Exchange compliance and security features

Posted on 2014-03-05
Last Modified: 2014-03-11
Hi

Looking for an engaging way to describe the notion of, and the difference between, eDiscovery, inline hold, Journaling and retention policies within Exchange 2013 to a non-technical audience, with a real-life example that may cover all four elements?
Question by: fahim
1 Comment
 
LVL 64

Accepted Solution

by: btan (earned 500 total points)
ID: 39908230
Best is to have a before-and-after example, very much storytelling. Probably a miscreant and insider-threat scenario may help to intrigue the investigative mind of the audience and yet bring about the practical capabilities. The retrospective and investigative tactic of sieving through the troves of data to eventually find evidence of data or IP theft (mystery) and bringing justice (finally, truth) may add some "color" to the techie storytelling.

For a start, understand the need for the below: compare the normal vs. the "enhanced" means in the 4 areas named.

1) eDiscovery - to detect, in a big pool of data, the suspect's activities such as sending email outwards to his web email, corresponding with external parties on a specific organisation intellectual product yet to be released, press comms etc. Keyword search.

Norm: use Windows Search or a manual approach, with no script or great UI to automate the search. Vs.: Discovery Managers use the new In-Place eDiscovery & Hold wizard to perform eDiscovery searches.

E.g. Keyword statistics: After you create an In-Place eDiscovery search, you can get detailed keyword statistics showing you the number of items matched for each keyword. You can use this information to determine if the query has returned the number of messages you estimated. Depending on whether a query is too broad or too narrow, the search may return too many or too few messages. Use this information to fine-tune your query.

E.g. eDiscovery Search Preview: After you've created an eDiscovery search, you can quickly preview search results. Messages returned from each source mailbox are displayed in search preview. Being able to quickly preview messages allows you to ensure your query returns the content you're searching for and to further fine-tune your query.

See the above extract from the walkthrough at http://blogs.technet.com/b/exchange/archive/2012/09/26/in-place-e-discovery-and-in-place-hold-in-the-new-exchange.aspx

2) In-Place Hold - There are various "hold" use cases; the emphasis here is that In-Place Hold allows you to specify a duration of time for which to hold items. So in the storyboarding of the insider, the culprit is attempting to delete those email correspondences or mail contents containing those "sensitive" keywords... never does he know there is such a capability to retain information for a duration...

You can try to talk about the need to configure the Deleted Item Recovery period to the minimum period you want an item to be retained for. But it can be slightly tricky here as it may bring some "confusion"... the period for Deleted Item Retention is calculated from the date of deletion. So the deletion date can inadvertently lengthen the retention period...

Here, you start to talk about how we can be more surgical on the exact time... such that when we create a time-based In-Place Hold, it is more "accurate" because the hold period is calculated from the item's received/creation date; you can guarantee the item won't be held beyond that period, as compared to the Deleted Item Recovery period.

Actually, the inline hold indirectly brings about the retention policy. E.g. it may be good to run through the normal delete where, once a user uses Shift-Delete to delete a message, it is moved to the Recoverable Items\Deletions folder. Any messages from the Deletions folder are purged when the Deleted Items Retention period configured for the mailbox database or the user expires. However, if the mailbox is placed on an In-Place Hold, the item is moved to the Recoverable Items\DiscoveryHolds folder.

The juncture now may be good to bring on "immutability" which simply means messages placed on hold must be preserved without alteration. In-Place Hold also helps you preserve content from intentional tampering or modification. This is achieved by performing a copy-on-write (COW) – when the user or any process attempts to modify a message, before the modified message is saved a copy of the original message is made and saved in the Recoverable Items\Versions folder. Items captured in the Versions folder are also indexed and returned in an In-Place eDiscovery search.

The link above brings on a good run-through for inline hold and eDiscovery...

3) Journaling - This probably has to be highlighted as an enabler for the sleuth, as it is a tool in your email retention or archival strategy. So for the scenario, the "investigation" can also include the insider or employee being held liable for the claims made to their customers. To verify that the claims are accurate, the email system is set up so that a review can be performed regularly on employee-to-client communications. In a way this serves to verify the suspect's compliance (at least finding bits and pieces of his misdoings, if any). The focus can be a journal rule scoped on External messages only.

A journal report is next to show, which can be generated when a journal rule is triggered. E.g. The original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains information from the original message such as the sender email address, message subject, message-ID, and recipient email addresses.

The links help with more details:
http://technet.microsoft.com/en-us/library/aa998649(v=exchg.150).aspx
http://www.zensoftware.co.uk/kb/KnowledgebaseArticle10423.aspx

4) Retention policies - this actually relates closely to (1) and (2), so probably you may not want to repeat too much, as the emphasis should already be known by the time you reach the conclusion or gather enough evidence to affirm the suspect's or insider's wrongdoing. Probably the point is just to bring in the "Retention Policy Tag" that can be further grouped under a retention policy... meaning having it group all tagged folders for deletion purposes.

But also the main objective for this policy is actually to do "housekeeping" and not increase mail size, since we know the cost can increase with storage size... a kind of enforcement to limit user mail size, tagged for deletion based on organisation policy.

Ultimately, it is to streamline investigation and housekeeping and at the same time comply with ease. More links for the configuration:
http://ibenna.wordpress.com/2013/02/04/exchange-2010-retention-policy-to-clear-deleted-items/
http://technet.microsoft.com/en-us/library/dd297955(v=exchg.150).aspx
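An added example, not part of btan's answer or of Microsoft's documentation: the Exchange Management Shell commands that set up the four capabilities in the order the story introduces them (estimate-only eDiscovery search, time-based In-Place Hold with a look at the Recoverable Items subfolders, an External-scoped journal rule, and retention tags grouped into a policy). The mailbox jdoe@contoso.com, the journal and sales addresses, database DB01, the keyword "Project Falcon" and every search, rule, tag and policy name are assumed placeholders; the cmdlets and parameters are the standard Exchange 2013 ones.

```powershell
# Added example (not from btan's post or from Microsoft's documentation).
# All mailbox names, addresses, keywords, database and object names below
# are assumed placeholders; replace them with your own.

# --- (1) eDiscovery: estimate first, then decide whether to copy results --
# Keywords the insider-threat story hinges on: an unreleased product name
# and the sender's personal webmail domain (both constructed for the example).
$query = '"Project Falcon" OR gmail.com'

New-MailboxSearch -Name 'Falcon-Leak-Estimate' `
    -SourceMailboxes 'jdoe@contoso.com' `
    -SearchQuery $query `
    -EstimateOnly
Start-MailboxSearch -Identity 'Falcon-Leak-Estimate'

# The item-count and size estimates tell you whether the query is too broad
# or too narrow before anything is copied to a discovery mailbox.
Get-MailboxSearch -Identity 'Falcon-Leak-Estimate' |
    Format-List Name, Status, ResultNumberEstimate, ResultSizeEstimate

# --- (2) In-Place Hold: preserve the same items for a fixed period --------
# ItemHoldPeriod (days) is counted from the item's received/creation date,
# which is what makes it more predictable than the Deleted Item Retention
# window, whose clock starts at deletion.
New-MailboxSearch -Name 'Falcon-Leak-Hold' `
    -SourceMailboxes 'jdoe@contoso.com' `
    -SearchQuery $query `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 365

# Database-wide deleted-item window for comparison (dd.hh:mm:ss).
Set-MailboxDatabase -Identity 'DB01' -DeletedItemRetention 14.00:00:00

# Where held and edited items actually live: Deletions, DiscoveryHolds and
# the copy-on-write Versions folder under Recoverable Items.
Get-MailboxFolderStatistics -Identity 'jdoe@contoso.com' -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# --- (3) Journaling: copy external traffic of one recipient to a journal --
# Scope External matches only messages with at least one external party;
# the journal report carries the original message as an unaltered attachment.
New-JournalRule -Name 'Sales-External-Journal' `
    -JournalEmailAddress 'journal@contoso.com' `
    -Scope External `
    -Recipient 'sales@contoso.com' `
    -Enabled $true

# --- (4) Retention policy: tags grouped into one policy for housekeeping --
# Default tag (Type All): move everything to the archive mailbox after 2 years.
New-RetentionPolicyTag -Name 'Archive-After-2-Years' -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive

# Deleted Items folder tag: delete after 30 days, still recoverable for the
# deleted-item window configured above.
New-RetentionPolicyTag -Name 'Purge-Deleted-30-Days' -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

New-RetentionPolicy -Name 'Standard-Housekeeping' `
    -RetentionPolicyTagLinks 'Archive-After-2-Years', 'Purge-Deleted-30-Days'

Set-Mailbox -Identity 'jdoe@contoso.com' -RetentionPolicy 'Standard-Housekeeping'
```

Run the blocks in order in an Exchange Management Shell session with the Discovery Management and Records Management roles. Items under the hold in (2) are still subject to the tags in (4), but a retention action on a held item moves it to the Recoverable Items subfolders rather than purging it, which is the point the answer makes about hold and retention working together.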
