Exchange provides some of the basic requirements for a discovery, compliance, archiving, and retention (DCAR) solution. However, to complete your DCAR solution, you'll probably need additional capabilities—such as PST management, policy-based archiving, and access control and auditing—that third-party products provide. Let's look at these capabilities in more detail.
On an individual level, personal folder files (PSTs) are extremely convenient. But the price of that convenience is loss of control. PSTs give users a great way to collect and store information; they also provide a great way for users to accidentally (or intentionally) violate archiving and retention policies and leak protected information past access control and audit mechanisms.
Whether you completely prohibit PSTs or permit their use only under certain conditions, you must have some technical means to keep control. Many administrators I've talked to consider PST management to be one of the hardest technical concerns they face during their DCAR implementations. If you don't agree, think about how you'd answer these questions:
- How do I index the contents of PSTs that are defined in users' Outlook profiles?
- How do I discover PSTs that are on users' hard drives but not part of their profiles?
- How do I discover PSTs that are on file servers, including those stored in roaming user profiles?
- Can I detect PSTs if a user renames the PST and changes the extension?
- How do I enforce proper access and audit ACLs on PSTs?
- How do I enforce proper access and audit ACLs on PSTs stored on FAT partitions?
- Do I need to use Group Policy Objects (GPOs) to prevent my Outlook users from creating or opening PSTs?
- How do I mimic the functionality of GPOs for users and machines (e.g., home users, laptops) that aren't domain-joined or that spend most of their time not connected to the corporate network?
- Which other mail clients are in use that can create PSTs?
- If I prohibit PSTs, what alternative functionality do users have to perform some of the same functions in an approved and manageable fashion?
The PST management component of your DCAR solution must be able to address these concerns.
Many users like to save email messages for as long as they can. Although many sound technical reasons support using message quotas, they aren't the answer. In fact, technical measures rarely, if ever, solve behavioral issues. In my experience, quotas just inspire users to find and exploit loopholes—unless they have an easy way to save the email messages they need to be able to reference in the future.
For this reason, your DCAR solution needs to address the matter of policy-based archiving. You want to encourage what users want to do (save email messages that they need to do their work) and what managers want to do (save email messages that they need for compliance and litigation). At the same time, to achieve consistent results, you need to limit or eliminate the role that human judgment plays in selecting which email messages are archived. Most users don't have the necessary training or experience to determine which messages are safe to keep and which should be deleted.
Additionally, the archived data must be easy to access. What good does it do to store the right messaging data if you and your users can't get to it when it's needed? The mechanisms that provide storage with easy access vary.
- Custom client applications have specialized search and retrieval interfaces. The interfaces make them great for ad hoc searches, especially when you need to search across multiple mailboxes. On the other hand, IT gains another client application to deploy and manage. Although users aren't limited to the interface restrictions of an email client (even one as flexible as Outlook), they must be online to run searches. Additionally, needing to use multiple programs to follow up on an email conversation can be inconvenient.
- Outlook extensions work around the inconvenience of using multiple applications with vendor-provided client-side extensions for Outlook. Users see all the email messages stored in the archiving system as if the messages were still in their mailboxes. In reality, what users see are small stubs that point to copies of email messages and data in the archiving database. The actual data is retrieved only when required. Mail client extensions let users be offline and still read, compose, and search email messages in their inboxes. They can then gain access to the archived data when they're online.
To offset the weaknesses of each interface, you'll probably want to combine them in your environment.
Archiving and retention policies are perfect examples of using technology to solve the type of problem that technology solves well. You might already have ideas about how to define the types of email messages you need to archive. Make sure that the provider you choose understands your needs—and can show you how well the product works in your environment to accurately process the data in your messaging system.
Access Control and Auditing
By using the native access-control and auditing facilities in Windows and Exchange, you can lock down and audit access on the individual mailbox level. However, this level of access isn't sufficient. If I can open another user's mailbox, you have no native way of knowing which objects I read. Was I merely looking at the calendar, or was I searching through sent email messages to get contact information for a sales lead so I can filch some business? Improper handling of backup tapes and data can make this situation even worse because backup systems by design must be able to access all the data in every mailbox. It's dangerous if someone can gain access to that data because it's rarely encrypted or protected in any way.
DCAR access control. Therefore, proper access control systems are mandatory for your DCAR solutions, especially in vertical industries (e.g., healthcare) in which the applicable laws mandate strict access control to protected information. You must enforce this access control at multiple locations within your messaging system:
- Backup and restore facilities—Only authorized employees should be able to perform backups and restores or access the data from tapes and disk images. Keep in mind your disaster recovery scenarios; the definition of "authorized employees" might be different in the wake of an emergency or natural disaster such as Hurricane Katrina, when your usual IT staff might not be around.
- Internet gateways—All outgoing email messages must be inspected to ensure that their contents don't fall into protected categories. As an example, you don't want doctors sending patient data to a mailing list—but if they've referred a patient to a specialist in another organization, they might need to send patient data to their colleagues. Ideally, your system should be able to ensure that only the intended recipient can read the data.
- Archiving systems—After an email message is imported into the archiving system, it must be protected from inappropriate access. Users shouldn't be able to access email messages from other users' mailboxes just because they've been collected into the archiving database. At the same time, people who have a legitimate need to search across multiple mailboxes should be granted that ability easily.
- Within clients—It would be nice if the native Exchange and Outlook functionality included the ability to designate granular access control on a folder-by-folder, message-by-message level—equivalent to access control on a file system. You might not be able to do it within those applications natively, but what if there were a way to make the email message itself enforce the access control? Digital Rights Management (DRM) is precisely the technology to accomplish such control. It lets content creators specify an access policy that's attached to the content and enforced upon access. Many vendors (including Microsoft) have DRM offerings suitable for use as part of a complete DCAR solution.
DCAR auditing. Access control is one side of the coin; auditing is the flip side. No matter which measures you put into effect, you can't know that they're working unless you can validate that they are and can prove it when necessary. Auditing also helps you determine whether your current access control measures have been properly designed or need to be changed.
The auditing component should let you generate automated reports regularly. At the same time, these reports must provide a useful overview of the audit rather than burying you with every detail of the previous day's mailbox accesses. You should be able to quickly identify anomalous events and get more detail about them. You also need to be able to retrieve complete historical data by using a comprehensive search feature. This retrieval feature can be useful during external audits—and you can use it to develop internal baselines and trends.