Welcome to the final installment in our three-part series on hosted Exchange Server. In previous installments, we examined the hosted Exchange Server market, as well as crucial facts to know and questions to ask before moving to a hosted model. As we wrap up the series, we look at two more pieces of the puzzle: compliance and e-discovery.
As a wider variety of organizations -- including medical and financial institutions -- move from on-premises Exchange deployments to hosted Exchange, concerns about maintaining compliance have caused admins to raise a wary eyebrow.
Meeting the requirements of the Health Insurance Portability and Accountability Act (HIPAA), for example, which regulates the protection of certain health information, means that employers must secure any health information that's sent via email.
Microsoft Exchange Server secures SMTP traffic with Secure Sockets Layer (SSL) for email over the Internet. That said, it's an Exchange administrator's responsibility to prove that email is, in fact, protected. Mobile devices compound the challenge of maintaining compliance. Laptops, smartphones and mobile devices should be encrypted, have policies barring unauthorized access, and require that all traffic to and from said devices is also protected via SSL.
Additionally, if mobile security policies are not properly configured, accessing corporate information via Outlook Web Access (OWA) can potentially leave unencrypted private documents exposed on a public system or kiosk. Although the email session is SSL-encrypted, the document or spreadsheet that you view is actually downloaded to the hard drive in an unencrypted format.
OWA in Exchange 2010 has an option to render the file for viewing inside of the secure browser window. Certain compliance regulations require that organizations prove such data would not be exposed under these circumstances.
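An added example, not part of the original article: one way to produce evidence of the OWA attachment settings described above, assuming you have Exchange Management Shell access to the Exchange 2010 servers (a hosted provider may have to run it for you). The function name, the sample server EXCH01 and the CSV file name are hypothetical; the three setting names are parameters of the Exchange 2010 OWA virtual directory cmdlets.

```powershell
# Added example. Targets PowerShell 2.0, which the Exchange 2010 Management Shell uses.
# Expected values for sessions the user marks "public or shared computer" at OWA logon.
$expected = @{
    DirectFileAccessOnPublicComputersEnabled           = $false  # no raw attachment download
    WebReadyDocumentViewingOnPublicComputersEnabled    = $true   # allow in-browser rendering
    ForceWebReadyDocumentViewingFirstOnPublicComputers = $true   # convert to HTML before any other open option
}

function Test-OwaPublicAttachmentSetting {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $VirtualDirectory,
        [Parameter(Mandatory = $true)] [hashtable] $Expected
    )
    process {
        # Emit one evidence row per setting so the CSV shows expected vs. actual.
        foreach ($name in $Expected.Keys) {
            New-Object PSObject -Property @{
                CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('s')
                Server       = [string]$VirtualDirectory.Server
                Identity     = [string]$VirtualDirectory.Identity
                Setting      = $name
                Expected     = $Expected[$name]
                Actual       = $VirtualDirectory.$name
                Compliant    = ($VirtualDirectory.$name -eq $Expected[$name])
            }
        }
    }
}

# Constructed sample object, used only when the Exchange cmdlets are not loaded.
$sample = New-Object PSObject -Property @{
    Server   = 'EXCH01'
    Identity = 'EXCH01\owa (Default Web Site)'
    DirectFileAccessOnPublicComputersEnabled           = $true
    WebReadyDocumentViewingOnPublicComputersEnabled    = $true
    ForceWebReadyDocumentViewingFirstOnPublicComputers = $false
}

if (Get-Command Get-OwaVirtualDirectory -ErrorAction SilentlyContinue) {
    $vdirs = Get-OwaVirtualDirectory
} else {
    $vdirs = $sample
}

$report = $vdirs | Test-OwaPublicAttachmentSetting -Expected $expected
$report | Export-Csv -Path .\owa-public-attachment-audit.csv -NoTypeInformation
$report | Where-Object { -not $_.Compliant } | Format-Table Server, Setting, Actual -AutoSize
```

Any row reported as non-compliant can be corrected by passing the same three parameters, with the expected values, to Set-OwaVirtualDirectory for that identity.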
Data archiving and e-discovery
E-discovery is another important part of the hosted Exchange Server equation. A company may be legally compelled to retrieve information from computer systems and deliver that data to the courts in the event of a lawsuit. Electronic records including email, calendars and associated documents exist in huge numbers within Exchange, on file servers and in portals within an organization.
If you do not already have an archive for Exchange, get one. Copies of email messages, calendars and the makeup of distribution lists (as of when the message was sent) are saved to this repository. If you want to audit your policies, need to prove compliance or have to retrieve messages that the courts request, you'll need to pull all of this information from the archive.
The archive is fundamentally different from the data in your active messaging folders. Inboxes and other folders are constantly changing, whereas the archive is an ongoing collection of every item that comes into or goes out of your messaging system.
A backup captures a point in time; items can be restored as they existed when the backup was made, but a message that was created and deleted between backups would not exist. The archive also captures metadata about items. You'll most likely need to expand distribution lists as they existed at the moment the message was sent.
The key requirement for compliance and discovery is the ability to search the archive. Basic search functionality may be enough. But what really changes if this repository resides in the cloud in a hosted Exchange Server environment? Not too much, in fact. It's best to allow the service provider that handles antivirus and anti-spam filtering to preserve the data.
Exchange Server 2010 has a capable feature that builds archives directly into a user's mailbox. While the personal archives may not have all the bells and whistles of a full-blown archiving solution from a third-party vendor, they allow organizations of any size to meet data-retention requirements. This primarily satisfies the need to move those pesky .pst files from users' hard drives to a secure server platform where the liability exposure to data leakage or loss can be mitigated.
Over time, you can move the data archive from your on-premises deployment to the hosted Exchange server. For medium and large accounts, you'll have to do this in a controlled fashion, and only once your organization is properly prepared. The key here is to start that archive as soon as possible; you never know when you will need it.
About the author
Lee Benjamin is an expert on Microsoft Exchange with in-depth experience in a number of other messaging systems. Since retiring from Microsoft in 1997, he has been a consultant for enterprise and medium-sized organizations and software firms. He currently specializes in migration and upgrade advice, technical writing and evaluation, product strategy, and training and courseware development. Lee is an analyst at Ferris Research, chairman of the largest Exchange user group in the world, Exchange Server Boston, and a director for Boston User Groups.