exch2010 compliance ngm final
DESCRIPTION
A deck covering Exchange 2010 Information Protection and Compliance that runs to about 25-30 minutes.
TRANSCRIPT
EXCHANGE 2010 PROTECTION AND
COMPLIANCE
Nathan Winters – Exchange MVP
Exchange 2010 IPC
Introduction to Information Protection and Compliance (IPC)
The arsenal of Technical Tools!
• Archiving
• Multi-Mailbox Search
• Legal Hold
• IRM
• Moderation
• Enhanced Transport Rule Capabilities
• MailTips
Why is IPC important?
Large UK Retailer Leaks Payment Information via Email
Nearly 40% of workers have received confidential information that was not meant for them!
The Information Commissioner’s Office will be able to issue fines of up to £500,000 for serious data security breaches.
Appeal Win Lets FSA Grab Evidence for SEC
Some of the legal factors
• Public Sector - Freedom of Information
• All - Data Protection Act
• Finance - Financial Services Authority, SEC, Basel II
• RIPA - Regulation of Investigatory Powers Act 2000
• Human Rights - Lawful Business Practice Regulations
• Electronic Communications Act - adding disclaimers
• US - SOX, HIPAA etc.
What does IPC mean to you?
It is a policy built around the relevant laws for your industry, based on a set of technical tools which we try to automate:
• Monitor e-mail - content, recipients, where it is going
  ○ Know what is happening based on e-mail attributes
• Retain and Provide
  ○ Archiving, Retention and Discovery
• Control and Protection - allow or prevent
  ○ Granular policies
  ○ Soft to Hard control
Retain and Provide
Retain and provide mail where required, with Archiving, Retention and Discovery
Protection & Control: Soft to Hard
Ensure that you target the correct data with the correct policy to maximise usability
Alert
• Allow delivery but add a warning
Classify
• Allow delivery but apply classification
Modify
• Allow delivery but modify message
Append
• Allow delivery but add a disclaimer
Protect
• Allow delivery but prevent forwarding
Review
• Block delivery until moderated
Redirect
• Block delivery and redirect
Block
• Do not deliver!
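The ladder above maps one-to-one onto transport rule actions. The following is an added example, not from the original deck: one Exchange 2010 transport rule per rung, as typed into the Exchange Management Shell. Every name in it is a hypothetical placeholder (the Finance and Marketing groups, the compliance mailbox, the message classification "Company Confidential"); "Do Not Forward" is the rights policy template that ships with AD RMS.

```powershell
# Added example, not from the original deck: the Soft-to-Hard ladder as Exchange 2010
# transport rules. Hypothetical names: Finance@contoso.com, Marketing@contoso.com,
# compliance@contoso.com and the classification "Company Confidential" are assumed to exist.

# Alert: deliver, but warn the recipient in the subject line
New-TransportRule -Name 'Alert - Finance mail leaving the organisation' `
    -FromMemberOf 'Finance@contoso.com' -SentToScope NotInOrganization `
    -PrependSubject '[EXTERNAL RECIPIENT] '

# Classify: deliver, but stamp a message classification that Outlook and OWA display
New-TransportRule -Name 'Classify - internal Finance mail' `
    -FromMemberOf 'Finance@contoso.com' -SentToScope InOrganization `
    -ApplyClassification 'Company Confidential'

# Modify: deliver, but change the message; here an X-header that downstream systems can key on
New-TransportRule -Name 'Modify - tag draft contracts' `
    -SubjectContainsWords 'Draft Contract' `
    -SetHeaderName 'X-Contoso-Handling' -SetHeaderValue 'draft-contract'

# Append: deliver, but add a disclaimer. Wrap handles signed/encrypted mail the server
# cannot edit in place by wrapping the original inside a new message carrying the disclaimer.
New-TransportRule -Name 'Append - outbound disclaimer' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerText '<p>This e-mail is confidential and intended for the addressee only.</p>' `
    -ApplyHtmlDisclaimerLocation Append -ApplyHtmlDisclaimerFallbackAction Wrap

# Protect: deliver, but apply an RMS template so the recipient cannot forward, print or copy.
# Exchange 2010 runs the pattern over attachment content as well as the body.
# Predicates within one rule are ANDed, so a body-only check would be a second rule.
New-TransportRule -Name 'Protect - card numbers in attachments' `
    -AttachmentMatchesPatterns '\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Review: hold the message until a moderator approves or rejects it
New-TransportRule -Name 'Review - external press releases' `
    -FromMemberOf 'Marketing@contoso.com' -SentToScope NotInOrganization `
    -SubjectContainsWords 'Press Release' `
    -ModerateMessageByUser 'compliance@contoso.com'

# Redirect: the intended recipient never sees it; compliance does
New-TransportRule -Name 'Redirect - confidential mail addressed externally' `
    -HasClassification 'Company Confidential' -SentToScope NotInOrganization `
    -RedirectMessageTo 'compliance@contoso.com'

# Block: reject with a reason the sender sees in the NDR (-DeleteMessage $true drops silently)
New-TransportRule -Name 'Block - Internal Only content to external recipients' `
    -SubjectOrBodyContainsWords 'Internal Only' -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Internal Only material cannot be sent outside the organisation' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Rules run in Priority order (0 first); check the final order before relying on it
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State -AutoSize
```

The Protect rung only works once IRM is enabled for the organisation (Set-IRMConfiguration) and, for mail that arrives already protected, transport decryption is on; otherwise the Hub Transport server cannot inspect the content it is meant to match.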
Exchange 2010 Archiving, Retention & Discovery
Better mailbox management
Personal Archive
• Secondary mailbox node
• PST / Primary Mailbox Management
Retention Policies
• Folder/Item Level
• Archive/Delete policies
Multi-Mailbox Search
• Role-based GUI
Legal Hold
• Edited and Deleted Items
• Searchable with MM Search
Why Archive? A Vicious Cycle of Volume vs. Control
Growing e-mail volume → Performance & storage issues → Mailbox quota → PSTs → Discovery and compliance issues → (more volume)
• Increasing storage and back-up costs
• Users forced to manage quota
• Quota management often results in growing PSTs (Outlook auto-archive)
• PSTs difficult to discover centrally
• Regulatory retention schedules contribute to further volume/storage issues
Breaking the Cycle with large mailbox architecture and archiving
Growing e-mail volume → Performance & storage issues → Mailbox quota → PSTs → Compliance/discovery issues
• Large Mailbox Architecture maintains performance and provides the option of DAS-SATA storage to reduce costs
• Archiving enables simple migration of PSTs back to the server
• Archiving simplifies discovery, retention and legal hold
Personal Archive Overview - What is it and where does it live?
User goals and assumptions: simple to use, in OWA & Outlook
IT Pro goals and assumptions: get rid of PSTs! Easy to enable.
Personal Archive - User experience
User can view, read, navigate, flag and reply to archived mail same as live mail
User gets conversation view scoped to Archive (same as PSTs)
Reply to message in archive puts message in live mail sent items (same as PSTs)
Folder hierarchy from primary mailbox maintained
Personal Archive Search
Option to search archive only or both live and archived mail
Advanced search options work across live and archived mail
Message Retention
Move Policy: automatically moves messages to the archive
• Options: 6 months, 1 year, 2 years (default), 5 years, Never
• User impact: helps keep the mailbox under quota; works like Outlook Auto-Archive, without PSTs!
Delete Policy: automatically deletes messages
• User impact: removes unwanted items and helps keep the mailbox under quota
• Delete policies are global (they travel with the item to the Archive)
• Per-item policies take priority over folder policies
Retention Policies
At the folder or item level, with the expiration date stamped directly on the e-mail
Delete policies
• Policies can be applied to all e-mail within a folder
• Policies can be applied directly to an individual e-mail
Archive policies
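The move and delete policies on the last two slides are built from retention tags linked into a retention policy. The following is an added example, not from the original deck, showing the whole procedure in the Exchange Management Shell; the tag and policy names and the user "alice" are hypothetical.

```powershell
# Added example, not from the original deck: archive (move) and delete policies for
# one user. Hypothetical names: the user alice, the tags and the policy below.

# 1. Enable the Personal Archive. In Exchange 2010 it is a secondary mailbox linked to the
#    primary (SP1 adds -ArchiveDatabase to place it in a different database).
Enable-Mailbox -Identity 'alice' -Archive

# 2. Move policy: the default policy tag (Type All) applies to everything without a more
#    specific tag. 730 days = the 2-year default the deck mentions.
New-RetentionPolicyTag -Name 'Default 2 year move to archive' -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive -RetentionEnabled $true

# 3. Delete policy on a default folder. Delete tags are global: the item keeps the tag when it
#    is moved to the archive, so it is still deleted after 365 days there. DeleteAndAllowRecovery
#    leaves it recoverable from the dumpster; PermanentlyDelete would not.
New-RetentionPolicyTag -Name 'Inbox 1 year delete' -Type Inbox `
    -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $true

# 4. Personal tags are what users apply to a folder or a single item in Outlook 2010/OWA.
#    A tag on the item takes priority over the folder's tag, so "Keep 5 years" on one message
#    overrides the Inbox 1-year delete for that message only.
New-RetentionPolicyTag -Name 'Keep 5 years' -Type Personal `
    -AgeLimitForRetention 1825 -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $true
# A disabled tag is how "Never" is expressed: items carrying it are never moved.
New-RetentionPolicyTag -Name 'Never move to archive' -Type Personal `
    -RetentionAction MoveToArchive -RetentionEnabled $false

# 5. Link the tags into one policy (one Type All tag and at most one tag per default folder)
#    and assign it to the mailbox.
New-RetentionPolicy -Name 'Corporate Retention Policy' `
    -RetentionPolicyTagLinks 'Default 2 year move to archive', 'Inbox 1 year delete', `
                             'Keep 5 years', 'Never move to archive'
Set-Mailbox -Identity 'alice' -RetentionPolicy 'Corporate Retention Policy'

# 6. The Managed Folder Assistant stamps the expiry date on each item and performs the
#    moves/deletes on its schedule; run it now to see the effect (SP1 per-mailbox syntax).
Start-ManagedFolderAssistant -Identity 'alice'

# Verify what was applied
Get-Mailbox -Identity 'alice' | Format-List RetentionPolicy, ArchiveName
Get-RetentionPolicy -Identity 'Corporate Retention Policy' | Format-List RetentionPolicyTagLinks
```

Assign a policy to a pilot group before the whole organisation: the first run of the assistant against a mailbox full of old mail moves or deletes everything past the age limit at once, and users notice.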
Legal Hold
Hold Policy captures all edits/deletes irrespective of user or admin access. User workflow is unchanged; items are captured in hidden folders in Dumpster 2.0 (the Recoverable Items folder). Multi-mailbox search can retrieve items indexed in Dumpster 2.0.
ISSUE - consider that the whole mailbox is put on hold, not just the granular information that you need on hold!
Hold Policy
• URL links to additional info
• The information worker (IW) is told how to comply (no action needed for e-mail)
Multi-Mailbox Search
Simple, role-based GUI
Filtering includes: sender, receiver, expiry policy, message size, sent/receive date, cc/bcc, regular expressions, IRM protected items
Delegate access to search to HR, compliance, legal manager
Search all mail items (email, IM, contacts, calendar) across primary mailbox, archives
Multi-Mailbox Search - Additional e-discovery features
• Export search results to a mailbox or SMTP address
• Request an e-mail alert when the search is complete
• Search specific mailboxes or DLs
• Search results organised per original hierarchy
• API enables 3rd-party tool integration with query results for processing
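The Legal Hold and Multi-Mailbox Search slides above describe one workflow: preserve first, then search, with the search delegated through RBAC. The following is an added example, not from the original deck, of that workflow in the Exchange Management Shell. The custodians alice and bob, the investigator hr-legal, the case name and the query are hypothetical; "Discovery Search Mailbox" is the discovery mailbox Exchange 2010 setup creates.

```powershell
# Added example, not from the original deck: legal hold followed by a delegated
# multi-mailbox search. Hypothetical names: alice, bob, hr-legal, Case-2010-042.

# 1. Put the custodians on hold. The entire mailbox is preserved (the granularity caveat on
#    the Legal Hold slide); edits and deletes go to the Recoverable Items folder (Dumpster 2.0).
#    RetentionComment and RetentionUrl are shown to the user in Outlook 2010 so they know
#    how to comply; no action is required of them.
$custodians = 'alice', 'bob'
foreach ($m in $custodians) {
    Set-Mailbox -Identity $m -LitigationHoldEnabled $true `
        -RetentionComment 'Your mailbox is on legal hold. No action is needed; do not delete mail.' `
        -RetentionUrl 'http://intranet.contoso.com/legal/hold'
}

# 2. Delegate search to the investigator via the built-in RBAC role group rather than
#    granting Full Access to the custodians' mailboxes.
Add-RoleGroupMember -Identity 'Discovery Management' -Member 'hr-legal'

# 3. Define the search: scope, AQS query, date window, sender filter, item types, and the
#    discovery mailbox the copies are delivered to. IncludeUnsearchableItems also copies
#    items the indexer could not read (e.g. unsupported attachment formats) so nothing is missed.
New-MailboxSearch -Name 'Case-2010-042' `
    -SourceMailboxes $custodians `
    -TargetMailbox 'Discovery Search Mailbox' `
    -SearchQuery 'subject:"project falcon" OR "payment card"' `
    -StartDate '01/01/2010' -EndDate '06/30/2010' `
    -Senders 'alice@contoso.com' `
    -MessageTypes Email, IM `
    -IncludeUnsearchableItems $true `
    -StatusMailRecipients 'hr-legal@contoso.com' `
    -LogLevel Full

# 4. Run it and wait. Results land in the discovery mailbox in a folder named after the
#    search, one sub-tree per source mailbox, keeping the original folder hierarchy.
Start-MailboxSearch -Identity 'Case-2010-042'
do {
    Start-Sleep -Seconds 30
    $s = Get-MailboxSearch -Identity 'Case-2010-042'
} while ($s.Status -eq 'InProgress')
$s | Format-List Name, Status, ResultNumber, ResultSize, PercentComplete

# 5. Confirm every custodian is actually on hold before the case proceeds.
$custodians | ForEach-Object { Get-Mailbox -Identity $_ } |
    Format-Table Name, LitigationHoldEnabled, RetentionComment -AutoSize
```

The order matters: the hold goes on before anyone is told about the investigation, because until it does a custodian can still purge the Recoverable Items folder.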
Exchange 2010 Protection and Control
Information Rights Management
• IRM in OWA
• IRM Transport rules & Search
MailTips
• Automated alerts for users
• OWA and Outlook 2010
Moderation
• Route mail to moderator for review
Enhanced Transport Rules
• Dynamic Signatures
• Granular Conditions
Information Leakage
Can be costly on multiple fronts
Legal, Regulatory and Financial impacts
• Non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more
• Damage to public image and credibility with customers
• Financial impact on the company
Loss of Competitive Advantage
• Disclosure of strategic plans
• Loss of research, analytical data, and other intellectual capital
Enforcement tools are required; content protection should be automated.
Message Confidentiality?
Automatic Content-Based Privacy
• Transport Rule action to apply an RMS template to an e-mail message
• Transport Rules support regex scanning of attachments in Exchange 2010 (including content)
• Internet Confidential and Do Not Forward policies available out of the box
Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages.
What is Rights Management Services?
Windows platform information protection technology
• Better safeguard sensitive information
• Protect against unauthorized viewing, editing, copying, printing, or forwarding of information
• Limit file access to only authorized users
• Audit trail tracks usage of protected files
Persistent protection
• Protects your sensitive information no matter where it goes
• Uses technology to enforce organizational policies
• Authors define how recipients can use their information
Protection via Transport Rules
• New Transport Rule action to "RMS protect"
• Transport Rules support regular expression scanning of attachments in Exchange Server 2010
• "Do Not Forward" policy available out of the box
• Office 2003, Office 2007, Office 2010, and XPS documents are supported for attachment protection
• Ability to route e-mail for Moderation
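Everything on the RMS slides (transport-rule protection, IRM in OWA, IRM-aware search, journal decryption) is switched on through one organisation-level object. The following is an added example, not from the original deck, of enabling those integration points and verifying them end to end. It assumes an AD RMS cluster whose Service Connection Point is already registered in the forest; the test sender alice@contoso.com is hypothetical.

```powershell
# Added example, not from the original deck: enable and verify Exchange 2010 IRM integration.
# Assumes an AD RMS cluster with its SCP registered. alice@contoso.com is a hypothetical sender.

# Prerequisite on the RMS side (not shown): Exchange's federated delivery mailbox must be in the
# AD RMS super users group, or the server cannot decrypt protected mail for transport and search.

Set-IRMConfiguration `
    -InternalLicensingEnabled $true `      # Exchange may obtain licences from the internal cluster
    -ClientAccessServerEnabled $true `     # IRM in OWA: read and compose protected mail in the browser
    -SearchEnabled $true `                 # protected items are indexed, so Multi-Mailbox Search finds them
    -TransportDecryptionSetting Mandatory ` # Hub Transport decrypts so rules/journaling can inspect, then re-protects
    -JournalReportDecryptionEnabled $true  # journal reports carry a clear-text copy for the archive

# Mandatory rejects (NDRs) any protected message the server cannot decrypt; Optional would let it
# through uninspected, which defeats the content rules, and Disabled leaves protected mail opaque.

# The templates a transport rule or Outlook Protection Rule can reference come from the cluster.
Get-RMSTemplate | Format-Table Name, Type -AutoSize

# End-to-end check: certificates from RMS, prelicensing for the sender, and server-side decryption.
Test-IRMConfiguration -Sender 'alice@contoso.com'
```

Run Test-IRMConfiguration again after any change to the RMS cluster or its certificates; a transport rule that applies a template fails closed (the message is deferred) when the Hub Transport server can no longer reach the licensing pipeline.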
Protection via Transport Rules
Rights Management Services Integration in Outlook Web Access
RMS Protection is applied both to the message itself and to the attachments.
Saved attachments retain the relevant protection (e.g. rights to view, print or copy content).
Protected Content in Outlook
Rights Management Services Integration in Unified Messaging
Unified Messaging administrators can allow incoming voice mail messages to be marked as “private”
Private voice mail can be protected using “Do Not Forward”, preventing forwarding or copying content
Private voice mail is supported in Outlook 2010 and Outlook Web Application (OWA)
Rights Management Services Integration in Unified Messaging
Business to Business RMS - Securely Communicate with Partners
Today customers can communicate using RMS between organizations by deploying ADFS and setting up trusts
• ADFS requires a separate trust between each partner
• ADFS isn't supported by Exchange
In Exchange Server 2010, customers can federate with the Microsoft Federation Gateway instead of with each partner
• A single federation point replaces individual trusts
• Allows Exchange to act on behalf of users for decryption
Senders can control how their data is accessed by 3rd parties
• By using federation, RMS can allow organizations and applications to access data on behalf of individuals; specifically, they can specify whether recipient organizations can archive e-mails in the clear
• The RMS administrator can control which 3rd parties can access data using federated authentication (allow/block list)
Outlook Protection Rules
Allows an Exchange administrator to define client-side rules that will protect sensitive content in Outlook automatically
Rules can be mandatory or optional depending on requirements
Rules look at the following predicates:
• Sender's department (HR, R&D, etc.)
• Recipient's identity (specific user or distribution list)
• Recipient's scope (all within the organization, outside, etc.)
Rules are automatically retrieved from Exchange using Autodiscover and Exchange Web Services
Step 1: User creates a new message in Outlook 2010.
Step 2: User adds a distribution list to the To line.
Step 3: Outlook detects a sensitive distribution list (DL) and automatically protects as MS Confidential.
Company Confidential - This content is confidential and proprietary information intended for company employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, Print and Forward. Permission granted by: [email protected]
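The three steps above are driven by a rule the administrator publishes from Exchange. The following is an added example, not from the original deck, of the rule behind that scenario plus a second rule using the department predicate; the DL Executive-Team@contoso.com, the template "Company Confidential" and the department name HR are hypothetical.

```powershell
# Added example, not from the original deck: Outlook Protection Rules for Exchange 2010.
# Hypothetical names: Executive-Team@contoso.com, the RMS template "Company Confidential", department HR.

# Rule 1 - the slide's scenario: as soon as the sensitive DL is on the To line, Outlook 2010
# applies the template before the message leaves the client. UserCanOverride $false makes the
# rule mandatory; the user cannot strip the protection.
New-OutlookProtectionRule -Name 'Protect mail to Executive Team' `
    -SentTo 'Executive-Team@contoso.com' `
    -ApplyRightsProtectionTemplate 'Company Confidential' `
    -UserCanOverride $false

# Rule 2 - keyed on the sender's AD department attribute. SentToScope accepts All or
# InOrganization only. Optional, so an HR user can remove protection from a non-sensitive message.
New-OutlookProtectionRule -Name 'HR mail is Do Not Forward by default' `
    -FromDepartment 'HR' -SentToScope All `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -UserCanOverride $true

# Outlook 2010 fetches the rule set via Autodiscover and Exchange Web Services; review what
# is published and in which order.
Get-OutlookProtectionRule |
    Format-Table Name, Priority, FromDepartment, SentTo, SentToScope, `
                 ApplyRightsProtectionTemplate, UserCanOverride -AutoSize
```

Outlook Protection Rules are enforced only by Outlook 2010; mail sent from OWA, mobile devices or older Outlook versions is not touched, so a transport rule with the same condition and the same template is the server-side backstop that makes the policy hold for every client.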
Outlook Protection Rules
Manage Inbox Overload
Help Reduce Unnecessary and Undeliverable E-Mail Through New Sender MailTips
Reduce Non-Delivery Reports
Limit Accidental E-Mail
Remove Extra Steps and E-Mail
Key takeaways
• Personal Archive gives a seamless user experience and removes the need for PSTs
• Deep support for IRM
• Automation enables ease of use and administration
• Wide range of granular controls from Soft to Hard