Automation is key to e-mail compliance

Companies may stand or fall based on their policies to manage e-mails and the problems they can bring with them. Success starts with the right software tools


Companies may stand or fall based on their policies to manage e-mails and the problems they can bring with them. Success starts with the right software tools

Organisations are drowning in a torrent of e-mails, which brings with it spam, viruses and other security threats. At the same time, many organisations are being asked to retrieve archived e-mails on an almost daily basis, to comply with litigation issues or regulatory requirements. Yet, surprisingly few organisations have even the most basic form of e-mail management in place to cope with these demands.

It cannot be presumed that employees realise the implications of deleting e-mails, or even which e-mails need to be retained, and this task must not be left in their hands.

"The alternative to e-mail management tools is to leave it to individuals to decide, which is of questionable value," said Chris Harris-Jones, principal analyst at Ovum. "Some people will think that all e-mails they receive are important, while others will delete everything."

He recommended that organisations operate a written e-mail policy stating which e-mails should be kept and for how long. However, he warned that managing e-mails manually was fraught with difficulties.

E-mail management tools are becoming vital in protecting organisations against the threats posed by the misuse and mismanagement of e-mails.

Such products not only ease the pressure on e-mail servers and storage media, they can provide valuable information on the content of the e-mails being sent out of the organisation, and flag it up to an administrator if it breaches company policy.

"When choosing an e-mail management tool, the first thing it should have is a mechanism for capturing e-mails. Then it needs a mechanism for analysing the value or context of an e-mail - with 50% of all e-mails being spam, it is unlikely that organisations will want to keep them all," said Harris-Jones.

There is a multitude of e-mail management products, from standalone offerings that provide any aspect of security, archiving, auditing, searching, storage, policy management or lifecycle management, to those that offer several of these functions in a variety of combinations.

One way to distinguish them is by supplier background. Harris-Jones split them into suppliers with a background in archiving, such as EMC and AXS-One, and those coming from a content management perspective, such as IBM, Hummingbird, OpenText, Interwoven and FileNet. However, he acknowledged that this distinction is disappearing as products and company mergers  blur the lines.

Organisations that already use content management software probably have the easiest option when choosing a product. "If a client asks us about e-mail management, we first find out if they do content management already, as they can then just buy a software module, which is usually a lot cheaper and easier to maintain, as it is a single piece of software," said Harris-Jones.

For those who do not have existing software, product choice will depend on why and how often an organisation needs to access e-mail archives.

"When choosing an archiving or management product, organisations need to understand how much access to the archive they need. For example, maybe it is only for compliance reasons rather than wanting to search and access a large volume of e-mails on a daily basis," said Harris-Jones.

Sue Clarke, senior research analyst at Butler Group, separated e-mail management products into three categories: security, policy management and lifecycle management, which includes archiving.

Security is key, she said, and should be the first point of reference. "Security products, such as anti-virus and spam filtering tools, are an absolute necessity for any organisation that uses e-mail."

Many security products, from suppliers such as Symantec (which merged with Veritas in July), Computer Associates, IronPort, Clearswift and CipherTrust, also offer limited policy management capabilities, which may be sufficient for the needs of many users. They can ensure that information leaving the organisation is compliant or is not contentious, and that unsavoury information does not enter the organisation.

"For many organisations, security products with limited policy management would be sufficient, but not if you are a financial institution in the US, for example, which needs to review a certain percentage of all e-mails on a daily basis for compliance reasons," said Clarke.

For larger institutions that may be subject to industry regulations, and therefore likely to have a requirement to regularly check random samples of e-mails, a full-blown policy management system is more suitable.

Policy management systems, such as those from Aungate, AXS-One, Orchestria, StorageTek and Veritas, meet the requirements of regulations by providing sampling capabilities in addition to blocking or amending non-compliant material.

They can be set on an ad hoc basis to search e-mails entering and leaving the firewall by keyword, date and so on. Many also have the ability to set retention periods, automatically deleting e-mails once the specified period has elapsed.

E-mail lifecycle management includes e-mail archiving products and records management systems that support the archiving of e-mails, enabling organisations to find e-mails in response to litigation or requests from regulators.

Clarke identified the three main products in the e-mail lifecycle management category as Enterprise Vault (Symantec/Veritas), Emailxtender (EMC), and the Livelink set of products (OpenText/Ixos).

