How managed PKI safeguards email communication at financial services leader Finance In Motion

If you’re a major impact asset manager and you’ve stopped feeling encryption was enough… what do you turn to in its place?

Posted 8 June 2020 by Gary Flood

One of the world’s leading impact asset managers, Luxembourg-headquartered Finance In Motion develops and advises impact investment funds that focus on small business development, energy and resource efficiency, conservation of biodiversity, and climate action.

Working to harness the power of finance to make a positive difference for people and the planet, it responsibly invests public and private capital where it is needed to address the world’s social and environmental challenges. Since being set up in 2009, it has relied on email to communicate effectively across the more than 30 countries in which it operates.

The problem: concerns were starting to be raised about whether email was still a secure enough channel for this. Given the financial and personal nature of the communications between its employees and clients, the company absolutely needs to ensure the privacy and security of all parties involved.

From three weeks to a couple of minutes

In order to implement solid business best practices and stay ahead of the curve in safeguarding clients’ and investors’ sensitive information, the company’s leaders decided a next step was needed: the ability to digitally sign and encrypt all internal and external client communications. Any such solution had to meet some very specific requirements of the 230-strong company. A seamless implementation was a top priority, and a mobile-friendly solution to meet the needs of its connected workforce was another key project goal. Probably the stiffest test, though, was that whatever new way of working was identified would have to meet the demanding standards of Germany’s Federal Financial Supervisory Authority, also known as BaFin.

The good news is that all of these KPIs have been met through the implementation of the S/MIME email service and integration from Qualified Trust Service Provider (QTSP) GlobalSign, delivered via its Managed PKI (Public Key Infrastructure) platform, which makes it easy for enterprises to issue, deploy, and manage multi-functional certificates from one central location.

As a result, working with IT security provider KeyTalk, a new secure communications structure is now in place at the firm. It ensures that Finance in Motion employees are all able to easily and securely send encrypted internal and external email, and from any device, as mandated. In practice, a Finance in Motion employee can now invite an external user who does not have an S/MIME certificate to quickly create one, so the two can have a fully encrypted email conversation within minutes. Previously, this scenario would take up to three weeks.

Ability to encrypt communications between employees and external contacts

In technical terms, users have been given a personal S/MIME certificate and secure access to an email client app developed by KeyTalk for Windows, OS X, Android, and iOS. The app handles the request, installation, and configuration of the S/MIME certificate for the user’s mail program (e.g. Microsoft Outlook). On the backend, the supplier partners have helped the customer’s IT team configure a new Lightweight Directory Access Protocol (LDAP) directory service in which every user of the secure email service is registered and where the public keys for these users are stored.

Another key part of the solution is KeyTalk’s certificate and key management system, designed to securely manage the cryptographic key pairs used to encrypt and decrypt email messages and to enroll and manage the certificates at the various endpoints (workstations, laptops, tablets, and smartphones). That matters, as one of Finance in Motion’s specific business targets was the ability to encrypt communications between employees and external contacts. This was achieved by allowing users to request a GlobalSign PS1 S/MIME certificate with one-year validity for the external contact in question; an automated email to both the requester and the recipient of the PS1 certificate is then generated, at which point the encrypted correspondence between the two contacts can start.
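Both mechanisms described above, recipient public keys held in a directory and one-year certificates issued for external contacts, rely on the sending side checking that the certificate it retrieves is actually fit for encrypting mail to that address. The following Go program is an added example written for this article; it is not code from GlobalSign, KeyTalk or Finance in Motion. It issues a constructed self-signed certificate standing in for a PKI-issued S/MIME certificate (the address partner@example.org, the issue date, the one-year validity and all function names are assumptions) and then applies the checks a mail client or gateway should run before encrypting: validity window, rfc822Name SAN match, the id-kp-emailProtection extended key usage, and a key usage compatible with the key type. Chain building to the issuing CA and revocation checking are deliberately left out because the sample is self-signed; a production check would additionally call cert.Verify against the trust store and consult CRL/OCSP.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issueSMIMECert builds a self-signed certificate that stands in for the
// one-year S/MIME certificate a managed PKI would issue for an address.
// Constructed sample for this example only, not a GlobalSign or KeyTalk artefact.
// emailProtection=false yields a certificate carrying only a TLS server EKU,
// so the checker's rejection path can be exercised.
func issueSMIMECert(email string, notBefore time.Time, validity time.Duration, emailProtection bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, // encoded as an rfc822Name in the SAN extension
		NotBefore:      notBefore,
		NotAfter:       notBefore.Add(validity),
		// digitalSignature for signing mail, keyEncipherment for RSA key transport in CMS
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if emailProtection {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckEncryptionCert reports whether cert may be used to encrypt mail to
// recipient at time now. It does not build the chain to the issuing CA or
// check revocation; a production check would add cert.Verify and CRL/OCSP.
func CheckEncryptionCert(cert *x509.Certificate, recipient string, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.UTC().Format(time.RFC3339),
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	// The address must appear as an rfc822Name SAN; the subject CN is not
	// authoritative. Compared case-insensitively, as mail clients treat it.
	matched := false
	for _, addr := range cert.EmailAddresses {
		if strings.EqualFold(addr, recipient) {
			matched = true
			break
		}
	}
	if !matched {
		return fmt.Errorf("certificate is not issued for %s (SAN emails: %v)", recipient, cert.EmailAddresses)
	}
	// Extended key usage must permit email protection (RFC 5280 id-kp-emailProtection).
	ekuOK := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection || eku == x509.ExtKeyUsageAny {
			ekuOK = true
			break
		}
	}
	if !ekuOK {
		return errors.New("certificate lacks the id-kp-emailProtection extended key usage")
	}
	// Key usage must allow the operation S/MIME encryption relies on for this key type.
	switch cert.PublicKeyAlgorithm {
	case x509.RSA:
		if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
			return errors.New("RSA certificate lacks keyEncipherment key usage")
		}
	case x509.ECDSA:
		if cert.KeyUsage&x509.KeyUsageKeyAgreement == 0 {
			return errors.New("EC certificate lacks keyAgreement key usage")
		}
	default:
		return fmt.Errorf("unsupported public key algorithm %s", cert.PublicKeyAlgorithm)
	}
	return nil
}

// NeedsRenewal flags a certificate whose remaining lifetime is shorter than
// window, so a one-year certificate can be reissued before the external
// contact loses the ability to receive encrypted mail.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return cert.NotAfter.Sub(now) < window
}

func main() {
	issued := time.Date(2020, 6, 8, 0, 0, 0, 0, time.UTC) // constructed issue date
	cert, err := issueSMIMECert("partner@example.org", issued, 365*24*time.Hour, true)
	if err != nil {
		panic(err)
	}
	now := issued.Add(24 * time.Hour)
	fmt.Println("encrypt to partner@example.org:", CheckEncryptionCert(cert, "partner@example.org", now))
	fmt.Println("encrypt to other@example.org:", CheckEncryptionCert(cert, "other@example.org", now))
	fmt.Println("renewal due at day 340:", NeedsRenewal(cert, issued.Add(340*24*time.Hour), 30*24*time.Hour))
}
```

The EKU and key-usage checks are what distinguish a certificate that merely contains the right address from one the issuing CA actually intended for mail; a directory lookup by address alone does not give that assurance, which is why the check belongs at the point of encryption rather than only at enrollment.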

It all sounds very complex, but the system was introduced with no disruption to users, confirms Finance in Motion’s Head of IT, Matteo Snidero, and the changeover took just two weeks instead of the anticipated three months. Even better, “There is virtually no change in the end-user experience, although we did send some internal communication explaining the scope and importance of the implementation,” he states.

“For them, there is the addition of a small symbol added to their Outlook emails; that’s it. But the power of the security happening behind the scenes is huge.”

No wonder, then, that he’s happy to add: “I would wholeheartedly recommend GlobalSign as a solution for other organisations who have the same type of security needs for their internal and external communications.”

GlobalSign is the leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud service providers and IoT innovators around the world to secure online communications, manage millions of verified digital identities and automate authentication and encryption. Its high-scale Public Key Infrastructure (PKI) and identity solutions support the billions of services, devices, people and things comprising the Internet of Everything (IoE). Its digital signatures help meet the requirements of many national and industry-specific regulations regarding the legal acceptance of electronic signatures in place of wet ink signatures, including but not limited to:

  • eIDAS (advanced & qualified e-signatures, eSeals)
  • UN Model Electronic Signature Law
  • Sarbanes-Oxley (SOX)