Control 1.15: Encryption: Data in Transit and at Rest
Control ID: 1.15
Pillar: Security
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, SEC 17a-4, PCI DSS 4.0
Last UI Verified: January 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-03
Objective
Ensure all data processed by Copilot Studio agents is protected with TLS 1.2+ encryption in transit and AES-256 encryption at rest, with customer-managed keys (CMK) for regulated environments and documented key rotation procedures.
Why This Matters for FSI
- GLBA 501(b): Safeguards customer NPI with TLS 1.2+ in transit, AES-256 at rest
- SOX 404: Customer-managed keys provide internal controls for financial record storage
- FINRA 4511: Encrypted storage with audit trail protects books and records
- SEC 17a-4: WORM storage with encryption meets non-rewritable requirements
- PCI DSS 4.0: Strong cryptography protects cardholder data transmission
Control Description
This control establishes encryption through:
- TLS 1.2+ Enforcement - Verify all agent communications use TLS 1.2 or higher with legacy TLS disabled
- Microsoft Service Encryption - Confirm default AES-256 encryption for Exchange, SharePoint, OneDrive, Teams
- Customer Key for Microsoft 365 - Configure customer-managed keys using Azure Key Vault for Zone 2/3 environments
- Power Platform CMK - Enable customer-managed encryption for Dataverse and Copilot Studio environments
- SharePoint Customer Key - Apply Data Encryption Policies to agent knowledge source sites
- Key Rotation Schedule - Establish rotation schedule: annual for Zone 1, semi-annual for Zone 2, quarterly for Zone 3
Key Configuration Points
- Verify TLS 1.2+ enforcement at network level (test with SSL Labs)
- Create two Azure Key Vaults in different regions for Customer Key redundancy
- Use Premium SKU with HSM backing for regulated environments
- Create Data Encryption Policy (DEP) and assign to agent data locations
- Configure CMK for Power Platform environments via admin center
- Enable soft delete and purge protection on Key Vaults
- Document key rotation procedures and test recovery process
- Configure Customer Key for Copilot interactions by assigning DEPs to the underlying workloads (Exchange Online, SharePoint Online, Teams); Copilot prompts and responses inherit encryption from these workload DEPs. Note: a dedicated Copilot-specific DEP assignment may not be available in all tenants, so verify the current DEP assignment options with Microsoft support for your tenant.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Microsoft-managed encryption; TLS 1.2; Microsoft-managed keys | Low risk, standard protection |
| Zone 2 (Team) | Customer-managed key (Azure Key Vault Standard); TLS 1.2+; annual rotation | Team data requires additional control |
| Zone 3 (Enterprise) | CMK with HSM backing; TLS 1.3 + mTLS; quarterly rotation; double encryption for MNPI | Customer-facing requires maximum protection |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Entra Security Admin | Configure Customer Key, manage Key Vault access |
| SharePoint Admin | Apply DEP to SharePoint sites |
| Power Platform Admin | Configure CMK for environments |
| Compliance Officer | Validate key rotation compliance, audit encryption status |
Related Controls
| Control | Relationship |
|---|---|
| 1.5 - DLP and Sensitivity Labels | Label-based encryption |
| 1.16 - IRM for Documents | Document-level protection |
| 1.7 - Audit Logging | Encryption audit events |
| 2.1 - Managed Environments | Environment encryption |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- SSL Labs test confirms TLS 1.2+ with no legacy TLS support
- Data Encryption Policy shows Active status in Microsoft Purview
- Key Vault diagnostic logs flow to SIEM with access logging
- Power Platform environment shows "Encryption key managed by customer"
- Key rotation completed within scheduled timeframe with documentation
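The Key Configuration Points and the Verification Criteria above can be checked against a live tenant with the following PowerShell function. It is an added example written for this page, not one of the control's own playbook scripts; it assumes the Az.KeyVault module and an already authenticated Az session, applies the rotation schedule given in the Control Description, and the vault name in the usage line is a placeholder.

```powershell
#Requires -Modules Az.KeyVault
# Added example, not part of the control's playbooks. Assumes Connect-AzAccount
# has already been run against the subscription that holds the vault.

function Test-CmkVaultCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [ValidateSet(1, 2, 3)] [int] $Zone,
        [datetime] $AsOf = (Get-Date)
    )

    # Rotation schedule from the Control Description: annual (Zone 1),
    # semi-annual (Zone 2), quarterly (Zone 3), as a maximum key-version age.
    $maxKeyAgeDays = @{ 1 = 365; 2 = 182; 3 = 91 }[$Zone]
    $findings = [System.Collections.Generic.List[string]]::new()

    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Key Vault '$VaultName' was not found in the current subscription." }

    # Key Configuration Points: soft delete, purge protection, Premium (HSM) SKU for Zone 3
    if (-not $vault.EnableSoftDelete)      { $findings.Add('Soft delete is not enabled.') }
    if (-not $vault.EnablePurgeProtection) { $findings.Add('Purge protection is not enabled.') }
    if ($Zone -eq 3 -and $vault.Sku -ne 'Premium') {
        $findings.Add("Zone 3 requires the Premium SKU (HSM backing); vault SKU is '$($vault.Sku)'.")
    }

    # Key rotation: the current version of every enabled key must be younger than the limit
    foreach ($item in Get-AzKeyVaultKey -VaultName $VaultName) {
        if (-not $item.Enabled) { continue }
        $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $item.Name   # current version
        $ageDays = [int]($AsOf - $key.Created).TotalDays
        if ($ageDays -gt $maxKeyAgeDays) {
            $findings.Add("Key '$($key.Name)' current version is $ageDays days old; Zone $Zone limit is $maxKeyAgeDays days.")
        }
        # Zone 3 keys must be HSM-protected (key type ends in -HSM, e.g. RSA-HSM)
        if ($Zone -eq 3 -and $key.Key.Kty -notmatch '-HSM$') {
            $findings.Add("Key '$($key.Name)' is '$($key.Key.Kty)', not an HSM-protected key.")
        }
    }

    [pscustomobject]@{
        VaultName = $VaultName
        Zone      = $Zone
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Usage (placeholder vault name); run once per vault and keep the output as evidence
Test-CmkVaultCompliance -VaultName 'kv-copilot-primary-PLACEHOLDER' -Zone 3 | Format-List
```

Run it against both redundant Key Vaults; a non-empty Findings array is the gap list to attach to the control's evidence record.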
Additional Resources
- Microsoft Learn: Service encryption overview
- Microsoft Learn: Customer Key for Microsoft 365
- Microsoft Learn: Power Platform encryption
- Microsoft Learn: Azure Key Vault overview
Updated: January 2026 | Version: v1.2 | UI Verification Status: Current