There's a lot of buzz in the industry about storage management, especially as it pertains to compliance in Microsoft Exchange (and other) environments. Typically, compliance discussions lead down the road towards archival solutions, and we have archival vendors to thank for many of the publications related to e-mail and compliance available today. That said, let's take a step back and look at what I consider the four key areas that a company needs to address as it considers compliance and retention practices relating to Microsoft Exchange.
1. Online Exchange Storage - first of all, companies need to manage what's stored in their production Exchange Infrastructure. From a compliance perspective, this means understanding content in message bodies and attachments stored throughout (a) mailboxes, (b) public folders, and (c) web storage system across the entire environment. E-mail is the fastest growing consumer of storage in the typical enterprise today, and in many organizations the majority of corporate intellectual property is being stored within the Exchange databases. Some of the things you can do to manage your online Exchange storage are:
- Perform periodic audits (using manual or automated procedures) of the nature, quantity and volume of messages and attachments being stored on your Exchange servers.
- Set quota limits and enforce them to ensure per-user storage usage is kept in check.
- Send routine requests to end users to ask for mailbox cleanup and to remind them of corporate email policies.
Failure to manage the content in your stores can lead to possible breaches of corporate or regulatory policies, leaks of sensitive information and an overall increase in risk to a given company.
2. Exchange Archives - many companies have deployed or are deploying an archival solution for Exchange in an effort to comply with industry or corporate e-mail policies and to offload the storage strain on production Exchange servers. Archival can be as simple as implementing message journaling or envelope journaling within Microsoft Exchange, then periodically moving messages from a journaling mailbox to an offline archive. Alternatively, numerous sophisticated archival solutions for Exchange are available on the market. If your company is considering an archival solution, you’ll need to implement and manage your archives in a way that provides clear visibility across all message content and attachments in the archive. Assuming compliance is the driver, you’ll need to ensure that retention policies are established and implemented across the archive. Do you know which regulations apply to e-mail in your company? Do you have formal retention policies defined, and are these being enforced across your archive? Are you backing up your archive? Are you purging any content once the retention period has elapsed?
Failure to address industry regulations pertaining to your particular company through use of a well-controlled archive could result in costly legal proceedings and penalties, regulatory fines, public embarrassment and – if your company is publicly traded – even jail time for your corporate executives and directors.
3. Exchange Data in the File System - companies need to address data that's in offline locations, notably in (a) PST files, (b) OST files, (c) mobile devices (e.g., BlackBerry devices, phones) and (d) other locations. While companies would typically like to turn a blind eye to these data storage locations, ignoring them implies substantial risk. From a compliance perspective, you absolutely need to think of PSTs as part of your overall messaging system. Do you know where all your PSTs are? Do you know what percentage of your overall corporate e-mail data storage exists within PSTs? Do you know who is storing e-mail within PSTs on a regular basis? Do you have a way of controlling PST usage?
Once again, failure to address the content that could be lurking in the file system across your company means that any of the messages being stored in PSTs or elsewhere could come back to haunt you in legal proceedings, HR-related inquiries or otherwise.
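As an added example (not part of the original article), one way to start answering the PST questions above is to inventory a file share by file header rather than by extension, so that renamed PSTs are still counted. It assumes a share with one first-level folder per user; the header values are the PST/OST file-format fields dwMagic, wMagicClient and wVer, and the sample tree is constructed.

```python
import os, struct, tempfile
from collections import defaultdict

MAGIC = b"!BDN"                                   # dwMagic, shared by PST and OST
CLIENT = {b"SM": "PST", b"SO": "OST"}             # wMagicClient at offset 8
FORMAT = {14: "ANSI", 15: "ANSI", 23: "Unicode"}  # wVer at offset 10

def classify(path):
    """Return (kind, format) read from the header, or None if not a PST/OST."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    if len(head) < 12 or head[:4] != MAGIC:
        return None
    (ver,) = struct.unpack_from("<H", head, 10)
    return CLIENT.get(head[8:10], "unknown"), FORMAT.get(ver, f"ver {ver}")

def inventory(root):
    """Walk root; return (findings, bytes stored per first-level folder)."""
    findings, per_owner = [], defaultdict(int)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                info, size = classify(path), os.path.getsize(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep auditing
            if info:
                owner = os.path.relpath(path, root).split(os.sep)[0]
                findings.append((path, *info, size))
                per_owner[owner] += size
    return findings, dict(per_owner)

def demo():
    """Constructed sample share: headers only, no real mail data."""
    root = tempfile.mkdtemp()
    hdr = lambda client, ver: MAGIC + b"\0" * 4 + client + struct.pack("<H", ver)
    samples = {"alice/archive.pst": hdr(b"SM", 23) + b"\0" * 500,
               "alice/notes.bak": hdr(b"SM", 14),       # renamed PST
               "bob/outlook.ost": hdr(b"SO", 23),
               "bob/report.pst": b"not a mail store"}   # .pst name, wrong header
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return inventory(root)

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Dividing the per-folder totals by the size of the online Exchange stores gives the share of corporate e-mail that lives in PSTs.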
4. Backups - companies need to address and include backup media as part of their compliance solution. If companies must retain certain e-mail content, and if backups are their only means of retaining e-mails, then they need to ensure that they're not overwriting backup tapes as part of a regular tape rotation. That said, companies need to know that backups are no replacement for an archive solution. Since backups are typically only made at regular intervals, they don’t contain all messages sent and received in a given Exchange environment. For example, if I send a message to firstname.lastname@example.org at 10 a.m. and then delete the message completely from my Sent Items, Deleted Items and Dumpster, then this message will not make it into a backup anywhere. Companies also need to think through retention policies as they apply to backup rotations, and ensure content that has exceeded retention time periods is properly destroyed. In addition, companies need to ensure that they are cycling tapes offsite in order to ensure business continuity and that they can recover compliance-related data if required in the event of a major disaster. Next, companies need to ensure they can actually access data on their backup media, meaning that regular 'fire drills' to test restorability of backups are essential to avoid recovery failures.
Finally, companies need an agile and fast solution for searching for e-mail or attachment content across multiple backup media so that they are ready to respond to compliance-related investigations and can do so without substantial effort and cost.
In summary, companies that take a comprehensive approach to storage management in their Exchange environment will rest assured that they have the breadth of visibility into e-mails and attachments stored across their infrastructure to enforce appropriate retention and destruction policies and to respond to inquiries as they arise.