Archiving101.com: in-depth, no-nonsense information about archiving and related technologies.
27th September 2007

eDiscovery is post-mortem search

Yes indeed it is. I understand that eDiscovery is an important part of this industry and that for many organizations (insurance, for instance) legal eDiscovery is part of the business model, but in a sense eDiscovery happens because something went wrong somewhere, and in my opinion it is better to prevent than to cure.

Data Leak Prevention is basically one of the next stages in the lifecycle, or growing up, of archiving products within the enterprise. Organizations face a daunting challenge: protecting the organization’s most valuable asset, its information, amidst widespread investment in new, more efficient communication technologies. As organizations invest in new business systems and processes to exchange critical information to, from and about customers, partners, and employees in real time, more opportunity exists for information leaks. Data breaches are rapidly becoming the foremost IT security concern, in part because of the increase in both the frequency and severity of such breaches. For security professionals, the pressure to provide data security is driven by three factors: 1) regulatory compliance, 2) protecting confidential data, and 3) mitigating the risk and associated cost of a breach.

Government and industry regulations are arguably the biggest influences on organizational directives to provide data security. Federal regulations, including Sarbanes-Oxley for publicly traded organizations, the Gramm-Leach-Bliley Act (GLBA) for the financial sector, and the Health Insurance Portability and Accountability Act (HIPAA) for health care organizations, mandate the security of private or confidential information. More than 25 states have passed data privacy and/or breach notification laws that require organizations to notify consumers when their information may have been exposed. The most high-profile of these state laws is California’s SB1386, which set the precedent for breach notification regulations. In addition to the federal and state regulations, specific industries such as the credit card industry have enacted data protection regulations such as the PCI (Payment Card Industry) Data Security Standards.

Information leaks are not confined to organizations with customer data or regulatory requirements; many non-regulated companies share a need to secure sensitive data. Intellectual Property (IP), M&A plans, and other critical assets are strategic to many organizations’ success and competitive advantage. These organizations are as concerned about leaks (both external and internal) as regulated companies, because of the strategic nature of the information they manage and the frequency with which they fall victim to leaks.

Over the years, organizations have spent a tremendous amount of resources in hopes of protecting their information. However, their efforts have been focused on preventing outsiders from hacking into the organization, educating employees, and securing data at rest. According to analyst firms, the majority of all leaks, external and internal, are the result of unintentional information loss by employees and partners. The average information leak costs organizations approximately $182 per record (according to the Ponemon Institute), averaging roughly $4,800,000 per breach in total. The high cost of a breach can have a profound effect on an organization’s P&L, market presence, and competitive advantage as a result of damage to brand and reputation, and loss of customers and IP. As organizations invest millions in business systems that increase the availability of information to build or maintain a competitive edge, there remain a slew of security-related considerations, including:

  • Where is the organization’s confidential & sensitive data?
  • How, where, and when is the data transmitted and by whom?
  • How can the data be controlled and protected?
  • What is my organization’s financial risk (from a leak)?

Vendors like Vontu, Proofpoint, Orchestria and McAfee all offer products that could help with this problem, and Microsoft has also introduced some basic functionality with transport rules in Exchange 2007.

posted in search, eDiscovery | 0 Comments

26th September 2007

Where are the Office 2007 iFilters?

It’s nearly 12 months after the release of Office 2007 and the Office 2007 iFilters are still not available for download individually from Microsoft. A thread about this can be found on MSDN. These files have been announced for quite some time, but an exact ETA is still not available. Oddly enough, if you use search technology that relies on iFilters, you can get the iFilter by installing MOSS 2007 or Office 2007 on the server on which you wish to search these file types, but obviously this could raise some major objections in certain situations.

posted in search | 0 Comments

25th September 2007

Box clever to avoid data overload

Returning from my vacation I ran into the following article:

http://www.vnunet.com/itweek/analysis/2199429/box-clever-avoid-overload-3487120

The quote at the end is what I’ve been saying for quite some time:

“Ideally, the answer is for companies to be more tidy with their housekeeping, but deleting files is time consuming and, with storage getting cheaper, it is usually cheaper to just buy more capacity”

I am still convinced that it makes sense to archive ’smart’, i.e. you really don’t need spam emails in your archive; it is best to preserve information that is valuable or that you need to preserve to remain compliant with the rules that apply to your business. However, storage savings on the back end are getting less and less important with the increasing capacity of the hard disks out there.

posted in storage | 2 Comments

24th September 2007

SEC17a-4 and hashing

Occasionally I do read the full laws and regulations that are applicable to this industry, and I can highly recommend doing so if you are involved as well, as there seem to be quite a few misunderstandings about them. One of the biggest is with SEC17a-4, which applies to the financial industry. I don’t know how people get this one wrong, but I’ve heard many organizations, software vendors and their technical specialists miss the boat on this.

In short, SEC17a-4 requires electronic records to be stored on non-erasable storage (i.e. WORM). Almost all software products on the market use ‘hashing’ to identify whether an item is unique, and then use these hashes to verify whether an item has changed since it was stored. Pretty basic stuff. Now, I’ve seen people say that this ‘hashing’ is sufficient to be compliant with this regulation; this is a big mistake. The SEC isn’t hiding its rules; in fact it has quite a few ‘clarifications’ online, and this one in particular talks about ‘hashing’:

(source) http://www.sec.gov/rules/interp/34-47806.htm 

The Commission’s interpretation does not include storage systems that only mitigate the risk a record will be overwritten or erased. Such systems - which may use software applications to protect electronic records, such as authentication and approval policies, passwords or other extrinsic security controls - do not maintain the records in a manner that is non-rewriteable and non-erasable. The external measures used by these other systems do not prevent a record from being changed or deleted. For example, they might limit access to records through the use of passwords. Additionally, they might create a “finger print” of the record based on its content. If the record is changed, the fingerprint will indicate that it was altered (but the original record would not be preserved). The ability to overwrite or erase records stored on these systems makes them non-compliant with Rule 17a-4(f). 


There you have it. Now, as an important piece of advice: no vendor can claim to be SEC certified, as this certification doesn’t exist, and it is really up to the organization to ensure that it is compliant with the regulations and rules it falls under.
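As an added illustration of the distinction the SEC draws above (example code, not from the original post or any vendor product), here are two toy stores in Python: one that only keeps a content fingerprint, so an alteration is detected but the original bytes are gone, and one that behaves like WORM media and refuses overwrite and early erase. Record ids, contents and retention years are constructed.

```python
import hashlib

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # content "finger print"

class FingerprintOnlyStore:
    """Rewriteable store guarded only by a hash: the model the SEC rejects."""

    def __init__(self):
        self._data = {}          # record_id -> current bytes (overwritable)
        self._fingerprints = {}  # record_id -> hash taken at first store

    def store(self, record_id: str, data: bytes) -> None:
        self._data[record_id] = data
        self._fingerprints[record_id] = fingerprint(data)

    def overwrite(self, record_id: str, data: bytes) -> None:
        self._data[record_id] = data  # nothing stops this; old bytes are gone

    def is_intact(self, record_id: str) -> bool:
        # Alteration is detected, but the original cannot be recovered.
        return fingerprint(self._data[record_id]) == self._fingerprints[record_id]

    def read(self, record_id: str) -> bytes:
        return self._data[record_id]

class WormStore:
    """Non-rewriteable, non-erasable until the retention period has expired."""

    def __init__(self):
        self._data = {}          # record_id -> bytes, written exactly once
        self._retain_until = {}  # record_id -> year until which erase is refused

    def store(self, record_id: str, data: bytes, retain_until: int) -> None:
        if record_id in self._data:
            raise PermissionError("record exists; WORM forbids overwrite")
        self._data[record_id] = data
        self._retain_until[record_id] = retain_until

    def overwrite(self, record_id: str, data: bytes) -> None:
        raise PermissionError("WORM media rejects overwrite")

    def erase(self, record_id: str, now: int) -> None:
        if now < self._retain_until[record_id]:
            raise PermissionError("retention period has not expired")
        del self._data[record_id]

    def read(self, record_id: str) -> bytes:
        return self._data[record_id]
```

A hash still belongs in the WORM design as an integrity check; the point is that it is not the control that makes the record non-rewriteable.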

posted in compliance | 0 Comments

21st September 2007

A new CxO level role rising ?

With the increasing importance of ’storage repositories’ like email archives within a corporation, the ongoing management of these systems is slowly getting beyond standard system administration. In the early days it was the email administrator who would be responsible for the archiving system, and generally this is still the case within many organizations; however, larger, more complex corporations will see not only dedicated management of these repositories, but an overall responsible role might emerge, potentially called the CDO (Chief Data Officer), who will be responsible for the data that is stored within the infrastructure.

His responsibilities will not be the physical hardware, but the capture, storage, access and disposition of the information itself.

posted in Uncategorized | 2 Comments

19th September 2007

WiFi, travel and security

While on vacation in Europe this week (hence my posts aren’t as regular), I’ve noticed the sheer number of WiFi routers that people use there. What is scarier is that most people have not secured their routers at all, risking all sorts of things. Even businesses seem to have installed these routers, which risks their information being available on the street, quite literally.

I’ve gotten used to having my archive available on my BlackBerry: it’s a simple link to the back-end archive where I can search the information that I might need. It really reduces the need for hauling a laptop around. For my organization it gives the assurance that the information is stored within the security perimeter without me having to sync an offline client on my laptop (especially when travelling this can be a hassle, as you might have to log into a VPN for this or only have a slower link available).

It was also interesting to hear from friends who are working at different financial institutes in Europe how security has increased on systems, but that it was restricted so much that it was in fact hurting their business productivity. It’s a fine balance indeed that has to be kept. I’ll pick up posting more when I return, as I have quite a few more interesting subjects to talk about, like perimeter classification, bad ways to store data, content protection and more.

posted in Uncategorized | 0 Comments

14th September 2007

What to use instead of Journaling?

I received some good comments and questions on my earlier article on why I think journaling is ‘past’ its prime, asking what I think the other options are. Journaling was added to Exchange and other mail platforms before some of the strict regulations came into effect after 2000. Because of this, journaling was never designed with these regulations in mind and lacks the capabilities for full record capture. So what vendors offer in most scenarios is what they call ‘archiving, stubbing, stripping or extending’ of the mailbox content, where a MAPI process basically crawls the mailboxes for additional message classes and stores this information in the archive.

Now, what is interesting is that this process is similar to what was used for brick-level backup in the past. That process has become obsolete because technology has moved on and offers a more efficient way to capture the information. Brick-level backup was very inefficient and took a long time to complete, next to the fact that it pulled massive amounts of information over the network and took a big hit on the Exchange servers. In short, it didn’t really work, and it is surprising that this same technology is now considered acceptable for archiving. Another problem is that this crawling of the mailboxes doesn’t guarantee that the data is captured ‘in time’: if the process is scheduled to run only once every 24 hours, there is a large chance you will miss manually created items in end users’ mailboxes if they deleted them again (in short, it doesn’t give you the same guarantees as journaling).

I’m of the opinion that messaging vendors should offer improved ways to capture the information from their systems and replace journaling. Microsoft has already announced that MAPI is being de-emphasized and has offered web services instead. The challenge is that web services do not yet offer the performance that MAPI gives (roughly 2GB per hour per MAPI session), so it is not a viable option. Another option would be adopting log shipping, which is already in use successfully with Mimosa Systems at several hundred customers. Log shipping, of course, has already been in use for many years in the database industry.


posted in compliance | 2 Comments

12th September 2007

Worst Data Breaches Ever?

The following article made me think about the potential risk companies could face when they leverage a hosted archiving solution. There are a few vendors out there that offer hosted archiving. I’ve always thought about what the downfall of a data breach on such a storage repository could be. After all, no IT system is invulnerable (remember that even the Pentagon got hacked fairly recently). Many organizations’ entire IP is stored outside of their security boundary.

posted in Uncategorized | 2 Comments

7th September 2007

White House: The dog ate my email

Of all the places where you would expect a proper archiving system to function properly, the White House: apparently more than 5 million messages were not captured and are lost forever due to a defective system. An as yet ‘unidentified’ contractor was responsible for auditing the system and failed to detect that it was not functioning properly.

http://blogs.abcnews.com/theblotter/2007/08/bush-e-mail-mys.html

The worst thing that can happen to an archiving system is data loss, and this seems to be the biggest case of this yet. It also makes you wonder which vendor’s product failed at such a high-profile customer.

posted in compliance, Lost Envelope Award, competition, eDiscovery | 0 Comments

5th September 2007

A boundary of the new FRCP amendments

With all the activity around the FRCP amendments that came into effect last December, this is an interesting case that defines a boundary of the FRCP:

http://www.ediscoverylaw.com/2007/06/articles/case-summaries/2006-ediscovery-amendments-do-not-require-forensic-computer-search-as-a-matter-of-course-court-orders-parties-to-meet-and-confer-on-certain-issues/

In short, it establishes that while readily accessible information should be produced, a full ‘forensic’ discovery of items that might have been deleted from hard disks is beyond the scope of what is a reasonable request. Interesting.

posted in eDiscovery | 0 Comments