Exchange 2010: Compliance and Protection
DESCRIPTION
30.03.2010. Exchange 2010: Compliance and Protection. Vladimir Alexandrov, Chorus Ltd. [email protected]. Agenda: E-mail Archiving and Retention (key technologies, demo); Protecting Email Communication (protection mechanisms and options, demo).
TRANSCRIPT
Agenda
• E-mail Archiving and Retention
  • Key technologies
  • Demo
• Protecting Email Communication
  • Protection mechanisms and options
  • Demo
E-mail Archiving and Retention
• Why Archive E-mail?
• What’s Stopping Customers?
• Integrated Archiving Solution:
  • Personal Archive
  • Retention Policies
  • Single Item Recovery / Hold Policy
  • Multi-mailbox Search
Why Archive E-mail?
Volume
• As data volume grows, Outlook performance can be impacted
• Mailbox quotas control volume but also encourage PST files
• PST files add to further performance/management issues
Retention
• Compliance adds to volume challenges
• Regulations mandate specific retention periods for relevant e-mail (SOX = 5 years, SEC rules = 6 years, HIPAA = 5-6 years)
Discovery
• Strict timelines on discovery of e-mail
• Cover all e-mail from all sources, including PSTs
• Retrieval costs can be HUGE (backup tapes, PSTs)
World Today: Where is your e-mail?
(diagram: e-mail scattered across SharePoint, Outlook PSTs, Webmail, Third Party Archive, Backups and Exchange Server)
What’s Stopping Customers?
Poor User Experience
• Unfamiliar environment
• Inability to search and/or access archived content
• Clunky experience with Outlook/Outlook Web Access add-on
Complex Administrative Experience
• Outlook add-on install/performance issues
• Separate search/management of primary and archive mailboxes
• Concerns over reliability of hosted archive vendors
High Costs
• Separate archive infrastructure investment
• Additional archive management costs
Integrated E-Mail Archiving Solution
Exchange Server 2010 introduces integrated e-mail archiving capabilities offering customers out-of-the-box tools to preserve and discover e-mail data, without changing the user or IT Pro experience.
Preserve
Personal Archive
• Archive in Outlook/OWA
• Integrated with mailbox
Move and Delete Policy
• Move and Delete Policies in OLK/OWA
• Folder/Item Level Policy
Hold Policy
• Edited/Deleted items preserved
• Single Item Restore
Discover
Multi-Mailbox Search
• Simplified search console
• Role-Based Access Control
Overview of the Personal Archive
• A secondary mailbox that is configured by the administrator
• Appears alongside a user’s primary mailbox in Outlook or Outlook Web App
• PST files can be dragged and dropped to the Personal Archive
• E-mail in primary mailbox can be moved automatically using Retention Policies
• Archive quota can be set separately from primary mailbox
(screenshot: Primary Mailbox and Personal Archive shown side by side in the Outlook folder list)
A Seamless User Experience
• User can view, read, navigate, flag and reply to archived e-mail same as live e-mail
• User gets conversation view scoped to archive (same as PSTs)
• Replies to archived messages saved in live e-mail sent items folder (same as PSTs)
• Folder hierarchy from primary mailbox maintained
One User Search Experience
• Option to search archive only or both live and archived e-mail
• Advanced search options work across live and archived e-mail
Retention Policies for Everyone
• Policy automatically deletes e-mail after x days
• Expiration date label
• Policies automatically move e-mail to archive after x days
• Policies applied to all e-mail within a folder
Single Item Recovery (Dumpster 2.0)
Set-Mailbox <identity> -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor <Days>
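The cmdlet above covers one mailbox. The following is an added example, not from the deck, that puts the archiving pieces of this section together for one user: enabling the personal archive, building a retention policy with a move-to-archive tag and a delete tag, enabling single item recovery and legal hold, and a check for mailboxes that have neither. The mailbox "alice", the tag and policy names and the 365/30-day limits are assumptions; the ArchiveQuota parameters assume Exchange 2010 SP1.

```powershell
# Added example, not from the deck. Placeholders: mailbox "alice", tag/policy names, day counts.
# Run from the Exchange Management Shell on an Exchange 2010 server.

# 1. Personal Archive: the administrator-configured secondary mailbox that appears next to the
#    primary mailbox in Outlook/OWA. ArchiveQuota/ArchiveWarningQuota assume Exchange 2010 SP1.
Enable-Mailbox -Identity alice -Archive
Set-Mailbox -Identity alice -ArchiveQuota 10GB -ArchiveWarningQuota 9GB

# 2. Retention policy tags: "move to archive after x days" for the whole mailbox and
#    "delete after x days" for one folder. Deleted items stay recoverable from the dumpster.
New-RetentionPolicyTag -Name "Archive after 1 year" -Type All `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Purge Deleted Items after 30 days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# 3. Bundle the tags into a policy and assign it; the user sees the expiration date label.
New-RetentionPolicy -Name "Corporate Retention" `
    -RetentionPolicyTagLinks "Archive after 1 year","Purge Deleted Items after 30 days"
Set-Mailbox -Identity alice -RetentionPolicy "Corporate Retention"
# Process the mailbox now rather than waiting for the Managed Folder Assistant schedule.
Start-ManagedFolderAssistant -Identity alice

# 4. Single Item Recovery (Dumpster 2.0): edited and purged items are kept for 30 days even
#    if the user empties Deleted Items, and can be restored by an administrator.
Set-Mailbox -Identity alice -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

# 5. Legal hold: items are preserved indefinitely, overriding the delete tag above,
#    while the user keeps working normally.
Set-Mailbox -Identity alice -LitigationHoldEnabled $true

# Check: a mailbox with a retention policy but neither single item recovery nor hold loses
# data the moment the user purges it. List such mailboxes for review.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RetentionPolicy -and -not $_.SingleItemRecoveryEnabled -and -not $_.LitigationHoldEnabled } |
    Select-Object Name,RetentionPolicy,RetainDeletedItemsFor
```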
Demo:
• Personal Archive
• Retention Policies
• Legal Hold
• Multi-Mailbox Search (Legal Discovery)
Protecting E-mail Communication
• Defining the Problem
• Leakage and Reputation Damage
• Exchange 2010 Solutions
  • Message Classifications
  • MailTips
  • Delivery Reports
  • Moderation
  • Information Rights Management
• Demo
Defining the Problem
Risks to Reputation, Productivity, and Operational Expense
• “My users send things to the wrong audience by accident”
• “Help desk calls around failed or lost messages are expensive”
• “Information leakage damages our reputation and results in financial loss”
• “I need to control communications to be in compliance with regulations”
Leakage and Reputation Damage: Accidents Happen
“80% of all data leaks occur because of accidents — that is users, being unaware of data policies, as opposed to having malicious intent.”
- Forrester, 2008
(chart: Top 10 threats to Enterprise Security - IDC)
Information Protection in Exchange 2010
(diagram: a scale from SOFT CONTROLS, less restrictive, to HARD CONTROLS, more restrictive; the controls placed on it are MailTips, Dynamic Signatures/Disclaimers, Moderation, IRM Protection and Block/Redirect)
Exchange 2010 Solutions
• Message Classifications
  • Each outbound message should be pre-classified by user under some regulations
• MailTips
  • Leads you to send the right thing to the right people and avoid blunders and surprises
• Delivery Reports
  • Provides you with visibility into what happened to your message, no costly help desk calls
• Moderation
  • Review messages for suitability or policy violation before they get delivered
• Transport Rules
  • Automated policy enforcement on all messages
• Information Rights Management and Exchange 2010
  • Granular protection that travels with the data
Message Classifications
• Describes the intended use or audience of the message
• Transport Rules may act on the message, based on the classification
• Supported by Outlook 2010 and Outlook Web App, can be exported to OLK 2007
MailTips
• Information about the message and recipients shown before send
• For end users:
  • Reduce delivery surprises
  • Emails are addressed correctly the first time
  • Help prevent embarrassing email mistakes
• For the organization:
  • Reduce help desk calls
  • Reduce NDRs
  • Reduce unnecessary pipeline traffic
Exchange 2010 MailTips
MailTip: what it displays
• Large Audience: The number of people you are sending to, if larger than X
• Automatic Replies: The first 250 symbols of the automatic reply (e.g. OOF)
• External Recipients: If the addressed recipient is not within the organization, or a DL is addressed which contains external recipients
• Invalid Internal Recipients: If the recipient looks internal but does not exist in AD
• Moderated Recipient: If the recipient is moderated
• Oversize Message: If the message is oversized
• Restricted Recipient: If the recipient is restricted
• Mailbox Full: When the recipient mailbox is full
• Reply-All on BCC: That you were BCC’d on the original message when you select Reply-All, if applicable
• Too Many Recipients: The number of people you are sending to, and the maximum
• Custom MailTip: The recipient’s custom MailTip, if configured
MailTips Configuration
Action: Cmdlet (shown with default)
• Turn MailTips On: Set-OrganizationConfig -MailTipsAllEnabled $true
• Turn Mailbox-based MailTips On: Set-OrganizationConfig -MailTipsMailboxSourcedTipsEnabled $true
• Display Group Information: Set-OrganizationConfig -MailTipsGroupMetricsEnabled $true
• Display External Recipients: Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $false
• Change Large Audience Threshold: Set-OrganizationConfig -MailTipsLargeAudienceThreshold 25
• Per user:
  • In OWA, when you collapse MailTips, they stay hidden
  • Outlook users can disable individual MailTips
Delivery Reports
• Launch points:
  • OWA and Outlook 2010
  • Delivery Reports Search in Exchange Control Panel
  • Exchange Management Console
Moderation
• Group-based moderation
  • All messages to group must be approved by a moderator
  • Multiple moderators allowed
  • Bypass lists
• Rule-based moderation
  • Available as an action on a Transport Rule
  • Conditions are customizable
  • Message is diverted to moderator(s) for approval
• Group join approval
• Moderation for recipients other than groups
Moderation Components
• Initiation message:
  • Special message containing the original message
  • Addressed to the arbitration mailbox
  • Stores the state of moderation on that message
• Arbitration mailbox:
  • Destination of initiation message
  • Stores the initiation messages waiting to be approved
• Other messages:
  • Approval request (to moderators)
  • Approval decision (from moderators back to arbitration mailbox)
  • Decision updates (to moderators)
  • Rejection notices (to original senders)
(diagram: message flow between sender, Arbitration Mailbox and moderators)
Life as a moderator
• Moderator’s mailbox stays up-to-date
  • Only actionable approval requests stay in the inbox
  • Conflicting decisions:
    • First reply to the arbitration mailbox wins
    • Loser’s mailbox is updated: “your decision does not apply”
• Decisions can be made in OLK and OWA 14
  • Voting buttons in legacy OLK work, too
• Sender notified if all moderators are unavailable
  • All OOF, all mailbox full, etc.
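As an added example, not from the deck, the following configures each moderation variant described in the three slides above and adds two checks an administrator wants before relying on it: that the arbitration mailbox is present and that every moderated recipient has somebody who can approve. The group "Sensitive Partners", the "Finance" and "Executives" groups and all user names are placeholders.

```powershell
# Added example, not from the deck. Placeholders: group and user names.

# Group-based moderation: every message to the DG becomes an initiation message parked in
# the arbitration mailbox, and an approval request goes to each moderator. Members of the
# bypass list are delivered without review.
Set-DistributionGroup -Identity "Sensitive Partners" `
    -ModerationEnabled $true `
    -ModeratedBy "moderator1","moderator2" `
    -BypassModerationFromSendersOrMembers "Executives" `
    -SendModerationNotifications Always

# Group join approval: membership requests are routed to the group's manager.
Set-DistributionGroup -Identity "Sensitive Partners" -MemberJoinRestriction ApprovedByManager

# Rule-based moderation: a transport rule condition decides what is diverted; here the
# sender's manager (from the AD manager attribute) must approve external mail from Finance.
New-TransportRule -Name "Manager approval for Finance external mail" `
    -FromMemberOf "Finance" -SentToScope NotInOrganization `
    -ModerateMessageByManager $true

# Moderation for a recipient other than a group: a single mailbox.
Set-Mailbox -Identity "ceo" -ModerationEnabled $true -ModeratedBy "assistant"

# Check 1: the SystemMailbox{GUID} arbitration mailbox must exist and its database be mounted,
# otherwise moderated mail is never delivered.
Get-Mailbox -Arbitration | Format-Table Name,Database

# Check 2: groups with moderation enabled but no explicit moderator fall back to the group
# manager (ManagedBy); confirm that the manager really is the intended approver.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.ModerationEnabled -and -not $_.ModeratedBy } |
    Select-Object Name,ManagedBy

# Check 3: ModerateMessageByManager only works when the sender's AD manager attribute is set.
Get-User -Identity "alice" | Select-Object Name,Manager
```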
Transport Rules
• A set of centrally managed messaging policies, enforced on every Hub server
• Allows consistent and reliable evaluation of messages throughout your organization
• Enables control scenarios:
  • Block, moderate, encrypt, or modify messages
  • Based on inspection of content, properties, sender, or recipient
Transport Rules Structure
• Structured just like inbox rules:
  • Conditions: If the message... Is from a member of the group ‘Marketing Team' And is sent to recipients that are 'Outside the organization'
  • Actions: Do the following... Append the message with the disclaimer 'Exchange 2010 is coming! Can you handle the excitement?'
  • Exceptions: Except if the message... Is received from ‘Alfred E Newman'
• Condition types:
  • User: detect mail between people, DGs
  • Content: inspect message subject & body content
  • Message Properties: inspect message headers and properties or type
  • Routing: detect external/internal, email domains
• Action types: Block; Encrypt; Modify (recipients, content, properties); Review/Moderate
Regular Expressions in Transport Rules
Exchange 2010 supports the following regular expressions:
Pattern string: Description
• \S: Matches any single character that is not a space.
• \s: Matches any single white-space character.
• \D: Matches any single character that is not a numeric digit.
• \d: Matches any single numeric digit.
• \w: Matches any single Unicode character categorized as a letter or decimal digit.
• |: The pipe ( | ) character performs an OR function.
• *: The wildcard ( * ) character matches zero or more instances of the previous character. For example, ab*c matches the following strings: ac, abc, abbbbc.
• ( ): Parentheses act as grouping delimiters. For example, a(bc)* matches the following strings: a, abc, abcbc, abcbcbc, and so on.
• \\: Two backslashes indicate that the character that follows the backslashes should be escaped. For example, if you want to match a string that contains \d, you would type \\d.
• ^: The caret ( ^ ) character indicates that the pattern string that follows the caret must exist at the start of the text string that is being matched. For example, ^fred@contoso matches [email protected] and [email protected] but not [email protected]. The caret character can also be used with the dollar ( $ ) character to specify an exact string to match. For example, ^[email protected]$ matches only [email protected] and does not match anything else, such as [email protected].
• $: The dollar ( $ ) character indicates that the preceding pattern string must exist at the end of the text string that is being matched. For example, contoso.com$ matches [email protected] and [email protected], but does not match [email protected]. The dollar character can also be used with the caret ( ^ ) character to specify an exact string to match. For example, ^[email protected]$ matches only [email protected] and does not match anything else, such as [email protected].
New Exchange 2010 Transport Rules: More control, supervision
IMPROVED! (E2007 vs. E2010)
• Disclaimers/Signatures: E2007 text with limited formatting; E2010 adds AD attributes + HTML
• Attachments: E2007 size, name; E2010 adds content (Office documents)
• Classifications: E2007 acts on classification; E2010 can also act on No Classification
NEW! (E2010)
• Apply RMS: Applies RMS encryption
• Moderation: Enable manager to review
• Message Types: RMS-encrypted, auto-replies, calendaring, voicemail, approval request
• Supervision Lists: Allows/blocks based on list of recipients
• Management Properties: Automatically identifies manager and applies policy
• User Properties: Create granular policy sets per user attributes (e.g. department, country)
Protection and Compliance Scenarios
Scenario: Example; Transport Rules, Moderation, MailTips
• Ethical Wall: Block brokers, analysts from communicating
  • Block mail between specific people in a DG
  • Block mail between people with specific AD attributes
• Moderation: Manager required to sign-off on mail to sensitive partner
  • Send to Manager for approval
  • MailTips for moderated recipients
• Employee Supervision: Inappropriate Content, Harassment
  • Filter using keywords; regular expressions; type of content (OOF, voice mail, NDR, etc.)
• Information Leakage Protection: HIPAA (personal health data), GLBA (personal financial data), EUPD (Europe), PIPEDA (Canada), SB 1386 (California), PCI
  • MailTips for external recipient
  • Apply RMS encryption
  • Filter using keywords or regular expressions
  • Reject outbound mail with Message Classifications (e.g. attorney-client privilege)
• Signatures: EUPD 2003/58/EC - European Union Data Protection Directive
  • Append signatures that include name, title, department, etc.
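The following is an added example, not from the deck, that turns the transport rule structure slide and two of the scenarios above into cmdlets: rule 1 recreates the deck's sample rule (its group, disclaimer text and exception come from the slide), rule 2 is an information leakage rule built only from the pattern constructs listed in the regular expression table, and rule 3 is the ethical wall. The rule names, the "Brokers"/"Analysts" groups, the nine-digit "nnn-nn-nnnn" number format and the reject texts are placeholders.

```powershell
# Added example, not from the deck. Placeholders: rule names, Brokers/Analysts groups,
# the account-number format and the reject texts.

# Rule 1: the deck's sample rule. Condition (member of group, sent outside the organization),
# action (append disclaimer) and exception (one sender) each map to one parameter.
New-TransportRule -Name "Marketing external disclaimer" `
    -FromMemberOf "Marketing Team" `
    -SentToScope NotInOrganization `
    -ExceptIfFrom "Alfred E Newman" `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "Exchange 2010 is coming! Can you handle the excitement?" `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Rule 2: information leakage protection. Outbound mail whose subject or body matches a
# nine-digit account-number format is rejected with an NDR. Only \d and literals are used,
# so the pattern stays inside the set the deck documents.
New-TransportRule -Name "Reject outbound account numbers" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns "\d\d\d-\d\d-\d\d\d\d" `
    -RejectMessageReasonText "Rejected by policy: message appears to contain an account number" `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Rule 3: ethical wall. BetweenMemberOf1/2 matches mail in either direction between two groups.
New-TransportRule -Name "Ethical wall: Brokers and Analysts" `
    -BetweenMemberOf1 "Brokers" -BetweenMemberOf2 "Analysts" `
    -RejectMessageReasonText "Communication between these groups is not permitted" `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Check 1: rules run in Priority order on every Hub Transport server; a later reject rule never
# sees a message that an earlier rule already redirected or dropped, so review the order.
Get-TransportRule | Sort-Object Priority | Format-Table Priority,Name,State -AutoSize

# Check 2: test a pattern against constructed samples before deploying it. Transport rules and
# the -match operator both use the .NET regular expression engine.
$pattern = "\d\d\d-\d\d-\d\d\d\d"
"Ref 123-45-6789" -match $pattern   # True: matches the format
"Ref 12-345-6789" -match $pattern   # False: digit groups have the wrong lengths
"Tel 5551234567"  -match $pattern   # False: no separators
```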
Information Rights Management
• Exchange and RMS Deployment
• Transport Protection Rules
• IRM Search, Transport Decryption, Journal Report Decryption
• Outlook Protection Rules
Exchange and RMS Deployment
Administrator Steps
1. Deploy either RMS* or Exchange, order doesn’t matter. Ensure your SCP is published within the forest.
2. RMS: On the _wmcs/certification/ServerCertification.asmx file, add all Exchange servers with read and execute permissions.
3. RMS: Create a DL that contains the FederatedEmail account (disabled user). Enable super-users and set the DL you created as super user.**
4. Exchange: Run Set-IRMConfiguration -InternalLicensingEnabled $true
* Exchange features require RMS on WS2008 SP2 or R2.
** Super user is required for OWA, Search, Transport/Journal Decryption.
Transport Protection Rules: Take the decision away from end-users
• Apply RMS policies automatically using Transport Rules
• Apply “Do Not Forward” or custom RMS templates
• RMS protection is also applied to Office 2003, 2007, and 2010 attachments
• RMS protection can be triggered based on sender, recipient, or content
Protect. Productively.
Search, scan, filter, and journal protected e-mail
• IRM Search: Conduct full-text search on IRM-protected messages in OWA and Outlook. Enables eDiscovery of protected messages in the Exchange Store.
• Transport Decryption: Enables access to IRM-protected messages by Transport Agents to perform operations such as transport rules, content filtering, and anti-spam/anti-virus.
• Journal Report Decryption: Journal Report Decryption Agent attaches clear-text copies of IRM-protected messages and attachments to journal mailbox
Anywhere Access
• Native OWA support provides:
  • Eliminates the need for IE Rights Management Add-on
  • Cross-Browser support enables Firefox and Safari users to create/consume RMS protected messages
  • Mac users can create/consume RMS protected messages
• IRM Search
  • Conduct full-text search on RMS protected messages in Outlook Web Access
• Windows Mobile 6.x
  • Built-in ability to create/consume RMS protected messages
Outlook Protection Rules: Apply IRM protection automatically at the client
• IRM protection automatically triggered based on sender/receiver attributes
• Supported attachments are also protected
• Windows Desktop Search will index headers and subject
• Authorized users can turn off protection
• Can be used to prevent e-mail service provider from accessing your e-mail
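As an added example, not from the deck, the following shows the Exchange-side IRM configuration for the whole IRM section: step 4 of the deployment slide extended with the search, transport decryption, journal decryption and OWA features that depend on the super-user group, a test of the RMS round trip, one transport protection rule and one Outlook protection rule. It assumes RMS steps 1 to 3 are already done; the sender address and the "Legal" and "Finance" groups are placeholders, and "Do Not Forward" is the built-in RMS template named on the slide.

```powershell
# Added example, not from the deck. Assumes RMS steps 1-3 from the deployment slide are done
# (SCP published, Exchange servers granted access on ServerCertification.asmx, super-user DL set).
# Placeholders: sender address, group names.

# Step 4 from the deck plus the features that need the super-user group.
Set-IRMConfiguration -InternalLicensingEnabled $true `
    -SearchEnabled $true `
    -TransportDecryptionSetting Mandatory `
    -JournalReportDecryptionEnabled $true `
    -OWAEnabled $true
# Mandatory: a message the Hub server cannot decrypt is rejected with an NDR rather than
# bypassing transport rules and anti-virus. Use Optional if delivery matters more than inspection.

# Check: performs the real RMS round trip (SCP lookup, certification, licensing) as a user.
Test-IRMConfiguration -Sender alice@contoso.com

# Transport protection rule: protection is applied on the Hub server, so the sender cannot
# forget it, and supported Office attachments are protected together with the message.
New-TransportRule -Name "Protect Legal mail sent externally" `
    -FromMemberOf "Legal" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Outlook protection rule: the same template applied in Outlook 2010 before the message leaves
# the client, so the e-mail service provider never sees clear text. UserCanOverride is the
# "authorized users can turn off protection" option from the slide.
New-OutlookProtectionRule -Name "Protect Finance internal mail" `
    -FromDepartment "Finance" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $true

# Check: confirm what is in effect and that the client rule is enabled.
Get-IRMConfiguration | Format-List *Enabled,TransportDecryptionSetting
Get-OutlookProtectionRule | Format-Table Name,Enabled,SentToScope,UserCanOverride
```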
Demo: Email Protection
• MailTips
• Transport Rules
• Moderation
• IRM
Exchange 2010: Compliance and Protection
Vladimir Alexandrov, Chorus [email protected]
30.03.2010
Q & A?