Microsoft's Live@edu email not encrypted on cloud servers

Thousands of universities, and millions of people, are turning to Microsoft Live@edu for cloud applications. But Live@edu "enhanced privacy and security features" do not include encrypting email on servers.

Current Job Listings

Microsoft promises that its free Live@edu e-mail and collaboration tool is better than the rest because it still meets a university’s security and “privacy” needs. But it appears to be missing one critical step in doing so -- encrypting data stored on servers.

By going with a free, cloud-based offering from Microsoft, schools and states can supply email and other information-sharing tools while keeping down IT-related costs. That’s good, but it also means trusting your data to the vendor and the promises it makes about securing it.

“Universities require security-enhanced, world-class cloud services, but today’s budget constraints present an extraordinary challenge. Live@edu combines Microsoft’s exceptional products that incorporate the company’s deep investments in cloud computing to provide the enhanced privacy and security features that institutions require," stated Microsoft's general manager for U.S. Public Sector Education, Sig Behrens.

Many universities can't beat the low, low price of free and slashed IT infrastructure costs by moving to Microsoft’s cloud services and Live@edu. In fact, more than 11 million people in more than 10,000 schools worldwide are depending on Microsoft’s cloud services and Live@edu.  Microsoft said that its Live@edu cloud application advantages include Office Web Apps and Windows Live SkyDrive for sharing information and working together with teams of people and Microsoft Exchange Server 2010 and Outlook Live for e-mail, calendar sharing and managing tasks and contacts.

When you send email through the Windows Live ID authentication process, people see the padlock in their browser and feel secure in using the HTTPS 128-bit SSL-enabled connection. Yet people might feel slightly less confident about Live@edu's cloud computing "enhanced privacy and security features" if they knew that once their data is received on the other side, encryption stops. Their stored online communication isn't encrypted on cloud servers.

Take for example this quote from Dr. Loey Knapp, associate chief information officer, University of Montana. “With Live@edu, we are confident our students’ data is fully protected. We know and can control who has access to the data, and we have assurances that the data won’t be mined.”

At the European Identity Award, in the category “Best Project B2C”, the University of Washington was honored for its identity federation solution in research and education which was developed together with Microsoft and is intended to form part of their “Live@Edu” initiative. To me, that makes Live@edu sound both fairly secure and as if it honors privacy. However, according to Microsoft's "Securing the Cloud" documentation, high impact data "is subject to encryption requirements for storage and for internal system network transfers as well." But students' data is regarded as a low category of data assets.

ZDnet's Zack Whittaker contacted a Microsoft director, who confirmed after many stages of negotiating dialogue:

The connection for mail is via SSL and the password is encrypted on the server. The data on the server is not encrypted. It is perhaps worth noting that access to the server doesn’t equal access to the mail file, as the data is stored in a database which requires specific client software to access it.

I, too, contacted Microsoft and asked point blank if Microsoft encrypts data stored on servers for Live@edu users. Microsoft avoided an answer, instead giving me a standard non answer quote linked to Microsoft's privacy guideline document, which said that encryption should be reserved for data considered important, like credit card numbers. So I’ll take that answer as a no.

The thing about reliable cloud services that are housed in the United States, such as Microsoft Live@edu, is that the data is housed where the Patriot Act has jurisdiction. As Whittaker stated, "While students studying in the United States can be provided student email through Outlook Live and similar competing service, a Patriot Act request would be made all the more easy in that the federal authorities have been given the cloud-stored, unencrypted email data handed to them on a plate.”

Live@edu may have many benefits, but unless you personally encrypt your data, your e-mail is like a giant digital blackboard...you can get to your information easily enough, but if anyone else accesses it, they too can read it. Unless you are a government entity or someone else whose data is considered highly sensitive, then cloud computing is still fraught with security and privacy issues.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.