Security skeptics less skeptic about iPhone

Written by John P Mello Jr on December 22, 2009 – 3:56 pm -

Better security is changing iPhone's image in IT departments.

While the iPhone’s “cool factor” has made it a hit among status-conscious corporate executives, the handset has been greeted with skepticism from the rank and file in the IT trenches. From their point of view, competing products like Research in Motion’s Blackberry and smartphones built on Microsoft’s Windows Mobile platform offer better security for their organizations. With the introduction of the latest version of the iPhone’s operating system, version 3.0, and iPhone Configuration Utility, version 2.0, IT resistance to letting Apple’s handset into the corporate tent seems to be weakening.

What has bugged IT folks in the past about the iPhone? For one thing, user profiles can’t be managed over the air as they can with a Blackberry and Blackberry Enterprise Server or Motorola Good for Enterprise servers. Another irritant is that there’s no way to ensure that corporate policies on email, encryption, etc. have been installed or updated on the phones. What’s more, it’s difficult to preconfigure the units with settings for email, VPN access and the like.

Apple’s update of the iPhone’s configuration utility, which gives network administrators a rich set of policy controls, has addressed some of those concerns and may be why IT doubters are relenting on their staunch opposition to the hardware.

For example, password entry into a phone can be required. The composition of the password, when passwords should be changed, rules on reuse of passwords and the number of failed password attempts before a phone automatically wipes out all the data on it can all be controlled by an IT department.

Specific content can be blocked on the phones, although that’s not true for specific applications. A workaround for that situation is to install all necessary apps when the phone is issued, then turn off the ability to install any more programs. The problem with that approach, however, is a user won’t be able to upgrade the existing apps on the phone.


Tips when making email archiving choices

Written by John P Mello Jr on November 5, 2009 – 12:06 pm -

Archiving tools need to be carefully vetted before they’re adopted

So you’re thinking of acquiring a new email archiving tool and need to craft an acquisition and implementation strategy. Here are some things you may want to consider.

Regulations, rules, requirements and product warranties can make buying archiving tools a minefield. By consulting with your corporate legal and compliance people, as well as your company’s business managers, you can get an idea about where those mines are buried. Moreover, you can use your efforts to educate yourself about what requirements must be met by your new tools to build support and acceptance among your legal and compliance people.

When garnering information from legal and business colleagues, it’s important not to lose sight of your role as a technology advocate. While it’s critical to know what your new archiving tools must do to meet compliance and warranty demands, it’s also crucial that those unschooled in the intricacies of storage management understand basic concepts, such as the distinction between backups and archiving and the hard and soft costs attached to storage.

Keep in mind that your new archiving tools need to do more than meet compliance requirements if they’re going to be accepted by your users. After all, you don’t want to trade one headache–jumping through compliance hoops–for another–a disgruntled user base that sees your new technology as an impediment to doing its job.


E-discovery demands to double in three years

Written by John P Mello Jr on October 9, 2009 – 4:15 pm -

Clark: "We hire attorneys for their IP and not their IT."

Electronic discovery has increased demands on storage systems, and that’s likely to continue.

According to Michael A. Clark, a managing director at EDDix LLC, an electronic discovery consulting firm, corporations with revenues greater than $1 billion are carrying around a caseload of 150 active matters, 35 to 40 percent of which involve electronic discovery. With the new rules of Federal Civil Procedure adopted last December, he observed, “we’re going to see an ink blotting downward of electronic discovery to ever smaller matters.” He projects that within the next three years that 35 to 40 percent will move to 75 percent.

Finding information within the enterprise has always been a challenging task for legal ferrets, but those challenges have ballooned in recent times, according to Clark. “There are now not only more things to find, but more places to look for them than there had been before,” he said in a video interview posted at SearchStorage.com.

Finding information is a big challenge to operators of an enterprise network, but so too is deciding what should be stored and how long to store it, Clark noted.

“A number of corporations are devoting considerable resources to creating retention policies and then trying to enforce those policies,” he observed.


Disloyal use of email isn’t a crime

Written by John P Mello Jr on October 2, 2009 – 4:05 pm -

U.S. Appeals Court for Ninth Circuit.

Workers who use company email for disloyal activities may be targeted for administrative sanctions, but they’re not necessarily criminals under U.S. law, according to a recent decision by a federal court. The ruling by the Court of Appeals for the Ninth Circuit, which includes California, found that an employee for a residential treatment center for addicted persons in Nevada could not be prosecuted under the federal Computer Fraud and Abuse Act (CFAA) for emailing himself client files for use in a competing business after his employment was terminated from the center.

The case, LVRC Holdings v. Brekka, involves Christopher Brekka, who was hired by LVRC and worked at its Fountain Ridge facility in Nevada. Brekka’s duties included conducting Internet marketing programs and interacting with Web metrics company, LOAD, which LVRC employed to provide email, Web site, and related services for the treatment center. At the time of his hiring, Brekka owned and operated EBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of Internet sites and advertisements. According to the court, LVRC was aware of Brekka’s involvement with EBSN and EBSF when it brought him on board.


How to Spy on Your Staff with Exchange Server 2007

Written by Paul Cunningham on September 3, 2009 – 4:09 pm -

Let’s be clear about this before we go any further – yes, you could use these techniques to spy on your staff, and yes, at face value it may seem as though these techniques serve no purpose other than to spy on staff. But the reality is that what I’m about to describe can be used quite legitimately within a business for purposes other than outright spying.

There are two features of Exchange Server 2007 that can be used for this – Journaling and Transport Rules.

