Arvind Muthukrishnan on AWS Wickr’s Data Security-First Mindset

Interview by Maja Skokleska
Published: June 24, 2023

Who Is Arvind Muthukrishnan

Arvind Muthukrishnan is the head of product and design for AWS Wickr. He started his career building industry-leading consumer offerings across retail, healthcare and financial services. He transitioned from building consumer offerings to leading product strategy, vision and execution for enterprise communication offerings.

“We truly believe data is the most valuable asset for an organization and we have designed Wickr with a security-first mindset to ensure our customer’s data is protected — both in transit and rest.”

Amidst the complex environment of sharing mission-critical information, very few communication service providers on the market have shown the capability of enabling enterprises to store data, communicate, and collaborate securely.  

One company stands out as a leader in the industry: AWS Wickr. Its single end-to-end encryption solution has played a major role in transforming the way information is protected, both during data storage and transmission.

As an expert in the field, Arvind Muthukrishnan, Head of Product at AWS Wickr, introduces us to the platform and explains how it makes both end-to-end encryption and data retention possible.

Spotlight: AWS Wickr is an end-to-end encrypted (E2EE) communication service that’s on a mission to transform the way military, government agencies, and enterprises communicate and collaborate. Please introduce us to the platform, and tell us how it differs from competitors in the market. 

Arvind Muthukrishnan: AWS Wickr is one of the very few enterprise end-to-end encrypted (E2EE) communication services in the industry that help public and private sector organizations collaborate securely with internal and external users while meeting data retention requirements.  

One-to-one and group messaging, voice and video calling, file sharing, screen sharing, and location sharing are protected with 256-bit AES encryption.  

Communications are encrypted locally, on the sending device. Every call, message, and file is encrypted with a unique secret key and remains indecipherable in transit. No one except intended recipients can access the content.   

As a service provider, even AWS does not have the ability to access conversations, giving customers complete control of their data. After all, we truly believe data is the most valuable asset for an organization and we have designed Wickr with a security-first mindset to ensure our customer’s data is protected — both in transit and rest. 

Most consumer applications that have “E2EE” lack two key features that enterprises need: 

  • One is administrative controls. Wickr has a plethora of controls that administrators can use to manage users, manage security postures, or manage data. These controls include addressing information governance policies, implementing integrations for automated workflows with Wickr bots, configuring ephemeral messaging options, and deleting credentials for lost or stolen devices. 
  • Two, organizations have a need to retain data for data retention purposes. This could be for financial regulatory requirements, for example, where compliance obligations require furnishing data or facing fines costing as much as $200 million. While being E2EE, an innovative way that Wickr allows enterprises to retain data is through a customer-controlled data store. Customers can store data through either an AWS S3 bucket or their own on-premise server to store data confidentially on their end.

Customers can also deploy Wickr based on their needs. Wickr has a multi-tenant SaaS offering but also allows customers to self-host our software to meet their authorized boundary needs. So we span the spectrum of customers in edge environments where they self-host to traditional enterprise use cases — providing customers with a flexible and scalable service for their communication needs. 

End-to-end encryption and data retention are often thought of as incompatible, but Wickr provides both. How does Wickr deliver E2EE and data retention—without breaking the encryption? 

Great question! This is one of the most differentiated and innovative features of Wickr. Wickr protects communications with 256-bit authenticated, end-to-end encryption. Every message, call and file is encrypted with a unique secret key, and remains indecipherable in transit; no one but the intended recipients can decrypt them. What most products do is provide retention through a centralized location, and provide customers access to that data.  

Because everything is E2EE on Wickr, we’ve built a unique model to deploy a retention host of the customer’s choice within their environment. What this means is that the customer’s “retention host” is nothing more than an encrypted user within their own organization. So customers have the flexibility to deploy this anywhere they want and specify a data storage location of their choice to store this data. The data retention process can run anywhere: on-premises, on an Amazon Elastic Compute Cloud (Amazon EC2) virtual machine, or at any location of the customer’s choice.

Bottom line: for every conversation, we add an encrypted retention host so that the messages are routed to the right location for regulatory purposes. The host is encrypted too, which is how we don’t break the encryption promise. 

Security teams tend to be understaffed, so automating tasks is a priority. Is this something Wickr can help with? 

Our customers use Wickr to automate their workflows today. AWS Wickr has extensible chatbots through which any organization can bring in data from any system of record. It allows people to make decisions and actions on their data and to put the data back where it belongs - enabling them to automate key workflows.

The great thing about Wickr’s automation is that decisions get taken only when people talk to each other - after all, Wickr is the place where conversations happen. Our extensible platform allows customers to collaborate on those conversations, make decisions more effectively, provide instructions more effectively, and automate their workflow for a more efficient business need. 

