E-mail archivers keep companies legit

E-mail archiving applications

Click here for a comparison table about e-mail archiving applications (PDF).
With stricter government regulations and rapidly escalating e-mail stores, storage managers are caught between a rock and a hard place. E-mail archiving tools are designed to automate the process of what to save and what to toss. But to keep costs down, these tools must do more than just move messages from one type of media to another--they must be able to examine, classify and manage the content of the messages so they can satisfy internal business policies and government auditors.

There are more than 30 software tools on the market that enable organizations to manage archived e-mail messages. Finding a product is less of an issue than choosing the right one for your company. High on any e-mail features checklist should be ease of use, comprehensiveness, TCO, scalability, and indexing and search functions.

What regulators look for
Michael Casey, vice president of data policy and ILM services at consulting firm Contoural, offers these tips to organizations that need to create e-mail archiving policies that comply with industry regulations.

  • Save messages for a defined period. All regulations specify a minimum retention period, usually three years. In the event an investigation occurs, messages will need to be retained longer, so verify that an archiving tool can suppress the deletion of messages if necessary.
  • Keep records safe and accessible. Regulators expect users to keep records safe from loss, damage or misuse.
  • Ensure data integrity. Storage administrators must protect records from alteration, damage or deletion while in the archive. Write once, read many (WORM) media or the archiving software's encryption and auditing features may be used.
  • Maintain confidentiality. An individual's information must be kept secure with administrative safeguards in place.
  • Availability. Courts and regulators continue to raise the bar in terms of accessing data. Auditors now expect the information in minutes or hours, not days or weeks, as in the past.

Source: "How to evaluate and choose an email archiving solution," an Osterman/Contoural Research Report.

Before evaluating e-mail archiving products, Contoural Inc., a Los Altos, CA-based storage consulting company, recommends users first establish corporate policies on who needs to handle e-mail archiving. In many organizations, the management of archived e-mail messages remains a grey area; the responsibility may lie with groups ranging from the e-mail team, document management team, storage team or systems admin to a team cobbled together from all of the separate IT silos.

The next step is to identify the product features your company needs. Key product features include the ability to:

  • Set policies and rules to manage the archival and retrieval of e-mail messages.
  • Search and classify the content of e-mail messages, including attachments.
  • Minimize the e-mail archiving tool's impact on the e-mail server's performance.
  • Manage disparate e-mail archive stores, such as on PCs or laptops.
  • Produce reports that track capacity growth and satisfy auditors' requests.

Policies that comply
Critical to any e-mail archiving package is its ability to set policies and procedures that meet business and government requirements. Products such as Veritas Software Corp.'s Enterprise Vault (acquired from KVS Inc.) and iLumin Software Services' Assentor Enterprise Suite have wizards to get them up and running quickly.

Mary Kay Roberto, senior vice president and general manager, North America KVS, a business unit of Veritas, notes that Enterprise Vault doesn't offer its users the option to choose a wizard that, if selected, would allow the organization to declare itself compliant with a specific regulation. Rather, users are urged to interpret how specific regulations apply to them and then set policies accordingly. She suggests organizations set up an internal compliance committee to determine what policies should be put into place. She further recommends companies work with an outside counsel specifically trained to set up e-mail rules for their industry. Navigating the regulatory shoals is complicated and expensive because courts interpret and apply existing laws and rules differently. Users may also need to use a specialized appliance to satisfy their e-mail archiving requirements (see E-mail archiving accessories).

For more mature regulations, it's easier to apply specific retention policies to archived e-mail messages. For example, HIPAA regulations are reasonably well defined, but other regulations are not so clear-cut. One e-mail archiving company spokesman has even called Sarbanes-Oxley "a slippery devil" (see "What regulators look for", this page).

It may be tempting to set a policy to delete all e-mail messages after 60 or 90 days, believing the problem solved. Michael Casey, vice president of data policy and ILM services at Contoural, advises clients not to bet on that option. Casey says courts care little about the difficulty and cost of discovery. And if the company policy is to delete all e-mails after a certain time, users will stash the e-mails they want to keep on CDs, local disk drives, USB flash drives, floppy diskettes and even print copies tucked away in file drawers.

The legal murkiness surrounding what to archive, coupled with the potentially unpleasant consequences of deleting everything, pushes many storage admins toward keeping it all. That's the approach John Hegner, vice president of technology services at Liberty Medical Supply, Port St. Lucie, FL, took. While the firm has content filters to block e-mails, Liberty's Exchange server with its 1,000 mailboxes still processes approximately 50,000 e-mails a day that must be archived.

Michael Sherwood, CIO for the City of Oceanside, CA, archives every e-mail message in a central location, but had a different problem. Oceanside, like many state, city and county government agencies, falls under the Freedom of Information Act. A component of this law allows citizens to request a copy of any sent or received e-mail for the past two years, so all e-mails must be available to be searched and retrieved.

Keeping all of these e-mails creates its own set of problems. While Sherwood has filters to catch spam containing pornography or vulgar language, he finds spammers getting more innovative in their e-mail text and subject lines. As a result, more objectionable spam bypasses his filters and ends up getting archived.

This was first published in February 2005
