Escaping the Legacy Trap: A Bank’s Playbook for Cloud Encryption
We recently completed a migration for a Canadian financial institution. Like many organizations in regulated, high-stakes environments, they were using a rigid and reactive legacy Zix solution. They faced challenges meeting new compliance mandates, and their system couldn’t keep pace with their changing architecture.
If you are navigating similar regulatory shifts or trying to figure out how to untangle your own encryption bottlenecks, we wanted to share a few practical takeaways from how this bank transformed their security posture.
The S/MIME Nightmare and the Legacy Wall
We used to think secure gateways were enough. You set them up, establish a few rules, and cross encryption off your list. The reality looks pretty different these days.
This particular bank reached a familiar point. Their legacy system created major blind spots and persistent friction. The biggest hurdle? They needed to mandate Two-Factor Authentication (2FA) for all external contacts to address compliance requirements, and their old system simply could not do it.
On top of that, they were living the classic “S/MIME nightmare.” Managing S/MIME certificates at an enterprise scale is tedious, highly manual, and prone to expiration gaps. When you add the complexity of shared mailboxes—which their client base relied on heavily—the old system routinely caused operational gridlock. They needed security, they needed simplicity, and they needed sovereignty. They needed an overhaul.
The “Big Bang” Migration
Migration often comes up as a major sticking point in these conversations. Everyone has heard the stories about downtime, complex phased rollouts, and user confusion. But honestly, staying put with a first-generation platform is a far bigger liability.
To avoid the slow bleed of a phased transition, we executed a complete “Big Bang” migration to our cloud-native AWS platform. Everything switched over instantly.
To keep things simple for users, we kept the bank’s original keyword for triggering encryption in Outlook. On the day of the cutover, employees continued with their usual process—typing the same keyword as before—while their messages were now routed through updated security infrastructure. There was no learning curve or disruption to daily operations.
Mandating Trust with 2FA
This conversation about auditable trust comes up constantly in the financial sector. Passwords alone simply do not cut it anymore. Regulators demand proof of identity, and this bank wanted every single sensitive message locked down.
By moving to Echoworx, the bank was able to consistently enforce mandatory 2FA for all external recipients. To keep security flexible, we integrated with their existing Sinch subscription to provide SMS-based verification codes. For users who didn’t want to share their personal phone numbers, we also enabled support for TOTP authenticator apps.
They mandated the trust, but they gave the users the choice. The security uplift was absolute, but it didn’t slow anyone down.
Playing Nice with the Ecosystem: Proofpoint and Splunk
Security does not exist in a vacuum. Your tools have to talk to each other. One of the bank’s absolute requirements was finding a solution that could integrate flawlessly with two major ongoing IT initiatives: a company-wide Proofpoint migration and a mandate for real-time SIEM oversight.
We engineered the Echoworx platform to work perfectly in parallel with their active Proofpoint deployment. There was no complex re-engineering. There were no competing policies. Just a unified, streamlined defense perimeter.
For visibility, we connected directly to their Splunk environment. Using our web APIs, the bank now pulls detailed, real-time audit data directly into their SIEM. This lets them monitor events as they happen, enabling prompt event correlation and threat analysis. It moved their security posture from limited insight to practical, data-driven awareness.
Total Control: Cloud-Native Sovereignty
When you operate in the cloud, the ultimate question is always: “Who holds the keys?”
Because this solution was built on our AWS-native platform, we integrated directly with AWS CloudHSM for Key Management Service (KMS). This provided the bank with hardware-backed, FIPS 140-3 validated key generation.
They maintained clear, auditable control over their encryption keys. With the flexibility and scale of the cloud, they addressed data residency and ownership requirements without compromise. This approach puts practical digital sovereignty into action.
Empowering the End User
The most secure system in the world is useless if people route around it because it is too hard to use. We focused heavily on user enablement to make sure the secure method became the default method.
- The M365 Add-in: We rolled out a web-based Microsoft 365 Outlook add-in. No software to install on endpoints, completely cross-platform (Windows, Mac, Web), and effortless to manage.
- Solving the Shared Mailbox: We gave users the ability to choose their delivery preference. They could use our secure web portal for temporary storage, or they could opt for direct-to-inbox pushed PDF/Office documents natively encrypted with a password. This completely solved the shared mailbox dilemma, as the payload goes directly to the shared inbox in a format everyone understands.
- The Recall Button That Actually Works: We gave senders deep visibility into their messages. They can see read receipts, track downloaded attachments, and most importantly, they have access to an instant message recall function that actually works. If an employee makes a mistake, they can pull the message back immediately without ever having to call the helpdesk.
Final Thoughts
If your environment is facing similar hurdles, whether that means rigid legacy tools, mounting compliance pressures, or user frustration, there are some deeply practical takeaways here. Migrating from a legacy encryption provider does not have to be a high-risk, multi-year endeavor.
By shifting to a cloud-native architecture, this bank addressed their security challenges, improved operational simplicity, and made secure communications more manageable for users.
If escaping the legacy trap is on your team’s radar this year, this approach is definitely worth a closer look. Let us know if you want to discuss how this might apply to your own infrastructure.