in this label taxonomy, My Group could be bound to AD RMS and All Employees bound to Azure RMS. Your users need not care.

For more information on HYOK availability, requirements, and configuration, visit Microsoft’s Enterprise Mobility and Security Blog.