Security and compliance needs extend well beyond anti-spam and antivirus to outbound and internal message monitoring and control.

E-mail systems haven’t really changed all that much in the last 10 years. Sure, spam became a real problem, and the threat of virus attacks is virtually as old as e-mail itself. But today, the e-mail landscape is experiencing a dramatic shift as virtually every aspect of how we use, manage and protect e-mail is undergoing rapid transformation.

As little as 18 months ago, phishing was something done on weekends with your kids, and if someone mentioned SOX you checked your feet to make sure the colors matched. Today we’re not only concerned with Sarbanes-Oxley, but with HIPAA, GLBA, SEC Rule 17a-4, inbound content control, information leakage, acceptable use policies, compliance-based archiving, corporate risk management and liability mitigation. E-mail management is now a vastly different and very confusing task.

E-mail: The Second Wave

The first wave of the e-mail evolution addressed what we now call "inbound content control." This provides protection against external threats like viruses, spam, and other e-mail-borne malware designed to exploit mail server or network security vulnerabilities. The plethora of anti-spam and anti-virus programs with which we’ve all become familiar represents this first wave.

The second wave in the e-mail evolution is where we are now. It is focused on providing outbound content control and is driven by:

· Recognition of the threats that come not from external sources, but typically from inside the organization;

· The realization that serious damage can be inflicted upon the enterprise not just by malicious attacks in the traditional sense, but by actions or omissions that result in significant corporate exposure, risk and liability;

· An onslaught of increasingly stringent regulatory compliance obligations and a good dose of fear instilled by several high profile examples of the cost of non-compliance, such as the $8.25 million fine levied against five brokerage firms for e-mail non-compliance.

Compliance has quickly become the new corporate mantra. Information leakage detection and prevention, e-mail archiving, and regulatory compliance management have become the new requirements of the second wave.

The Current Turmoil

The issues driving the second wave are all very real concerns, but there has been a knee-jerk response by both customers and vendors alike. Many incumbent inbound scanning vendors encountered serious delays and technical obstacles in rolling this outbound functionality into their legacy products. Seeing a major void in a rapidly growing, highly hyped market, an onslaught of new vendors rushed in to fill the gap. Unfortunately, in the rush to market, future needs were overlooked and many products focused exclusively on outbound content control requirements. The result is a whole new generation of products engineered as "point solutions" without regard to past, present or future investment protection.

Simultaneously, many enterprises faced with regulatory deadlines could not afford to wait and rushed headlong into new product decisions and ended up implementing relatively unknown products. With the Board breathing down their necks to "get compliant" the rulebook was simply tossed.

The downside of this push for compliance is that network and e-mail administration, support and maintenance, training and ongoing operational costs are all escalating. Complexity and duplication from having a legacy anti-spam product, another anti-virus product, a product for e-mail archiving and yet another product for outbound content control is surfacing as the single biggest obstacle to a unified solution and attaining solid ROI.

The Next Wave: Internal Content Control

While organizations are still working to meet outbound content control requirements, the next wave is already taking shape. Analyst firms, like IDC, have noted that the issue of internal content control is an emerging and growing concern for corporations. And there are two reasons why:

First, as enterprises pressed ahead with outbound compliance initiatives they have discovered that many of these imposed rules are applicable to the internal distribution and sharing of regulated information between employees.

Second, external compliance obligations, and several high profile examples of the cost of non-compliance, have caused many enterprises to revisit their internal corporate compliance guidelines to improve corporate governance and mitigate corporate risk and liability.

Implications of the Third Wave

The rapid succession of the second and third waves has resulted in a fragmented approach to the overall issue of e-mail compliance and content control. As a result we can expect another category of single-purpose products to emerge for internal content control. An e-mail compliance environment consisting of non-integrated, multi-vendor offerings will become increasingly complex and costly. And ROI from your current technology/product investments will be limited as enterprises are forced to retool current systems before they generate any significant return.

We can reliably predict this outcome because the dominant platform for current outbound content control products is the network appliance. In fact, many vendors are migrating to appliances for the second generation of their inbound content control products (anti-spam and virus). But an appliance installed at the edge of the network never sees internal e-mail, making it impossible for these products to provide internal content control.

What Can You Do?

There are actions you can take today that will minimize the risk in the technology and product decisions you must take now. Here are four recommended steps:

1. Revisit your compliance and content control needs. Step back and evaluate your needs in terms of inbound, outbound and internal content control requirements. Look at the whole, not just the parts, and remember that prevention is the goal.

2. Resist the urge to attack the problem in a piecemeal fashion, with the first product you see that partially addresses the problem.

3. Re-evaluate your current e-mail content control and compliance strategy. Do you really want four different products? Look at total cost of ownership and identify criteria with respect to:

· Product acquisition costs,

· Network and e-mail configuration and maintenance costs,

· Administration costs,

· Training, support and annual maintenance costs,

· Ongoing operational costs.

4. Apply lessons learned from previous security-oriented implementation projects. After initial attempts with numerous products for access control, single sign-on, PKI, digital certificates etc., that seldom - if ever - were interoperable, chief security officers quickly learned the value of an integrated solution. If a single, integrated, centralized management authority makes sense for securing file servers, corporate databases, applications and other business information why wouldn’t a similar approach work for e-mail?

Best Practices: What Should You Look For?

Look at the problem of e-mail content control and compliance, not as individual silos of independent issues, but as a broader comprehensive mandate. Several essential features and capabilities to look for in next generation content control and compliance solutions include:

· The ability to monitor all messages – inbound, outbound and internal. Look for solutions that will start to integrate all three monitoring requirements within a single product.

· Real-time and after-the-fact content scanning. Prevention, not merely detection, is the paramount goal of compliance solutions. Prevention requires real-time monitoring. Enterprises will need to assess the impact of new and modified content rules by applying revised policies to historical communications. Having one real-time monitoring product and a separate discovery product will only mean costly duplication of time and effort.

· Scanning of attachments. While common with traditional inbound, anti-virus solutions, surprisingly few outbound content control products perform this function. To ensure compliance you must be able to detect potential violations in traditional e-mail attachments as well as within the message itself.

· Tight integration with corporate e-mail systems. To deliver any measure of internal e-mail monitoring there must be some degree of integration with the corporate e-mail system. With Microsoft’s Exchange Server, for example, look for products that link with standard Exchange tools and interfaces. This will reduce administration, training and support costs.

· Flexibility in defining the actions you can take upon messages. Anti-virus, and to some extent anti-spam, solutions have traditionally provided users with flexibility and choice of how to handle harmful e-mails (delete, quarantine, strip attachments, redirect, etc). Look for similar functionality in outbound and internal content control solutions. Clearly, you need to block delivery of potentially non-compliant, or offensive, content. But you may also want to instantly notify the compliance officer or your HR manager, or handle the message differently for external versus internal recipients.

· Advanced content analysis. It’s a given that current and future compliance requirements will take some pretty sophisticated content analysis capabilities to satisfy. Products should provide more than simple keyword, phrase, Boolean and Bayesian analysis techniques. The ability to monitor for complete concepts will become increasingly important.

· The ability to quickly and easily define or modify content policies. Look for products that deliver a user tool that enables organizations to efficiently create, modify and manage customized templates to reflect internally defined compliance and AUP rules. Reusability and hierarchical support for defined content policies should be key features.
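
Three items from this checklist (monitoring in every direction, scanning inside attachments, and actions that differ for external versus internal recipients) are illustrated below in Python. This is an added example, not code from the article or from any product; the domain `example.com`, the single SSN-style rule, the action names and the sample message are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's mail domain

# Constructed rule: one pattern, with a different action list per direction.
RULES = [{
    "name": "us-ssn",
    "pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "actions": {"outbound": ["block", "notify_compliance"],
                "internal": ["notify_compliance"],
                "inbound": []},
}]

def direction(msg):
    """Classify by header addresses; a real deployment would use envelope data."""
    def is_internal(addr):
        return addr.lower().endswith("@" + INTERNAL_DOMAIN)
    sender = getaddresses([str(msg.get("From", ""))])[0][1]
    rcpts = [a for _, a in getaddresses(
        [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])]
    if not is_internal(sender):
        return "inbound"
    return "internal" if all(is_internal(r) for r in rcpts) else "outbound"

def text_parts(msg):
    """Yield (location, decoded text) for the body and every text attachment."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_filename() or "body", part.get_content()

def evaluate(msg):
    """Return (direction, [(rule, location, actions), ...]) for one message."""
    d = direction(msg)
    hits = [(r["name"], loc, r["actions"][d])
            for loc, text in text_parts(msg) for r in RULES
            if r["pattern"].search(text)]
    return d, hits

def sample(to):
    """Constructed message: clean body, base64-encoded text attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", to, "Q3 list"
    m.set_content("See attached.")
    m.add_attachment("Customer SSN 078-05-1120\n", filename="list.txt", cte="base64")
    return message_from_bytes(m.as_bytes(), policy=policy.default)
```

The pattern never appears in the raw message bytes because the attachment is base64-encoded, so a scanner that only searches the message body or the undecoded stream reports nothing for this sample.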

To successfully prepare for the next wave of e-mail monitoring technologies, organizations need to carefully assess their current and future compliance and security needs to make strategic planning and purchasing decisions over the next year. By taking a proactive approach to content compliance and security using the above best practices your organization will be ready for the next step in the evolution of e-mail compliance and control requirements.

Source: http://www.compliancepipeline.com/showArticle.jhtml?articleId=172901015&pgno=1