To give an example, the U.S. Army Telemedicine & Advanced Technology Research Center (TATRC) uses Wickr to automate telemedicine workflows. They built a bot that works with Wickr which can help fighters on the field get instant responses and medical diagnoses for the injuries that have occurred. The workforce understands what’s needed, and if required, can escalate from a chat to an audio-video call with a telehealth professional for additional help.

So in summary, customers can bring data inside Wickr, allow people to converse with that particular data, and build logic to escalate into other workflows. It’s an exciting area for us as we explore other future generative AI capabilities. And this all builds on Wickr’s core offering of encrypted communications — so these conversations and workflows can occur in secure environments where only individuals cleared for access can engage in these workflows. 

Privacy and data protection are obviously important for Wickr: Can you please expand on ways you ensure partners and customers' communications remain secured and protected? 

One of our differentiated value propositions is to enable secure and compliant external collaboration with partners and customers. Our customers often say that while many enterprise communication products provide a friction-free experience for internal collaboration within their organization, they are not very easy to use for collaborating with external users outside their organization.  

For example, one has to incur the overhead of inviting external users as a guest to their organization to collaborate. External users will also have to switch between different accounts in order to collaborate with their partners, even though they are using the same communication product. One of the main reasons for this limitation is a fundamental security principle that a user has to have a presence within an organization to access resources and collaborate. Due to this experience, email continues to be the preferred mode of communication with external users in a lot of organizations. 

Since Wickr, with our end-to-end encryption, has a higher security posture by default, our customers seamlessly collaborate with their partners (both organizations and individuals) through federation. There is no need to invite or bring external users into an organization's network to collaborate. Users from different organizations can use their own accounts to collaborate with others — both inside and outside their organization, just like email. 

Can you explain how Wickr complies with industry standards and regulations like ACSM, and what measures are in place to ensure that data is kept safe and private? 

Wickr’s ability to help customers retain data allows them to also adhere to their regulatory requirements with that data. When we think about regulatory requirements, there are two primary angles we consider: 

  1. Making Wickr compliant with industry standards such as GDPR 
  2. Enabling customers to meet their regulatory requirements such as SEC 17a-4 

As a communications service, Wickr is GDPR-compliant and HIPAA-compliant, and we recently received ISO authorization as well, providing the assurance to our customers that we operate at industry standards.  

We also know certain boundaries and authorizations are critical for our public sector customers to use Wickr. To that extent, we launched Wickr in AWS GovCloud and are currently under assessment for FedRAMP and DoD Impact Level authorizations. We expect to receive them soon. 

Most of our customers also have regulatory requirements on how they process and store data for audit purposes. With our unique data retention capability, we enable our customers to selectively retain all conversational data in a data store of their choice. This is important because Wickr is one of the very few enterprise communication applications that do not retain data in a centralized store and provide flexibility for customers to retain their data wherever they desire, be it their own data center, in their AWS S3 bucket, or a locally hosted database. By providing complete ownership of data, we enable our customers to have access to all conversations that happen within their organizations and meet data regulatory requirements such as SEC 17a-4 in the financial industry or the Freedom of Information Act (FOIA) in the federal space. 

Apart from enhanced security and data retention, what are other key features of Wickr? 

We’ve covered quite a few in the course of this conversation, but the complete list is on our product description page. Wickr hosts a lot of secure capabilities, such as burn-on notice/read timers, an Android Tactical Assault Kit for military use, open access to disguise traffic on restricted and monitored networks, and more. Stay tuned for future news and updates as we add more features to Wickr!

What’s on the roadmap for future Wickr developments and updates? Are there any post-quantum plans? 

You’ll have to stay tuned as we announce future developments and updates, but we can say that our roadmap is centered around three broad themes.  

First, we’re interested in making Wickr available everywhere. As I mentioned earlier, we expanded Wickr to AWS GovCloud earlier this year. We are already working on expanding Wickr as a regional offering to international regions, enabling our customers to meet their data residency requirements. 

Second, we're looking to enable Wickr for all communication workloads. We are investing in better messaging, meeting, workflow automation, and administrative capabilities for better customer adoption. 

Third, we’re investing in strengthening our security postures. We’ve already begun thinking about our post-quantum plans, and we want to stay ahead of the curve in keeping communications secure in a quantum-enabled future. We are actively involved in next-generation standards for encryption as we work with the broader field around the future of encryption. 

Thank you for your time, Arvind Muthukrishnan. Best of luck to you and AWS Wickr!  
