Symantec tools peer deep into your users' e-mail
Having policies in place could help avoid legal ramifications
Deploying an enterprise-class e-mail-archiving product, such as Enterprise Vault, may pose some technical challenges, but having such a system in place also could result in far more costly organizational, political and legal challenges.
Although enterprise e-mail managers have always had the ability to snoop on other people’s messages, a tool such as Symantec’s Enterprise Vault (EV) takes this capability to a whole new level. EV offers the capability to search deep into messages across every user in the enterprise.
In the past, the capability to read other people’s e-mail required special expertise facilitated by special access via an administrative password. With such tools as EV, the whole reason to go to the time, expense and effort is that you fully intend to read other people’s mail.
A general problem with these tools, facilitated by the compliance and auditing measures built into them, is the obvious ability of enterprise IT personnel to violate the privacy of employees. The U.S. legal framework generally conveys permission to an employer to monitor outbound e-mail and, in fact, may make monitoring compulsory in certain environments. The combination of normal expectations of courtesy and privacy and an all-seeing tool that looks at every e-mail message sets up a tension in the workplace, even in organizations with a very pro-employee privacy policy, which must be carefully managed.
EV gets the joke
One issue with any archiving and compliance system is that it's difficult to separate out the lunch dates from the confidential information. EV's Automatic Classification Engine (ACE) was designed to address this issue.
Each message entered into EV can be run past a set of classification rules such as looking for particular message characteristics (an MP3 attachment) or content (including looking for jokes). As a message matches different rules, tags can be attached that can be used within EV as part of a search.
ACE caught nine out of 10 jokes in our test, missing out only on a parody about cottage cheese. With that high catch rate, ACE could assist in both compliance and discovery tasks.
Good tools, and we do consider Enterprise Vault one of them (see main test), have a carefully constructed permissions model that helps to partition access not just to the message database itself, but to roles within the application (such as differentiating between someone who can define a compliance policy and search for messages, and someone who can read those messages).
Such technology is an important piece of the big picture, but far more critical is the process of setting up appropriate policies for who has access to the treasure trove of private information contained within the core of EV. These policies should be backed up as tightly as possible by controls built into the compliance products themselves.
For example, if specific individuals are named in a legal complaint, then you might want to narrow the access of the investigator to specific e-mail time frames and mailboxes. Likewise, the use of products should be audited to ensure that no one, especially IT staff, is abusing or misusing these archives.
In a recently settled incident, IT executive Arthur Riel, who was previously in charge of Morgan Stanley’s e-mail retention and compliance system, was fired for using — abusing, in Morgan Stanley’s opinion — the system he had been hired to run.
In 2006, Wal-Mart disclosed that one of its IT staff, Bruce Gabbard, had monitored communications ranging from text messages to phone calls with outsiders, including reporters from The New York Times. In both cases, the fired staffers claimed ambiguous or nonexistent policies regarding monitoring were at the root of the incidents.
Incidents such as these highlight the need to accompany any installation of a tool like EV with an equally well-thought-out set of policies on how that tool will — and will not — be used.
Copyright © 2007 IDG Communications, Inc.