EXCHANGE 2010 PROTECTION AND COMPLIANCE Nathan Winters – Exchange MVP

Exch2010 compliance ngm final


A deck covering Exchange 2010 Information Protection and Compliance that runs to about 25 -30 minutes


Page 1

EXCHANGE 2010 PROTECTION AND COMPLIANCE

Nathan Winters – Exchange MVP

Page 2

Exchange 2010 IPC

Introduction to Information Protection and Compliance (IPC)

The arsenal of technical tools:
• Archiving
• Multi-Mailbox Search
• Legal Hold
• IRM
• Moderation
• Enhanced transport rule capabilities
• MailTips

Page 3

Why is IPC important?
• Large UK Retailer Leaks Payment Information via Email
• Nearly 40% of workers have received confidential information that was not meant for them!
• The Information Commissioner’s Office will be able to issue fines of up to £500,000 for serious data security breaches.
• Appeal Win Lets FSA Grab Evidence for SEC

Page 4

Some of the legal factors
• Public sector – Freedom of Information
• All – Data Protection Act
• Finance – Financial Services Authority, SEC, BASEL2
• RIPA – Regulation of Investigatory Powers Act 2000
• Human rights – Lawful Business Practice regulations
• Electronic Communications Act – adding disclaimers
• US – SOX, HIPAA etc.

Page 5

What does IPC mean to you?
• It’s a policy built around the relevant laws for your industry.
• Based on a set of technical tools which we try to automate.
• Monitor e-mail – content, recipients, where it is going
  ○ Know what is happening based on e-mail attributes
• Retain and provide
  ○ Archiving, retention and discovery
• Control and protection – allow or prevent
  ○ Granular policies
  ○ Soft to hard control

Page 6

Retain and Provide mail where required with Archiving, Retention and Discovery

Protection & Control: Soft to Hard
Ensure that you target the correct data with the correct policy to maximise usability

Alert
• Allow delivery but add a warning

Classify
• Allow delivery but apply a classification

Modify
• Allow delivery but modify the message

Append
• Allow delivery but add a disclaimer

Protect
• Allow delivery but prevent forwarding

Review
• Block delivery until moderated

Redirect
• Block delivery and redirect

Block
• Do not deliver!
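The eight rungs above map directly onto Exchange 2010 transport rule actions. The script below is an added example, not material from the deck, showing one rule per rung as typed into the Exchange 2010 Management Shell on a Hub Transport server. The rule names, the example.com addresses, the contractors group, the message classification and the card-number regex are illustrative assumptions; the cmdlets and parameters are the shipping Exchange 2010 ones.

```powershell
# Added example (not from the deck): one transport rule per rung of the
# soft-to-hard ladder. Names, addresses and the regex are assumptions.

# Shared condition: text that looks like a 16-digit payment card number
# written as four groups of four digits (Exchange 2010 transport regex).
$panPattern = '\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}'

# Alert: deliver, but warn the recipient in the subject line
New-TransportRule -Name "Alert - possible card data" -Priority 0 `
    -SubjectOrBodyMatchesPatterns $panPattern -SentToScope NotInOrganization `
    -PrependSubject "[WARNING: possible payment card data] "

# Classify: deliver, but stamp a message classification that Outlook/OWA
# display (Outlook needs the classification XML deployed to show it)
New-MessageClassification -Name "PaymentData" -DisplayName "Payment Data" `
    -SenderDescription "Contains payment card data - handle per PCI policy"
New-TransportRule -Name "Classify - card data" -Priority 1 `
    -SubjectOrBodyMatchesPatterns $panPattern -ApplyClassification "PaymentData"

# Modify: deliver, but alter the message; here a header that downstream
# systems (journaling, archiving, DLP gateways) can key on
New-TransportRule -Name "Modify - tag card data" -Priority 2 `
    -SubjectOrBodyMatchesPatterns $panPattern `
    -SetHeaderName "X-Example-Classification" -SetHeaderValue "payment-data"

# Append: deliver, but add a disclaimer. Wrap is the fallback when the
# body cannot be edited (e.g. already signed or encrypted).
New-TransportRule -Name "Append - external disclaimer" -Priority 3 `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ApplyHtmlDisclaimerText "<p>This message may contain confidential information.</p>"

# Protect: deliver, but the recipient cannot forward, copy or print.
# Requires IRM enabled (Set-IRMConfiguration -InternalLicensingEnabled $true).
New-TransportRule -Name "Protect - card data internal" -Priority 4 `
    -SubjectOrBodyMatchesPatterns $panPattern -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Review: hold the message until a moderator approves it
New-TransportRule -Name "Review - card data external" -Priority 5 `
    -SubjectOrBodyMatchesPatterns $panPattern -SentToScope NotInOrganization `
    -ModerateMessageByUser "[email protected]"

# Redirect: the intended recipient never gets it; it goes elsewhere
New-TransportRule -Name "Redirect - card data from contractors" -Priority 6 `
    -FromMemberOf "[email protected]" -SubjectOrBodyMatchesPatterns $panPattern `
    -RedirectMessageTo "[email protected]"

# Block: do not deliver; the sender gets an NDR carrying the reason text
New-TransportRule -Name "Block - card data to webmail" -Priority 7 `
    -SubjectOrBodyMatchesPatterns $panPattern `
    -AnyOfRecipientAddressMatchesPatterns '@(gmail|hotmail|yahoo)\.' `
    -RejectMessageReasonText "Payment card data may not be sent to personal webmail accounts"

# Check the resulting order: lower priority numbers run first
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State -AutoSize
```

A message that an earlier rule only altered (alert, classify, modify, append, protect) still flows through the later rules, so one message can climb several rungs; a rejected message is not delivered at all. Pilot each rule with a narrow scope (for example a single -SentTo address) before applying it organisation-wide, because the regex will also match 16-digit values that are not card numbers.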

Page 7: Exch2010 compliance ngm f inal

Exchange 2010 Archiving, Retention & DiscoveryBetter mailbox management

• Secondary mailbox node• PST /Primary Mailbox Management

Personal Archive

• Folder/Item Level • Archive/Delete policies

Retention Policies

• Role-based GUI Multi-Mailbox Search

• Edited and Deleted Items • Searchable with MM Search Legal Hold

Page 8

Why Archive? A vicious cycle of volume vs. control
• Growing e-mail volume leads to performance and storage issues: increasing storage and back-up costs
• Mailbox quota: users are forced to manage their quota
• PSTs: quota management often results in growing PSTs (Outlook auto-archive)
• Discovery and compliance issues: PSTs are difficult to discover centrally, and regulatory retention schedules contribute to further volume/storage issues

Page 9

Breaking the cycle with large mailbox architecture and archiving
• Growing e-mail volume, performance and storage issues: a large mailbox architecture maintains performance and provides the option of DAS-SATA storage to reduce costs
• Mailbox quota and PSTs: archiving enables simple migration of PSTs back to the server
• Compliance/discovery issues: archiving simplifies discovery, retention and legal hold

Page 10

Personal Archive overview – what is it and where does it live?

User goals and assumptions
• Simple to use – OWA & Outlook

IT Pro goals and assumptions
• Get rid of PSTs!
• Easy to enable.

Page 11

Personal Archive – user experience

User can view, read, navigate, flag and reply to archived mail same as live mail

User gets conversation view scoped to Archive (same as PSTs)

Reply to message in archive puts message in live mail sent items (same as PSTs)

Folder hierarchy from primary mailbox maintained

Page 12

Personal Archive Search

Option to search archive only or both live and archived mail

Advanced search options work across live and archived mail

Page 13

Message Retention

Move Policy: automatically moves messages to the archive
• Options: 6 months, 1 year, 2 years (default), 5 years, Never
• User impact: helps keep the mailbox under quota
• Works like Outlook Auto-Archive – without PSTs!

Delete Policy: automatically deletes messages
• User impact: removes unwanted items and helps keep the mailbox under quota
• Delete policies are global (they travel with the item to the Archive)
• Per-item policies take priority over per-folder policies

Page 14

Retention Policies – at the folder or item level
• Expiration date stamped directly on the e-mail
• Policies can be applied to all e-mail within a folder
• Policies can be applied directly within an e-mail
• Both delete policies and archive policies work this way
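The move and delete policies on these two slides are built from retention policy tags grouped into a retention policy. The script below is an added example, not the deck's own material, using assumed tag, policy and mailbox names. One caveat the slides do not mention: in Exchange 2010 RTM the Personal Archive is created in the same mailbox database as the primary mailbox; only SP1 and later let you place it elsewhere.

```powershell
# Added example (not from the deck): retention tags for the move and delete
# policies, bundled into one policy and applied to an archive-enabled user.
# Tag, policy and mailbox names are assumptions.

# Default policy tag (Type All) for the "move to archive after 2 years"
# option the slide calls the default; 730 days.
New-RetentionPolicyTag -Name "DPT Archive 2 years" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive `
    -Comment "Items older than 2 years are moved to your Personal Archive"

# Default delete tag (Type All). A policy may hold one archive DPT and one
# delete DPT; the delete tag follows items into the archive ("global").
New-RetentionPolicyTag -Name "DPT Delete 7 years" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery

# Folder-level tag: overrides the default tag for Deleted Items only
New-RetentionPolicyTag -Name "RPT Deleted Items 30 days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# Personal tags users apply to a folder or a single item. An explicit
# per-item tag beats a folder tag, which beats the default tag.
New-RetentionPolicyTag -Name "Keep 5 years" -Type Personal `
    -AgeLimitForRetention 1825 -RetentionAction DeleteAndAllowRecovery
# RetentionEnabled $false makes a "never expire" tag; the action is inert
New-RetentionPolicyTag -Name "Never delete" -Type Personal `
    -RetentionAction DeleteAndAllowRecovery -RetentionEnabled $false

# Bundle the tags into one policy
New-RetentionPolicy -Name "Corp Retention Policy" `
    -RetentionPolicyTagLinks "DPT Archive 2 years", "DPT Delete 7 years", `
        "RPT Deleted Items 30 days", "Keep 5 years", "Never delete"

# Enable the Personal Archive (the secondary mailbox) and assign the policy
$user = "[email protected]"
Enable-Mailbox -Identity $user -Archive
Set-Mailbox -Identity $user -RetentionPolicy "Corp Retention Policy"

# The Managed Folder Assistant stamps expiry dates and moves/deletes items
# on its schedule; run it now to see the effect immediately
Start-ManagedFolderAssistant -Identity $user

# Verify what the mailbox ended up with
Get-Mailbox -Identity $user | Format-List ArchiveName, ArchiveGuid, RetentionPolicy
Get-RetentionPolicy -Identity "Corp Retention Policy" | Format-List RetentionPolicyTagLinks
```

Before rolling a delete DPT out to everyone, check it against any retention schedule that applies to you (slide 4): the assistant deletes on age alone, and only a legal hold (slide 15) stops it.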

Page 15

Legal Hold
• The hold policy captures all edits/deletes irrespective of user or admin access.
• User workflow is unchanged; items are captured in hidden folders in Dumpster 2.0.
• Multi-mailbox search can retrieve items indexed in Dumpster 2.0.
• ISSUE – consider that the whole mailbox is put on hold, not just the granular information that you need on hold!

Page 16

Hold Policy
• URL links to additional info
• The IW is told how to comply (no action needed for e-mail)
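Putting a mailbox on hold and giving the user the comment and URL from this slide is a single Set-Mailbox call. The script below is an added example rather than the deck's own; the custodian address, matter reference, URL and wording are assumptions. The FolderScope RecoverableItems switch used for the size check is an SP1 addition.

```powershell
# Added example (not from the deck): enable litigation hold, tell the user
# how to comply, and verify. Names, URL and wording are assumptions.

$custodian = "[email protected]"

# Enable hold. From now on edits and deletes by anyone, admins included,
# are preserved in the Recoverable Items ("Dumpster 2.0") folders.
# RetentionComment/RetentionUrl appear in Outlook 2010 account settings.
Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true `
    -RetentionComment "Your mailbox is on legal hold for matter 2010-017. No action is needed for e-mail; do not move items to PST files." `
    -RetentionUrl "https://intranet.example.com/legal/hold-faq"

# Verify. The hold can take up to an hour to be enforced on the mailbox
# server, so do not assume it is live the moment the cmdlet returns.
Get-Mailbox -Identity $custodian |
    Format-List LitigationHoldEnabled, RetentionComment, RetentionUrl

# Periodic control: which mailboxes are on hold, and since when? Hold is
# all-or-nothing per mailbox (the slide 15 caveat), so keep this list short
# and release holds when the matter closes.
Get-Mailbox -ResultSize Unlimited -Filter { LitigationHoldEnabled -eq $true } |
    Select-Object DisplayName, PrimarySmtpAddress, WhenChanged

# How much is accumulating in the hidden hold folders? (SP1 or later)
Get-MailboxFolderStatistics -Identity $custodian -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# Release once the matter closes; items then age out under normal retention
# Set-Mailbox -Identity $custodian -LitigationHoldEnabled $false `
#     -RetentionComment $null -RetentionUrl $null
```

Because the whole mailbox is held, scope what you actually retrieve with a multi-mailbox search (next slides) rather than trying to narrow the hold itself.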

Page 17

Multi-Mailbox Search
• Simple, role-based GUI
• Filtering includes: sender, recipient, expiry policy, message size, sent/received date, cc/bcc, regular expressions, IRM-protected items
• Delegate access to search to HR, compliance or legal managers
• Search all mail items (e-mail, IM, contacts, calendar) across primary mailboxes and archives

Page 18

Multi-Mailbox Search – additional e-discovery features
• Export search results to a mailbox or SMTP address
• Request an e-mail alert when the search is complete
• Search specific mailboxes or DLs
• Search results are organised in the original folder hierarchy
• API enables third-party tool integration with query results for processing
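The delegation, the search itself and the completion alert from these two slides look like this in the shell. This is an added example, not the deck's material; the role group member, source mailboxes, query, dates and discovery mailbox are assumptions. The query syntax is AQS (the same words/phrases/operators Outlook search accepts), which is what the search cmdlet takes.

```powershell
# Added example (not from the deck): delegate discovery, run a search for
# payment card data across mailboxes and a DL, and collect the results.
# Names, addresses, dates and the query are assumptions.

# Delegation: the built-in "Discovery Management" role group carries the
# Mailbox Search role and nothing else, so the compliance manager needs no
# other Exchange admin rights
Add-RoleGroupMember -Identity "Discovery Management" -Member "[email protected]"

# The search. SourceMailboxes takes mailboxes or distribution groups;
# archives are included by default; SearchDumpster pulls in the hidden
# legal-hold items; results are copied to the discovery mailbox in their
# original folder hierarchy; StatusMailRecipient gets the completion alert;
# LogLevel Full keeps an audit record of the query and who ran it.
New-MailboxSearch -Name "Matter 2010-017 card data" `
    -SourceMailboxes "[email protected]", "Finance Team" `
    -SearchQuery '"card number" OR "primary account number" OR PAN' `
    -Senders "[email protected]" `
    -StartDate "01/01/2010" -EndDate "06/30/2010" `
    -MessageTypes Email, IM `
    -SearchDumpster $true `
    -TargetMailbox "[email protected]" `
    -StatusMailRecipient "[email protected]" `
    -LogLevel Full

# Progress and counts. On a build where the search does not start on
# creation, kick it off with Start-MailboxSearch -Identity <name>.
Get-MailboxSearch -Identity "Matter 2010-017 card data" |
    Format-List Status, PercentComplete, ResultNumber, ResultSize, Errors

# Results sit in a folder named after the search inside the discovery
# mailbox. Grant only the reviewers for this matter access to it, because
# the copied mail is no longer protected by the source mailboxes' ACLs.
Add-MailboxPermission -Identity "[email protected]" `
    -User "[email protected]" -AccessRights FullAccess
```

Treat the discovery mailbox as a controlled store: it receives clear copies of whatever the query matched, including IRM-protected items when search decryption is enabled (see the IRM configuration later in the deck), so audit who can open it.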

Page 19

Exchange 2010 Protection and Control

Information Rights Management
• IRM in OWA
• IRM transport rules & search

MailTips
• Automated alerts for users
• OWA and Outlook 2010

Moderation
• Route mail to a moderator for review

Enhanced Transport Rules
• Dynamic signatures
• Granular conditions

Page 20

Information Leakage – can be costly on multiple fronts

Legal, regulatory and financial impacts
• Non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more
• Damage to public image and credibility with customers
• Financial impact on the company

Loss of competitive advantage
• Disclosure of strategic plans
• Loss of research, analytical data, and other intellectual capital

Page 21

Enforcement tools are required—content protection should be automated.

Message Confidentiality?

Page 22

Automatic Content-Based Privacy
• Transport rule action to apply an RMS template to an e-mail message
• Transport rules support regex scanning of attachments in Exchange 2010 (including content)
• Internet Confidential and Do Not Forward policies available out of the box

Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages.

Page 23

What is Rights Management Services?

Windows platform information protection technology
• Better safeguard sensitive information
• Protect against unauthorized viewing, editing, copying, printing, or forwarding of information
• Limit file access to only authorized users
• Audit trail tracks usage of protected files

Persistent protection
• Protects your sensitive information no matter where it goes
• Uses technology to enforce organizational policies
• Authors define how recipients can use their information

Page 24

Protection via Transport Rules
• New transport rule action to “RMS protect”
• Transport rules support regular expression scanning of attachments in Exchange Server 2010
• “Do Not Forward” policy available out of the box
• Office 2003, Office 2007, Office 2010, and XPS documents are supported for attachment protection
• Ability to route e-mail for moderation
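None of the RMS integration on slides 19 to 24 works until IRM is switched on in Exchange and the AD RMS cluster trusts the Exchange servers. The script below is an added example, not the deck's, showing the Exchange-side enablement, the built-in check, and the attachment-scanning rule from this slide; the addresses and rule name are assumptions, and the AD RMS cluster and its super-users group are assumed to be configured already.

```powershell
# Added example (not from the deck): enable and verify IRM in Exchange 2010,
# then add a transport rule that scans attachment content. Addresses and
# the rule name are assumptions; an AD RMS cluster is assumed to exist.

# Which templates can rules and Outlook Protection Rules reference?
# "Do Not Forward" is always present; the rest come from AD RMS.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# InternalLicensingEnabled: the "RMS protect" transport rule action
# ClientAccessServerEnabled: IRM in OWA
# SearchEnabled: index protected content so multi-mailbox search sees it
# TransportDecryptionSetting: decrypt in transit so rules can inspect the
#   content and re-protect on the way out. Optional lets a message the
#   server cannot decrypt through uninspected; Mandatory NDRs it instead.
# JournalReportDecryptionEnabled: attach a clear copy to journal reports
Set-IRMConfiguration `
    -InternalLicensingEnabled $true `
    -ClientAccessServerEnabled $true `
    -SearchEnabled $true `
    -TransportDecryptionSetting Optional `
    -JournalReportDecryptionEnabled $true

# End-to-end check: can the servers obtain licences and decrypt on behalf
# of these users? Fails if the super-users group or SCP is wrong.
Test-IRMConfiguration -Sender "[email protected]" -Recipient "[email protected]"

# The slide's attachment case: regex over the content of supported
# attachment types (Office 2003/2007/2010, XPS). The whole message,
# attachments included, is protected; saved attachments stay protected.
New-TransportRule -Name "Protect attachments containing card numbers" `
    -AttachmentMatchesPatterns '\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}' `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Confirm the settings took
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ClientAccessServerEnabled, `
    SearchEnabled, TransportDecryptionSetting, JournalReportDecryptionEnabled
```

Two operational points: attachment types the scanner does not understand (zip, pdf, images) are not matched, so this rule is a control for Office/XPS content only; and with TransportDecryptionSetting Mandatory every message the Hub Transport server cannot decrypt, including mail protected by a template the server has no licence for, is rejected with an NDR.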

Page 25

Protection via Transport Rules

Page 26

Rights Management Services Integration in Outlook Web Access

Page 27

Protected Content in Outlook
• RMS protection is applied both to the message itself and to the attachments.
• Saved attachments retain the relevant protection (e.g. rights to view, print or copy content).

Page 28

Rights Management Services Integration in Unified Messaging
• Unified Messaging administrators can allow incoming voice mail messages to be marked as “private”
• Private voice mail can be protected using “Do Not Forward”, preventing forwarding or copying of the content
• Private voice mail is supported in Outlook 2010 and Outlook Web App (OWA)

Page 29

Rights Management Services Integration in Unified Messaging
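The private voice mail behaviour on the two slides above is controlled per UM mailbox policy. The following is an added example, not from the deck; the policy name and the text are assumptions, and IRM must already be enabled in Exchange (Set-IRMConfiguration -InternalLicensingEnabled $true) for the protection to be applied.

```powershell
# Added example (not from the deck): protect voice mail marked "private"
# with Do Not Forward for users under one UM mailbox policy.
# Policy name and text are assumptions.

# ProtectAuthenticatedVoiceMail: callers who sign in to Outlook Voice Access
# ProtectUnauthenticatedVoiceMail: everyone else (external callers)
#   None = never, Private = only messages the caller marks private, All = every message
# RequireProtectedPlayOnPhone: protected messages play only via the phone
#   or Outlook 2010/OWA, never from a downloaded WMA/MP3 attachment
Set-UMMailboxPolicy -Identity "Default UM Policy" `
    -ProtectAuthenticatedVoiceMail Private `
    -ProtectUnauthenticatedVoiceMail Private `
    -RequireProtectedPlayOnPhone $true `
    -ProtectedVoiceMailText "This voice mail is private. It can be played in Outlook 2010, Outlook Web App or over the phone, and cannot be forwarded."

# Confirm the policy
Get-UMMailboxPolicy -Identity "Default UM Policy" |
    Format-List ProtectAuthenticatedVoiceMail, ProtectUnauthenticatedVoiceMail, `
        RequireProtectedPlayOnPhone, ProtectedVoiceMailText
```

Older Outlook versions and most mobile clients cannot open protected voice mail, so tell users before enabling this that "private" messages are only playable in the three places the text names.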

Page 30

Business to Business RMS – securely communicate with partners
• Today customers can communicate using RMS between organizations by deploying ADFS and setting up trusts
  ○ ADFS requires a separate trust between each partner
  ○ ADFS isn’t supported by Exchange
• In Exchange Server 2010, customers can federate with the Microsoft Federation Gateway instead of each partner
  ○ A single federation point replaces individual trusts
  ○ Allows Exchange to act on behalf of users for decryption
• Senders can control how their data is accessed by third parties
  ○ By using federation, RMS can allow organizations and applications to access data on behalf of individuals; specifically they can specify whether recipient organizations can archive e-mails in the clear
  ○ The RMS administrator can control which third parties can access data using federated authentication (allow/block list)

Page 31

Outlook Protection Rules
• Allow an Exchange administrator to define client-side rules that will protect sensitive content in Outlook automatically
• Rules can be mandatory or optional depending on requirements
• Rules look at the following predicates:
  ○ Sender’s department (HR, R&D, etc.)
  ○ Recipient’s identity (specific user or distribution list)
  ○ Recipient’s scope (all within the organization, outside, etc.)
• Rules are automatically retrieved from Exchange using Autodiscover and Exchange Web Services

Page 32

Outlook Protection Rules

Step 1: User creates a new message in Outlook 2010.

Step 2: User adds a distribution list to the To line.

Step 3: Outlook detects a sensitive distribution list (DL) and automatically protects as MS Confidential.

Company Confidential - This content is confidential and proprietary information intended for company employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, Print and Forward. Permission granted by: [email protected]
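The three predicates on slide 31 and the walkthrough on slide 32 correspond to the parameters of New-OutlookProtectionRule. The script below is an added example, not the deck's own; the department names, the DL address and the "Company Confidential" template are assumptions (the template must exist on your AD RMS cluster, as listed by Get-RMSTemplate), while "Do Not Forward" ships with AD RMS.

```powershell
# Added example (not from the deck): one Outlook Protection Rule per
# predicate type. Departments, DL address and custom template are assumptions.

# Sender's department (matched against the user's AD "department" attribute):
# everything HR sends is protected and the user cannot remove it (mandatory)
New-OutlookProtectionRule -Name "HR mail is Do Not Forward" `
    -FromDepartment "Human Resources" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $false

# Recipient's identity: mail to a sensitive DL gets the company template, as
# in the slide 32 walkthrough; here the user may remove it (optional rule)
New-OutlookProtectionRule -Name "Board DL is Company Confidential" `
    -SentTo "[email protected]" `
    -ApplyRightsProtectionTemplate "Company Confidential" `
    -UserCanOverride $true

# Recipient's scope: R&D mail that stays inside the organisation.
# SentToScope accepts All or InOrganization.
New-OutlookProtectionRule -Name "R&D internal mail" `
    -FromDepartment "Research and Development" -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Company Confidential"

# The department predicate only works if the attribute is populated
Get-User -Identity "[email protected]" | Format-List DisplayName, Department

# Rules are evaluated in priority order and pulled down by Outlook 2010 via
# Autodiscover/EWS; changes show up when the client next refreshes them
Get-OutlookProtectionRule | Format-Table Priority, Name, Enabled, UserCanOverride -AutoSize

# Turn one off without deleting it
Disable-OutlookProtectionRule -Identity "R&D internal mail"
```

These rules run in Outlook 2010 only; OWA users and older Outlook clients are not covered, so pair each mandatory client-side rule with a transport rule (slide 24) if the requirement is that the mail is never sent unprotected.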

Page 33

Manage Inbox Overload

Help reduce unnecessary and undeliverable e-mail through new sender MailTips
• Reduce non-delivery reports
• Limit accidental e-mail
• Remove extra steps and e-mail
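MailTips are an organisation-level switch plus optional per-recipient text. The script below is an added example, not the deck's; the group and mailbox addresses and the tip wording are assumptions.

```powershell
# Added example (not from the deck): organisation-wide MailTips settings
# behind the three bullets above, plus custom tips on specific recipients.
# Addresses and wording are assumptions.

# Turn MailTips on. ExternalRecipientsTips is the "Limit accidental e-mail"
# case (warns before sending outside the organisation); LargeAudience warns
# above the threshold (25 is the default); GroupMetrics is what feeds the
# DL size counts behind that warning.
Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
    -MailTipsExternalRecipientsTipsEnabled $true `
    -MailTipsLargeAudienceThreshold 25 `
    -MailTipsMailboxSourcedTipsEnabled $true `
    -MailTipsGroupMetricsEnabled $true

# Custom tip on a sensitive DL, shown in OWA and Outlook 2010 before send
Set-DistributionGroup -Identity "[email protected]" `
    -MailTip "This list reaches every employee. Check with Communications before sending."

# Custom tip on a mailbox that must not receive regulated data
Set-Mailbox -Identity "[email protected]" `
    -MailTip "Do not send payment card data to this mailbox; use the secure portal instead."

# Restricting who may send to a group turns a post-send NDR into a
# pre-send "you are not authorised" MailTip ("Reduce non-delivery reports")
Set-DistributionGroup -Identity "[email protected]" `
    -AcceptMessagesOnlyFromSendersOrMembers "[email protected]"

# Confirm the organisation settings
Get-OrganizationConfig | Format-List MailTips*
```

MailTips are advisory: they change what the sender sees, not what the server allows, so the external-recipient tip is a usability complement to the transport rules on slide 6, not a substitute for them.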

Page 34

Key takeaways
• Personal Archive gives a seamless user experience and removes the need for PSTs
• Deep support for IRM
• Automation enables ease of use and administration
• Wide range of granular controls from Soft to Hard