Ensuring that workers comply with company communications policies is a complex task. So, not surprisingly, Orchestria Corp.s Active Policy Management 3.1 is a complex solution. But the softwares complexity ensures performance and adaptability that will provide value for companies that need to monitor message-based communications.
Click here to read the full review of Active Policy Management 3.1.
2
Ensuring that workers comply with company communications policies is a complex task. So, not surprisingly, Orchestria Corp.s Active Policy Management 3.1 is a complex solution. But the softwares complexity ensures performance and adaptability that will provide value for companies that need to monitor message-based communications.
APM 3.1, available now, is priced at $200 per user. The Orchestria product provides the broadest policy coverage eWEEK Labs has seen, using client- and server-based tools for monitoring and managing e-mail, instant messaging and Web-based communications. The results of this approach garner APM 3.1 our Analysts Choice designation.
In eWEEK Labs tests, APMs rules-oriented approach delivered a level of accuracy that will pay off for companies willing to make a substantial upfront investment in building good policies. Most competing applications use more basic, dictionary-based policies that, while faster to create initially, create a high level of false positives until the policies are tuned.
APM has another major advantage over traditional e-mail compliance tools: When client agents are used, the product can stop policy-violating e-mail messages before they reach the mail server, thus keeping them out of the archive.
Orchestria has focused on building expertise around financial institutions; therefore, the products prebuilt policy libraries target that industry. However, we believe the underlying technology can be readily adapted to other heavily regulated industries, such as health care—all that remains is for Orchestria to build out that expertise. And should the price come down considerably, the software would be more broadly applicable to general communication policies, such as ensuring that salespeople use best practices when communicating with customers.
By combining client agents and server-side gateways, APM gives companies a number of deployment options and covers a broad range of applications. We tested APM by deploying a central management server, an agent on a Microsoft Corp. Exchange server and client applications on our test desktop systems. APM also has tools for importing e-mail and IM archives.
APM focuses on Microsoft Exchange environments, with both the server-side Exchange agent and support for Microsoft Outlook in the client agent. The client agent also supports IBMs Lotus Notes client and Bloomberg LPs Bloomberg Professional messaging application.
This client-oriented approach differs from proxy- and gateway-based policy management applications, such as Clearswift Ltd.s MIMEsweeper for SMTP, in that APM can manage message traffic before it leaves the client PC. Because the traffic never gets to the e-mail server, its never captured in an archive.
Most SMTP-based policy management applications, in contrast, intercept traffic just before it leaves the companys network, making the messages discoverable, in the legal sense, on an e-mail server or archive—even if they never reach an intended recipient.
The APM agent worked well in tests, causing no noticeable performance hit on the client. APM let client agents be remotely distributed, but companies dont necessarily have to deploy client agents. The benefits of using the client were borne out in testing, however. We could use the client to block access to certain Web sites, such as Hotmail.com, or monitor and block activities on a site, such as sending restricted text or files. We could even build policies that blocked SSL (Secure Sockets Layer) sessions on certain sites to ensure that users didnt sidestep monitoring through encryption.
Page Three
A server-side agent on an Exchange server can perform the same policy enforcement. The server-side agent is both complementary and a valuable alternative to the client because it can enforce the e-mail policies designed for the client. Most companies will need to run the server-side agent anyway because it enforces policy when users access e-mail from another PC using Web mail.
Building policies and validating them was complex, however. We used the APM Administration console to build policies based on an organizations directory-based infrastructure. We could create policies at the group or individual level, with individuals inheriting policy attributes from group policy.
We liked how APMs policy framework let us build policies for inbound and outbound e-mail as well as for Web sites based on seven kinds of control triggers, such as recipients, text search and attachments. APM provides at least three triggers of each type in a policy, meaning that a company could specify as many as 30 control triggers for outbound e-mail from a group of users.
Given the large number of triggers, writing each policy is tricky. For each one, we had to determine both the trigger and an action. The trigger specifies not only the unacceptable recipients and message content but also exceptions that countermand these positive indicators. For example, we set up a policy that would block outbound e-mail based on a restricted stock list, unless the e-mail contained terms that would add the qualification that the stock was on a restricted list.
APM allowed us to create as many as 10 actions for each trigger. A trigger will call only a single action, but the options within actions are flexible.
One thing missing in the APM Administration tool is an easy way to copy an existing policy to another group. APM does have tools for migrating policies using XML as well as some policy libraries in both document and XML format, but they arent part of the main application.
APM has policy libraries to help companies more quickly address regulatory requirements. Companies will still need to tune the policies for some regulations, such as building and maintaining restricted lists or blocking communications across internal boundaries.
Companies must plan to allocate resources to managers so they can understand process and regulations to help build the policies. With a few days worth of training, staff charged with ensuring compliance should be able to write policies.
Auditors can use APMs DMC (Data Management Console) to search the APM data store for trigger events and then perform audit functions on those events.
We found DMC provided good tools for managing searches, including the ability to save both simple and complex searches. DMC also exposes the underlying SQL query for administrators who want to capture results in another application, such as Business Objects S.A.s Crystal Reports. APM supports Microsoft SQL Server and Oracle Corp. databases.
We believe auditors will be able to quickly move through a list of trigger events because the DMC interface has buttons for approving, auditing or creating e-mail based on such events .
In addition, when viewing the first trigger event in a search, we could specify that all subsequently viewed trigger events be automatically audited, saving a tedious navigation step.
Next page: Evaluation Shortlist: Related Products.
Page Four
Evaluation Shortlist
Clearswifts MIMEsweeper for SMTP 5.0 A good SMTP gateway-oriented approach to monitoring e-mail for policy adherence (www.clearswift.com)
Liquid Machines Inc.s Email Control A solid rules-based e-mail policy management application that integrates with Microsoft Exchange and Outlook (www.liquidmachines.com)
SendMail Inc.s SendMail Mailstream Manager 2.0 An SMTP-based tool for managing e-mail through policies with the ability to filter spam and viruses (www.sendmail.com)
Technical Analyst Michael Caton can be reached at michael_caton@ziffdavis.com.