Although no single supplier can provide the full range of functionalities, Clarke believes the spate of mergers and acquisitions in the sector - notably the merger between Symantec and Veritas - brings that possibility one step closer.

"With the Symantec and Veritas merger we are beginning to see the first steps towards a single supplier - the company now offers the security capabilities of Symantec combined with the e-mail archiving capabilities of Veritas' Enterprise Vault product. If Symantec can integrate Enterprise Vault into the fold quickly, it will have a competitive advantage," she said.

Similarly, the combination of records management expertise from OpenText has been strengthened by its acquisition of e-mail archiving supplier Ixos - all products are now sold under OpenText's Livelink brand.

Clarke also pointed to EMC as a strong contender, which in addition to Emailxtender offers Centura, an online storage architecture, and the broader information management capabilities of Documentum.

"E-mailxtender has an advantage over Enterprise Vault in that it offers some records management capability. Enterprise Vault is essentially missing this and has to be integrated with Hummingbird to get this capability, which means two products," she said.

Clarke said suppliers' corporate e-mail systems do not yet offer the e-mail management functionality required by large organisations to support full e-mail lifecycle management. But she said work by some to integrate more e-mail management capabilities into their content management systems could provide a single system in the future.

Businesses need to consider how e-mail is being used throughout the organisation. "Unfortunately, many companies have the blinkers on when it comes to the leakage of sensitive corporate information via e-mail," warned Michale Decker, managing director at Cryoserver, which sells a tool for auditing e-mails.

"For example, as organisations provide e-mail access to mobile workers, any e-mail can be downloaded and printed without any controls."

With such an array of possibilities and different combinations when choosing a product, it is best to simply write down a list of requirements and match them to the functionality of each product.

Clarke advised users to think about what they need to do to not only protect their e-mail systems from a risk perspective, but also to know the value of their e-mails from a strategic viewpoint.

"Properly implemented products will provide everything you need, but the key is to choose the appropriate product for your requirements," she said.

Case study: Uttlesford District Council

Uttlesford District Council required a back-up and retrieval system to meet legislative demands regarding information management and to more cost-effectively and efficiently manage data.

Data growth was outstripping capacity and the council needed to comply with government guidelines to make information available online. In addition, it needed a way to archive and access e-mails on a regular basis in order to comply with the Freedom of Information Act.

"We had two Microsoft Exchange 5.5 servers and we wanted to migrate everything on to Exchange 2003. This was tricky in itself, but on top of that we needed some way to search our e-mail archive," said Aaron Wood, senior support officer at the council.

Wood chose EMC's Emailxtender. "The suppliers all seemed to have similar products that did similar things, but we had experience of working with EMC for back-up, so we were aware that this product would fit with our legacy systems. We could not see any reason not to go with Emailxtender, the pricing was very competitive."

Wood said the set-up had helped the council to respond to every request for information. "We have been able to search our e-mail archive easily, which previously would have taken us days to do manually. We can also set different retention periods for different departments, and it has helped us to solve internal disputes."

Big names in e-mail management

Enterprise Vault from Symantec/Veritas
The merger between Symantec and  Veritas has provided the closest thing to an all-in-one e-mail management product. Veritas' Enterprise Vault (which it gained from its 2004 acquisition of KVS) is designed as a framework to address two major objectives: the safe and secure storage of information and accessibility to it. It allows administrators to set policies that automatically migrate e-mails from different types of storage to reflect the stage of the e-mail's life and its value at each stage.

Emailxtender from EMC
EMC's Emailxtender products provide archiving and supervision of e-mail and instant messages. The range consists of: Emailxtender Archive Edition, which migrates e-mail messages and attachments into a centralised message archive; Emailxtender, which in addition to the Archive Edition, provides regulatory compliance and adherence to corporate retention policies; and, Emailxaminer, which supervises e-mail content.

Livelink from OpenText
OpenText has added e-mail archiving capabilities to its Livelink family of enterprise content management products with its acquisition of e-mail archiving specialist Ixos. E-mail management-focused tools include: Livelink for E-Mail Archiving Livelink for E-mail Management and Livelink for E-mail Monitoring. E-mails entering the organisation are scanned and archived into a central repository according to predefined criteria. For example, all e-mails that area either over a certain size, or according to subject, recipient, or date criteria could be archived.

Read more on Antivirus, firewall and IDS products