Executive Summary:

Are you ready to move to the software as a service model to administer portions of Exchange? Explore the offerings in the Exchange Hosted Services portfolio: hosted filtering, hosted continuity, hosted archive and hosted encryption. And review the licensing plan to see if its simplicity suits your needs.

The Software as a Service (SaaS) business model (also known as software plus services, or S+S) appears to be gaining popularity in the marketplace, with SaaS offerings (called hosted services) spreading to a variety of organizations. The Cutter Consortium, an IT analysis firm, released a study in January 2007 claiming that 74 percent of its participants were either using or seriously evaluating SaaS. Of course, we’ve had email SaaS for a long while; think of the old days of CompuServe, AOL, and Prodigy. More recently, vendors large and small have started offering SaaS versions of conventional applications such as customer relationship management (CRM), sales force automation, enterprise resource planning, and other mainstays of the data center. Messaging services have been a big part of this trend: a number of vendors have offered hosted Exchange mailboxes for several years, and vendors of other messaging-related services (antispam, antivirus, archiving, and encryption) are in the SaaS market as well.

When Microsoft purchased FrontBridge in 2005, the company bought into software plus services in a big way. Although you can argue that individual offerings such as Windows Live Hotmail and the rest of the Windows Live portfolio are SaaS, the integration of FrontBridge with Exchange and its rebranding as Exchange Hosted Services marked a significant entry into offering an integrated service as part of a major product’s portfolio.

NOTE: Before proceeding, it’s important to understand a bit of confusing nomenclature. Exchange Hosted Services is what Microsoft calls their S+S offering for email processing. Hosted Exchange, on the other hand, means something completely different: It’s the process of hosting Exchange itself as a service.

The Exchange Hosted Services Portfolio
Exchange Hosted Services comprises four related but separate services:

  • Exchange Hosted Filtering provides antispam and anti-malware filtering for inbound and outbound mail. There are lots of players in this area, including Postini (now part of Google), MessageLabs, and vendors such as Symantec that make their existing filtering products available through SaaS.
  • Exchange Hosted Continuity keeps a rolling 30-day archive of an organization’s email available at Microsoft’s data centers so that, in case of an outage, you can still get access to it via the Web. The nearest competitor is MessageOne’s Email Management Services.
  • Exchange Hosted Archive provides a long-term, searchable archive of your email messages with a suite of tools to help you meet various regulatory compliance requirements. The hosted archive service includes tools for setting retention policies and generating reports suitable for use with various regulatory systems.
  • Exchange Hosted Encryption uses a nifty cryptographic technique known as identity-based encryption (IBE) to eliminate much of the overhead of traditional public key infrastructure (PKI)-based encryption.

These services are nominally separate because their licensing requirements vary. In some cases, licensing one service may require you to add other services.

Exchange Hosted Filtering
One of the quickest ways to improve your work life is to deploy a hosted spam filtering service. Hosted filtering services benefit from economies of scale. These services remove unwanted messages before they get into your server, saving you bandwidth and computing resources. And they reduce the amount of junk your users have to wade through, which translates directly into job satisfaction.

As with other filtering services, you “install” it by pointing your inbound mail exchanger (MX) records at the Exchange Hosted Services server farm. After you do so, inbound messages flow from the sender across the Internet to Exchange Hosted Filtering, where they are filtered in two ways. First, the filtering service uses Microsoft’s proprietary spam filtering system to clean spam. The filtering service doesn’t currently use the SmartScreen filtering system that forms the basis of the Microsoft Exchange Intelligent Message Filter (IMF), the Windows Live Mail filter, and the Outlook Junk Mail Filter.
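Once the MX records point at the service, a sender that connects to the on-premises mail host directly skips every filtering step described here, so the edge server should accept SMTP only from the service’s addresses, and anything that slipped through should be visible in its Received headers. The check below, added as an illustration rather than code from the article or from Microsoft, flags such messages; the address ranges, host names, and sample headers are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed placeholders (TEST-NET ranges): take the real address ranges the
# hosted filtering service delivers from out of Microsoft's documentation.
HOSTED_FILTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# The connecting IP an MTA records in a Received header, e.g. "[198.51.100.7]".
RECEIVED_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def _in_ranges(ip, ranges):
    return any(ip in net for net in ranges)

def first_external_hop(raw_message):
    """Return the IP that handed the message to our perimeter, or None.

    Each MTA prepends its own Received header, so get_all() yields the newest
    hop first. Walk down through our own hops; the first non-internal address
    is the host that connected to our edge. Everything below it was written by
    outside systems and can be forged, so it is never consulted.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP.search(header)
        if match is None:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if not _in_ranges(ip, INTERNAL_RANGES):
            return ip
    return None

def bypassed_hosted_filter(raw_message):
    """True when the message reached the edge without passing through the filter."""
    ip = first_external_hop(raw_message)
    return ip is not None and not _in_ranges(ip, HOSTED_FILTER_RANGES)

# Constructed samples: one relayed by the hosted filter, one delivered straight
# to the edge by a sender that connected to the on-premises host directly.
FILTERED_SAMPLE = """\
Received: from edge01.corp.example ([10.1.2.4]) by mbx01.corp.example
Received: from mail1.hosted-filter.example ([203.0.113.25]) by edge01.corp.example
Received: from sender.example ([198.51.100.7]) by mail1.hosted-filter.example
"""
DIRECT_SAMPLE = """\
Received: from edge01.corp.example ([10.1.2.4]) by mbx01.corp.example
Received: from sender.example ([198.51.100.7]) by edge01.corp.example
"""
```

Run the same function over messages exported from the journal or a mailbox to find senders still delivering to the old host after the MX cutover.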

Figure 1 shows the operational flow of Exchange Hosted Filtering. The filtering service first discards or blocks connections by analyzing sender information, both in headers and from the IP address of the connection itself. Then, the origin and reputation filtering steps include checks against Exchange Hosted Filtering’s database of sender reputations, authentication based on the sending IP address (the equivalent of Exchange’s IP filtering list), and rate-of-arrival controls that block out spam floods. Origin and reputation filtering are applied against all messages for all customers. For the subsequent steps, you can set your own domain-specific rules. Virus scanning is performed with multiple antivirus engines, as it is with Microsoft’s Forefront Security for Exchange Server. However, Exchange Hosted Filtering uses a different set of engines than Forefront Security does.

In the policy enforcement step, the rules you create for blocking, allowing, or quarantining messages according to their content, their attachments, and so on are enforced. When you quarantine messages, for example, the Exchange Hosted Filtering servers store the messages so you can inspect them without hosting them on your own servers. Next, during the spam filtering step, several spam filtering measures are applied, including fingerprinting and rule-based scoring. You can quarantine spam messages for future inspection.

Exchange Hosted Filtering accepts mail on behalf of your domain, and it also stores that mail. An interesting side benefit is that Exchange Hosted Filtering can act as a bare-bones continuity service. If your servers aren’t able to accept mail, the hosted filtering service can store your mail and deliver it once your servers come back online. It’s nice to have because it provides some protection against temporary outages, especially for smaller companies that don’t have a solution such as clustering in place.

Exchange Hosted Continuity
Exchange Hosted Filtering’s store-and-forward capability doesn’t provide true continuity, of course. Microsoft has been adding continuity features to Exchange since the early days. Such features include the recovery storage group (which provides a quick way to get dial-tone messaging set up), the Exchange Server 2007 replication feature set, and steadily improving clustering performance and reliability. There’s clearly a market for continuity services that are simple to set up and maintain, and that ensure continued operation of messaging systems during an outage or disaster. While you can always stand up and switch to an alternative mail system when necessary, you’d lose access to the accumulated corpus of mail that your staff depends on to get their jobs done.

Exchange Hosted Continuity, Microsoft’s continuity solution, addresses the issue of providing an integrated service that’s simple to set up and maintain, and that provides access to mail during an outage. The hosted continuity service captures inbound and outbound messages, then maintains a rolling 30-day archive of mail for the users you enroll in it. Enrolled users have access to the last 30 days of their messages through the hosted continuity service’s Web interface, effectively providing them a way to keep receiving new mail, sending new mail, and referring to old mail.

To enable Exchange Hosted Continuity to grab incoming messages, set up the same kind of MX redirection that you’d use for Exchange Hosted Filtering. In fact, the Exchange Hosted Filtering service is included with Exchange Hosted Continuity.

To capture internal messages, Exchange Hosted Continuity depends on Exchange’s envelope journaling feature. To use Exchange Hosted Continuity, you must enable journaling for all the users whose mail you want to protect, then set up a server-side Exchange rule to forward journaled messages to the offsite address of the Exchange Hosted Continuity service. Exchange 2000 Server and Exchange Server 2003 allow you to journal at the mailbox database level, as does the standard Client Access License (CAL) for Exchange 2007. If you add the Exchange 2007 Enterprise CAL, you can configure journaling for individual users or distribution lists.

During an outage, new mail flows into Exchange Hosted Continuity. As users reply to those messages or create new ones, they’re added to the hosted continuity service pool. When the outage ends and your servers become available again, deactivating Exchange Hosted Continuity enables you to move those messages back into your production system.

Exchange Hosted Continuity provides a Web interface called Microsoft Web Access (MWA) for users to send and receive mail. By default, users get access to the last 7 days of mail, although they can search for and restore messages from the 30-day rolling archive. You can use MWA’s administrative tools to create notifications, manage which users have access to recover data, and so on.

Exchange Hosted Archive
Archiving and compliance go together like peanut butter and chocolate, so it’s no surprise that the Exchange Hosted Archive solution provides compliance tools. When you subscribe to Exchange Hosted Archive, you can enable MX redirection to capture inbound messages, then use journaling to capture internal messages, just as with Exchange Hosted Continuity. The biggest difference between Exchange Hosted Archive and Exchange Hosted Continuity is the former’s tools for harvesting messages, allowing them to be inspected and audited, and providing compliance-oriented tools and reports. Exchange Hosted Archive’s toolset supports both keyword-based and percentage-based message harvesting. During the review process, you can tag and annotate messages for action. (There’s also an attorney-client privilege tag that lets you shield messages from some user roles.) Exchange Hosted Archive lets you define compliance managers who can inspect messages and generate evidentiary reports, and you can use the hosted archive service to set policies for automated destruction of messages after their retention period has expired. Exchange Hosted Archive also provides a legal hold mechanism to temporarily avoid destroying needed messages.

Exchange Hosted Encryption
One of the biggest roadblocks to widespread deployment of encryption technology is something simple: It’s hard to securely distribute and manage encryption keys. PKI systems are supposed to lower the degree of complexity and cost, and they do in many circumstances. However, PKIs depend on enrollment. Before you can send encrypted mail to people, they have to join the PKI and receive a certificate. Enrollment is difficult if you want to enroll, say, everyone in your state who has a driver’s license. Unfortunately, in today’s regulatory environment, many companies have no choice but to provide encryption to ensure that they’re adequately protecting their customers against theft or other loss of their personal information.

Exchange Hosted Encryption uses a system known as identity-based encryption (IBE) to generate a unique public encryption key for a user based on his or her email address. This cuts through the thicket of PKI deployment issues and delivers the desired capability: if you know someone’s email address, you can send an encrypted message that only that person can read. The Exchange Hosted Encryption IBE system uses a set of cryptographic algorithms collectively known as elliptic-curve cryptography. Compared with the much more common RSA public-key algorithms, elliptic curve algorithms are faster and can use smaller key sizes to provide equivalent security.

Set up Exchange Hosted Encryption by defining an SMTP connector to the service so that outbound mail flows through it, using Transport Layer Security (TLS) to protect messages in transit. Use the hosted encryption service management interface to define policy rules to control which messages must (or must not) be encrypted. Messages to the specified domains or addressees will be processed accordingly. If your policy specifies that a given message should be encrypted, Exchange Hosted Encryption encrypts it to the recipient and sends the encrypted message as a MIME part in a multipart message. To decrypt the message, the recipient opens it, confirms his or her identity (and thus the validity of the key) via a return email to the Exchange Hosted Encryption service, and then reads the mail in a Web browser using the Zero Download Messenger (ZDM). The original encrypted mail remains stored in the recipient’s inbox, and the original unencrypted version is still in the sender’s sent items folder. Replies are handled differently: The recipient can use ZDM to reply directly, or Exchange Hosted Encryption can be configured to allow encryption of replies (which requires MX redirection).

Exchange Hosted Services Licensing
One advantage of SaaS is supposed to be simplified licensing: Instead of per-CPU, per-server, or per-site licenses, you pay a per-user fee every month or year and buy exactly as much capacity as you need. Compared to complex licensing models such as those for IBM’s DB2 or Oracle products, SaaS licensing might sound good. For Microsoft services, you pay a per-user, per-month fee for each service that you buy. Microsoft explains its pricing and licensing model for Exchange Hosted Services in “How to Buy Exchange Services,” at http://www.microsoft.com/exchange/services/buy.mspx.

Be aware of some interdependencies among the licenses for the hosted Exchange offerings. Let’s start with Exchange Hosted Filtering, arguably the most popular of these Exchange services. The hosted filtering service is available as part of the Exchange Enterprise Client Access License (ECAL). The ECAL also includes the right to use Forefront Security for Exchange Server, Exchange Unified Messaging (UM), and some advanced compliance features. Microsoft’s goal is to price the ECAL lower than the cost of buying similar capabilities from third parties. The list price for the ECAL is $25, so I think they’re probably well within reach of that goal. However, if you plan to use Exchange Hosted Filtering, you have to buy the ECAL for every user in your organization, because Microsoft assumes that you’re going to use Exchange Hosted Filtering for all your users. Note that if you’re deploying Exchange UM or advanced compliance, you can buy the ECAL only for those users who need access to those individual features.

Exchange Hosted Continuity and Exchange Hosted Archive both include licenses to use Exchange Hosted Filtering. In addition, when you buy the hosted archive service you get the hosted continuity capability. If you’re not sure which Microsoft service to buy, contact your Microsoft licensing specialist for more details on license policies and costs.

Are Hosted Services for You?
SaaS is proving to be a viable economic model for the numerous customers of companies such as Salesforce.com, because it delivers an immediate benefit to the end user. Microsoft obviously saw the possibilities inherent in this model and now embraces it actively. The Exchange Hosted Services portfolio offers some valuable capabilities for administrators, but you’ll need to consider how comfortable you are with SaaS versus self-hosted capabilities. Do some comparison shopping for the SaaS features you want. Take a look at the specific offerings in Exchange Hosted Services and compare them with those of its competitors.