Compliance, Legal Hold, and eDiscovery concepts
Compliance, eDiscovery, Legal Hold, and records management are very important topics for many organizations in the public and private sectors because of the legal and financial implications for not properly preserving or disposing of communication content in a timely fashion. Emails usually make up a significant, if not majority, of the content managed by an organization. Almost all legal cases allow or require the introduction of email content and transactions as evidence. As such, Exchange Online 2010 has these compliance capabilities natively built into the service, which is further enhanced in Exchange Online 2013.
The overall compliance strategy for Exchange involves the following key capabilities:
Preserving content is the capability to allow for the indefinite storage of content in a centralized location. A centralized storage location can serve as an authoritative data source that will ease management and eDiscovery efforts. Furthermore, if the centralized storage location is big enough, users will feel less compelled to delete content just to free up space, thereby reducing the risk of accidental deletions.
This capability is provided by the introduction of the personal archive, which we will discuss in detail shortly.
To properly control the deletion of emails and to counter-balance the ability to indefinitely store them, Exchange introduces a concept called messaging records management (MRM). MRM consists of retention tags and policies, which help to automatically archive or delete email based on the age of the email timestamp. We will look at MRM in detail soon.
Enforced retention is the capability to preserve email content to make it discoverable and yet permit the normal mailbox functions, including deletions and modifications. Enforced retention is accomplished by Exchange Online 2010 Legal Hold. In Exchange Online 2013, this is known as In-Place Hold. We will look at holds in detail shortly.
Putting it all together
As you can see, the three capabilities are designed to work together to form a comprehensive corporate compliance strategy. There is a centralized email storage location that makes search easier and an automated email archiving and deletion mechanism to help manage content without user intervention, thereby reducing human error or oversight. Finally, there is a mechanism to enforce preservation of content that overrides any other action to modify or destroy that content. Let us now look in detail at the actual technologies that provide these three capabilities.
We think of the personal archive as the foundational technology that supports compliance. The personal archive is sometimes referred to as the online archive or Exchange Online Archiving (EOA) if it is implemented as a stand-alone Exchange Online workload.
Before the introduction of the personal archive, users had limited mailbox sizes because of the need to manage the performance of Exchange. That is why Personal Storage Tables (PSTs) became popular. Users either delete emails to free up space in their mailbox or move them to .pst files. Both of these actions are major causes of concern when it comes to compliance.
Exchange Online Plan 1 provides a 25 GB storage that is shared between the primary mailbox and the archive mailbox. Exchange Online Plan 2 provides unlimited archive space that is separate from a 25 GB primary mailbox.
Therefore, the first step to compliance remediation is to assign users a personal archive. You can choose to do this for every user or only for certain users. Provisioning a personal archive can be done through the EAC, ECP, EMC, or Windows PowerShell.
Messaging Records Management
After you have provided users with a generous personal archive, you might still need to implement MRM to automatically archive or dispose of email content. MRM is accomplished through retention tags and retention policies.
Retention tags are discrete actions that can be applied to email messages and folders. Retention tags are designed to be very granular. Here are a few examples of retention tags:
Move items that are 180 days old from the Inbox to the Personal Archive.
Permanently delete items in the Personal Archive that are older than 1,825 days (five years).
Delete, but enable recovery of items that are older than 5 days in the Junk Mail folder.
Retention policies comprise multiple retention tags. It is a way to apply different retention tags to different items under a single policy and to facilitate workflows that carry out sequential actions on items, such as moving items from the primary mailbox to the archive mailbox if they are two years old, and then deleting them after five years. Using the three retention tag examples, you can combine all of them into a single organization retention policy and apply the retention policy to all mailboxes. If you do that, your organization’s email compliance statement will look something like this:
Adatum Inc. Email Retention Policy
All emails that are 180 days old are automatically moved from your primary mailbox to your personal archive, where they will reside for 4.5 years, at which time they will be permanently deleted. Emails that are determined by the system to be junk mail are stored in the junk mail folder for 5 days, after which they will be deleted. However, if you believe that an email was accidentally identified as junk and you did not get to it within 5 days, you can recover it from your recycle bin within 14 days after it was automatically deleted.
