Exchange 2010: Compliance and Protection
Vladimir Alexandrov, Chorus Ltd.
[email protected]
30.03.2010



Agenda
• E-mail Archiving and Retention
  • Key technologies
  • Demo
• Protecting Email Communication
  • Protection mechanisms and options
  • Demo


E-mail Archiving and Retention
• Why Archive E-mail?
• What’s Stopping Customers?
• Integrated Archiving Solution:
  • Personal Archive
  • Retention Policies
  • Single Item Recovery / Hold Policy
  • Multi-mailbox Search

Why Archive E-mail?
Volume
• As data volume grows, Outlook performance can be impacted
• Mailbox quotas control volume but also encourage PST files
• PST files add to further performance/management issues
Retention
• Compliance adds to volume challenges
• Regulations mandate specific retention periods for relevant e-mail (SOX = 5 years, SEC rules = 6 years, HIPAA = 5-6 years)
Discovery
• Strict timelines on discovery of e-mail
• Cover all e-mail from all sources, including PSTs
• Retrieval costs can be HUGE (backup tapes, PSTs)

World Today: Where is your e-mail?
(Diagram, labelled Volume / Storage Management: e-mail scattered across SharePoint, Outlook PSTs, Webmail, a Third Party Archive, Backups and the Exchange Server)

What’s Stopping Customers?
Poor User Experience
• Unfamiliar environment
• Inability to search and/or access archived content
• Clunky experience with Outlook/Outlook Web Access add-on
Complex Administrative Experience
• Outlook add-on install/performance issues
• Separate search/management of primary and archive mailboxes
• Concerns over reliability of hosted archive vendors
High Costs
• Separate archive infrastructure investment
• Additional archive management costs


Integrated E-Mail Archiving Solution
Exchange Server 2010 introduces integrated e-mail archiving capabilities offering customers out-of-the-box tools to preserve and discover e-mail data, without changing the user or IT Pro experience.
Preserve / Discover:
Personal Archive
• Archive in Outlook/OWA
• Integrated with mailbox
Move and Delete Policy
• Move and Delete Policies in OLK/OWA
• Folder/Item Level Policy
Hold Policy
• Edited/Deleted items preserved
• Single Item Restore
Multi-Mailbox Search
• Simplified search console
• Role-Based Access Control


Overview of the Personal Archive
• A secondary mailbox that is configured by the administrator
• Appears alongside a user’s primary mailbox in Outlook or Outlook Web App.
• PST files can be dragged and dropped to the Personal Archive
• E-mail in primary mailbox can be moved automatically using Retention Policies
• Archive quota can be set separately from primary mailbox
(Screenshot: Outlook folder list showing the Primary Mailbox and the Personal Archive side by side)


A Seamless User Experience
• User can view, read, navigate, flag and reply to archived e-mail same as live e-mail
• User gets conversation view scoped to archive (same as PSTs)
• Replies to archived messages saved in live e-mail sent items folder (same as PSTs)
• Folder hierarchy from primary mailbox maintained


One User Search Experience
• Option to search archive only or both live and archived e-mail
• Advanced search options work across live and archived e-mail


Retention Policies for Everyone
• Policies automatically move e-mail to archive after x days
• Policy automatically deletes e-mail after x days
• Policies applied to all e-mail within a folder
• Expiration date label


Single Item Recovery (Dumpster 2.0)
Set-Mailbox <identity> -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor <Days>
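The Personal Archive, retention policy and single item recovery settings from the preceding slides, as one added Exchange Management Shell example (not from the original deck); the mailbox, tag and policy names are constructed placeholders:

```powershell
# Added example: provision a Personal Archive, a retention policy and
# Single Item Recovery for one mailbox, then audit the results.
# All names below are constructed placeholders (assumption), not from the deck.
$user = "alice.example"

# 1. Personal Archive: a secondary mailbox that appears next to the primary
#    mailbox in Outlook / OWA and can receive dragged-in PST content.
Enable-Mailbox -Identity $user -Archive

# 2. Retention policy tags: a default tag (Type All) that moves mail to the
#    archive after 2 years, and a Deleted Items folder tag that purges
#    after 30 days (recoverable through Single Item Recovery below).
New-RetentionPolicyTag -Name "Move to archive after 2 years" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Purge Deleted Items after 30 days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# 3. A retention policy groups the tags; the mailbox gets the policy.
New-RetentionPolicy -Name "Corp-Retention" `
    -RetentionPolicyTagLinks "Move to archive after 2 years","Purge Deleted Items after 30 days"
Set-Mailbox -Identity $user -RetentionPolicy "Corp-Retention"

# 4. Single Item Recovery (Dumpster 2.0): edited and deleted items are kept
#    for 30 days even if the user purges Recoverable Items.
Set-Mailbox -Identity $user -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

# 5. Audit: mailboxes that already have an archive, and mailboxes that still
#    lack Single Item Recovery (a compliance gap worth reporting).
Get-Mailbox -Archive -ResultSize Unlimited |
    Select-Object Name, ArchiveDatabase, RetentionPolicy
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.SingleItemRecoveryEnabled } |
    Select-Object Name, RetainDeletedItemsFor
```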


Demo:
• Personal Archive
• Retention Policies
• Legal Hold
• Multi-Mailbox Search (Legal Discovery)
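The Legal Hold and Multi-Mailbox Search parts of the demo, as an added Exchange Management Shell example (not the presenter's own demo script); custodian names, the reviewer account, the case name and the date range are constructed placeholders, and "Discovery Search Mailbox" is the display name of the default discovery mailbox:

```powershell
# Added example: place custodians on legal hold, delegate discovery through
# RBAC, and run a multi-mailbox search. Names and dates are constructed
# placeholders (assumption), not from the deck.
$custodians = "alice.example", "bob.example"
$caseName   = "Case-2010-0042"   # constructed case identifier

# 1. Legal (litigation) hold: the mailbox keeps every item, including edited
#    and deleted versions, regardless of retention tags or user action.
foreach ($m in $custodians) {
    Set-Mailbox -Identity $m -LitigationHoldEnabled $true
}

# 2. RBAC: only members of the built-in Discovery Management role group may
#    search other people's mailboxes, so the reviewer is added there instead
#    of being given a broad mailbox or organization admin role.
Add-RoleGroupMember -Identity "Discovery Management" -Member "legal.reviewer"

# 3. Multi-mailbox search over the custodians for the case period. Results are
#    copied to the discovery mailbox; SearchDumpster includes items that exist
#    only because of hold or Single Item Recovery.
New-MailboxSearch -Name $caseName `
    -SourceMailboxes $custodians `
    -SearchQuery 'project "Northwind" OR tender' `
    -StartDate "01/01/2010" -EndDate "03/30/2010" `
    -MessageTypes Email `
    -SearchDumpster `
    -TargetMailbox "Discovery Search Mailbox" `
    -StatusMailRecipients "legal.reviewer" `
    -LogLevel Full

# 4. Check progress, then confirm the hold is still in place on every custodian.
Get-MailboxSearch -Identity $caseName | Format-List Name, Status, ResultNumber, ResultSize
Get-Mailbox -Filter { LitigationHoldEnabled -eq $true } | Select-Object Name, LitigationHoldEnabled
```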


Protecting E-mail Communication
• Defining the Problem
• Leakage and Reputation Damage
• Exchange 2010 Solutions
  • Message Classifications
  • MailTips
  • Delivery Reports
  • Moderation
  • Information Rights Management
• Demo

Defining the Problem: Risks to Reputation, Productivity, and Operational Expense
• “My users send things to the wrong audience by accident”
• “Help desk calls around failed or lost messages are expensive”
• “Information leakage damages our reputation and results in financial loss”
• “I need to control communications to be in compliance with regulations”


Leakage and Reputation Damage: Accidents Happen
“80% of all data leaks occur because of accidents — that is users, being unaware of data policies, as opposed to having malicious intent.”
- Forrester, 2008
(Chart: Top 10 threats to Enterprise Security - IDC)


Information Protection in Exchange 2010
(Diagram: a spectrum from SOFT CONTROLS, less restrictive, to HARD CONTROLS, more restrictive, placing Dynamic Signatures/Disclaimers, MailTips, Moderation, IRM Protection and Block/Redirect along it)


Exchange 2010 Solutions
• Message Classifications
  • Each outbound message should be pre-classified by user under some regulations
• MailTips
  • Leads you to send the right thing to the right people and avoid blunders and surprises
• Delivery Reports
  • Provides you with visibility into what happened to your message, no costly help desk calls
• Moderation
  • Review messages for suitability or policy violation before they get delivered
• Transport Rules
  • Automated policy enforcement on all messages
• Information Rights Management and Exchange 2010
  • Granular protection that travels with the data


Message Classifications

• Describes the intended use or audience of the message

• Transport Rules may act on the message, based on the classification

• Supported by Outlook 2010 and Outlook Web App, can be exported to OLK 2007

MailTips
• Information about the message and recipients shown before send
• For end users:
  • Reduce delivery surprises
  • Emails are addressed correctly the first time
  • Help prevent embarrassing email mistakes
• For the organization:
  • Reduce help desk calls
  • Reduce NDRs
  • Reduce unnecessary pipeline traffic


Exchange 2010 MailTips
MailTip: Displays
Large Audience: The number of people you are sending to, if larger than X
Automatic Replies: The first 250 symbols of the automatic reply (e.g. OOF)
External Recipients: If the addressed recipient is not within the organization, or there is a DL addressed which contains external recipients
Invalid Internal Recipients: If the recipient looks internal but does not exist in AD
Moderated Recipient: If the recipient is moderated
Oversize Message: If the message is oversized
Restricted Recipient: If the recipient is restricted
Mailbox Full: When the recipient mailbox is full
Reply-All on BCC: That you were BCC’d on the original message when you select Reply-All, if applicable
Too Many Recipients: The number of people you are sending to, and the maximum
Custom MailTip: The recipient’s custom MailTip, if configured

MailTips Configuration
Action: Cmdlet (shown with default)
Turn MailTips On: Set-OrganizationConfig -MailTipsAllEnabled $true
Turn Mailbox-based MailTips On: Set-OrganizationConfig -MailTipsMailboxSourcedTipsEnabled $true
Display Group Information: Set-OrganizationConfig -MailTipsGroupMetricsEnabled $true
Display External Recipients: Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $false
Change Large Audience Threshold: Set-OrganizationConfig -MailTipsLargeAudienceThreshold 25
• Per user
  • In OWA, when you collapse MailTips, they stay hidden
  • Outlook users can disable individual MailTips
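A complete MailTips rollout built from the cmdlets in the table above, as an added example (not from the original deck); the group and contact names are constructed placeholders:

```powershell
# Added example: turn on MailTips organization-wide, tune the large-audience
# threshold, attach custom MailTips to sensitive recipients, and verify.
# Recipient names are constructed placeholders (assumption).

# 1. Organization settings. The external-recipients tip is off by default
#    (see the cmdlet table); enabling it is the cheapest "soft control"
#    against sending internal content to the wrong audience.
Set-OrganizationConfig -MailTipsAllEnabled $true `
    -MailTipsMailboxSourcedTipsEnabled $true `
    -MailTipsGroupMetricsEnabled $true `
    -MailTipsExternalRecipientsTipsEnabled $true `
    -MailTipsLargeAudienceThreshold 25

# 2. Custom MailTips: shown in Outlook 2010 / OWA before the user presses Send.
Set-DistributionGroup -Identity "All Company" `
    -MailTip "This group reaches every employee. Check the audience before sending."
Set-MailContact -Identity "auditor.external" `
    -MailTip "External auditor. Do not send customer personal data to this address."

# 3. Verify the effective configuration and one of the custom tips.
Get-OrganizationConfig | Format-List MailTips*
Get-DistributionGroup -Identity "All Company" | Format-List Name, MailTip
```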

Delivery Reports
• Launch points: OWA and Outlook 2010
• Delivery Reports Search in Exchange Control Panel
• Exchange Management Console

Moderation
• Group-based moderation
  • All messages to group must be approved by a moderator
  • Multiple moderators allowed
  • Bypass lists
• Rule-based moderation
  • Available as an action on a Transport Rule
  • Conditions are customizable
  • Message is diverted to moderator(s) for approval
• Group join approval
• Moderation for recipients other than groups

Moderation Components
• Initiation message:
  • Special message containing the original message
  • Addressed to the arbitration mailbox
  • Stores the state of moderation on that message
• Arbitration mailbox:
  • Destination of initiation message
  • Stores the initiation messages waiting to be approved
• Other messages
  • Approval request (to moderators)
  • Approval decision (from moderators back to arbitration mailbox)
  • Decision updates (to moderators)
  • Rejection notices (to original senders)
(Diagram: message flow through the Arbitration Mailbox)

Life as a moderator
• Moderator’s mailbox stays up-to-date
  • Only actionable approval requests stay in the inbox
• Conflicting decisions:
  • First reply to the arbitration mailbox wins
  • Loser’s mailbox is updated: “your decision does not apply”
• Decisions can be made in OLK and OWA 14
  • Voting buttons in legacy OLK work, too
• Sender notified if all moderators are unavailable
  • All OOF, all mailbox full, etc.
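The four moderation variants described on the preceding slides (group-based, join approval, non-group recipient, rule-based with the sender's manager), as an added Exchange Management Shell example (not from the original deck); group, mailbox and domain names are constructed placeholders:

```powershell
# Added example: group-based moderation, join approval, moderation of a
# non-group recipient, and a transport rule that diverts partner mail to the
# sender's manager. Names are constructed placeholders (assumption).

# 1. Group-based moderation: every message to the group waits in the
#    arbitration mailbox for one of the moderators; the bypass list skips
#    moderation for the listed senders. Internal senders get rejection
#    notices, external senders do not.
Set-DistributionGroup -Identity "All Company" `
    -ModerationEnabled $true `
    -ModeratedBy "comms.lead","hr.lead" `
    -BypassModerationFromSendersOrMembers "ceo.example" `
    -SendModerationNotifications Internal

# 2. Group join approval: an owner has to approve membership requests.
Set-DistributionGroup -Identity "Finance-Confidential" -MemberJoinRestriction ApprovalRequired

# 3. Moderation for a recipient other than a group (a shared mailbox).
Set-Mailbox -Identity "press.office" -ModerationEnabled $true -ModeratedBy "comms.lead"

# 4. Rule-based moderation: mail to the partner domain is held until the
#    sender's AD manager approves it. '\.' is the .NET regex escape for a
#    literal dot; the pattern is single-quoted so PowerShell leaves it alone.
New-TransportRule -Name "Manager sign-off for partner mail" `
    -RecipientAddressMatchesPatterns '@partner-example\.com$' `
    -ModerateMessageByManager $true

# 5. Verify: which groups are moderated, and the arbitration mailboxes that
#    hold pending initiation messages.
Get-DistributionGroup -Filter { ModerationEnabled -eq $true } |
    Select-Object Name, ModeratedBy, BypassModerationFromSendersOrMembers
Get-Mailbox -Arbitration | Select-Object Name, Database
```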

Transport Rules
• A set of centrally managed messaging policies, enforced on every Hub server
• Allows consistent and reliable evaluation of messages throughout your organization
• Enables control scenarios:
  • Block, moderate, encrypt, or modify messages
  • Based on inspection of content, properties, sender, or recipient

Transport Rules Structure
• Structured just like inbox rules:
  Conditions: If the message... is from a member of the group ‘Marketing Team' and is sent to recipients that are 'Outside the organization'
  Actions: Do the following... append the message with the disclaimer 'Exchange 2010 is coming! Can you handle the excitement?'
  Exceptions: Except if the message... is received from ‘Alfred E Newman'
• Condition types:
  • User: detect mail between people, DGs
  • Content: inspect message subject & body content
  • Message Properties: inspect message headers and properties or type
  • Routing: detect external/internal, email domains
• Action types:
  • Block
  • Encrypt
  • Modify (recipients, content, properties)
  • Review/Moderate

Regular Expressions in Transport Rules
Exchange 2010 supports the following regular expressions:
Pattern string: Description
\S: Matches any single character that is not a space.
\s: Matches any single white-space character.
\D: Matches any single character that is not a numeric digit.
\d: Matches any single numeric digit.
\w: Matches any single Unicode character categorized as a letter or decimal digit.
|: The pipe ( | ) character performs an OR function.
*: The wildcard ( * ) character matches zero or more instances of the previous character. For example, ab*c matches the following strings: ac, abc, abbbbc.
( ): Parentheses act as grouping delimiters. For example, a(bc)* matches the following strings: a, abc, abcbc, abcbcbc, and so on.
\\: Two backslashes indicate that the character that follows the backslashes should be escaped. For example, if you want to match a string that contains \d, you would type \\d.
^: The caret ( ^ ) character indicates that the pattern string that follows the caret must exist at the start of the text string that is being matched. For example, ^fred@contoso matches [email protected] and [email protected] but not [email protected]. The caret character can also be used with the dollar ( $ ) character to specify an exact string to match. For example, ^[email protected]$ matches only [email protected] and does not match anything else, such as [email protected].
$: The dollar ( $ ) character indicates that the preceding pattern string must exist at the end of the text string that is being matched. For example, contoso.com$ matches [email protected] and [email protected], but does not match [email protected]. The dollar character can also be used with the caret ( ^ ) character to specify an exact string to match. For example, ^[email protected]$ matches only [email protected] and does not match anything else, such as [email protected].
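The rule from the structure slide written out as a cmdlet, plus an ethical wall and two leakage rules that use only the regex subset listed above, as an added Exchange Management Shell example (not from the original deck); "Marketing Team" and "Alfred E Newman" come from the slide, while the other group names and the classification name are constructed placeholders:

```powershell
# Added example (not the deck's own code): the structure-slide rule, an
# ethical wall, and two information-leakage rules. Group and classification
# names other than those on the slide are constructed placeholders (assumption).

# 1. The slide's rule: members of Marketing Team writing outside the
#    organization get a disclaimer appended, except mail from one sender.
#    %%DisplayName%% and friends are AD attribute placeholders expanded per sender.
New-TransportRule -Name "Marketing external disclaimer" `
    -FromMemberOf "Marketing Team" `
    -SentToScope NotInOrganization `
    -ExceptIfFrom "Alfred E Newman" `
    -ApplyHtmlDisclaimerText "Exchange 2010 is coming! Can you handle the excitement?<br/>%%DisplayName%%, %%Title%%, %%Department%%" `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Ethical wall: brokers and analysts must not e-mail each other.
New-TransportRule -Name "Ethical wall brokers-analysts" `
    -BetweenMemberOf1 "Brokers" -BetweenMemberOf2 "Analysts" `
    -RejectMessageReasonText "Blocked by ethical wall policy" `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 3. Leakage: reject outbound mail whose subject or body contains a nine-digit
#    identifier formatted like a US SSN. The pattern needs only \d and literal
#    text from the supported list; single quotes keep PowerShell out of it.
New-TransportRule -Name "Block SSN-like numbers leaving the org" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns '\d\d\d-\d\d-\d\d\d\d' `
    -RejectMessageReasonText "Message appears to contain a personal identifier" `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 4. Leakage: mail carrying a classification (created earlier with
#    New-MessageClassification) must not leave the organization at all.
New-TransportRule -Name "Keep privileged mail internal" `
    -HasClassification "Attorney-Client Privilege" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Privileged content cannot be sent externally"

# 5. Review the resulting rule set; lower Priority numbers are evaluated first.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```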

New Exchange 2010 Transport Rules: More control, supervision
IMPROVED! (E2007 vs E2010)
Disclaimers/Signatures: E2007 text with limited formatting; E2010 adds AD attributes + HTML
Attachments: E2007 size, name; E2010 adds content (Office documents)
Classifications: E2007 acts on classification; E2010 can also act on No Classification
NEW! (E2010)
Apply RMS: Applies RMS encryption
Moderation: Enable manager to review
Message Types: RMS-encrypted, Auto-replies, calendaring, voicemail, approval request
Supervision Lists: Allows/Blocks based on list of recipients
Management Properties: Automatically identifies manager and applies policy
User Properties: Create granular policy sets per user attributes (e.g. department, country)

Protection and Compliance Scenarios
(Columns: Scenario; Example; Transport Rules, Moderation, MailTips used)
Ethical Wall: Block brokers, analysts from communicating
• Block mail between specific people in a DG
• Block mail between people with specific AD attributes
Moderation: Manager required to sign-off on mail to sensitive partner
• Send to Manager for approval
• MailTips for moderated recipients
Employee Supervision: Inappropriate Content, Harassment
• Filter using keywords; regular expressions; type of content (OOF, voice mail, NDR, etc.)
Information Leakage Protection: HIPAA (personal health data), GLBA (personal financial data), EUPD (Europe), PIPEDA (Canada), SB 1386 (California), PCI
• MailTips for external recipient
• Apply RMS encryption
• Filter using keywords or regular expressions
• Reject outbound mail with Message Classifications (e.g. attorney-client privilege)
Signatures: EUPD 2003/58/EC - European Union Data Protection Directive
• Append signatures that include name, title, department, etc.


Information Rights Management
• Exchange and RMS Deployment
• Transport Protection Rules
• IRM Search, Transport Decryption, Journal Report Decryption
• Outlook Protection Rules

Exchange and RMS Deployment
Administrator Steps
1. Deploy either RMS* or Exchange, order doesn’t matter. Ensure your SCP is published within the forest.
2. RMS: On the _wmcs/certification/ServerCertification.asmx file, add all Exchange servers with read and execute permissions.
3. RMS: Create a DL that contains the FederatedEmail account (disabled user). Enable super-users and set the DL you created as super user.**
4. Exchange: Run Set-IRMConfiguration -InternalLicensingEnabled $true
* Exchange features require RMS on WS2008 SP2 or R2.
** Super user is required for OWA, Search, Transport/Journal Decryption.

Transport Protection Rules: Take the decision away from end-users
• Apply RMS policies automatically using Transport Rules
• Apply “Do Not Forward” or custom RMS templates
• RMS protection is also applied to Office 2003, 2007, and 2010 attachments
• RMS protection can be triggered based on sender, recipient, or content
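The Exchange side of the deployment steps and a transport protection rule, as an added Exchange Management Shell example (not from the original deck); it assumes the RMS cluster, SCP and super-user DL from steps 1-3 already exist, and the group and sender address are constructed placeholders:

```powershell
# Added example (not the deck's own code): the Exchange side of the RMS
# deployment, a transport protection rule, and a configuration test.
# Assumes the RMS cluster, SCP and super-user DL from steps 1-3 already
# exist; group and address names are constructed placeholders (assumption).

# 1. Step 4 of the deployment list, plus the settings that let the server
#    search, filter and journal protected mail:
#    - ClientAccessServerEnabled: OWA create/consume without the IE add-on
#    - SearchEnabled: IRM Search (full-text index over protected items)
#    - TransportDecryptionSetting Mandatory: transport agents see clear text,
#      and a message that cannot be decrypted is rejected rather than passed
#    - JournalReportDecryptionEnabled: clear-text copies in the journal mailbox
Set-IRMConfiguration -InternalLicensingEnabled $true `
    -ClientAccessServerEnabled $true `
    -SearchEnabled $true `
    -TransportDecryptionSetting Mandatory `
    -JournalReportDecryptionEnabled $true

# 2. Templates published by the RMS cluster; "Do Not Forward" is built in.
Get-RMSTemplate | Format-Table Name, Description

# 3. Transport protection rule: HR mail that mentions salary data is
#    rights-protected automatically, so the sender never has to decide.
#    Supported Office attachments are protected together with the message.
New-TransportRule -Name "Protect HR salary mail" `
    -FromMemberOf "HR" `
    -SubjectOrBodyContainsWords "salary","compensation review" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# 4. Verify that Exchange can obtain licences from RMS on behalf of a sender.
Test-IRMConfiguration -Sender "hr.user@contoso-example.com"
Get-IRMConfiguration | Format-List *Enabled, TransportDecryptionSetting
```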

Protect. Productively. Search, scan, filter, and journal protected e-mail
• IRM Search: Conduct full-text search on IRM-protected messages in OWA and Outlook. Enables eDiscovery of protected messages in the Exchange Store.
• Transport Decryption: Enables access to IRM-protected messages by Transport Agents to perform operations such as transport rules, content filtering, and anti-spam/anti-virus.
• Journal Report Decryption: Journal Report Decryption Agent attaches clear-text copies of IRM-protected messages and attachments to journal mailbox

Anywhere Access
• Native OWA support provides:
  • Eliminates the need for IE Rights Management Add-on
  • Cross-Browser support enables Firefox and Safari users to create/consume RMS protected messages
  • Mac users can create/consume RMS protected messages
• IRM Search
  • Conduct full-text search on RMS protected messages in Outlook Web Access
• Windows Mobile 6.x
  • Built in ability to create/consume RMS protected messages

Outlook Protection Rules: Apply IRM protection automatically at the client
• IRM protection automatically triggered based on sender/receiver attributes
• Supported attachments are also protected
• Windows Desktop Search will index headers and subject
• Authorized users can turn off protection
• Can be used to prevent e-mail service provider from accessing your e-mail
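A client-side rule matching the slide above, as an added Exchange Management Shell example (not from the original deck); the department name is a constructed placeholder and "Do Not Forward" is the built-in template:

```powershell
# Added example (not from the deck): an Outlook Protection Rule. Outlook 2010
# fetches the rule from Exchange and applies the template while the message
# is composed, so the mail service provider only ever handles protected
# content. The department name is a constructed placeholder (assumption).

# Mail from the Finance department to any recipient gets "Do Not Forward"
# applied at the client. UserCanOverride $false means the sender cannot
# remove the protection; set it to $true where authorized users may turn it off.
New-OutlookProtectionRule -Name "Finance client-side protection" `
    -FromDepartment "Finance" `
    -SentToScope All `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $false

# Review the rule set that clients will receive.
Get-OutlookProtectionRule | Format-Table Name, Enabled, FromDepartment, UserCanOverride
```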


Demo: Email Protection
• MailTips
• Transport Rules
• Moderation
• IRM


Q & A?