Giving Users Control of E-mail Archiving for Compliance

Automated backups for compliance are essential in regulated industries, yet sometimes users need to make their own sets of compliance-related e-mails. Enter drag-and-drop archiving.

Need to automate e-mail backups for regulatory reasons, yet also allow users to selectively archive communications—sometimes for compliance and sometimes just for ease-of-retrieval?

Enter drag-and-drop archiving. Security Strategies spoke with Jon Brown, vice president of C2C Systems, the UK-based e-mail management software vendor that coined the term.

Where did the drag-and-drop archiving idea come from?

The drag-and-drop feature itself was a response to organizations [that] employ a lot of smart people. Read: they have a lot of audit teams, or legal people, and these are people they trust about deciding what is a matter of record. Government agencies and law enforcement agencies especially said, "We want to have a basic policy, but we also want to give users [the ability to decide]."

Does drag-and-drop archiving preclude using an automated policy?

We allow every organization to have multiple archives, even with one copy of the Archive One software. What we’re seeing is each one of the archives will have its own archiving policy, and it tends to break down along departmental guidelines. Maybe it’s the law that any message that’s left or [has] come in must be archived, so maybe they’re going to keep any mail—internal or external—for instance. We’re also seeing some keyword-based approaches, but not as many as we thought we’d see. Then there’s time, date, and size.

Why not just use a one-size-fits-all approach?

There are some competing objectives. One is, cover your butt. … Then on the technical side, you have a space issue—we’re trying to keep our Exchange servers lean and mean, so in the event of disaster, we can recover in two hours. Or if you’re a law firm and handle a child’s case, you have to keep the records until the child is 18. That’s completely different than if you deal with adults all the time. So to us, a good archiving system would be one system you could go to, to meet all those competing objectives. “One size fits all” doesn’t really work.

Given regulations, isn’t it dangerous to leave archiving decisions in the hands of end users?

That was our original take on it—your end users are not responsible, and they’re transient in a corporation. But despite our best advice, the feedback we got from our corporate and government customers was yes, but we’d still like our users to be able to handle this. Now if they’re a brokerage, for example, they’re not going to allow this, because there are conflicting interests.

Would training be required, then, to ensure a proper organizational backup strategy?

Yes, and when you have a drag-and-drop archive, you really do need to educate your users as to what is suitable for archiving and what is not. In a government space, it’s about how you determine what is a government record, and what is not. A constituent e-mailing about police brutality is a record. Going to lunch is not.

Can’t organizations just set up this approach themselves?

The real difference is in configuration. We’ve made it so it can be configured by a reasonably competent Exchange admin in 10 minutes. That’s very different than what the rest of the market is doing.

Have any particular industries adopted this approach?

Interestingly enough, the hardcore regulatory people are still erring on the side of paranoid archiving. … We’ve pitched to them the idea of selective archiving so senior management can decide what to put in there, but so far reception is cool on that. But there is uptake by some retail, education, and government customers, and most law firm customers are saying yes, we’re going to employ this.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.