E-mail archiving and e-mail encryption are two very different technologies, with disparate methods and objectives. While some types of legislation may call for both, it is not usually in the enterprise’s best interests to deploy an all-in-one software package or appliance. Deploy e-mail archiving and encryption as separate, best-of-breed solutions.
E-Mail and the Law
E-mail encryption is the art of securing transmitted messages, end-to-end, to ensure that only intended recipients can read messages. E-mail archiving is the practice of storing messages in their original form for quick retrieval at a later date. Most IT-oriented legislation calls for one or both of these messaging technologies, as summarized below:
Market View
Some vendors attempt to cater to both encryption and archiving requirements within a single product in order to push offerings under the “compliance” umbrella. The end result is a solution for which neither function is a core competency. For example:
- Pervasive Solutions ExchangeARMOR is a hosted solution that not only provides Microsoft Outlook as a service, but also anti-virus, archiving, and encryption (much like the offerings from Postini). A wholesale outsourcing of the e-mail function is not advisable, particularly when compliance requirements for messaging are present. Business continuity of any outsourcer is a major area of risk. If archiving and/or encryption are mandated by law, the e-mail function should be kept in-house. The exception to this rule would be a very small organization that has limited IT resources but is subject to numerous laws.
- Intradyn ComplianceVault has a built-in Sony AIT tape unit that can be written to with native 256-bit AES encryption, but anything stored in “regular” storage does not get encrypted. While this solution is fine for secure, off-site backup tapes, ComplianceVault does not necessarily meet the secure archiving needed for disk-based storage. An encrypted e-mail archive is not the same as encryption for secure transmission of messages, which is what legislation is concerned with.
- Symantec Enterprise Vault supports PGP encryption, but the archive itself doesn’t store messages in an encrypted format. Instead, Enterprise Vault automatically decrypts messages as they enter the archive so that they can be reviewed at a later date. Interestingly enough, a recent article written by the VP of Symantec Enterprise Messaging Management implies that the Enterprise Vault archive can be encrypted, though the Symantec site itself says nothing to that effect.
Recommendations
- Consider a combined product only where compliance is a minor concern. A two-in-one vendor is best suited for low-risk enterprises with only minimal requirements for archiving and encryption, or those companies that simply have an internal requirement for heightened e-mail security. For example:
- Even though a supplier of medical equipment has to comply with HIPAA’s trading partner agreement in order to do business with HIPAA-covered entities (i.e. hospitals), the supplier itself does not handle sensitive personal health information. So, even though the HIPAA e-mail requirements still apply to the supplier, a second-tier combined offering should satisfy compliance needs.
- Where compliance is king, go with best-of-breed. If the enterprise has a direct dotted-line compliance requirement, go with best-of-breed vendors for encryption and archiving. The following table provides a list of market-leading products for separate encryption and archiving vendors:
- Manage e-mail policy holistically. Acquisition of archiving and encryption solutions must be driven by risk management and governance. Reassess the enterprise’s policies and procedures before acquiring either technology. For example, is there an “E-Mail Archiving and Retention Policy” in place? What about an “Encryption Policy”? Once finalized, these policies should stipulate which e-mails must be kept, the manner in which they should be archived, and for how long, as well as which encryption standards and solutions are acceptable. The finished policies should also outline who has the authority to archive/encrypt e-mails in compliance with the law, as well as the procedures for doing so. Also be sure to communicate and enforce these policies: make adherence to them a condition of continued employment.
Bottom Line
Niche vendors that roll e-mail archiving and encryption into a single product are suitable mainly for enterprises for which compliance is a peripheral concern. Enterprises with a strong compliance mandate should choose separate products that specialize in each technology.