Vioptim - SaaS Security Specialists

Email Archiving

Why archive emails off-site?

The rationale for archiving emails is based on a number of fundamental principles. The reason for doing so off-site is not always so clear. Let's run through a few of the guiding principles here and see if we can convince you that "cloud is good" for this type of application. First of all why archive at all?

More and more business is being transacted via email and other electronic means. Whilst many of the Web 2.0 applications bypass email, it is nearly always the case that an email is sent as confirmation of an action to register or following a transaction.

This helps to ensure that the rightful owner of the transaction is notified of an event thus helping avoid ongoing fraudulent activities. Web 2.0 aside, emails are sent instead of letters, contract Terms and Conditions are sent as attachments to emails, orders are sent as pdf files containing customer signatures. Virtually every transaction that used to be paper based is now electronic. What do we traditionally do with paper based transactions? Store them in a filing cabinet. Why? Because, over many, many years of business transactions it’s always been the case that such material may be required for audit purposes, for checking to see what went wrong, to identify incorrectly specified requirements, to use as evidence in the event of litigation and so on.

What do we do with emails today?

What do we do with emails? Well, er, we leave them sitting in our Inbox until it gets filled up and we need to make room for some more emails so we probably delete them. At best we may print them (not very green friendly) or archive them in our own folders which we assume get backed up by the IT team, don’t they?

Okay, this is worst case scenario stuff but we’d take a few bets that anyone reading the last sentence is smiling (or grimacing) because they recognise the issue. So why do we need to archive emails?

eDiscovery
Compliance with regulations and auditors
Storage Management
Knowledge Management
Disaster Recovery and Business Continuity

eDiscovery is when someone needs to trace information sources for a business or legal reason. There may be a review of an account going on or possibly a court case to provide evidence to. Whatever the reason, and there could be many, we need to get at related information in the form of emails. What we’d rather not do is pull archived emails from tapes.

Compliance is a relatively easy one to understand although not every industry is governed by strict regulatory guidelines such as those that the FSA impose upon organisations in the UK dealing with finances. However, the Freedom of Information Act and the Data Protection Act both create a need to have access to information about people and transactions. For example Taxation affairs and information about Health and Safety need to be kept for several years in case of future incidents. So it’s very difficult to know if you are compliant with all of the regulations out there or not. To be on the safe side email archiving will give a great deal of assurance that you will comply.

All this archiving requires considerable amounts of storage which will, predictably, grow and grow. Most archiving needs to be kept for a minimum of 5 years, more likely 7, 10 or 15 depending which industry you service. Looking after this much data year on year can be quite a struggle. It also needs replicating as you can’t afford to keep it in just one place.

This brings us nicely onto DR and BC. All data needs a copy somewhere, preferably off-site and on-line to make it as easy as possible to recover from simple or catastrophic data loss. Well managed data centres that are secure and available from anywhere, with their own backup and replication systems, take away the major headache of doing all this work in-house.

One last point. If the archive is on-line it also means that we can have user self-service. A bit like when we forget one of the myriad of passwords on a web site that we hardly ever use, we can request an automatically generated email to allow us to choose a new password.

In the same way, email archives are there for the user to recover or find an old or lost email when they need it, so it’s not always the case that it’s because we have a crisis on our hands.

Allowing the user to have read-only access to his or her archived emails saves a huge drag on IT resources that would otherwise have to go find the tapes of the backup, recover them to a disk file, search through and provide the user with what they wanted. It can all be done by the user.

The case for archiving “in-the-cloud”

Most of the above points are why we need to archive, but what is the added attraction of doing so off-site and with a 3rd party? Some of the rationale has already been mentioned such as disaster recovery and business continuity but there are many other good reasons.

A quality service provider will be Security Classified. In other words they will have demonstrated and continue to demonstrate their adherence to some stringent data protection and security standards. How many organisations looking after their own archives will have such high standards? Putting the archive in-the-cloud means far less management from an IT perspective.

There are no servers to secure, to update, to maintain, to backup, to replicate, to renew. It’s all done for you as a service. You don’t have to be sitting inside your network to get at the archive (unless you wish to force this) so for external auditors or travelling executives, it’s easy to get at the information.

The external provider is also unattached to the data therefore does not have a reason for trying to subvert the archive. Not always the case for an in-house solution which is being managed by employees of the company who themselves could have something to hide. Again, worst case scenario but we know it has happened.

Is it cost effective?

There are several papers that deal with the return on investment of this form of archiving and whilst we’re not putting an example here, it’s plain to see that the cost involved of setting up an internal, in-house system, maintaining it, managing it and ensuring its integrity will be considerable. The cost of paying for this service will generally be much cheaper in the mid to long term.