
Amazon Starts Email Service for Companies - cryptoz
http://www.forbes.com/sites/benkepes/2015/01/28/amazon-changes-the-game-again-aws-introduces-workmail
======
ecaron
After trying for 3 weeks to make AWS WorkSpaces work for my company, I can
still confidently say that Amazon doesn't get it. Their solutions are more "Go
to Home Depot and get the parts to make a desk", whereas Google Apps is "go to
Ikea". The two solutions are neighbors, but not everyone is ready to buy the
individual boards and cut them down to size.

~~~
npinguy
Your comparison is bang on, except that's the point. Amazon isn't trying to be
Ikea. It is absolutely trying to provide the building blocks for small
companies and large to use their cloud platform in a very foundational manner.
Yes, the onboarding cost may be high, but Amazon doesn't mind if customers end
up using Heroku or EngineYard instead - they are customers too.

AWS is a lot like Linux that way: Deeply challenging initial learning curve,
but the only thing worth considering for serious mission critical
architecture. Stability and scalability do come at the cost of
user-friendliness.

~~~
cheriot
Are you saying there's a security and scalability to Amazon over Google Apps?
People still make that argument about in house vs hosted, but hosted vs hosted
of two major providers is new to me.

~~~
mukundmr
I don't know about security and scalability, but from what I read, it seems
that Amazon gives you fine grain control and AD integration which is nice.
Also, customer support is one area where AWS is better than Google in my
opinion. YMMV.

~~~
busterarm
Amazon's customer service basically exists where Google's doesn't.

People often don't realize what a chasm of difference that is.

It doesn't help Google any that Amazon's customer service is _great_.

------
nullrouted
Everyone is talking KMS which is nice but I don't think that is the biggest
selling point. Being able to say in which region your email is stored is huge
for customers who don't want their data shipped all over the world.

[http://arstechnica.com/information-technology/2015/01/amazon...](http://arstechnica.com/information-technology/2015/01/amazon-goes-after-office365-with-workmail-hosted-e-mail-service/)

"Another notable feature of WorkMail is that users can specify what Amazon
region their e-mail is stored in. Customers can choose a specific, relatively
close data center to reduce latency in retrieving e-mail or for compliance
purposes—such as European privacy regulations. The feature means that users
won’t get the benefit of failover to another data center in the event of an
outage, but Amazon may offer mirroring services later."

That is a big differentiator for many companies right there.

~~~
rodgerd
> or for compliance purposes—such as European privacy regulations

That sounds nice, but Amazon is still a US company, and the US government
seems pretty staunch in their view that US law trumps country-of-residence
law.

~~~
nullrouted
I can understand why you would say that after the big fight with Microsoft.
What if Amazon makes it so the only employees with keys to be able to decrypt
data in that region, live in that region. I think that could be the failsafe
right there to where even if the government says "hand over the data", Amazon
says "we can't and the only people that can are citizens of xyz and we can't
compel them to break the law of their home country".

I'm not saying that is what they are doing but it would be a very interesting
strategy.

~~~
thanksgiving
You can bet there will be some bs charges like obstruction of justice or
whatever and it might even fly depending on how much of an asshole the judge
is...

~~~
gnopgnip
What if the company was Enron 2.0 and was keeping their tax records and other
incriminating emails on a server in another country that was under the control
of an American company? Should the US justice system just accept it is outside
of their control, or pursue the American company to turn over material in
their control for the case?

~~~
toyg
That would depend on the law about "where should an American company store its
emails". If they are not allowed to store stuff abroad, then you can throw the
book at them regardless of whether you get those emails or not.

Like for tax evasion vs tax avoidance, law enforcement cannot complain that
individuals and companies use rules to their advantage, they just have to make
smarter rules.

------
rdl
Wow, I loled.

This uses Amazon KMS. Amazon KMS is PC backed ("HSA"), which means all your
mail is encrypted to a key which it now takes two Amazon employees acting
under court order to get access to, rather than a court order and one
employee.

Google's internal controls are at least this robust, and they have similar key
management systems internally.

There might be a reason to buy Amazon WorkMail, but it's not for security
advantages over Gmail.

~~~
_almosnow
Mmm, how is it less secure to add another "employee" to the equation?

~~~
rdl
The court order is the bar, not the second employee.

Google's keyservers also don't have single employee control. The ones used for
encrypting gmail behind the scenes, and other Google services. This is just
table stakes for any large system.

This is in contrast to something like Azure Key Vault, which is HSM backed. A
court order should not be sufficient to compel Microsoft to turn over a key
from Azure Key Vault; it _should_ be impossible for them (or for nCipher) to
do so.

~~~
mey
It isn't impossible to unwrap a key from an nCipher system. Getting out the
master HSM key is harder but still possible. Really the important part is the
steps required to get it out to prove authorization, aka a quorum on the
security world. The quorum size is an implementation/configuration detail and
only MS would know that on hand to speak to that depth.

~~~
rdl
If it can be done through policy they can be ordered to do it, but they don't
have to physically subvert their hardware. (not a lawyer, but this is an
opinion a lot of people have had...)

It depends on how you configure the HSMs whether you can extract and decrypt
keys.

------
rdl
I'm curious about two things:

1) Where does this use Key Management Service to encrypt? At the SMTPD? With
keys unique to each end user? S/MIME? What?

2) What's the real security model of KMS? Is it using HSMs for keys, or just
shipping keys to systems? Does it use any other hardware/platform security
features to protect keys, or just basically a "soft HSM" running in Dom0 on
each machine? Or something purely network based, and also done in software
only?

------
__Joker
Sometimes it feels Amazon does a lot of "throwing at the wall and see what
sticks". Not sure how this fits better at their vision ?

~~~
flurdy
Scatter gun + Lean Startup principles. Not entirely wrong, though wish some
more initial refinement was included, but if the brand doesn't take a hit then
fair enough.

~~~
jdub
Plus, because almost all of what they do is based on customer demand, they
haven't killed many products. Whereas Google…

------
jcreedon
I think the biggest distinguishing feature of this is being able to have it
encrypt emails with customer provided keys stored on their Key Management
Service. This hypothetically should prevent three letter agencies from
accessing emails, but I'm not sure that is the top feature on everyone's mind
when they are looking to set up email for their company. It definitely piques
my interest though.

~~~
hackuser
If your mail is encrypted, how do you search it?

EDIT:

That is, assuming the mail is stored on the server and it's encrypted, how do
you search it efficiently?

It does not seem efficient to download every byte of mail, decrypt it, and
search it on your local machine (especially a phone). Perhaps you could build
an index locally, but could you keep it updated? And even that requires
downloading and reading every byte at least once.

This is something I've always wondered about encrypting hosted email.

~~~
boomzilla
The actual content is encrypted, but one can still build an index that points
to individual email IDs and score the search results properly. Only when
returning the top N results does one need to decrypt those N emails with the
right keys. The index would be kept in the server. Of course, the devil is in
the details and things like email threading, order by date or group by
senders will make or break the user experience.

~~~
mseebach
A full text index that's actually useful will allow you to largely piece back
together the original content, modulo stemming and stopwords.

I guess it would be something like encrypting the index, then decrypting it on
demand, just like you would decrypt individual messages on demand.

~~~
swehner
Not if the index values are encrypted (public-key) too.

hashed-word => encrypted-list-of-msg-indices

something like that.
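
As an added illustration of the blinded-index idea in the last three comments (this is not code from the thread, from Amazon, or from Google), here is a small Python sketch: the server stores only a keyed hash of each word and a sealed posting list of message IDs, so it can answer a lookup without ever holding the words. It uses HMAC with a per-mailbox key instead of the public-key scheme swehner mentions, and an HMAC-based encrypt-then-MAC construction as a stand-in for a real AEAD such as AES-GCM, which the standard library lacks; the keys and sample messages are constructed for the example.

```python
import hashlib, hmac, os, re

# Constructed per-mailbox secrets: in a real deployment these derive from the
# user's mail key and never leave the client.
K_TOKEN = os.urandom(32)                                            # keys the word hashes
K_ENC = os.urandom(32)                                              # protects posting lists
K_STREAM = hmac.new(K_ENC, b"stream", hashlib.sha256).digest()      # keystream subkey
K_MAC = hmac.new(K_ENC, b"mac", hashlib.sha256).digest()            # integrity subkey

def tokenize(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def blind(word):
    """The server only ever sees this keyed hash, never the word itself."""
    return hmac.new(K_TOKEN, word.lower().encode(), hashlib.sha256).hexdigest()

def keystream(nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(K_STREAM, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag (demo stand-in for AES-GCM)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(nonce, len(plaintext))))
    return nonce + ct + hmac.new(K_MAC, nonce + ct, hashlib.sha256).digest()

def unseal(blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(K_MAC, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("index entry tampered with")
    return bytes(a ^ b for a, b in zip(ct, keystream(nonce, len(ct))))

def build_index(messages):
    """Client side: {msg_id: plaintext} -> {blinded word: sealed posting list}."""
    postings = {}
    for mid, body in messages.items():
        for word in tokenize(body):
            postings.setdefault(blind(word), []).append(mid)
    return {tok: seal(",".join(sorted(ids)).encode()) for tok, ids in postings.items()}

def search(index, query):
    """Client blinds the query; the server does a plain dict lookup and returns the blob."""
    blob = index.get(blind(query))
    return unseal(blob).decode().split(",") if blob else []

MESSAGES = {  # constructed sample mailbox
    "a1": "Q1 invoice attached, please review the figures",
    "a2": "Lunch on Friday? The usual place",
    "a3": "Revised invoice for Friday delivery",
}
INDEX = build_index(MESSAGES)
```

The server still observes which blinded tokens are queried and how many messages each one matches, so this hides the words but not the search pattern. That leakage, plus the threading and sort-order problems boomzilla raises, is what a production design has to deal with.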

------
burtr85
I've been a user of Rackspace E-mail. It's one of the last services I still
have with Rackspace and it's been a good platform for my company. I can't tell
you the last time I had an issue. Looks like this is on the road to making
Rackspace irrelevant on yet another level.

~~~
bretpiatt
Racker here responsible for our mail services. Thanks for the positive
feedback and for being a customer. Curious why you say this would make our
offering irrelevant?

~~~
burtr85
Hi Racker: I don't think this statement is necessarily specific to the mail
offering. It's more about the pace of innovation or lack thereof @ Rackspace
these days. There just seems to be a better fit for everything Rackspace used
to do well somewhere else. :(

I want support and someone I can call, but I can honestly say that the support
that I receive at AWS is more comprehensive and detailed than the typical
response I got from Rackspace, which is really disappointing. Once I
discovered that, I couldn't justify the 2x+ premium that I had been paying.

I also wish some of the more interesting things you have like Airbrake,
Mailgun, Exceptional got more love. Instead, the focus seems to be on the
non-differentiated stuff and all the "enterprise" stuff that matters less and
less everyday.

------
flowerpot
I'm actually not too surprised. It seems like Amazon feels like they have to
have every online service possible, however, some of their services could be
better if they focused on fewer.

~~~
_almosnow
You misspelled Google. Most of AWS are products that have a consistent user
base and profitable almost from day one.

~~~
efiftythree
My personal opinion is that there is a divergence in product types between
traditional AWS offerings and their new desire to break into traditional
Enterprise offerings. The Workspaces and managed Directory Services are nods
to the Enterprise space but they are currently getting more shakes of the head
back rather than nods.

------
hackuser
To qualify any hosted mail service to handle valuable, confidential data seems
difficult. For example:

What are the confidentiality provisions? Can they be changed without your
consent? Does Amazon possess cleartext data and metadata? Do they monitor it
to collect customer data? Who at Amazon can access it and when? What is their
retention policy? Is non-retained data destroyed or just left on the storage
medium until overwritten? How will they respond to subpoenas, warrants, and
similar requests from counterparties in lawsuits or from government? And
perhaps most importantly, how able are they to execute their policies and what
deters Amazon from violating them (i.e., what is the penalty?)?

Is there any service that satisfies these requirements?

~~~
hellbanner
Isn't the NSA/CIA hosting with Amazon nowadays?

~~~
ForHackernews
Maybe their website. Not for anything that matters. They're not building
billion-dollar datacenters in Utah for fun.

~~~
karambahh
I think I read somewhere about rumors of intelligence agencies availability
zone, under physical control of US intelligence agencies.

After all, at a massive scale, having access to industry standard tools for
provisioning makes sense: give $$$ to AMZN for their software stack and hw
integration probably costs less than building your own...?

AWS GovCloud exists solely for this purpose:
[http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/what...](http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/whatis.html)

A really private AV zone is just a step away: put gov guards at the entrance
of DCs, replace all AWS teams by in-house personnel (or have AWS teams sworn
in at the relevant level...?)

~~~
dbarlett
"a $600 million computing cloud developed by Amazon Web Services for the
Central Intelligence Agency over the past year will begin servicing all 17
agencies that make up the intelligence community."

[http://www.theatlantic.com/technology/archive/2014/07/the-de...](http://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/)

------
dflock
I wonder if Amazon has switched their internal email over to use WorkMail?

~~~
efiftythree
No, they are running Exchange 2013.

------
ghobs91
I get the feeling they haven't learned from Microsoft's mistakes when trying
to spread themselves too thin.

------
KeepTalking
They seem to be scant on security details. It's great to say you are built on
the tenet of security but it's the details that matter.

What sort of protection do they offer for phishing, spam and AV?

Do they offer integration with other security, DLP suites?

------
peteretep
To run a "real" company, of let's say, 200 people or more, dealing with mildly
sensitive data, you need Microsoft[1][2][3][4]. You need Microsoft because you
need:

* Calendaring that Just Works, and a capable client for it. This involves an Exchange server and MS Office;

* You need mail that Just Works, and Just Works in conjunction with the above calendaring; this involves an Exchange server and MS Office;

* You need an easily controllable and relatively cheap OS that can run Word, Excel, and a web-browser for non-technical staff, and can be run on cheap-ass Dell boxes; currently this involves Windows and MS Office;

* You need a shared fileserver for people to upload company party photos to, storing improperly protected financial spreadsheets, and so on;

* You need a central identity system to tie the whole shebang together; this involves Active Directory

To summarise, you need:

* ActiveDirectory, for which there is now Amazon WorkMail

* Exchange, for which there is now Amazon WorkMail

* Windows File Sharing, for which there is now Amazon WorkDocs

* Windows desktops that can run MS Office ... for which there is sort of Amazon WorkSpaces

The question now becomes: can I get away with running a 200-person company
with no relationship with MS by deploying cheap-cheap Linux machines with a
VNC-client to Amazon WorkSpaces for non-technical staff? And the answer is ...
perhaps, but I need my people to be able to work without an internet
connection, so probably not.

But still, that's fucking huge.

The one piece missing in this lineup is capable local Office apps. You simply
cannot get away with not having Excel, Word, and Outlook's Calendar
functionality ... yet. Finance, Admin, Management, and non-dev IT will riot
without Excel; Admin, Sales, and Management will riot without Word; Sales and
Management will riot without Outlook, and blood will be spilled over the
management of more than two meeting rooms. OpenOffice, LibreOffice, whatever,
they don't cut it in the real world.

So while it doesn't sound like their game, if Amazon were to release a
lock-down-able Linux and some high-quality Office apps, they can take SME IT
away from Microsoft. That is HUGE. Hell, if they can put together a package
that can run Office under WINE reliably, and sort sensible licensing terms,
it's just as huge, but I can't see MS allowing that licensing part to happen,
because it would be suicide.

Interesting times!

[1] I don't care how Canonical or RedHat manage their internal IT

[2] Nor do I care about how your 11 person social media startup does it

[3] I too did all my best IT management before I became responsible for it

[4] Seriously.

~~~
quonn
OpenOffice is not good enough but you still think Amazon can release something
better just like that? Oo shows how hard the problem is, even if you have
decades of experience. Amazon has almost no experience with huge desktop
applications, they can't possibly release something that can seriously compete
with MS Office.

~~~
peteretep
Probably, but the stakes are high enough, and they have enough cash, that who
knows? Or they could just buy SoftMaker, and then throw money at that...

------
ukigumo
Hopefully this means AWS will also be implementing DNSSEC which I need in
order to implement DANE on my own secure mail solution.

------
mathattack
I'm scratching my head wondering, "You mean they haven't done this already?"

------
chatman
And Amazon uses Outlook for internal office mail and calendar. What an irony?

~~~
jdub
Why irony? You can use Outlook as a client for WorkMail. I wouldn't be
surprised if they shift to WorkMail once it satisfies their large enterprise
requirements (given that it's an MVP right now).

------
known
What's its USP?

------
cryptoz
Here is a link that goes through Google:
[https://www.google.ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd...](https://www.google.ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CDoQqQIwAA&url=http%3A%2F%2Fwww.wsj.com%2Farticles%2Famazon-starts-selling-an-email-service-to-companies-1422468169&ei=oijJVMaJEJShyATDpoDgBw&usg=AFQjCNEBxqsxa2zHwdufPj-F6J9Hsy3YEQ&bvm=bv.84607526,d.aWw)

I tried to submit that to HN, but it didn't seem to work.

~~~
riledhel
No luck, I can't see the article with that link either

~~~
_neil
Same, but if you go type the headline into Google and follow the WSJ link, you
should be able to read it.

------
e0m
This to me just emphasizes the need for services like Nilas' email APIs. I
don't want to have to worry about integrating with yet another email provider.

That being said, I trust Amazon's data centers and API stack far more than
Microsoft alone.

~~~
calpaterson
Email can go better than APIs - it has publicly available protocols and there
are many implementations of them (including many good FOSS implementations).
They are called IMAP and SMTP! Any email client can integrate with any email
server, and has been able to since the beginning of email.

~~~
martinesko36
Sounds wonderful until you have actually tried to integrate IMAP "supported"
email services, such as Gmail. What makes it hard is that different providers
have different implementations which very often do not follow the protocol
spec. Microsoft, Google, Yahoo all have their own higher-level API for email
access, and every modern email tool ends up making something like Nilas, with
a server taking care of pushes and managing logic for each provider. The
industry needs a new standard, and that is why ideas such as Nilas seem
exciting.

~~~
ForHackernews
That's an argument for providers implementing the spec correctly, not an
argument for abandoning specifications in favor of various proprietary APIs.

We've already learned this lesson with web browsers and HTML specs, maybe
we'll have to learn it again for email.

