Email Avalanche

By Tim Smith

It’s up to professionals within the document and records management areas to ensure that they are aware of retention, privacy, discovery, archiving and fair use policies. So why does email make this difficult? IDM attempts to dig a path through.

One very clear way not to deal with email is to take the route laid down by English business tycoon John Caudwell, who decided to ban inter-office and customer-focussed email at his Phones4U company in September 2003. Caudwell claimed that this would save his company three person-hours per day.

Back to face-to-face and phone calling was John’s cost-saving route – which looks idyllic if your clients also want to travel that road. Most do not. You will also find staff members moving on to places where they can email each other – and of course their mates, relatives and potential mates. So, everybody is now faced with a situation in which email is inescapable – and the ATO, the lawyers, Customs and Excise, anybody involved in the various Free Trade Agreements (FTAs) and, of course, the competition want to know how it is implemented.

According to Tower Software: “A US study by AIIM International and Kahn Consulting of 1,000 respondents from FBI, manufacturing and government sectors showed widespread use of email even for highly confidential exchanges: 93% of those surveyed used email to answer customer enquiries. 71% used email to exchange confidential contracts and 84% for operational/product strategies.”

The Australian National University supports a more staggering figure: “…every day there are about 31 billion emails flying around the ether”. Frankly, statistics on the number of emails sent and received globally now involve such spectacularly vast numbers that any workflow, document, records or storage management system that expects to be taken seriously must include some email-specific elements. Statistics on the number of emails that are actually useful, or contain any valid information, single out spam as the biggest waste-of-time-and-space culprit. MessageLabs estimates that 1-in-3 emails are spam. Other sources are even more doom-laden: IDC, for example, states: “The volume of spam sent worldwide every day will jump from 7 billion in 2002 to 17 billion in 2004”. With that kind of exponential rate of increase, by the end of this year we may see 1-in-2 emails as totally useless.

These statistics, of course, only refer to useless, or in some cases pointless, emails that come in from the outside. Now add in the following stats from the US-based Sarbanes-Oxley Journal: “While a majority of employees (73%) who use email at work are aware of corporate email policies, less than half (46%) say they always adhere to the policy. This statistic suggests a lack of understanding among employees of the importance of an email policy.” These figures are derived from a 2005 Harris survey (carried out on behalf of Fortiva Inc) that included 1,2024 adults who were in employment. If the first two figures aren’t enough to terrify even the most sanguine of compliance officers, IT administrators and CEOs, the survey also found that 61% of employees used work email for personal reasons, 48% said that they had either sent or received emails of a less than savoury nature, and a massive 22% said they have sent or received a password or log-in information via email.

Another 2005 survey – this time commissioned by secure messaging experts Mirapoint and carried out by consulting and market research firm Radicati Group – claims that 6% of respondents admitted to using email to send confidential company information to third parties who should not normally have had such access. The figures rise in fear-factor as they rise in number, with 25% of those questioned freely admitting to forwarding confidential information to their personal accounts, and a staggering 62% owning up to sending organisational secrets from their personal accounts.

In short, it is quite possible to control your particular email avalanche, but you have to be in a position to organise that control in all of the key areas:
• Storage and Storage Management Requirements
• Security Requirements
• Governance Policies and Procedures
• End User Training

Stopping The Source

So, we are confronted with potentially millions of bytes of email, many of which are business-critical and require long-term storage and archiving, but many of which require terminating before they come anywhere near your storage. Stopping errant email (spam, personal email with massive – and massively irrelevant – attachments, and virus infections) before it hits your servers provides two-fold benefits, both of which can be costed:

a) Savings on bandwidth: unless you have a completely unlimited connection to the Internet, sooner or later you will be charged for busting your bandwidth limit. The number one cause of being slammed with per-megabyte download (and upload in some cases) charges is the email avalanche.

b) Savings on storage: email does have to be saved. Whether you are still using an outdated system that relies on individual staff members storing all their emails in Microsoft’s .pst file format, or you are using substantial systems such as Interwoven’s WorkSite Communication Server or Symantec (Veritas) Enterprise Vault, stopping the chaff from ever reaching the servers will benefit you.

One method to achieve this is letting somebody else do all the work (see our feature on Data Centres on page 20). Another solution, new to Australia, is the MessageLabs hybrid. Effectively, MessageLabs’ ‘Protect’, ‘Control’ and ‘Secure’ offerings provide a set of filters running in specialised centres in a variety of global locations. These stand between your email servers and the outside world. Scanning for email anomalies such as viruses and spam is achieved by rerouting your SMTP (Simple Mail Transfer Protocol) traffic to its servers. This means that email messages sent to you (which, for the vast majority, means SMTP) are stopped first at one of the MessageLabs centres. They are then scanned using a variety of heuristics and also using policies which you have put in place. “Clean” emails are then allowed out to your systems.

You are able to interact with the system using standard email clients and servers, and the MessageLabs services will also maintain quarantines of emails that they have blocked as problematic, in the event that you wish to review them.

This solution has already been tried and tested by four million users worldwide and can certainly – combined with the HTTP control and the introduction of Instant Messaging control – be seen as a happy medium.
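The gateway model described above (messages stopped in front of the mail server, scanned against heuristics and your own policies, with clean mail passed on and blocked mail held for review) can be sketched in a few dozen lines. The following Python is an added example, not code from the article or from MessageLabs: the blocked extensions, size limit, phrase list, addresses and sample messages are all constructed assumptions, and a real gateway would of course add signature and reputation checks on top of these rules.

```python
"""Policy-based inbound mail filter with a quarantine (constructed example).

Every threshold, phrase list and sample message here is an assumption made
for the example; it does not reproduce any vendor's rule set.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat"}      # assumption
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024                     # assumption: 5 MB
SPAM_PHRASES = ("act now", "free money", "click here")     # assumption


@dataclass
class Verdict:
    deliver: bool
    reasons: list = field(default_factory=list)


def _attachments(msg: Message):
    """Yield (filename, part) for every MIME part that carries a filename."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name, part


def _plain_text(msg: Message) -> str:
    """Concatenate the text/plain bodies, ignoring attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw: str) -> Verdict:
    """Apply the policy rules to one raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    # Rule 1: executable attachment types are never delivered; oversized ones are held
    for name, part in _attachments(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        if len(part.get_payload(decode=True) or b"") > MAX_ATTACHMENT_BYTES:
            reasons.append(f"oversized attachment: {name}")
    # Rule 2: a crude content heuristic; two or more phrases trips it
    subject = (msg.get("Subject") or "").lower()
    text = subject + "\n" + _plain_text(msg).lower()
    hits = [p for p in SPAM_PHRASES if p in text]
    if len(hits) >= 2:
        reasons.append("spam heuristic: " + ", ".join(hits))
    # Rule 3: an empty subject line defeats downstream records management
    if not subject.strip():
        reasons.append("empty subject line")
    return Verdict(deliver=not reasons, reasons=reasons)


class Gateway:
    """Delivers clean mail and keeps blocked mail (with reasons) for review."""

    def __init__(self):
        self.delivered = []
        self.quarantine = []

    def process(self, raw: str) -> Verdict:
        verdict = check_message(raw)
        (self.delivered if verdict.deliver else self.quarantine).append((raw, verdict.reasons))
        return verdict


def build_sample(subject, body, attachment=None) -> str:
    """Construct a sample message; the addresses are placeholders."""
    msg = MIMEMultipart()
    msg["From"] = "sender@external.example"
    msg["To"] = "staff@corp.example"
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    if attachment:
        name, data = attachment
        part = MIMEApplication(data, Name=name)
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    gw = Gateway()
    for sample in (
        build_sample("Tender documents, stage 2", "Agenda attached.", ("agenda.pdf", b"%PDF-1.4 ...")),
        build_sample("Invoice", "See attached.", ("invoice.exe", b"MZ\x90\x00")),
        build_sample("Free money - act now", "Click here to claim."),
        build_sample("", "Are you coming to the pub?"),
    ):
        v = gw.process(sample)
        print("DELIVER" if v.deliver else "QUARANTINE", v.reasons)
```

The quarantine keeps the full raw message alongside the reasons, which is what makes a later review (or a false-positive release) possible without re-fetching anything from the sender.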

Pst… A Secret

If the idea of switching your mail routing to a third party either does not appeal, or your organisation has specific policy concerns regarding forms of outsourcing which mandate internal servers and protected bandwidth, then you are going to have to look at other solutions. Depending on the size of your concern, this can range from simple anti-viral and anti-spam protection provided by your Internet Service Provider (ISP) and then supported at the desktop by off-the-shelf solutions such as those available from McAfee, Kaspersky Lab or Grisoft’s AVG, up to larger solutions.

Symantec is obviously missing from this list – not because it does not already produce world-standard anti-virus and anti-spam products – but because its Veritas Enterprise Storage Vault (ESV) solution stands out as a possible solution to some of the storage issues that will arise. ESV offers what the company calls a “Centralised Archiving Framework”. The product is largely storage-agnostic (enabling storage via standard disk, SAN and/or NAS) and is also capable of dealing with Content Addressable Storage (CAS) as exemplified by EMC’s Centera platform.

ESV works with the two dominant email server systems in our region, Microsoft’s Exchange Server and IBM’s Lotus Domino/Notes. Central to the system, bearing in mind the still widespread practice of storing emails locally on the hard disk in the Small or Medium sized Business (SMB) area, is what Symantec calls “pst eradication”. The pst file resides on the user’s local hard disk and holds all data relating to Microsoft Outlook for each individual, from journal records to the contact lists built up painstakingly over long periods. The latest versions of Outlook (from 2003) are theoretically capable of scaling up to 32Tb. Using Outlook’s archiving policies and filtration rules should – in an ideal world – ensure the smooth running and sleek look of a pst file.

Theoretical ideal worlds are always, however, brought crashing down by reality. If a staff member were to ensure that each email rule or filter was up-to-the-minute, the chances are that they would be spending more time on rule creation than on actual work. In short, pst files are great for home use but should indeed be eradicated from professional use. This is not only due to considerations of storage space.

Archive and Destroy

Archiving correctly is another major headache, especially when dealing with large-scale projects – projects which, in some cases, may require years to move from initial tender through implementation and completion (and in some cases ongoing litigation) and involve squads of people.

The pst file – in fact any locally-stored receptacle – becomes a liability in such cases. Stakeholders move roles, even move organisations, or just retire to their own home-based email nightmares; workgroups merge, demerge or disappear. Attempting to make each individual email archive, some meticulously maintained, others haphazardly thrown together, searchable is an impossible task. And this impossibility can lead to severe and damaging consequences in the courts.

The simple answer is to ensure that your email server maintains its own archive of everything that has been sent and received via it. Yet without organisation, disciplined backup and then archive regimens and an IT department prepared to do the search and retrieval for you, concentrating on the servers alone is not good enough.

NetApp offers a wide range of high-level email tools that incorporate the whole gamut from hardware storage, through software management tools, right up to support, planning and implementation services. It is also now dealing in end-to-end security offerings via its ‘Uncompromised Security Initiative’.

As you’d expect by now, NetApp’s offerings sit with both Exchange and Lotus Domino/Notes, but rather than adding another software layer to the existing hardware, NetApp uses an IP or FC SAN to provide storage expansion from your hardware. The storage network then links directly to its NearStore storage server, which can be rigged to provide policy-driven backup and archiving.

Poor Training

So, now you can see the avalanche not only coming down the hill from errant external forces, but also being shoved up it by your own staff members. Finally, and this should be borne in mind as part of any purchasing decision: one of the key reasons for this deluge of data is poor training in the use of email itself. Speaking to Chris Lynch, Interwoven’s ANZ Managing Director, with regard to the problems inherent in managing the staggering growth of email, he makes a strong point about managing the issue before it arises: “As I said a number of years ago, and I stick to this point, good email management is an organisational and cultural issue before anything else.” There is no point in having strong policies and procedures in place if the originator of the document – the person writing, storing or replying to the email itself – does not know how to implement them.

For larger (in size or ambition) organisations, rather than hours of training seminars that will cost the earth and result in nothing more than (a) arguments about style or (b) yawns and ‘resting of eyes’, Tower Software’s Trim Context 6 solution could provide the kind of enforced and centralised policy-based emailing that will pay off in the long run.

Using what it calls, succinctly, ‘Communications Management’ tools, Tower’s plan is to force users – via a familiar Windows-like interface – to make use of the meta-tags and metadata inherent in any communication: who it is from, who it is going to and what it is about. It also uses a unique ID for each email (separate from the ID that will be stamped by a standard email transport server). Finally, TRIM Context – much like Interwoven’s excellent Worksite system – also indexes many-as-one (e.g. the same email sent to several people is referenced and stored once).

IT Can Be Solved

So, while email may appear to be smothering all of your resources – bandwidth, time, manpower, storage, security and compliance – there are solutions emerging on an almost weekly basis from major players. They have realised that email management should be a fast, smooth downhill ride to the bar and not a terror-trip as you run from being engulfed. Maintaining good, rigorous policy from the very start, supported by systems that are widely understood and trusted, will ensure that the money you are going to have to spend on controlling the avalanche conditions will be well spent – not buried. Or you could take the Caudwell approach and pretend it’s not even snowing.

The Law As It Stands

Former privacy commissioner Malcolm Crompton stated in 2004: “Developments in technology may well be the most significant of all the environmental factors impacting on effective regulation of the data protection of personal information.” Where do the personal and the organisational diverge?

According to the Office of the Privacy Commissioner: “There is no general constitutional or common law right to privacy in Australia. However, in December 2000 the Federal Government introduced “light touch” privacy legislation to cover the private sector. This is based on the National Privacy Principles for the Fair Handling of Personal Information. This legislation applies to staff emails that contain personal information other than “employee records” in certain circumstances...The private sector provisions of the Privacy Act apply to organisations (including not-for-profits) with an annual turnover of more than $3million. The provisions also apply to all health service providers regardless of turnover and some small businesses with an annual turnover of $3 million or less.

“The Privacy Act 1988 (Cth) allows organisations and industries to have and to enforce their own privacy codes that continue to uphold the privacy rights of individuals while allowing some flexibility of application for organisations.”

Former Federal Privacy Commissioner Malcolm Crompton pointed out in 2004 in Lawyers Weekly: “Enforcement of the new private sector privacy provisions comes basically via a complaint-based system with a power to conciliate or make a determination to resolve the complaint (including compensation but no power to impose fines) that can be enforced by taking the case to court if necessary. Although there may be good reasons for a less prescriptive approach, this kind of legislative regime leaves regulators with substantial uncertainty and ambiguity as they go about implementing and enforcing the law, especially in the early phases. In the case of privacy, where the right to privacy is neither unlimited nor absolute, this ambiguity is further increased.”

In short, there is a line – albeit a nondescript line – between the concept of ‘corporate’ and ‘personal’ when it comes to email. Therefore, even if you are aware of your own organisation’s policies (or those of one that you are going to communicate with), you also need to be aware of the following in terms of compliance:
• The Privacy Act 1988
• Privacy Amendment (Private Sector) Act 2000
• National Privacy Principles (Extracted from the Privacy Amendment (Private Sector) Act 2000)
• Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No. 2) 2004
• The Telecommunications Act 1997
• State Records Acts (each State has its own)
• Information Privacy Principles in the Privacy Act (Commonwealth and ACT Government Agencies only)

The Things You Must Know to Educate Your End Users

Good email management begins not with the server or the storage. It begins with the policies, procedures and guidelines outlined by the parent organisation. Considering email in the same way as any other correspondence is a good start. Here are 10 crucial policy basics – these are from working experience and should be viewed along with the policy guidelines outlined below and detailed online at the federal government’s privacy site.

Slow to start in most other areas relating to compliance in the digital age, the Australian government has come up with useful starting points on privacy law as it relates to organisational ICT policy – including email. The full text can be found at www.privacy.gov.au/internet/email/index_print.html.

1. The policy should be promulgated to staff and management should ensure that it is known and understood by staff.
2. The policy should be explicit as to what activities are permitted and forbidden.
3. The policy should clearly set out what information is logged and who in the organisation has rights to access the logs and content of staff e-mail and browsing activities.
4. The policy should refer to the organisation’s computer security policy. Improper use of e-mail may pose a threat to system security, the privacy of staff and others and the legal liability of the organisation.
5. The policy should outline, in plain English, how the organisation intends to monitor or audit staff compliance with its rules relating to acceptable usage of email and web browsing.
6. The policy should be reviewed on a regular basis in order to keep up with the accelerating development of the Internet and Information Technology. The policy should be re-issued whenever significant change is made. This would help to reinforce the message to staff.
• Emails take up physical space. Because emails are digital most users consider them to have no physical mass; your storage and mail transport servers, on the other hand, know that they do.
• Attachments take up physical space – use file shares for internal documents with embedded links. Alert stakeholders to its location on a central server via a link in an email.
• Personal email accounts are for personal email. Discouraging this form of document leaking will pay dividends in the records management process later.
• Hotmail, Gmail and other forms of personal web mail accounts are not valid “fallback solutions” in the event that the email server goes down. The common assumption is that email is email is email, no matter where it comes from. The organisation should have valid fail-over redundancies in place for email services if these email services are considered to be core to the way the organisation operates.
• Personal web mail accounts are not valid email clients within an organisation. To make your organisation less ogreish, however, a system of “Internet Booths” may be an alternative.
• The subject line is as crucial in the management of an email as it is in any other written communication. No subject lines, old subject lines for a new subject, or jokey (spam-like) subjects will lead to the breakdown of even the sturdiest EDM suite.
• Organisational emails belong to the organisation. Users should be made aware that all emails sent or received via the organisation’s system will be stored and then archived and will be subject to retrieval. A ‘private email’ is an email that originates from the person about whom the information relates and contains information which is deemed to fall under the Privacy Act and its amendments (Tax File Number, Medicare details and address details for example). A private email does not mean an email from one individual to another regarding what time they are going to be in the pub – that’s a personal email.

When setting up a policy for email (whether internal or external) the two key points from the National Privacy Principles (Extracted from the Privacy Amendment (Private Sector) Act 2000) should be borne in mind:

1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

Sub-clause 1.3 introduces seven caveats to the how, where and why of data collection.

• Emails do not sort themselves. Despite the many excellent systems available on the market – from email clients’ built-in rules engines via Nelson Email Organiser up to EMC’s EmailXtender and Interwoven’s Worksite Communications Server – any automated system is reliant on rule sets and policies. If the end-users are dragging emails into their own particular foldering system (also known as the “this is how I did it at my last job” rule-set) some important data will fall between the cracks.
• Email retrieval can be trusted to the organisation. Inform your end users of the methodology underlying your email system. If they are not aware that there is a facility in place to search and retrieve important information using tools such as FileNet’s Email Manager or Tower’s Trim Context, then it will go unused.
• Emails are documents of record. A corporate culture must be constantly reinforced so that staff understand that, just because emails are quick, easy and apparently spell-check themselves, they are no less important than any other piece of written documentation that can and will be used for or against an organisation.

Beyond Email

Whether we like it or not, Instant Messaging (IM) is part of the business environment. From ICQ via MSN and Yahoo Messenger, the proliferation of IM tools is going to provide headaches in terms of storage and compliance in the years ahead.

Here are a few key areas to ponder:
• What is your policy on IM document retention and retrieval?
• What are your organisation’s policies and/or procedures on the use of IM clients?
• If people in your organisation are using IM tools, who are they and where are they storing their message histories?
• Which IM clients are being used in your organisation?

MessageLabs Asia Pacific VP, James Scollay, has just returned from five years in London, and he brings with him a message. That message is that if you do not take the issue of IM seriously you will run into problems in key business areas: storage and storage management, corporate governance and security compliance. To this extent, MessageLabs is incorporating OmniPod’s IM management offering into its suite.

As we reported on www.idm.net.au on January 5th 2006, Symantec supports this message with the US$209-million purchase of IMLogic and its IM Manager software. MessageLabs pre-empted this purchase with its own buyout of OmniPod Inc. Both acquisitions represent more than future-watching or portfolio padding. Omnipod’s Professional Online Desktop (POD) is an enterprise-level tool that integrates what is termed ‘persistent chat’, global SMS, WebEx online conferencing, Salesforce.com, file sharing and transfer capabilities; in short, it is a collaboration tool and as such requires all three of the keys outlined above. According to Symantec: “IMlogic’s IM Manager provides guaranteed IM policy enforcement for regulatory compliance, centralized security controls, and enhanced real-time communications for extending IM across the enterprise -- regardless of an organization’s IM client of choice. It manages, secures, logs, and archives all IM traffic with certified support for public and enterprise IM networks, including AOL, MSN, Yahoo!, ICQ, IBM Lotus Instant Messaging, Microsoft Office Live Communications Server, Jabber, and others.”

This outlines one of the major issues with regard to document retention policies and storage requirements: the sheer number of IM clients available to the end-user. The proliferation of formats such as Microsoft’s particular XML and ICQ’s .exp should in itself not be a huge problem for a well-written indexing tool. The fact that messages are not gated via a server (as is the case with standard business email) and may not even be saved does present a larger issue.

Obviously the initial threat assessment has to be carried out at the security layer – hence the purchases. However, IDM does not view this threat as just a security concern.

Outgoing Email Security Scares

Email security is not simply a matter of protecting your staff and systems from outside attacks. According to a 2004 Forrester survey on behalf of ProofPoint, which canvassed the opinions of 140 decision makers post Enron and Sarbanes-Oxley, only 43% of organisations with more than 20,000 staff monitored outgoing emails. Compromising practices such as sending offensive or misleading emails should also be covered – and signed off by staffers as part of the induction course.

A stupid or downright malevolent employee is unlikely to live by the letter, let alone the spirit, of any such guidelines. But having good systems in place can protect you. This was made clear in December 2005 by the well-planned procedures of EMC and Wal-Mart.

Crime and Punishment

Wal-Mart used a respected IT recruitment consultant, MindSphere Technology Group, to hire Steven Hettrich to look after some of its EMC-based storage and data transport needs. As is standard procedure, he was asked to sign various standard confidentiality agreements protecting all the parties’ intellectual property (IP). He signed.

At the end of the contract, Wal-Mart provided Hettrich with two weeks’ notice. This was on Friday December 16th 2005. On December 23rd – with one week remaining of his notice period – the contractor handed in all related equipment, including security pass and laptop, and left. Despite Hettrich not taking the full two weeks, everything was above board; the three respected companies, MindSphere, EMC and Wal-Mart, had made no errors; policy documents had been signed and email procedure had apparently been followed. But something was wrong.

Wal-Mart, alerted by the early exit, implemented an investigation of Hettrich’s email history and discovered that between the 17th and 23rd of December, he had sent 20 emails to various addresses.

The emails contained what the consequent legal action claimed was: “information and data file attachments that are proprietary and confidential Wal-Mart information”. The email and attachments also contained scripts and code that were, in fact, EMC’s trade secrets and, as such, were worth several million dollars in IP.

The email addresses were traced. Hettrich had sent the data to his own personal accounts. He was, however, gaoled for at first refusing to hand over computer equipment, files and software from his home. Wal-Mart and EMC did not take this breach lightly.

Weak Endpoints

This cautionary tale outlines how simple rules and regulations are not enough to maintain the integrity of an outgoing email system with that most untrustworthy of endpoints: the human being.
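The investigation described in the cautionary tale above is, in detection terms, a review of outbound mail logs for attachment-bearing messages sent to personal accounts, with extra weight for staff who are serving notice. The following Python sketch of that review is an added example, not code from the article, Wal-Mart or EMC: the log line format, the corporate and webmail domain lists, the leaver list, the three-message threshold and the log lines themselves are all constructed for the example, and parse_line() would need adapting to whatever your MTA actually writes.

```python
"""Review of outbound mail logs for bulk forwarding to personal accounts.

Added example: the log format, domain lists, leaver list and sample lines
are all constructed; adapt parse_line() to the MTA actually in use.
"""
import re
from collections import defaultdict

CORPORATE_DOMAINS = {"corp.example"}                       # assumption
WEBMAIL_DOMAINS = {"webmail.example", "freemail.example"}  # assumption
LEAVERS = {"alice@corp.example"}                           # constructed: staff serving notice

LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> "
    r"size=(?P<size>\d+) attachments=(?P<att>\d+)$"
)

# Constructed sample log: one leaver forwarding attachment-bearing mail to a
# webmail account over several days, plus internal and partner traffic.
SAMPLE_LOG = """\
2005-12-17T09:12:01 from=<alice@corp.example> to=<alice@webmail.example> size=1843201 attachments=3
2005-12-17T09:15:44 from=<alice@corp.example> to=<team@corp.example> size=2310 attachments=0
2005-12-18T10:02:19 from=<alice@corp.example> to=<alice@webmail.example> size=921377 attachments=1
2005-12-19T14:30:05 from=<bob@corp.example> to=<bob@freemail.example> size=45120 attachments=1
2005-12-20T08:45:57 from=<alice@corp.example> to=<alice@webmail.example> size=3322000 attachments=2
this line is garbage and must be skipped
2005-12-21T16:01:12 from=<carol@corp.example> to=<vendor@partner.example> size=120000 attachments=1
2005-12-22T11:11:11 from=<alice@corp.example> to=<alice@webmail.example> size=2000000 attachments=4
"""


def parse_line(line: str):
    """Return a dict for a well-formed log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"], rec["att"] = int(rec["size"]), int(rec["att"])
    return rec


def review(lines, min_messages: int = 3):
    """Aggregate attachment-bearing mail from staff to webmail domains per
    sender and return one alert per sender at or above min_messages,
    largest total volume first."""
    per_sender = defaultdict(lambda: {"messages": 0, "attachments": 0, "bytes": 0,
                                      "recipients": set(), "same_local_part": False})
    for rec in filter(None, map(parse_line, lines)):
        sender, rcpt = rec["sender"].lower(), rec["rcpt"].lower()
        if sender.rsplit("@", 1)[-1] not in CORPORATE_DOMAINS:
            continue  # only mail originating from staff accounts is reviewed
        if rec["att"] == 0 or rcpt.rsplit("@", 1)[-1] not in WEBMAIL_DOMAINS:
            continue  # internal, partner and text-only mail are out of scope here
        s = per_sender[sender]
        s["messages"] += 1
        s["attachments"] += rec["att"]
        s["bytes"] += rec["size"]
        s["recipients"].add(rcpt)
        # mail to an account bearing the sender's own name is the classic "to myself" pattern
        if rcpt.split("@", 1)[0] == sender.split("@", 1)[0]:
            s["same_local_part"] = True
    alerts = []
    for sender, s in per_sender.items():
        if s["messages"] < min_messages:
            continue
        severity = "high" if sender in LEAVERS or s["same_local_part"] else "medium"
        alerts.append({"sender": sender, "severity": severity, **s})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for a in review(SAMPLE_LOG.splitlines()):
        print(f"{a['severity'].upper():6} {a['sender']}: {a['messages']} messages, "
              f"{a['attachments']} attachments, {a['bytes']} bytes -> {sorted(a['recipients'])}")
```

Run against the constructed log, only the leaver trips the threshold; the single message from the second sender stays below it and the partner traffic is ignored. The point is that the signal (several attachment-bearing messages to a same-named webmail account during a notice period) is only visible if outbound mail is logged centrally in the first place, which is exactly what the survey figure above says most large organisations were not doing.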
