CHICAGO -- If you want a messaging system that is both secure and able to withstand the repercussions of a "disaster,"...
then you need to have plans in place that are flexible and address potential risks.
That was some of the advice given by Howard Marks and Jon Callas, two speakers at TechTarget's Enterprising Messaging Decisions 2004 conference. Marks spoke on "Disaster Prevention and Recovery for Exchange and Domino," while Callas tackled issues around "Enterprise E-mail: It's not what it used to be."
Marks, founder and chief scientist of Networks Are Our Lives Inc., has designed and implemented networks, management systems and Internet strategies at companies, including American Express Co., J.P. Morgan & Co. Inc. and Borden Foods Corp.
Marks offered suggestions on how to avoid a messaging disaster, including implementing high availability systems, quality backup processes, and other elements such as "patch management, virus protection and decent security."
"When you have a disaster, that's not the time to figure it out," said Marks. "You have to have a plan before it happens." He advised IT managers to have a strategy that is flexible enough so that it is understandable by anyone who only has basic training on Exchange or Domino.
This advice had an impact on Carlyle W. Pettey, systems administrator for international communications equipment provider Harris Corp. in Melbourne, Fla.
"We have a disaster recovery plan in place," said Pettey, "but [Marks] really opened my eyes to go back and think, 'What if I wasn't around when a disaster struck? Who would be able to handle it?'" Pettey added that he intends to revise some of the plan taking this into account.
Marks also offered specific advice tailored for Exchange and Domino managers. Exchange administrators, he said, can help avoid disaster by:
Domino administrators should use transaction logging, and pay attention to database ID changes.
Both Domino and Exchange administrators should consider clusters, he said.
Define, identify, test
Another important aspect of any plan is defining objectives and identifying solutions. For example, Marks said that you should define what your recovery time objective (RTO) and data loss objectives (DLO) will be.
"You have an Exchange or Domino infrastructure. You need to build a matrix of solutions that could meet your various RTO, DLO and cost requirements," Marks said. "There are two kinds of costs: pre-disaster costs and post-disaster costs," he added.
Some possible solutions could include sending tapes off site, performing data vaulting and replicating data, including synchronous and asynchronous replication, although he noted that synchronous replication costs about four times as much as asynchronous replication. Exchange and Domino can be replicated asynchronously, Marks pointed out.
The next step is testing the solutions in-house to not only make sure they work, but also that your staff can handle them.
E-mail risk management
Callas, chief technology officer and co-founder of PGP Corp., a Palo Alto, Calif.-based secure messaging and storage company, offered advice on how to make e-mail systems more secure. He focused on e-mail risks and risk management.
"You need different systems to thwart malice and to thwart stupidity," Callas said.
Callas recommended creating policy solutions, such as an "acceptable use policy" and a "data classification policy." These can help avoid damage due to ignorance, such as an e-mail sent to someone outside the company that contains confidential information. If employees aren't informed, or if there is no policy, they don't know they are doing anything wrong.
Callas also stressed that e-mails are legal documents that can be subpoenaed, and depending on the industry, it may have to be retained. Government and financial firms, for instance, generally have policies on retaining e-mails.
His advice: "Never put anything in an e-mail that you don't want to see stapled to your resume." Many companies now consider e-mail a "postcard," and are protecting their data by encrypting it, he said.
The consequences of what someone writes in an e-mail can be severe and, in some cases, even mean jail time. Callas mentioned Frank Quattrone, a star investment banker, who this week was convicted of obstructing justice. Quattrone sent an e-mail that encouraged his co-workers to destroy files while a criminal probe was under way at Credit Suisse First Boston.
Christopher G. Totsky, PC/LAN specialist for Alterra Healthcare Corp., a Milwaukee-based company that operates assisted living facilities, said he is looking into using encryption technology now that his company needs to comply with HIPPA requirements. "We have to be sure that the e-mail we're getting is from the company we think it is from," Totsky said.
While there is no perfect methodology for securing a secure e-mail system, Callas said, companies should consider how to best secure their message systems, stay with standards and look for a published source. He sees a move toward pervasive encryption in the future, and said that instant messaging is the "e-mail of the future."
FOR MORE INFORMATION: