026: Evaluate and implement special cryptographic needs (BYOK, DKE)
Overview
Implement special cryptographic methods offered by Microsoft if warranted by the sensitivity of the data. Double Key Encryption (DKE) ensures data can only be accessed by internal users with access to specific on-premises resources, at the expense of access through cloud services, including web apps, search and other functionality. Bring your own key (BYOK) lets you use a key that you provision and manage for content encrypted with sensitivity labels, instead of a default key generated by Microsoft.
Reference
- Double Key Encryption (DKE) https://learn.microsoft.com/en-us/purview/double-key-encryption
- Bring your own key (BYOK) details for Azure Information Protection https://learn.microsoft.com/en-us/azure/information-protection/byok-price-restrictions