Managing Compliance in Microsoft Exchange Server 2010

The need to achieve compliance with legal and regulatory requirements is a fact of corporate life today. Legislation such as the Sarbanes-Oxley Act in the United States has influenced many other countries to introduce similar requirements to keep records that show when something was done and by whom. Microsoft started on the process to build records management capability into Microsoft Exchange Server 2007 with the introduction of managed folders. However, users (and many administrators) didn’t really understand the purpose of managed folders and compliance was weak. To address these issues and to provide a true basis for compliance, Microsoft Exchange Server 2010 introduces its own features, including the following:

• The ability to audit administrator actions

• The provision of archive mailboxes

• The ability to create and apply retention policies to items and folders

• The ability to recover items even if a user has deleted them from the dumpster

• The ability to place mailboxes on retention hold or litigation hold

There is a big difference between retention hold and litigation hold (also referred to as legal hold) that we need to be clear about when we discuss compliance. Retention hold means that any retention policies that are in force on a mailbox are suspended, normally when the mailbox owner is unable to process messages for a period. Litigation hold is a totally different feature that is designed to capture all edit and delete operations for a mailbox inside the dumpster so that a user cannot affect or eliminate data that might be required by a discovery action. If you put a mailbox on litigation hold, you nullify the effect of retention hold because the effect of any retention policies is suspended. Wise administrators take advice and guidance from the company’s legal department before they place a mailbox on retention or litigation hold to ensure that the action complies with any legal requirements that are in force and does not compromise any document retention policies that are in effect. There’s no point in enabling a feature that collects unneeded or unwanted data.

The features just listed are not exhaustive, as other Exchange features can be associated with compliance. For example, transport rules allow a disclaimer to be appended to every outgoing message that can limit liability by complying with rules that say that messages from a company must contain specific contact or other information about the company. The point is that compliance is an area that continues to evolve. There is no doubt that Microsoft will update the Exchange feature set over time to satisfy the broadest possible set of requirements. However, it is unreasonable to expect any software to deliver a complete answer. For example, although you can place mailboxes on litigation hold or establish an extended deleted item retention period to ensure that important information is not deleted, you also need to figure out the administrative procedures to handle situations such as mailbox retention following the death of an employee. Handling situations like this is reasonably straightforward (disable the account, hide the user’s mailbox from the Global Address List [GAL], and keep it and any archives—including PSTs that you recover from the user’s PC—until any legal hold period is passed) as long as you think everything through.

With that cheerful thought in mind, let’s review the new compliance features in Exchange 2010 and explore the updated functionality available for older compliance features such as transport rules and journaling.

The joy of legal discovery

Legal discovery actions have been around for centuries. Over the last two decades, we have seen the focus of discovery or searches for information pertinent to a legal case begin to shift from paper evidence to electronic evidence. This shift reflects the different manner in which organizations store data today. We still have filing cabinets stuffed full of paper, but much of the correspondence that companies conducted by letter, fax, and telex is now sent by email, so the focus for discovery has to accommodate both paper and electronic media.

Discovery actions for email systems first began in the mid-1980s. At that time messages were recovered from backup tapes and printed for lawyers to review. The process was dreadfully expensive and time consuming. The only mitigating factor was that it was much easier to determine who might have sent an incriminating message because relatively few people in a company had email and the overall volume of email was low. Messages were text only and tended to be short. It was therefore possible to satisfy a judge’s order to retrieve all messages for ten specific users over a month without running up an extraordinarily high bill.

Today’s environment is obviously different. Many more users are typically hosted on each server, they send and receive an ever-increasing volume of messages, and those messages contain many different types of attachments, including video and audio files. The result of living in the age of electronic communication is that the cost of legal discovery is higher because there is more information to process. In March 2009, Fortune Magazine reported that the court-appointed trustee of bankrupt Lehman Brothers, Inc. had captured 3.2 billion email and instant messages occupying 1.4 TB. This isn’t an unusual amount, as the FBI investigation of Enron in 2001 reviewed 31 TB of data and ended up using 4 TB as evidence. Email is a critical means of business communication that has replaced telexes, faxes, and written letters in many respects, so legal discovery of email has moved from an out-of-the-ordinary situation to something that is extremely common, whether it is to satisfy a legal or regulatory requirement, respond to a subpoena, or deal with an internal matter concerning employee ethics, harassment, or discipline.

The first generation of Exchange offered no way to keep mail around after it was deleted, which meant that you had to restore a database from a backup if you wanted to recover a message, whether it was needed to satisfy a legal order or because a user had deleted it in error. Gradually Microsoft began to add new features to Exchange to help. The original version of the “dumpster” as implemented in Exchange 2000 through Exchange 2007 provides a two-phase delete process where messages are marked as deleted but kept in the database until their retention period expires, at which time they are removed. The initial operation is a “soft delete,” the latter is a “hard delete.” Note that folder structures are not respected in the dumpster, as messages are “flattened” into a single repository. In other words, if you delete ten folders, each of which holds 2,000 items, and then realize that you should not have deleted one of the folders, you will have to recover the 2,000 items for that folder from the 20,000 items that are put into the dumpster. As we will see in the section “Dumpster 2.0 arrives” later in this chapter, Exchange 2010 includes an enhanced dumpster with some useful new features.

Journaling made its appearance in Exchange 2003 and was upgraded in Exchange 2007. However, the functionality offered by Exchange was basic, and most companies that invested in products to capture and archive messages went for purpose-designed products such as Symantec’s Enterprise Vault, Mimosa Systems’ (a division of Iron Mountain) NearPoint, or the HP Information Archive. Microsoft added managed folders in Exchange 2007 with the idea that administrators could create folders that are distributed to mailboxes for users to store important items. The contents of these folders are managed through policies, and it is possible to create procedures to harvest information from these folders on a regular basis. Not many companies used managed folders, and it is an example of a reasonable idea with a good purpose that collapsed when it was exposed to the acid usability test of real-life deployment outside Microsoft.

The compliance features in Exchange 2007 were a start and provided useful feedback from the companies that deployed managed folders. However, the overall experience was not compelling enough to generate widespread usage of the compliance features, which then led Microsoft to deliver a new set of features in Exchange 2010 and then further enhance the features in SP1. At TechEd and other events, Microsoft presenters acknowledge that many vendors have been actively selling archive solutions for Exchange for nearly a decade and that some offer much more developed functionality than Exchange 2010, especially in areas such as workflow, their ability to archive information taken from other sources, and the experience that companies have with these products in integrating the archival process with regulations. They go on to characterize the target market for Exchange 2010 archiving as the vast majority of the installed base that:

• Does not use archiving today.

• Depends on PSTs as a “relief valve” for restrictive mailbox quotas.

• Relies on tape/disk backups to respond to requests to recover data from users or to respond to discovery actions; this is obviously a very costly and time-intensive method.

Microsoft has to convince customers that having integrated archiving and search incorporated into an email server is a better solution than dedicated archiving and search applications that have been in use and developed over many years. It can be argued that cost is one key Microsoft advantage because archiving is available at the price of an enterprise Client Access License (CAL) that might be already acquired. The cost of an enterprise CAL for each user will often be lower than the cost of dedicated archiving software plus any additional hardware that is required to run the archiving software. This argument works if the functionality available in Exchange 2010 meets your requirements but fails if it doesn’t. Microsoft makes the point that they work closely with third-party software developers to ensure that the widest possible choice is available to customers, and it will be interesting to see how vendors such as Symantec and Mimosa cooperate and compete with Microsoft in this area over the next few years.