Wall Street & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:50 AM
Connect Directly

Encrypting Cloud Email Isn�t as Easy as You'd Think

Fund managers need to consider who holds the encryption keys for cloud-based email, or face potential legal risks.

A legal gray area
Earlier this year, Microsoft fought a US warrant ordering it to turn over customer emails stored in the company’s datacenter in Dublin, Ireland. On July 31, after a trial, Microsoft was ordered to produce the emails. The search warrant was related to a criminal investigation whose details remain secret, according to The New York Times.

Lawyers for Microsoft argued that the court needed to obtain the emails through a foreign treaty with Ireland. But a judge in Manhattan district court said the location was irrelevant because Microsoft controlled the emails from the US.

Even though Microsoft fought the US government, the case raises important issues about who controls the data once it leaves a company’s firewalls.

Ayelet Wiedermann wrote on the Vaultive blog:

However, the core issue considered in this trial is not security and privacy of data but that of control and ownership. Regardless of Microsoft’s security and their best intentions with respect to privacy, as long as Microsoft retains access to customer data, when the government comes knocking – whether the data is stored in the U.S. or anywhere else in the world, Microsoft is forced to hand over the customer data... the fact that Microsoft provides a cloud service that hosts and processes customer data, means according to U.S. district court that Microsoft owns and controls the customer data.

In a second case, Lavabit, an email service that was used by National Security Agency whistleblower Edward Snowden, was forced to comply with a court order to provide the encryption key that protected his email. Lavabit founder Lavar Levison told The Guardian that the government forced him to provide SSL encryption keys to his secure emailing service as part of its investigation into Snowden, leading him to shutter his business because he and his users rely on secure messaging capabilities.

Who has the keys?
The solution to this legal dilemma is to use an encryption service where the customer holds the key, says Matt Little, VP of product development at PKware in Milwaukee. “Email is not secure, because there is a copy in your own inbox and the copy in someone else’s sent box. Just protecting your own copy is just part of it.”

He works with major financial services customers and understands the security and encryption challenges that hedge funds face when migrating to the cloud. “You want to look for security management solutions that allow you to manage the key. A lot of cloud providers advertise your data is encrypted, but they are controlling the encryption keys,” he says. “It’s up to their discretion as to how they are controlling it.” Looking for a solution that allows you to manage your own keys gives you ultimate control of the data. “Email is the dominant program on the Internet and is still very insecure.”

Both Microsoft and Google are working on solutions for their email products. Gmail is working on a solution that will allow someone to use PGP, an open-source crypto-program. PKware supports PGP, according to Little. Microsoft will also allow companies to control their own encryption, he tells us.  

However, there are  many encryption companies that continue to maintain the keys. “What you want to look for is solutions that allow you to generate your own keys on your device and then apply them on your technology,” says Little, noting that his firm has this capability.

Some email hosting services provide "gateway solutions" that are not ideal from a user experience perspective, he says. For instance, Microsoft has an encryption service but it requires the receiver to log onto another website before he can decrypt the email, notes Nurick. “This would have been devastating to communications” and productivity of both Sandton and its clients.

The real challenge comes down to usable encryption, according to Little. “At some point, a user has to consume data that has been encrypted in a database or application. It has to be decrypted and presented to them.”

That’s where the third-party encryption vendors differentiate themselves, he contends. Once it’s decrypted the data is vulnerable to a number of attacks. “Personnel and administrators have access to the data, so don’t give anyone the keys to the kingdom.”

In its blog, Vaultive said it provides the only encryption gateway where the customer data, including the email subject, body, attachments, calendar items, and tasks, is encrypted prior to sending to Microsoft, while the customer secures the key.

By using Vaultive, Sandton has an additional layer of protection. A judge can go to Microsoft and ask it to turnover emails, but Sandton is protected because it has the key for its own encryption. “For me, even if a judge tells Microsoft to hand it over, they can’t do it; they don’t have the key. That’s a critical piece,” says Nurick. “Now we’re comfortable it’s protected.”

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ... View Full Bio

2 of 2
Register for Wall Street & Technology Newsletters