Exchange 2007 Assists Regulatory Compliance


The following is the full text of an article published by Directions on Microsoft, an independent research firm focused exclusively on Microsoft strategy and technology. More samples of our content, as well as a list of upcoming articles and reports, are also available.

Exchange 2007 is the first version of Microsoft's e-mail server software that makes it more practical for organizations to conform to regulatory requirements governing information retention and privacy. It can also reduce litigation risks caused by undeleted e-mails and attachments. These new features will appeal most to corporate executives and could provide a strong incentive to upgrade Exchange. However, the compliance features could cause resentment among end users who feel a loss of privacy or freedom.

A Regulatory and Legal Minefield

In the years since Exchange 2003 shipped, the legal landscape for storing and handling e-mail and other electronic documents has changed dramatically. This change has been driven by two main factors:

Government regulations. Many new regulations governing records retention and the handling of sensitive and confidential data have been imposed on companies worldwide. These regulations apply to electronic records in addition to paper records. For example, a U.S. Securities and Exchange Commission rule requires brokers, dealers, and exchange members to retain original copies of all communications for a period of no less than three years, with communications less than two years old kept in an easily accessible location. The U.S. Health Insurance Portability and Accountability Act (HIPAA) mandates that companies and health care organizations safeguard the security and privacy of employee and patient medical records. The European Union Data Protection Directive of 2002 sets legal standards for processing personal data and protection of privacy, imposes stringent restrictions on which personal information can be collected and stored, and dictates rules for passing personal data to non-EU countries. Noncompliance with these regulations can carry a high cost, ranging from fines to even prison terms for egregious neglect by corporate officers.

Subpoena of electronic records during litigation. Well-known legal cases (including Microsoft's own run-ins with the U.S. Department of Justice and the European Commission over antitrust issues) have highlighted the dangers that e-mail and other electronic records can pose to organizations, especially when the organizations are not even aware that certain records exist because they are stored in users' mailboxes or have been copied to private locations. E-mail records can be subpoenaed or required to be disclosed under the rules of discovery (the compulsory disclosure of information that relates to litigation). According to Microsoft, one in five employers in the United States has had e-mail subpoenaed, and the frequency of such requests will probably rise: in Dec. 2006, the U.S. Federal Rules of Civil Procedure strengthened rules concerning search of digitally stored information (including e-mail) during discovery, so that it is now harder for a defendant to claim that excessive cost or business disruption prevents them from producing the required records. Furthermore, organizations can sometimes even be held liable for objectionable or inappropriate e-mail content sent by employees.

The laws governing recordkeeping and disclosure don't end with e-mail: these same requirements apply to electronic file storage and to other types of data communications, including faxes, instant messages, voice mails, Web documents, and in some cases even voice conversations.

Three Types of Compliance Requirements

Although regulations and statutes vary widely among countries and jurisdictions within countries, Microsoft sees three basic categories of requirements that apply to all: message retention, controlled access, and information and process integrity.

Message retention. Not only does a company need to retain e-mail messages for a period dictated by the regulations governing it, but in the event these records are subpoenaed or required in a legal action, the company also should be able to search and retrieve relevant information contained in those records without incurring high costs.

Controlled access. Organizations can be held liable for failure to protect the privacy of sensitive information they store and must sometimes follow specific practices. Furthermore, companies may even be responsible for protecting the privacy of messages transmitted over the Internet. The widely used Simple Mail Transfer Protocol (SMTP) for Internet e-mail transmits text unencrypted, and messages could be revealed if an eavesdropper can listen in on a network over which the messages travel. Unfortunately, protecting the confidentiality of individual messages with encryption is complex and has not been widely adopted.

Information and process integrity. Many laws and regulations stipulate various policies, controls, and procedures for electronic communications. For example, some laws require that the confidentiality of various types of messages, such as attorney-client privilege, be explicitly marked on each message. Others even stipulate that organizations keep internal groups with a structural conflict of interest (such as investment bankers and stock analysts) from e-mailing each other.

Exchange 2003 Not Much Help

Exchange 2003 contains only one feature to help organizations cope with message retention: an administrator can configure each Exchange storage group (an Exchange database unit for storing mailboxes or public folder data) to forward to a designated Exchange mailbox copies of all items sent from and received by the mailboxes or public folders in the storage group. Although Exchange 2003 has strong access controls to protect users' mailboxes and can be configured to encrypt Internet-bound SMTP exchanges with designated partners using Transport Layer Security (TLS), it does not come with any features that help customers enforce information and process integrity.

Until Exchange 2007, Microsoft could only steer customers toward its Exchange Hosted Services (EHS), an external service obtained through its acquisition of FrontBridge Technologies. Among EHS's offerings are two services, Exchange Hosted Filtering and Exchange Hosted Archive, that help customers meet various e-mail compliance requirements. However, these services are priced per user on a subscription basis, and many Exchange customers would rather manage their messaging compliance in-house.

New Compliance Features in Exchange 2007

Exchange 2007 was designed to aid corporate compliance, and the product comes with many new features that address all three requirement categories.

Transport Rules

Architectural changes in Exchange 2007 cause all message transfers to be routed through Exchange servers configured to perform the new hub transport role, and Internet mail can go through a server configured in the new edge transport role. Both of these Exchange 2007 server roles support a new feature called transport rules that can inspect every message (including attachments) sent or received to see whether it meets certain conditions and, if so, take prescribed actions. The conditions can include specific user names, group memberships, internal vs. external addresses, the presence of certain words or text patterns, or the type of content (e-mail, voice message, or fax). The actions include blocking messages, redirecting or copying messages, appending text (such as a disclaimer), or merely logging the event. Transport rules can be set for individual hub transport or edge transport servers, or they can be applied globally to every hub transport server in the Exchange system.

Transport rules allow an organization to enforce many aspects of e-mail policy. For example, they can detect and block any e-mail from leaving the organization if it contains a number whose pattern matches that of a U.S. Social Security number.

(For an illustration of the Exchange 2007 Transport Rule Wizard, see "Exchange 2007 Transport Rule Wizard".)

Message Classifications

Exchange 2007 comes with four preconfigured message classifications—Attorney/Client Privilege, Company Confidential, Company Internal, and Attachment Removed—and other custom classifications can be added. When an Outlook 2007 or Exchange 2007 Outlook Web Access (OWA) user marks a message as classified, the classification stays with the message permanently (unless the message is sent outside the organization) and is displayed when recipients open the message on an Outlook 2007 or OWA 2007 client.

In addition to informing recipients of the sensitivity or appropriate use of the content of the message, classifications can be used as a condition to trigger transport rules to take various actions. For example, a classification could prevent any message classified "Company Internal" from being forwarded to recipients outside the company, and also notify a compliance officer of the attempt.

(For an illustration, see "Classifying a Message in Outlook 2007".)
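The transport rule and message classification behaviour described in the two sections above, as an added, simplified model (not Exchange's own rule engine or object model): rules are evaluated in order against a message, each rule yields an action (block, append text, notify), and a "Company Internal" classification or an SSN-shaped number stops the message from leaving the organization. The domain, compliance mailbox and message fields are assumed sample values.

```python
import re
from dataclasses import dataclass, field

# Constructed message model; assumed for this example, not Exchange's own object model.
@dataclass
class Message:
    recipients: list
    subject: str
    body: str
    classification: str = ""   # e.g. "Company Internal", as set by the Outlook user
    log: list = field(default_factory=list)

INTERNAL_DOMAIN = "corp.example"                    # assumed organisation domain
COMPLIANCE_OFFICER = "compliance@corp.example"      # assumed notification mailbox
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # U.S. SSN shape NNN-NN-NNNN

def leaves_organization(msg):
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)

def rule_ssn_leaving_org(msg):
    """Block outbound messages whose subject or body carries an SSN-shaped number."""
    hit = SSN_PATTERN.search(msg.subject + "\n" + msg.body)
    return ("block", []) if leaves_organization(msg) and hit else None

def rule_company_internal(msg):
    """Block 'Company Internal' mail to external recipients and notify compliance."""
    if msg.classification == "Company Internal" and leaves_organization(msg):
        return "block", [COMPLIANCE_OFFICER]
    return None

def rule_external_disclaimer(msg):
    """Append a disclaimer to every message that leaves the organization."""
    return ("append", []) if leaves_organization(msg) else None

RULES = [rule_ssn_leaving_org, rule_company_internal, rule_external_disclaimer]

def apply_transport_rules(msg):
    """Evaluate rules in order; first block wins. Returns (verdict, notify list); msg.log records fired rules."""
    notify = []
    for rule in RULES:
        result = rule(msg)
        if result is None:
            continue
        action, extra = result
        msg.log.append(f"{rule.__name__}: {action}")
        notify.extend(extra)
        if action == "block":
            return "blocked", notify
        msg.body += "\n-- Subject to company e-mail policy."   # action == "append"
    return "delivered", notify
```

Rule order matters: a blocking rule earlier in the list prevents later rules (such as the disclaimer) from running, which mirrors why administrators should review rule precedence when several rules can match one message.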

Message Journaling

In the context of e-mail compliance, journaling means sending a copy of a message to a secondary location, typically called an archive. Once in the archive, messages cannot be deleted by users. Exchange 2007's journaling capabilities are much more granular than Exchange 2003's: administrators can configure journaling to be triggered per message store, per distribution list, or per user, and journaling can also be triggered by transport rules (although this requires users to have the extra-cost Exchange Enterprise Client Access License). Unlike Exchange 2003, which could archive only to an Exchange mailbox, Exchange 2007 messages can be journaled to a SharePoint site or to an SMTP address.

Exchange 2007 creates and archives a special message, called a journal report, for each triggered item. This report contains not only the original message and any attachments but also other information not contained in the original message's header, such as the Exchange Message ID (which can be used to correlate the message with Exchange's message tracking logs) and whether a recipient was addressed directly or through membership in a distribution list.

Because of Exchange 2007's new support for unified messaging, which transports and stores voice mail and inbound faxes the same way as e-mail messages, the journaling feature also gives organizations a convenient and cost-effective way to archive those items.
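The journal report described above, as an added illustration (not Exchange's own journaling code): the report wraps the original message as a message/rfc822 attachment and records the envelope facts the original header lacks, namely a message identifier for correlation with tracking logs and, for each recipient, whether it was addressed directly or reached through a distribution list. The directory data, journaling scope and archive address are assumed sample values.

```python
from email.message import EmailMessage

# Constructed directory data: distribution lists and their members (assumed sample values).
DISTRIBUTION_LISTS = {
    "legal@corp.example": ["alice@corp.example", "bob@corp.example"],
}

# Constructed journaling scope: addresses whose mail triggers a journal report (assumed).
JOURNALED_RECIPIENTS = {"legal@corp.example"}
JOURNAL_MAILBOX = "journal@corp.example"   # assumed archive target (could be any SMTP address)

def expand_recipients(addresses):
    """Yield (final_recipient, expanded_from) pairs, following one level of list membership."""
    for addr in addresses:
        if addr in DISTRIBUTION_LISTS:
            for member in DISTRIBUTION_LISTS[addr]:
                yield member, addr
        else:
            yield addr, None

def needs_journaling(original):
    """Journal if the sender or any addressed recipient (before expansion) is in scope."""
    addressed = [str(original["From"])] + str(original["To"]).split(", ")
    return any(a in JOURNALED_RECIPIENTS for a in addressed)

def build_journal_report(original, exchange_message_id):
    """Wrap the original message in a journal report that records the envelope facts."""
    report = EmailMessage()
    report["From"] = "Microsoft Exchange <journaling@corp.example>"
    report["To"] = JOURNAL_MAILBOX
    report["Subject"] = f"[journal] {original['Subject']}"
    lines = [f"Sender: {original['From']}", f"Message-Id: {exchange_message_id}"]
    for rcpt, via in expand_recipients(str(original["To"]).split(", ")):
        lines.append(f"Recipient: {rcpt}" + (f", Expanded: {via}" if via else ""))
    report.set_content("\n".join(lines))
    report.add_attachment(original)   # attached as message/rfc822, untouched
    return report
```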

Multi-Mailbox Search

In addition to being able to search a message archive, Exchange 2007 administrators can perform searches across multiple user mailboxes using a single query and route the results to a SharePoint site or mailbox accessible by a compliance officer.

Because Exchange 2007 message indexing has been improved and is enabled by default, this search can be performed very quickly.

Managed Folders

Managed folders are undeletable mailbox folders that appear in users' mailbox views on Outlook 2003, Outlook 2007, and Exchange 2007 Outlook Web Access clients. All Exchange 2007 default mailbox folders, including Inbox, Calendar, Contacts, and Sent Items, are now managed folders, and administrators can also create custom managed folders that automatically appear in user mailboxes.

Other than being unable to delete them, users work with managed folders just like ordinary folders, and they can even create subfolders in them. However, managed folders are not static containers: administrators can set Exchange 2007's new Mailbox Assistant service to scan managed folders periodically and take certain actions, such as automatically deleting items older than a specified period, moving them to another managed folder, or journaling them. Managed folders can be used to enforce retention policy in various ways. For example, they can be used to forcibly delete e-mail records that are past the maximum retention date applicable to the business. This can help organizations limit the scope of subpoenas and avoid unpleasant legal surprises.

Integration with Rights Management Services

Windows Rights Management Services (RMS) can be a valuable tool in a company's compliance arsenal because it can prevent forwarding of sensitive e-mails and attachments. Introduced as part of Windows Server 2003, RMS allows users to define how material that they create, such as documents and e-mails, can be used. For example, a user can protect an Outlook message so that her boss may read, write, print, and forward it, but other employees may only read it and cannot even copy text from it to the clipboard.

Although Outlook 2003 users could create and send RMS-protected messages, in practice recipients of RMS-protected messages experienced annoying and frequent prompts for their credentials whenever they opened those messages while offline, when using a Windows Mobile device, or if they were members of another Active Directory forest.

Microsoft Exchange Server 2007 solves this problem with an optional component, the RMS Prelicensing agent, that runs on hub transport servers. This agent acquires an RMS license for each e-mail before it is delivered to a user's desktop or mobile device, thereby eliminating the repeated credential prompts.

Is Big Brother Watching?

Prior versions of Exchange have generally delivered new features that end users welcomed, but Exchange 2007 will depart from that pattern.

As appealing as the new compliance features may be to corporate officers who could be held accountable in legal actions, customers who implement Exchange 2007's compliance features could encounter resentment from end users because of a real or imagined loss of privacy and a loss of freedom over whom they can send mail to. If restrictions are not carefully explained or seem capricious, users may redouble their efforts to bypass them—for example, by sending "forbidden" messages over public e-mail or instant messaging networks.

Although companies have the legal right to manage employee e-mail in nearly all governmental jurisdictions, they still must tread carefully and should have clear, well-publicized e-mail policies that educate users on why such compliance mechanisms are important and mandated by law. Fortunately, Exchange 2007 and Outlook 2007 deliver many features that will please end users, which could help offset possible resentment.

Resources

New features in Exchange 2007 and Outlook 2007 pertaining to end users are detailed in "Outlook 12 Adds Internet Hooks" on page 24 of the Jan. 2006 Update and "More Than Unified Messaging Coming to Exchange 2007 Users" on page 3 of the Dec. 2006 Update.

New Exchange 2007 features aimed at IT professionals are covered in "Exchange 2007 a Boon to IT".

More information and Exchange 2007 evaluation software can be found at www.microsoft.com/exchange.

Exchange Hosted Services was described in "FrontBridge Becomes Exchange Hosted Services" on page 7 of the May 2006 Update.

Rights Management Services is described in the Oct. 2005 Directions on Microsoft Research Report, "Microsoft's Rights Management Strategy."
