
Getting to know your compliance options in Exchange 2013

Keeping up with the regulations that come with new technology can be tough, but certain Exchange features can help organizations stay compliant.

The tasks an IT organization is charged with constantly change, but the tasks themselves are often influenced by trends -- often just hype -- in the market. As trends come and go, organizations can either act upon them or let them pass by.

One technology trend that has survived the test of time is compliance. The term usually refers to an organization's abiding by legal, financial or other types of regulation. Each regulation imposes its own rules, resulting in technological options to address those rules. The digital age introduced the need for compliance rules, and with them the compliance options that organizations adopt.


The problem isn't that regulations change or that new regulations are created -- it's the technological aftermath. Technology is rapidly evolving and offering new features and capabilities at an almost continuous rate. People are embracing these new technologies at a rate IT organizations can hardly keep up with, if they can keep up at all.

New rules come with new technologies. Some countries have strict data-storage location regulations as a result of technological advances. Under the Safe Harbor pact, for example, data can be transferred to a third party (a country outside of the U.S.) only if the service provider can prove it meets the pact's regulations. But under the Patriot Act, companies in the U.S. might be asked to hand over specific customer data without disclosing the request to third parties, directly conflicting with the Safe Harbor pact. As a result, regulations that should regulate data safety fight against each other instead, making it difficult to benefit from the technological advantages that cloud-based services might offer -- at least from a legal point of view. That's why many American companies built data centers in Europe to comply with the European Union data laws, even though the Patriot Act still applies.

So, to what degree should companies adhere to regulations and requirements if these rules prevent them from using new and beneficial technology? Unfortunately, there's no simple answer.

Companies historically have bought, and will continue to buy, software to help them stay compliant, but this won't be enough in the long run. As long as technology continues to evolve at its current pace, companies will have to find a way to work around the issues that come with the changes.

How Exchange 2013 expands compliance options

Problems with compliance not only apply to storing documents in the cloud, but also are valid from a messaging point of view. A company's intellectual property often resides in users' mailboxes, so messages or content exchanged via email might represent data that is subject to regulation as well.

Since Exchange Server 2010, Microsoft has introduced different features to help make your Exchange infrastructure compliant, even though none of these features are compliance options on their own. This is important to keep in mind.

Each of the following features can help your company become compliant, but as standalone features, they might not fulfill all of the requirements. Even so, there are several features in Exchange 2013 that relate to or can otherwise help organizations meet compliance regulations.

Role-Based Access Control (RBAC), for example, helps you restrict administrative permissions in Exchange to prevent unauthorized access to configuration or mailbox data. This is particularly useful in scenarios where companies are required to prove data integrity if they are trying to be compliant with specific regulations, such as the Sarbanes-Oxley Act.

As with RBAC, mailbox and admin audit logging and reporting can be used to prove that mailbox data has been accessed only by those with the proper credentials. It isn't fail-safe, but it is one of the most valid compliance options for enterprises using Exchange 2013. Audit logging can be selectively enabled so that only important mailboxes are monitored.
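The selective enabling and the "prove who accessed what" use described above, as an added Exchange Management Shell example that is not from the article. It assumes the regulated mailboxes are tagged with CustomAttribute1 = 'Regulated' (a constructed convention) and uses the standard Exchange 2013 audit cmdlets.

```powershell
# Added example (not from the article): selective mailbox audit logging in Exchange 2013.
# Assumption: mailboxes holding regulated data carry CustomAttribute1 = 'Regulated'.
$regulated = Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'Regulated'"

foreach ($mbx in $regulated) {
    # Log non-owner access (administrators and delegates) and keep the log for a year.
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
        -AuditDelegate Update,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
        -AuditLogAgeLimit 365.00:00:00
}

# Admin audit logging records which administrator ran which cmdlet against which object
# (for example, who granted Full Access to a mailbox or who turned auditing off).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters * `
    -AdminAuditLogAgeLimit 365.00:00:00

# Evidence for an auditor: every non-owner access to a regulated mailbox in the last 30 days.
foreach ($mbx in $regulated) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Admin,Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
        Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                      FolderPathName, ItemSubject, ClientIPAddress
}

# And every permission or audit-setting change made by an administrator in the same window.
Search-AdminAuditLog -Cmdlets Add-MailboxPermission,Set-Mailbox,Set-AdminAuditLogConfig `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
```

Auditing only non-owner logons keeps the log small while still answering the question a regulator asks: whether anyone other than the mailbox owner read or changed its contents.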

To keep track of content, you have two Exchange features you can use: In-Place Hold and journaling. The In-Place Hold feature, formerly known as Legal Hold, allows you to keep and track versions of documents or emails in a user's mailbox for a specific or an unlimited amount of time. Even if users delete items, Exchange will keep those items in a special hidden folder for an organization's compliance officer to find.

Journaling allows you to record specific or all inbound and outbound messages by sending a copy of these messages to a journaling mailbox, where they are stored and can be retrieved.
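The In-Place Hold and journaling features described in the two paragraphs above, as an added Exchange Management Shell example that is not from the article. The contoso.example addresses, the case identifier and the seven-year hold period are constructed for illustration.

```powershell
# Added example (not from the article): In-Place Hold on custodian mailboxes plus a journal rule.
# Assumptions: contoso.example addresses, the case ID and the 2555-day (7-year) period are constructed.
$custodians = 'cfo@contoso.example', 'controller@contoso.example'

# In-Place Hold: keep every item in these mailboxes, including ones the users delete,
# for 2555 days. Omit -ItemHoldPeriod to hold items for an unlimited time.
New-MailboxSearch -Name 'Finance hold (PLACEHOLDER-CASE-ID)' `
    -SourceMailboxes $custodians `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 2555

# Verify the hold took effect: InPlaceHolds lists the GUIDs of the holds on the mailbox.
Get-Mailbox -Identity $custodians[0] |
    Format-List DisplayName, InPlaceHolds, LitigationHoldEnabled, RecoverableItemsQuota

# Deleted-but-held items live in the hidden Recoverable Items folders; watch their size
# against RecoverableItemsQuota so a long hold does not silently fill the mailbox.
Get-MailboxFolderStatistics -Identity $custodians[0] -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# Journaling: copy every message sent to or from the finance group to a journal mailbox.
New-JournalRule -Name 'Journal finance group' `
    -Recipient 'finance@contoso.example' `
    -JournalEmailAddress 'journal@contoso.example' `
    -Scope Global -Enabled $true

# Send journal-report NDRs to a monitored address so an unreachable journal mailbox is noticed.
Set-TransportConfig -JournalingReportNdrTo 'journal-ndr@contoso.example'

Get-JournalRule | Format-Table Name, Recipient, JournalEmailAddress, Scope, Enabled
```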

You can also expand your organization's compliance options with Data Loss Prevention (DLP) and Transport Rules. DLP evaluates outgoing traffic against a set of predefined rules to prevent accidental or deliberate data leakage. You can filter out specific content and take action based on those filters, including displaying a warning or preventing the message from being sent. DLP is built on Transport Rules, a feature that was introduced in Exchange 2010.

Another important Exchange feature that can also be used if SharePoint 2013 is deployed is e-discovery, which allows you to search for specific content in Exchange mailboxes. This feature is particularly useful when companies are required to provide specific data with regard to a complaint, lawsuit or other legal inquiry. Using e-discovery in SharePoint 2013 even lets you search multiple data stores, including SharePoint, Exchange and Lync.

In addition to integrating SharePoint, admins can integrate Active Directory Rights Management Services, or AD RMS, with Exchange to use the Information Rights Management (IRM) feature. This feature enables message encryption by letting users choose from a number of templates or by automatically using Transport Rules or DLP. Recipients will be given access to the content only if they are specified in the IRM template and only for the type of access specified. Because of this, you can limit a recipient's ability to alter or forward a message.
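The DLP, Transport Rules and IRM capabilities described in this paragraph and the DLP paragraph above, as an added Exchange Management Shell example that is not from the article. It assumes AD RMS is already integrated with Exchange, that the built-in 'U.S. Financial Data' DLP template and the 'Do Not Forward' RMS template are available, and that the board@contoso.example group is constructed.

```powershell
# Added example (not from the article): a DLP policy from a built-in template, a transport rule
# that rejects credit card numbers leaving the organization, and a transport rule that applies
# an AD RMS template. Assumptions: AD RMS is integrated; contoso.example addresses are constructed.

# List the DLP templates shipped with Exchange 2013 and confirm the one referenced below exists.
Get-DlpPolicyTemplate | Select-Object Name

# Start in AuditAndNotify: users see Policy Tips and incidents are logged, but nothing is
# blocked yet. Switch -Mode to Enforce once the false-positive rate is acceptable.
New-DlpPolicy -Name 'US financial data' -Template 'U.S. Financial Data' -Mode AuditAndNotify

# DLP is built on transport rules: this rule rejects external mail that contains a credit
# card number and tells the sender why the message was not delivered.
New-TransportRule -Name 'Block credit card numbers to external recipients' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = 'Credit Card Number'; MinCount = '1'}) `
    -NotifySender RejectMessage `
    -RejectMessageReasonText 'Credit card numbers may not be sent outside the organization.'

# IRM applied automatically by a transport rule: messages from the board group marked
# Confidential get the 'Do Not Forward' template, so recipients cannot forward, copy or print.
Get-RMSTemplate | Select-Object Name    # confirm the template name before referencing it
New-TransportRule -Name 'Protect confidential board mail' `
    -FromMemberOf 'board@contoso.example' `
    -SubjectOrBodyContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Check the IRM integration end to end for a sender before relying on the rule.
Test-IRMConfiguration -Sender 'chair@contoso.example'

Get-TransportRule | Format-Table Name, State, Priority
```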

As people continue to embrace new trends in technology at rates IT can barely keep up with, it can be difficult to adhere to associated rules or regulations. But it's possible to plan out ways to comply with those rules. Staying on top of compliance regulations and continuing to use existing features in Exchange can help organizations prepare for the future and the compliance regulations that will inevitably come with it.

About the author:
Michael Van Horenbeeck is a technology consultant, Microsoft Certified Trainer and Exchange MVP from Belgium, mainly working with Exchange Server, Office 365, Active Directory and a bit of Lync. He has been active in the industry for 12 years and is a frequent blogger, a member of the Belgian Unified Communications User Group Pro-Exchange and a regular contributor to The UC Architects.