Retention policies are sometimes misunderstood because of their name. It is easy to forget that retention tags and policies are responsible only for moving or deleting content to ensure the content does not exceed its retention schedule. Retention tags and policies do not actually preserve content. This means if a user decides to delete an email on the first day it arrives, the retention policy you just put in place does not prevent the user from doing so.
To enforce the preservation of email content, Exchange uses the concept of a Legal Hold (Exchange Online 2010) or an In-Place Hold (Exchange Online 2013). Another interesting concept about enforced preservation is that the user is not prevented from carrying out actions that modify or delete email content. This is by design because mailbox operations should continue to function normally. This is a very significant Microsoft strategy because it balances your organization’s compliance requirements and at the same time does not affect the productivity of your users. When email content is on hold, it is discoverable.
A Legal Hold in Exchange Online 2010 is applied at the mailbox level and implemented through the EMC, ECP, or Windows PowerShell. While the concept of immutability can be accomplished through Legal Hold, the ability to apply it only at the mailbox level might not be granular enough because too much content might be placed on hold. Nonetheless, what is important is that content is immutably preserved and, with a large personal archive, the space consumption as a result of content preservation under Legal Hold is not an issue.
In Exchange Online 2013, Legal Hold is renamed In-Place Hold, and it now addresses the ability for you to be more granular in selecting the content to preserve by introducing two types of In-Place Holds:
Time-based hold, including indefinite hold
Time-based holds, sometimes referred to as rolling holds, work like an MRM retention tag in that the hold is applied based on the timestamp of an email. As long as the timestamp of the email falls within the limits of the time-based hold, the email content will be preserved and is discoverable through a multi-mailbox eDiscovery search. After the timestamp of the email falls outside the time-based holds, the content of the email will no longer be preserved and will be subject to the modification or deletion actions of the user or MRM.
Criteria-based hold relies on keywords and Boolean logic to preserve content. Aside from a keyword criteria match, you can also specify source and recipients, date ranges, and message types (email, calendar items, and so on).
You can create and apply multiple holds to the entire organization (all mailboxes), to specific individuals, or to distribution groups. If an email is subject to multiple holds, as long as any of the hold remains applicable to the email, then its contents will be preserved and is discoverable.
You can create time-based holds and criteria-based holds on the compliance management page of the EAC, as shown in Figure 12-47.
Figure 12-47 Creating In-Place Holds through the EAC.
When prompted for the holding period, you can choose to hold indefinitely or to hold for a certain number of days, as shown in Figure 12-48.
Figure 12-48 Define hold settings.
As an example of a corporate-enforced, In-Place Hold policy, an organization could choose to create an organization-wide, time-based hold by following these steps:
In the EAC, select compliance management, and then select in-place eDiscovery & hold.
Click the + icon to create a new in-place hold.
Provide a name for the hold, and then click next.
Select Specify mailboxes to search, and then click the + icon.
In the Global Address List (GAL) dialog box, select a distribution group, such as Everyone. Click add, and then click ok to close the GAL. Alternatively, you can simply select the Search all mailboxes option in Step 4. Click next.
On the Search query page, select Include all user mailbox content. This enforces the preservation of all email, regardless of content. Click next.
On the In-Place Hold settings page, select Place content matching the search query in selected mailboxes on hold. Select the Specify number of days to hold items relative to their received date option. Type 180 in the text box, and then click finish.
You have now implemented an organization-wide, time-based hold. In the event that you need to create a new hold based on criteria rather than time, you will perform the same preceding steps to create a new hold with one difference: instead of selecting Include all user mailbox content in Step 6, select Filter based on criteria and use keywords, Boolean logic, KQL, and the other settings to define your criteria-based search.
Multi-mailbox search (eDiscovery)
Multi-mailbox search enables you to search mailboxes for items that meet your criteria. The results of a multi-mailbox search are stored in a special type of mailbox called the Discovery mailbox. Each tenant is provisioned with a single Discovery mailbox, but you can create additional Discovery mailboxes. Furthermore, each Discovery mailbox is limited to 50 GB.
Results of multi-mailbox searches are located on the same page as In-Place Holds. As you can see in Figure 12-49, by clicking on an existing time-based or criteria-based hold, the information including estimates of the search results are shown in the informational pane to the right.
Figure 12-49 Estimate of search results.
By clicking the magnifying glass icon, as shown in Figure 12-50, you can re-run the estimate for search results, preview the search results, or copy the search results.
Figure 12-50 Search results options.