Software

E-mail archiving presents its own security concerns

E-mail archiving is now a legal requirement in the financial and healthcare industries, but implementing it continues to pose logistical and security challenges. Outsourcing may be the best solution for some companies, as this article explains.

This article was originally published in TechRepublic's Internet Security Focus e-newsletter.


I recently spoke with a friend who works for a healthcare company about e-mail archiving. Government regulations require healthcare companies to save all e-mail messages to and from their employees. Similar laws apply to the financial services industry.

E-mail archiving is a standard feature in many commercial e-mail server systems, including Lotus Notes and Microsoft Exchange. How these systems actually implement message archives isn't as important as the fact that this feature is available "out of the box," so to speak. If your company uses Microsoft Exchange Server and needs to archive e-mail, it's a simple process to enable the feature.

Examine the issues
The technical and security issues surrounding e-mail archiving—even on a small scale—intrigue me. Archival storage of e-mail messages poses some interesting challenges that grow larger based on the number of e-mail accounts used by the company.

Of course, there's the obvious issue of determining what to archive. Do you archive all e-mail traffic? What about junk e-mail and nonbusiness-related interoffice e-mail? Consider the tremendous storage requirements for large companies even when excluding these categories. And don't discount the security implications of having a large, detailed e-mail archive for an entire organization in the first place.

Outsourced e-mail archival may be the answer for many organizations. Technically, it would involve redirecting SMTP traffic to another company, which would then keep a copy of the e-mail and forward it to the final destination server. Several providers offer e-mail archival services in this manner, and there are several benefits to such an approach, not only because it's simple to implement and provides off-site archival.

For small to midsize organizations, outsourced e-mail archival is a cost-effective solution. But again, organizations must address the security concerns of the e-mail archive itself—both from within the organization using the e-mail archive and the outsourced company providing it.

Another important issue is whether an organization even knows it's supposed to be archiving e-mail. For example, consider city governments, many of which are already under the dark cloud of poor Internet security in addition to outright bankruptcy. There's a tremendous need for education in these organizations, especially in government, regarding their legal requirements to archive e-mail. Even small medical practices should be archiving e-mail messages, but few are aware of this requirement, and even fewer have their own e-mail servers.

In my opinion, it's also important for organizations that implement e-mail archiving to make employees aware that the practice exists. The content of nonbusiness-related e-mail often changes quickly once people know the organization is archiving their e-mail.

Bottom line
Archiving e-mail is a tricky undertaking. There's obviously a need for it, particularly to comply with legal requirements. But how companies can implement it effectively and securely is a complex matter. Companies that are required to implement e-mail archiving often discover, as the healthcare company my friend works for did, that e-mail archival poses its own cost and security problems.

For these reasons, e-mail outsourcing, specifically for the purposes of archiving, could become the next leading Internet subindustry. Until e-mail archival becomes a more mainstream Internet security topic, we're sure to see continued confusion on this issue.

Editor's Picks