Wall Street & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:50 AM
Connect Directly

Encrypting Cloud Email Isn�t as Easy as You'd Think

Fund managers need to consider who holds the encryption keys for cloud-based email, or face potential legal risks.

One of the major stumbling blocks of moving email into the cloud is the perceived data security problem. While there are many benefits to using cloud-based systems, the downside is that data security and privacy is always a top concern for financial firms.

Sandton Capital, a New York-based private equity firm focused on alternative credit opportunities, decided not to host email on its own premises. Instead, it chose to use Gmail, hosted by Google. As the investment firm grew, and it looked at the kind of data it was emailing, it began to focus on the safety and security of this information. With so much of its confidential data related to investors and lenders via email, Sandton turned to cloud-based encryption to protect its data.

“We looked at Gmail for a number of ways to encrypt it, and none of them were very seamless,” says Rael Nurick, managing partner at Sandton Capital, which manages a $750 million investment fund. While Google offered email encryption, the process required the recipient to register on a different website to decrypt and open the email. In addition, Sandton used Google Apps and found it wasn’t that good at seamlessly syncing with other devices.

While hackers and cyber security data breaches are always a concern, this was not the reason that Sandton was concerned about protecting its email. With $750 million under management, there are several hundred positions in its portfolio. “We send emails about those positions, and there’s information on investors, too,” Nurick tells us.

[Do you aspire to the C-suite, or some other spot in upper IT management? Then bulk up your credentials around today's most pressing IT movement, digital business, at the InformationWeek IT Leadership Summit.]

Nurick says that, although security from hackers is important, the firm was even more concerned about outside parties accessing Sandton’s emails through a subpoena or legal proceeding. Often, when an email hosting provider is issued a subpoena, it complies immediately and turns over the required emails immediately. Without any oversight by Sandton, he felt, the actions by an email hosting service could add vulnerabilities.

Since Sandton’s specialty is purchasing under-performing bank loans and providing rescue finance to troubled companies, it does get into litigation occasionally. The private equity firm had two different sets of data it needed to protect:

  • Investor information (bank account and personal info)
  • Borrower information (loans to businesses)

Most importantly, Sandton needs “to make sure that no outside party, even if they get hold of the data, can read the information,” Nurick says.

Different flavors of cloud encryption
Nurick feared that he would lose control of his data to third-party hosting companies if they were to receive a court order to turn over confidential email. “Big hosting companies like Microsoft and Google have no incentive to do anything but give away all of your emails.”

In light of these factors, Sandton was motivated to investigate other options.

To control its data, Sandton wanted to find an encryption provider that worked with a cloud-hosting agent and could still allow it to hold the encryption and decryption key.

In June, Sandton moved its email over to the cloud-based Office 365 hosted by Microsoft, while simultaneously deploying Vaultive’s cloud-based encryption technology. The investment firm uses Rackspace to host that encryption feature. “Our email gets fed through another server that does the encryption. It goes to Microsoft encrypted, and it comes out of Microsoft encrypted. It’s a seamless process,” says Nurick.

However, recent legal cases show that cloud-based service providers cannot fully protect their customers when the government bangs on the door.

Next page: A legal gray area

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ... View Full Bio

1 of 2
Register for Wall Street & Technology Newsletters