Exchange Server 2007 Journaling

The best way to think of Journaling is that it is a way to make a copy of emails that match certain sender or recipient conditions.  Typically this is done for regulatory compliance purposes, such as a legal requirement to retain copies of all email received by a government department for Freedom of Information purposes.

When an email is “journaled” it is simply copied to another mailbox.  Basic Journaling will copy all emails sent to and from recipients on a mailbox database to a specified journal mailbox, whereas Premium Journaling allows some more granular control such as per-recipient journaling rules, but the concept remains essentially the same.

A genuine application of Premium Journaling might be to journal all emails sent to or from a customer service email address so that all such communications are kept on record.

Exchange Server 2007 Transport Rules

Transport Rules can be used to achieve the same outcome as Journaling however they have a lot more features available and offer much more granularity.  For example you can use Transport Rules to add disclaimers to emails in Exchange, or block confidential emails.

You can also use Transport Rules as a kind of internal email filtering for inappropriate content. This would be useful for policing acceptable usage policies. By configuring a Transport Rule that detects certain words and blind copies any such email to an HR mailbox for inspection, an organization might detect and avoid harassment issues within the organization.

Self-service retrieval

Written by Dan Blacharski on July 10, 2009 – 4:03 pm -

The administrator may appropriately be tasked with administering, or at least overseeing, the process of email archiving, if for no other reason than the fact that end-users are not likely to do it themselves. The process of archiving emails, if left to individual end-users, would be chaotic at best. Uniform standards must apply, and archiving needs to be done according to a rule-based procedure; without such a rule-based procedure, the enterprise risks falling out of compliance with one or more legislative mandates.

But there are two pieces to the archiving puzzle: Putting things into it, and taking things out of it. The first part can be largely automated and done according to a set of rules that specify that emails get archived after a certain period of time. But as for the other end—searching the archives—that’s another story entirely.


Agencies fizzle on FISMA compliance

Written by Dan Blacharski on June 1, 2009 – 2:10 pm -

While the rest of us are struggling under threat of penalty to comply with an ever-increasing array of security-related regulations, the federal government itself is failing miserably in practicing what it’s been preaching.

The GAO issued a report this week on how government agencies have been responding to the Federal Information Security Management Act of 2002 (FISMA), which requires government agencies to create agencywide information security programs with supporting security architectures.

The report concluded that out of 24 government agencies, 23 of them had inadequate authorization controls, and 22 said that information security was a “major management challenge.” The agencies also came up short in several other security-related areas, and poor IT security continues to be seen throughout government. According to the report, all 24 agencies have reported multiple security incidents where sensitive information has been either lost or stolen.

Who audits the auditor?

Written by Dan Blacharski on May 29, 2009 – 4:02 pm -

If you are subject to compliance with a regulation like HIPAA or Sarbanes-Oxley, you need to know your own internal systems are safe and secure and customer data is kept private, and you also need to know that the systems of your partners are equally protected.

That’s the hard part of compliance. You have control over how you implement security and impose email protections inside your own company, but you have less control over companies that are separate from yours but within your sphere of influence.

A study recently showed that 20 percent of security professionals are “cheating” to pass an audit, especially if it is a self-audit. In such audits, which are run largely on the honor system, you attempt to satisfy your compliance requirements by providing a checklist to your partners that have access to your systems or data. The partner verifies that they have done certain things, or have implemented certain precautions, and sends the list back. All bases are covered, right? Not always–without an external auditor, there is no validation, and there may be a risk of falling out of compliance.

Top Ten Reasons to Archive Email

Written by Dan Blacharski on May 21, 2009 – 3:47 pm -

Implementing an email archiving solution can solve a great many problems, but you’ll get a great many questions when you’re in the planning stage–not the least of which is, “Why do we need to do this?”

Here are just a few reasons to start with:

  1. Discovery response. Your legal department will love it. Lawyers love paperwork—even electronic paperwork. It’s their lifeblood, their currency. In the process of legal investigations, your legal department will no doubt want to retrieve all email messages that are relevant to a particular case or issue. Those email records may be vital as evidence, and so long as they are properly stored with standard security safeguards, they are admissible in court.
  2. Compliance. A host of government regulations now govern IT security, privacy, and retention of documents. To comply with these regulations, a proper archiving system is often necessary, as standard backup may not be adequate in terms of security.
  3. Disaster Recovery. You may have ready access to backed up data files, but without those important emails—which often contain valuable and important information—you will still be lost. Email is a major asset to the business—and having access to them from an off-site secure redundant server is a critical part of disaster recovery.

Reduce dependency on PST files

Written by Dan Blacharski on May 19, 2009 – 3:38 pm -

PST (Personal Storage Table) files can be a nuisance and a cause of some difficulties. There are plenty of how-to’s out there on how to manage them, tweak them, and manipulate them, but the best strategy of all is to avoid them altogether.

The PST files can be stored either on the Exchange server or locally. The immediate advantage of local storage of the PST files is that it provides an easy and readily accessible location for old emails. But although a great many email environments are set up for local storage of PST files, it goes without saying that the local storage option is a bad idea that offers very little in the way of protection against disaster, loss, or attack.

However, with more companies falling under the purview of one or more compliance-related legislative mandates, usage of PST files must be revisited. If there is a retention requirement that calls for storing emails for a certain period of time, locally stored PST files make it pretty easy for that requirement to be circumvented. Electronic discovery may also be a problem if PST files are used and stored locally, even temporarily.
