Instead, Microsoft will encrypt data every time it passes between the many small services that make up a sweeping online operation such as Windows Azure. In other words, it will encrypt information before it leaves individual servers inside the data center — whether that information is traveling to another data center or not. “You need a more distributed way of handling the problem: Every individual service — whenever it talks to another service — should encrypt that channel,” Russinovich explains. “Then the price for the encryption is paid for with the resources of the individual data centers.”
So, the thousands of servers inside the data center provide the processing power needed to encrypt — “you got all these servers sitting around and they’re not fully utilized anyway. Why not use their CPUs to do the encryption, rather than these monster routers?” — and encryption is spread across many different keys. Matthew Green, an assistant research professor at the Johns Hopkins Information Security Institute who has closely followed the NSA scandal, likes the argument, though he warns that there are still pitfalls.
“It’s a better way, but it’s a little more difficult,” he says. “It requires the right custom software — software that must be installed on every single machine — and it requires some extra computation, which is going to have some impact. Somehow, you have to soak up that burden.”
This is how Azure was operating before the NSA revelations — though it was using a weaker form of encryption. As detailed in a blog post from Microsoft general counsel Brad Smith, the company will now use encryption keys that span 2,048 bits and use “best-in-class industry cryptography.”
Like many other web giants, Microsoft will also encrypt data using what’s called “Perfect Forward Secrecy,” where keys are discarded after they’re used. This means that if attackers gain access to a key, they can’t use it to unlock data they’ve collected in the past. All this, Smith says in the post, will be in place on Microsoft’s most popular online services by the end of 2014, including Outlook.com, Office 365, SkyDrive, and Windows Azure.