With an ever-rising tide of corporate e-mail, companies face numerous difficulties as they attempt to meet regulatory requirements aimed at ensuring their e-mail communications are auditable.
As part of these challenges, companies must deploy products and technologies for creating policies, ensuring secure delivery of content, tracking communications to prove that they are auditable and audited, and retrieving archived messages as needed. Complicating these processes is the need to also deal with communications that are outside corporate e-mail, including instant messaging, Web-based e-mail services and Web-based discussion boards.
Policies are the key element for ensuring that organizations meet regulatory requirements. In addition, policies help ensure that companies follow specific workflow procedures and that the resulting actions are auditable.
Because policy engines can be found in many technologies and products in the e-mail delivery and archival chain, companies need to figure out how best to tap one or two policy engines to fill multiple gaps.
For example, to determine if users are sending Social Security numbers in clear text, many policy engines can be configured to look for numerical data in “XXX-XX-XXXX” format. If an e-mail message contains such data, the policy engine can be configured to take action such as returning it to the sender with an explanation of the policy violation or automatically encrypting the message.
Companies can tap workflow management tools, such as Liquid Machines Inc.s Email Control, which works closely with Microsoft Corp.s Exchange to manage message workflow between the user and the Exchange server. With Email Control, rules can be used to ensure messages are encrypted or to limit user actions permitted on forwarding or printing messages. These internal systems can make it easier to manage cross-group communications in an organization.
Another option is to use a perimeter-oriented product, such as messaging gateway appliances from IronPort Systems Inc. or CipherTrust Inc., to enforce policy. These systems guard inbound and outbound communications and can work with other products to automate mail functions.
A growing number of vendors are working to integrate compliance tools with instant messaging networks, but monitoring IM and other communications is more difficult and involves blocking sites or more actively monitoring individual user behavior.
Orchestria Corp.s Active Policy Management 3.0, for example, looks at unstructured text-based communications as well as at file activity using client-based software and server-based administration tools.
Enterprises have secured their cross-domain e-mail communications for years using S/MIME (Secure Multipurpose Internet Mail Extension). However, data security regulations such as HIPAA (Health Insurance Portability and Accountability Act) focus on securing recipients and require companies to invest in encryption and public-key technologies that improve message encryption. These data security measures mandate that communications are encrypted, at a minimum, from the senders gateway to the recipients e-mail client—and preferably all the way from the senders e-mail client to the recipients e-mail client.
The user experience with these products doesnt differ much from going to a Web site to securely view data and rids companies of the burden of hosting data securely on Web site. This is because the content sent to the user in e-mail is the encrypted data.
A key element of managing e-mail-based communications is providing the tools necessary to ensure that communications comply with policies and that steps are in place to take corrective action when communications deviate from policies.
There are two e-mail auditing approaches to consider: flagging messages that potentially violate policy for corrective action, or sampling messages to ensure that communications are being monitored for potential violations of policy.
When flagging messages for further review, multilevel auditing is required to ensure that auditing occurs with consistency and that proper follow-up procedures for rectifying violations can be easily defended in case questions of discovery occur.
For the second auditing choice, companies must sample messages and make them available for easy discovery in the event of external audits on policies to demonstrate that they are monitoring communications that should be monitored and that e-mail does not include any violations.
Technical Analyst Michael Caton can be reached at [email protected].