I recently spoke with a friend who works for a US healthcare company about e-mail archiving. Government regulations require healthcare companies to save all e-mail messages to and from their employees. Similar laws are in effect that apply to the financial services industry.
E-mail archiving is a standard feature in many commercial e-mail server systems, including Lotus Notes and Microsoft Exchange. How these systems actually implement message archives isn't as important as the fact that this feature is available "out of the box," so to speak. If your company uses Microsoft Exchange Server and it needs to archive e-mail, it's a simple process to enable the feature.
Both the technical and security issues, even on a small scale, surrounding e-mail archiving intrigue me. Archival storage of e-mail messages poses some interesting challenges for companies, and the challenges grow larger based on the number of e-mail accounts used by the company.
Of course, there's the obvious issue of determining what to archive. Do you archive all e-mail traffic? What about junk e-mail and non-business-related interoffice e-mail? Consider the tremendous storage requirements for large companies even when excluding these categories. And don't discount the security implications of having a large, detailed e-mail archive for an entire organisation in the first place.
Outsourced e-mail archival may be the answer for many organisations. Technically, it would involve redirecting SMTP traffic to another company, which would then keep a copy of the e-mail and forward it to the final destination server.
Such an approach has several benefits, not least that it's simple to implement and provides off-site archival. Several providers offer e-mail archival services in this manner.
For small to midsize organisations, outsourced e-mail archival is a cost-effective solution. But again, the organisations must address the security concerns of the e-mail archive itself, both within the organisation that uses the archive and at the outsourced company that provides it.
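The redirect-and-forward relay described above, as an added example that is not code from the article or from any archival provider: a hypothetical Python store-and-forward archiver that writes a durable copy of each message and a hash-chained index entry before it forwards the message on, plus a verifier that reports an altered or missing archived message. The sample messages, directory layout, `ArchivingRelay` class and the `forward` callback are all assumptions constructed for this example.

```python
"""Store-and-forward e-mail archiving relay with a tamper-evident index.

Hypothetical example code (not the article's or any vendor's). The relay
archives each message BEFORE handing it to the forwarder, so a delivery
failure can never leave a gap in the record, and an append-only hash chain
over the index makes silent edits or deletions detectable on audit.
"""
import hashlib
import json
import tempfile
from email import message_from_bytes, policy
from pathlib import Path
from typing import Callable, List

# Constructed sample traffic (envelope sender, envelope recipients, raw RFC 5322 bytes).
SAMPLE_MESSAGES = [
    ("alice@example.com", ["bob@example.com"],
     b"From: alice@example.com\r\nTo: bob@example.com\r\n"
     b"Subject: Q3 claims report\r\nMessage-ID: <1001@example.com>\r\n"
     b"\r\nAttached is the report.\r\n"),
    ("carol@example.com", ["bob@example.com", "dave@example.com"],
     b"From: carol@example.com\r\nTo: bob@example.com, dave@example.com\r\n"
     b"Subject: Lunch?\r\nMessage-ID: <1002@example.com>\r\n"
     b"\r\nNoon at the usual place?\r\n"),
]

GENESIS = "0" * 64  # chain anchor for the first index entry


def chain_hash(prev_chain: str, digest: str) -> str:
    """Link an entry to its predecessor: H(previous chain value || content hash)."""
    return hashlib.sha256((prev_chain + digest).encode("ascii")).hexdigest()


class ArchivingRelay:
    """Receives a message from the sending MTA, archives it, then forwards it."""

    def __init__(self, archive_dir: Path, forward: Callable[[str, List[str], bytes], None]):
        self.archive_dir = Path(archive_dir)
        self.archive_dir.mkdir(parents=True, exist_ok=True)
        self.forward = forward  # hypothetical transport to the real destination MTA
        self.index_path = self.archive_dir / "index.jsonl"
        self.prev_chain = GENESIS

    def handle(self, sender: str, recipients: List[str], raw: bytes) -> dict:
        msg = message_from_bytes(raw, policy=policy.default)
        digest = hashlib.sha256(raw).hexdigest()
        record = {
            "sha256": digest,
            "chain": chain_hash(self.prev_chain, digest),
            "envelope_from": sender,
            "envelope_to": list(recipients),
            "message_id": str(msg.get("Message-ID", "")),
            "subject": str(msg.get("Subject", "")),
        }
        # Step 1: durable copy and index entry first (content-addressed file name).
        (self.archive_dir / f"{digest}.eml").write_bytes(raw)
        with self.index_path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        self.prev_chain = record["chain"]
        # Step 2: only now pass the message on to its final destination.
        self.forward(sender, recipients, raw)
        return record


def verify_archive(archive_dir: Path) -> bool:
    """Recompute every content hash and the chain; False on any mismatch or missing file."""
    archive_dir = Path(archive_dir)
    index_path = archive_dir / "index.jsonl"
    if not index_path.exists():
        return True  # nothing archived yet, nothing to contradict
    prev = GENESIS
    for line in index_path.read_text(encoding="utf-8").splitlines():
        rec = json.loads(line)
        stored = archive_dir / f"{rec['sha256']}.eml"
        if not stored.exists():
            return False
        if hashlib.sha256(stored.read_bytes()).hexdigest() != rec["sha256"]:
            return False
        if chain_hash(prev, rec["sha256"]) != rec["chain"]:
            return False
        prev = rec["chain"]
    return True


def run_demo() -> dict:
    """Archive the sample messages, verify, alter one stored copy in place, verify again."""
    delivered = []
    with tempfile.TemporaryDirectory() as tmp:
        relay = ArchivingRelay(Path(tmp), lambda s, r, raw: delivered.append((s, tuple(r))))
        records = [relay.handle(s, r, raw) for s, r, raw in SAMPLE_MESSAGES]
        verified_clean = verify_archive(tmp)
        # Simulate an in-place edit of an archived message (what an audit must catch).
        target = Path(tmp) / f"{records[1]['sha256']}.eml"
        target.write_bytes(target.read_bytes().replace(b"usual", b"other"))
        verified_after_tamper = verify_archive(tmp)
    return {
        "archived": len(records),
        "delivered": len(delivered),
        "subjects": [r["subject"] for r in records],
        "verified_clean": verified_clean,
        "verified_after_tamper": verified_after_tamper,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Archiving before forwarding is the design choice worth copying: if the onward delivery fails, the copy already exists and delivery can be retried, whereas forward-then-archive lets a crash between the two steps silently drop a message from the record. The hash chain does not stop an insider with write access from editing the archive, but it turns such an edit into something a routine verification run will surface.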
Another important issue is whether an organisation even knows it's supposed to be archiving e-mail. For example, consider city governments, many of which are already under the dark cloud of poor Internet security in addition to outright bankruptcy.
There's a tremendous need for education of these organisations, especially in government, regarding their legal requirements to archive e-mail. Even small medical practices should be archiving e-mail messages, but few are aware of this requirement, and even fewer have their own e-mail servers.
In my opinion, it's also important for organisations that implement e-mail archiving to make employees aware that the practice exists. The content of non-business-related e-mail often changes quickly once people know the organisation is archiving their e-mail.
Archiving e-mail is a tricky undertaking. There's obviously a need for it, particularly to comply with legal requirements. But how companies can implement it effectively and securely is a complex matter. Companies that are required to implement e-mail archiving often discover, as the healthcare company my friend works for did, that e-mail archival poses its own cost and security problems.
For these reasons, e-mail outsourcing, specifically for the purposes of archiving, could become the next leading Internet subindustry. Until e-mail archival becomes a more mainstream Internet security topic, we're sure to see continued confusion about it.
This article was originally published in TechRepublic's Internet Security Focus e-newsletter.
©2004 TechRepublic, Inc.
You're right; most organisations are STILL ignorant of their obligations in retaining and making searchable their records - which these days means electronic traffic such as email and IM. There are only a couple of solutions (IXOS, Cryoserver) that I've seen that can capture and store both of these natively (all the others depend on third-party applications or use email as the transit for IM, which is not compliant), and more and more of these are appearing on the market.
The real problem is where the compliance trail ends - do companies have to spend so much that in the end they're having to relocate to low-regulatory territories?