Interesting video about data governance. This is the second video in our series, “5 Questions about Information Governance in 5 Minutes.” In this video IG experts answer the tricky question, “Who Should Own Information Governance?”
One of the more interesting benefits of last year’s launch of DatAdvantage for Exchange was the opportunities it presented to talk with different sets of people in our customers’ organizations. Where traditionally we’d worked mostly with security, storage, Windows or Active Directory teams, DatAdvantage for Exchange spurred meetings with messaging, e-Discovery and legal folks as well.
E-mail is a business-critical system, period. From an IT perspective, it may be the most critical system—most companies would rather lose their phones for a day than their e-mail. What that has meant for the Messaging folks in charge of Exchange is that simply keeping the lights on—making sure that emails are being delivered promptly and that the repository of stored data is available—has been far and away more important than access control. However, the consequence of focusing on availability rather than confidentiality or integrity has meant that a lot of the controls and auditing that should be in place are sorely lacking.
Data Governance and Exchange
Exchange is an interesting repository from a data governance perspective. The last time I wrote about using Varonis, I talked about how we can combine data classification with permissions exposure to identify the data that’s most at-risk on a file system or SharePoint site. Unlike a file share, the hierarchy is flat—everyone’s got their own mailbox, and it’s very easy to share out access rights to it. You can, for instance, give someone access to your inbox or calendar. With IT’s help, you can give them the ability to send email on your behalf, or even “as” you. Exchange is exactly like file shares in that mailbox access is reviewed only periodically: mailboxes stay shared, and users keep send-as or send-on-behalf-of privileges for a long, long time.
What’s at Risk?
One of the first things we do when we spin up DatAdvantage for Exchange for a customer is to run a report that shows them everywhere someone in the organization has access to a mailbox that isn’t their own.
Everyone has access to their own mailbox by default. It takes some sort of permissions change, though, either on the client (Outlook) side or by the admin on the Exchange server, to grant someone access to another mailbox. One of the things we’re seeing when we do this, by the way, is that the mailboxes that are without question most likely to have been shared are those that are probably considered the most valuable—those of the CEO and other high-level management. While native tools might let you manually (and somewhat painfully) check permissions on a mailbox-by-mailbox basis, Varonis gives you the ability to see where anyone has access to an object that’s not part of their own mailbox.
We take that risk assessment a step further, too, with another report that will show you where people are actually accessing data in mailboxes that don’t belong to them. For good or ill, these are probably the permissions you want to take a look at first from a governance perspective.
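For readers who want to see what the “manual” native check looks like, here is an added example (not Varonis code, and not from the original post) that builds the same two views described above with Exchange Management Shell cmdlets: where someone holds rights on a mailbox that isn’t their own (full access, Send-As, Send-on-Behalf), and where delegates or admins have actually logged on to other people’s mailboxes. It assumes an on-premises Exchange shell session and that mailbox audit logging has been enabled on the mailboxes you care about; the CSV file names are arbitrary.

```powershell
# Added example: enumerate non-owner mailbox access natively (assumes an EMS session).
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Explicit (non-inherited) Full Access rights held by someone other than the owner.
#    SELF is the owner; S-1-5-* entries are orphaned SIDs from deleted accounts.
$fullAccess = foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\SELF' -and
            $_.User -notlike 'S-1-5-*' -and
            $_.AccessRights -like '*FullAccess*'
        } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress}}, User, AccessRights
}

# 2. Send-As is an AD extended right on the mailbox object; Send-on-Behalf is a
#    mailbox attribute (GrantSendOnBehalfTo).
$sendAs = foreach ($mbx in $mailboxes) {
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.ExtendedRights -like '*Send-As*' -and
            $_.User -notlike 'NT AUTHORITY\SELF'
        } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress}}, User
}
$sendOnBehalf = $mailboxes | Where-Object { $_.GrantSendOnBehalfTo } |
    Select-Object PrimarySmtpAddress, GrantSendOnBehalfTo

# 3. Who actually opened someone else's mailbox in the last 30 days.
#    Requires auditing: Set-Mailbox -Identity <mbx> -AuditEnabled $true
#    (only Delegate and Admin logons are non-owner access).
$since = (Get-Date).AddDays(-30)
$nonOwnerUse = foreach ($mbx in ($mailboxes | Where-Object { $_.AuditEnabled })) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Delegate,Admin `
        -StartDate $since -EndDate (Get-Date) -ShowDetails |
        Select-Object MailboxOwnerUPN, LogonUserDisplayName, LogonType, Operation, LastAccessed
}

# Review the "actually used" list first; unused grants are the cheap ones to remove.
$fullAccess   | Export-Csv .\NonOwnerFullAccess.csv      -NoTypeInformation
$sendAs       | Export-Csv .\SendAs.csv                  -NoTypeInformation
$sendOnBehalf | Export-Csv .\SendOnBehalf.csv            -NoTypeInformation
$nonOwnerUse  | Export-Csv .\NonOwnerAccessLast30d.csv   -NoTypeInformation
```

Outlook-side delegation (Reviewer/Editor on a folder) is a folder permission, not a mailbox permission, so it does not show up in Get-MailboxPermission; Get-MailboxFolderPermission per folder is needed to cover that path.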
Philip Favro of Symantec, in an article called Defensible Deletion: The Cornerstone of Intelligent Information Governance on the eDiscovery 2.0 blog, defines defensible deletion as “a comprehensive approach that companies implement to reduce the storage costs and legal risks associated with the retention of electronically stored information (ESI)”.
That is the point, of course, of the word “defensible” in this context. It matters most in the US, where everyone goes in fear of the sanctions bogeyman, apparently without regard to the terms of Rule 37(e) of the Federal Rules of Civil Procedure which reads as follows:
(e) Failure to Provide Electronically Stored Information. Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.
Most other jurisdictions can manage without this “safe harbor” because they do not have the same (alleged) reason to fear sanctions. I say “alleged” because if US companies paid more attention to Rule 37(e), they too could set about the deletion of material which is not presently the subject of a legal hold and which is not required for statutory or business purposes. It would help, too, if they read some of the sanctions Opinions which cause such dread to see how many of them were the consequence of the “routine, good-faith operation of an electronic information system”.
If you are short of ROI information to justify the work involved in a defensible deletion programme, try and calculate how much money was spent last year processing and reprocessing useless data for eDiscovery purposes, rejecting it time after time, at considerable expense. There’s a big chunk of ROI there.
Thanks to http://chrisdale.wordpress.com/