It wasn't the first time that Rob Jeffords, chief compliance officer with Massachusetts securities broker/dealer Detwiler, Mitchell, Fenton & Graves, had been on the phone with his email archiving service provider. He wasn't aware that it was about to be his last.
"If I wanted to do a search [through archived email], it would take anywhere from a full minute up to 10 or 20 minutes, even a half hour," Jeffords recalls. "We were on a teleconference with the [email service provider] company president going over the problem. We gave him a search, and he told us he'd found the message. He started reading our email over the phone."
Jeffords, outraged, asked the exec how he was able to read his firm's mail. " 'I have to,' the president said. 'How do you think we can archive and search it?' "
Jeffords got rid of the provider, which he won't name, on short notice, and after another disappointing encounter, found Fortiva late in 2006. Now he can do fast Boolean searches on archived email -- and he knows that no one else can read his firm's messages. Part of the setup with Fortiva is software that encrypts email at the customer site, before it is archived by Fortiva. The customer alone holds the encryption key; no one else can read the email.
The growing popularity of managed email services is forcing IT pros like Jeffords into a bind. (See Email Gets More Outsourced Options.) On the one hand, they want and need the extra help. But in doing so, they risk opening a security loophole.
"I didn't know they could read our email," Jeffords says of his old provider. "We've put so many things in place to ensure security and to keep prying eyes out... yet it breaks down when it goes to [outside providers]."
Thankfully, the growing roster of email service providers is well aware of concerns like Jeffords'. "It would be absolutely unacceptable for us to have access to any of our customers' email," says Paul D'Arcy, VP of marketing at MessageOne. His company's service uses a technique similar to Fortiva's: Email is encrypted behind the client's firewall. It then travels an SSL channel to the vendor's facility. Only the customer holds the unique key to unlock the actual message text.
D'Arcy says MessageOne's facilities are certified by the American Institute of Certified Public Accountants to be compliant with SAS 70 (Statement on Auditing Standard 70), a set of standards for service outsourcers dealing with financial services companies. Among the conditions for certification are personal background checks on any of the outsourcer's data center personnel.
Another managed email service provider, Postini, says it is also SAS 70 compatible. But VP of solutions Sundar Raghavan says that's a moot point, because Postini has patented a technique called "real time processing," whereby email is sent through Postini's computers in memory, without any copy being made. The computer can screen email content without any human intervention. If a message is flagged according to a company policy -- if a firm wants any outgoing attachments to be read by a specific individual, for example -- the message will show up in that individual's inbox, unread.
"Real-time processing ensures that of the 300 million to 400 million messages flowing through our system per day, none can or will be read by any human being," Raghavan asserts.
Other service providers have their own precautions in place. "Zantaz customers can send encrypted data to their Digital Safe (our outsourced archive solution)," writes Zantaz spokeswoman Tara Herberth in an email to Byte and Switch. "In addition, all of our client data is managed in a certified SAS 70 environment that meets the highest level of security and control as mandated by government and industry regulations such as SEC, NASD, and the USA Patriot Act."
Another provider offered this: "The archiving encryption technology used in the archiving service allows you to retain exclusive access to your data while outsourcing the archiving of your email. With this technology, MessageLabs guarantees security and privacy while still providing full search and discovery capabilities. Email is encrypted before it leaves your network and is stored permanently in its encrypted form. Once email is archived, data retrieval requires access to both the encryption key and the secure archive," writes David Hahn, director of product management at MessageLabs, in an email.
The service provider also claims video surveillance and full-time, around-the-clock security guards.
Other managed email providers contacted for this article, including Iron Mountain and Microsoft, were unable to respond at press time. We will add their information as it becomes available. One thing is clear, though: Customers are looking for reassurance about managed email confidentiality, and most of the leading providers can oblige.
Mary Jander, Site Editor, Byte and Switch