Solved

Exchange compliance and security features

Posted on 2014-03-05
481 Views
Last Modified: 2014-03-11
Hi

Looking for an engaging way to describe the notion of, and difference between, eDiscovery, inline hold, Journaling and retention policies within Exchange 2013, to a non-technical audience, with a real-life example that may cover all four elements?
Question by:fahim
1 Comment
LVL 61

Accepted Solution

by: btan earned 500 total points
ID: 39908230
Best is to have a before and after example, very much storytelling - probably a miscreant and insider threat scenario may help to intrigue the investigative mind of the audience and yet bring about the practical capabilities. The retrospective and investigative tactic of sieving through the troves of data to eventually find evidence of data or IP theft (mystery) and bringing justice (finally truth) may add some "color" to the techie storytelling.

For a start, understand the need for the below - compare the normal approach vs using the "enhanced" means in the 4 areas named.

1) eDiscovery - to detect, in a big pool of data, the suspect's activities such as email sent outwards to his web email, corresponding with external parties on a specific organisation intellectual product yet to be released, press comms etc. Keyword search.

Norm: use Windows Search or a manual approach, with no script or great UI to automate the search. Vs: Discovery Managers use the new In-Place eDiscovery & Hold wizard to perform eDiscovery searches.

E.g. Keyword statistics: After you create an In-Place eDiscovery search, you can get detailed keyword statistics showing you the number of items matched for each keyword. You can use this information to determine if the query has returned the number of messages you estimated. Depending on whether a query is too broad or too narrow, the search may return too many or too few messages. Use this information to fine-tune your query.

E.g. eDiscovery Search Preview: After you've created an eDiscovery search, you can quickly preview search results. Messages returned from each source mailbox are displayed in search preview. Being able to quickly preview messages allows you to ensure your query returns the content you're searching for and further fine-tune your query.

See the above extract from the walkthrough at http://blogs.technet.com/b/exchange/archive/2012/09/26/in-place-e-discovery-and-in-place-hold-in-the-new-exchange.aspx

2) In-Place Hold - There are various "hold" use cases; the emphasis here is that In-Place Hold allows you to specify a duration of time for which to hold items. So in the storyboarding of the insider, the culprit is attempting to delete those email correspondences or mail content containing those "sensitive" keywords...never does he know there is such a capability to retain information for a duration..

You can try to talk about the need to configure the Deleted Item Recovery period to the minimum period you want an item to be retained for. But it can be slightly tricky here as it may bring some "confusion"..the period for Deleted Item Retention is calculated from the date of deletion. So the deletion date can inadvertently lengthen the retention period..

Here, you start to talk about how we can be more surgical on the exact time..such that when we create a time-based In-Place Hold, it is more "accurate" because the hold period is calculated from the item received/creation date; you can guarantee the item won't be held beyond that period, as compared to the Deleted Item Recovery period.

Actually, the inline hold indirectly brings about the retention policy. E.g. it may be good to run through the normal delete: once a user uses Shift-Delete to delete a message, it is moved to the Recoverable Items\Deletes folder. Any messages from the Deletes folder are purged when the Deleted Items Retention period configured for the mailbox database or the user expires. However, if the mailbox is placed on an In-Place Hold, the item is moved to the Recoverable Items\DiscoveryHolds folder.

The juncture now may be good to bring on "immutability" which simply means messages placed on hold must be preserved without alteration. In-Place Hold also helps you preserve content from intentional tampering or modification. This is achieved by performing a copy-on-write (COW) – when the user or any process attempts to modify a message, before the modified message is saved a copy of the original message is made and saved in the Recoverable Items\Versions folder. Items captured in the Versions folder are also indexed and returned in an In-Place eDiscovery search.

The link above brings a good run-through...for inline hold and eDiscovery...

3) Journaling - This probably has to be highlighted as an enabler for the sleuth, as it is a tool in your email retention or archival strategy. So for the scenario, the "investigation" can also include the insider or employee being held liable for the claims made to their customers. To verify that the claims are accurate, the email system is set up so that review can be performed regularly on employee-to-client communications. In a way this serves to verify the suspect's compliance (at least finding bits and pieces of his misdoings, if any). The focus can be the journal rule scope on External messages only.

A journal report is next to show, which can be generated when a journal rule is triggered. E.g. The original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains information from the original message such as the sender email address, message subject, message-ID, and recipient email addresses.

These links help with more details:
http://technet.microsoft.com/en-us/library/aa998649(v=exchg.150).aspx
http://www.zensoftware.co.uk/kb/KnowledgebaseArticle10423.aspx

4) Retention policies - this actually relates closely to (1) and (2), so probably you may not want to repeat too much, as the emphasis should already be known by the time you reach the conclusion or gather enough evidence to affirm the suspect's or insider's wrongdoing. Probably the point is just to bring in the "Retention Policy Tag" that can be further grouped under a retention policy ... meaning having it group all tagged folders for delete purposes.

But also the main objective for this policy is actually to do "housekeeping" and not increase mail size, since we know the cost can increase with storage size ...a kind of enforcement to limit user mail size, tagged for deletion based on organisation policy.

Ultimately, to streamline investigation and housekeeping and at the same time comply with ease. More links for the configuration:
http://ibenna.wordpress.com/2013/02/04/exchange-2010-retention-policy-to-clear-deleted-items/
http://technet.microsoft.com/en-us/library/dd297955(v=exchg.150).aspx
0
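As an added illustration of the storyline in the accepted answer (this is not btan's code, nor a Microsoft sample), the same four features expressed as Exchange 2013 Management Shell cmdlets, in the order the answer presents them: an eDiscovery estimate with keyword statistics, a time-based In-Place Hold contrasted with the database Deleted Item Retention window, an external-scope journal rule, and a retention policy tag for housekeeping. Every name in it (mailbox `jdoe`, database `DB01`, the `contoso.example` addresses, the case label) is a constructed placeholder; the cmdlets and parameters are the real Exchange ones, and the account running it needs the Discovery Management and Records Management roles.

```powershell
# Added example, not from the answer above: the four Exchange 2013 compliance
# features from the insider-threat storyline as Exchange Management Shell
# cmdlets. All names below (mailbox, database, addresses, case label) are
# constructed placeholders for a lab; change them for your own environment.

$Suspect    = "jdoe"                      # constructed: mailbox under review
$Database   = "DB01"                      # constructed: mailbox database
$JournalBox = "journal@contoso.example"   # constructed: journaling mailbox
$SearchName = "Case-0001 Product-X leak"  # constructed: case label

# ---- 1) eDiscovery: keyword search over the suspect's mailbox ------------
# Run an estimate first (EstimateOnly) with keyword statistics, so you can
# see whether the query is too broad or too narrow before copying anything.
New-MailboxSearch -Name $SearchName `
    -SourceMailboxes $Suspect `
    -SearchQuery '"Product X" OR "press release" OR embargo' `
    -StartDate "01/01/2014" -EndDate "03/05/2014" `
    -EstimateOnly -IncludeKeywordStatistics
Start-MailboxSearch -Identity $SearchName

# Poll until the estimate finishes, then read the hit counts per keyword.
do {
    Start-Sleep -Seconds 10
    $s = Get-MailboxSearch -Identity $SearchName
} while ($s.Status -match "NotStarted|InProgress|Stopping")
$s | Format-List Name, Status, ResultNumber, ResultSize, KeywordHits

# ---- 2) In-Place Hold: preserve items for a fixed period ------------------
# Turning the same search into a time-based hold keeps matching items in
# Recoverable Items\DiscoveryHolds even after a Shift-Delete, and copy-on-write
# keeps the original of any edited message in Recoverable Items\Versions.
# ItemHoldPeriod (days) counts from the item's received date, not from the
# date of deletion.
Set-MailboxSearch -Identity $SearchName -EstimateOnly:$false `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365

# Contrast: the database-level Deleted Item Retention window is measured from
# the deletion date, which is the "confusion" point raised in the answer.
Set-MailboxDatabase -Identity $Database -DeletedItemRetention 30.00:00:00

# Check what the mailbox is actually retaining under the hold.
Get-MailboxFolderStatistics -Identity $Suspect -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# ---- 3) Journaling: copies of external correspondence for review ----------
# Scope External journals only messages entering or leaving the organisation;
# each journal report carries the original message unaltered as an attachment.
New-JournalRule -Name "External mail - $Suspect" `
    -Recipient "$Suspect@contoso.example" `
    -JournalEmailAddress $JournalBox `
    -Scope External -Enabled $true

# ---- 4) Retention policy: housekeeping, not evidence ----------------------
# A Deleted Items tag purges after 30 days; it is grouped into a policy and
# applied to the mailbox. Items covered by the In-Place Hold above are not
# purged by this tag; the hold takes precedence.
New-RetentionPolicyTag -Name "Deleted Items - 30 days" `
    -Type DeletedItems -AgeLimitForRetention 30 `
    -RetentionAction PermanentlyDelete
New-RetentionPolicy -Name "Standard housekeeping" `
    -RetentionPolicyTagLinks "Deleted Items - 30 days"
Set-Mailbox -Identity $Suspect -RetentionPolicy "Standard housekeeping"
Start-ManagedFolderAssistant -Identity $Suspect   # apply the policy now
```

Two points worth making to the audience when walking through it: the hold in step 2 is what makes the evidence from step 1 survive the culprit's deletions, because the hold period is anchored to the receive date rather than the deletion date; and step 4 deliberately has nothing to do with the investigation, since retention tags exist to keep mailbox size and storage cost down, and they never override an active hold.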
