Real life examples of policy based encryption?

shivajikobardan, Member, Posts: 9
edited March 1 in General Certification

This is what our college website (which is the only resource to learn this topic btw) says about Policy Based Encryption:

- Policy based encryption is the service that allows customers to set up filters based on the content of the messages.
- The customers are able to set criteria for acceptance of the messages.
- The messages get encrypted only if they meet the defined criteria.
- All the messages to external recipients are first routed to the special gateway.
- The gateway checks the compliance of all the messages to policy settings.
- Based on the defined conditions or policies, the messages are encrypted, sent to the receiver, discarded or returned to the sender.

I am not quite clear without figures and stuff like that. Can you tell me examples of it so that I can relate to it?


  • FluffyBunny (CISSP, OSCP, CEH, RHCE, GCCC, Pentest+, PSM-1, alphabet soup), Member, Posts: 209
    edited March 17
    It seems you're really banging out your exam questions here... So, I have literally entered "policy based message encryption" into Google and the first hit was this ->

    So, Office365 / Microsoft365 has an email service, which is a real-world application of this concept.

    Nice! It seems that, to use these policy-based encryption features, you need the E3 tier of O365 which is part of the MS Action Pack. That means MS partners get to play and test with those features. 
    CISSP, OSCP, CEH, GCCC, RHCSA, RHCE, Pentest+, Linux+, PSM-1, alphabet soup...

    2020: Renew RHCE (with EX407), CompTIA CTT+, Autopsy forensics, Applied Purple Teaming (BHIS) All done!
    2021: Modern Web-app pen-testing (BHIS), PDSO CDP, Docker DCA, PortSwigger Burp Suite class.
  • Mooseboost, Senior Member, Posts: 778
    There are plenty of real-world scenarios where policy-based encryption is applied. It happens all the time with email. Policy here applies to both the policy as a written and technological mechanism.


    - Emailing internal confidential information to third-party external vendors with a legitimate business need. Email is flagged for encryption based on: Recipient outside org has an attachment and/or contains DLP flagged context.

    - Internal and external controlled information (PII). HR sends an email to an employee containing confidential information. Email is flagged based on DLP flagged context.

    - Document is stored in a central repo. The document goes through a DLP analysis on upload, DLP is triggered and the permissions of the document reflect restricted access. The stored document is then encrypted on disk.

    It is not uncommon to find gaps. A perfect example is the encryption policy only covering externally sent emails or DLP only monitoring specific outbound channels.
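A worked example of the gateway flow the college text describes and the email scenarios in Mooseboost's reply, added here as editor-supplied code; it is not from the thread, from O365, or from any product. It models the decision step only: each outbound message is checked against an ordered rule list and ends up in one of the four outcomes from the college text (deliver, encrypt, return to sender, discard). The internal domain, the approved vendor and denylisted domains, the two DLP regexes and the sample messages are all constructed for the example. It also shows the gap Mooseboost mentions: under `EXTERNAL_ONLY_POLICY` the HR-to-employee message leaves in plaintext, and `FULL_POLICY` adds the rule that closes it.

```python
"""Toy policy-based encryption gateway (added example; all data constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Action(Enum):
    """The four outcomes the college text lists for a gateway decision."""
    DELIVER = "deliver"            # plaintext, no policy matched
    ENCRYPT = "encrypt"            # hand off to the encryption service
    RETURN_TO_SENDER = "return"    # bounce to sender with a policy notice
    DISCARD = "discard"            # drop the message


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


# Constructed organisation data, not real domains or partners.
INTERNAL_DOMAIN = "example.com"
APPROVED_VENDOR_DOMAINS = {"approved-vendor.example"}
DENYLISTED_DOMAINS = {"blocked.example"}

# Constructed DLP patterns. A real DLP engine uses richer classifiers
# (document fingerprints, dictionaries, ML), but the gateway logic is the same.
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential-marking": re.compile(r"\bconfidential\b", re.IGNORECASE),
}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr: str) -> bool:
    return domain_of(addr) != INTERNAL_DOMAIN


def dlp_hits(msg: Message) -> list[str]:
    """Names of the DLP patterns that match the subject or body."""
    text = f"{msg.subject}\n{msg.body}"
    return sorted(name for name, pat in DLP_PATTERNS.items() if pat.search(text))


@dataclass
class Rule:
    name: str
    matches: Callable[[Message, list[str]], bool]  # (message, dlp hits) -> bool
    action: Action


def any_external(msg: Message) -> bool:
    return any(is_external(r) for r in msg.recipients)


def any_unapproved_external(msg: Message) -> bool:
    return any(is_external(r) and domain_of(r) not in APPROVED_VENDOR_DOMAINS
               for r in msg.recipients)


# First matching rule wins, so list order encodes priority.
EXTERNAL_ONLY_POLICY = [
    Rule("discard-denylisted-domain",
         lambda m, hits: any(domain_of(r) in DENYLISTED_DOMAINS for r in m.recipients),
         Action.DISCARD),
    Rule("return-sensitive-to-unapproved-external",
         lambda m, hits: bool(hits) and any_unapproved_external(m),
         Action.RETURN_TO_SENDER),
    Rule("encrypt-external-with-attachment-or-dlp",
         lambda m, hits: any_external(m) and (bool(m.attachments) or bool(hits)),
         Action.ENCRYPT),
]

# The gap: every rule above keys on an external recipient, so HR mail to an
# employee is delivered in plaintext. FULL_POLICY adds a recipient-agnostic rule.
FULL_POLICY = EXTERNAL_ONLY_POLICY + [
    Rule("encrypt-any-dlp-hit", lambda m, hits: bool(hits), Action.ENCRYPT),
]


def evaluate(msg: Message, policy: list[Rule]) -> tuple[Action, str]:
    """Gateway decision: the first rule that matches decides; otherwise deliver."""
    hits = dlp_hits(msg)
    for rule in policy:
        if rule.matches(msg, hits):
            return rule.action, rule.name
    return Action.DELIVER, "default-deliver"


# Constructed sample traffic mirroring the scenarios in the thread.
SAMPLE_MESSAGES = {
    "vendor-contract": Message("alice@example.com", ["bob@approved-vendor.example"],
                               "Q3 contract", "Signed copy attached.", ["contract.pdf"]),
    "hr-to-employee": Message("hr@example.com", ["carol@example.com"],
                              "Benefits enrollment", "Your SSN on file is 123-45-6789."),
    "leak-to-webmail": Message("alice@example.com", ["dave@webmail.example"],
                               "FYI", "Confidential roadmap inside."),
    "internal-chat": Message("alice@example.com", ["erin@example.com"],
                             "Lunch", "Noon at the usual place?"),
    "denylisted-recipient": Message("alice@example.com", ["frank@blocked.example"],
                                    "Hello", "Ping."),
}


def run_gateway(policy: list[Rule] = FULL_POLICY) -> dict[str, str]:
    """Map each sample message name to the action the gateway would take."""
    return {name: evaluate(msg, policy)[0].value for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, action in run_gateway().items():
        print(f"{name:22s} -> {action}")
    print("hr-to-employee under external-only policy ->",
          run_gateway(EXTERNAL_ONLY_POLICY)["hr-to-employee"])
```

Running it lists each sample message with its outcome; the last line shows the HR message being delivered unencrypted under the external-only policy, which is exactly the coverage gap worth auditing for when a policy is written in terms of "outbound" only.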
