E-mail Management: Controlling Content Chaos

With more and more business taking place via e-mail, users need to manage content on three fronts.

At Cedars-Sinai Medical Center in Los Angeles, e-mail is an integral part of both hospital operations and patient care. The hospital relies on e-mail to transmit patient test results to doctors, coordinate the schedules of residents and staff, and send intensive-care unit alerts to the pagers of nurses and physicians. Physicians, residents and others use e-mail to collaborate.

"E-mail is a mission-critical application here," says Jim Brady, e-mail administrator at Cedars-Sinai.

While it's not news that e-mail has become a crucial part of business, what has changed is the sheer quantity of valuable business information that is being shared and stored exclusively as electronic mail.

E-mail Management: Controlling Content Chaos

Image Credit: Hal Mayforth"E-mail has taken over as the dominant way that employees and organizations exchange information. In the past, e-mail was how information about a meeting or the company picnic was distributed. But today, e-mail is the way all employees transact real business," says Randolph Kahn, founder of Kahn Consulting Inc. in Highland Park, Ill.

But mixed with all of that critical data are volumes of junk mail and worse: spam, viruses, personal notes and potentially offensive content. Along with cuts in productivity, there are the risks of corruption, deletion or theft of corporate e-mails containing valuable business data, as well as the accidental leakage of embarrassing or legally damaging content. E-mail can also put a company in jeopardy of lawsuits or fines for not complying with government and industry regulations.

According to IT managers and industry experts, there are three key technologies that few organizations can be without: antispam and antivirus defenses for screening incoming mail; outbound filtering and encryption to evaluate and protect outbound content; and archival software to ensure that e-mail containing intellectual property or addressing topics covered by government or industry regulations are retained in case of future need.

1 Inbound Defenses

Organizations need inbound e-mail filtering software to catch spam, viruses and other junk mail before they clog or damage servers and desktops. Spam and virus protection usually starts at the network perimeter, either provided by an outsourced service provider or installed at the organization's Internet gateway. It's also a good idea to have antivirus software on e-mail servers and desktops, to guard against bugs on floppy disks, CDs and USB drives.

The 12,500 e-mail users at Cedars-Sinai are protected by IronPort Systems Inc.'s e-mail security appliance installed on the hospital's e-mail gateway. The IronPort device has its own virus and spam filters, as well as Sophos PLC's Anti-Virus and Symantec Corp.'s Brightmail AntiSpam software.

Because spammers have learned to evade traditional content-based spam filters, products like Brightmail combine multiple technologies, including heuristic analysis of the content, filters to detect URL masking, and reputation-based filtering of mail from suspect servers. IronPort also uses a reputation service to catch spam and viruses.

"If a piece of spam comes in from an IP address with a known bad reputation, it gives it a bad score," explains Brady.

In the past, Brady's team employed a spam filter that deleted mail tagged as spam. But staffers complained that legitimate e-mail was being lost. With the current approach, spam is quarantined on the appliance and users get a list of suspected spam e-mails that they can opt to save, delete or ignore.

To block viruses at the gateway, the hospital uses Sophos antivirus software on the IronPort appliances, as well as IronPort's SenderBase Network service. SenderBase collects data about Internet e-mail traffic in an effort to find new virus outbreaks.

For added protection, Sybari Software Inc.'s Antigen product is deployed on the Exchange servers themselves. "It's another layer of protection in case something makes it through the gateway," Brady explains.

2 Monitoring Outbound Mail

Controlling e-mail that goes out of the hospital is also a concern at Cedars-Sinai, mainly because of regulatory requirements.

The Health Insurance Portability and Accountability Act (HIPAA) requires that patient data be kept secure and confidential, explains Brady, who is rolling out Zix Corp.'s Virtual Private Messenger. Zix VPM scans outgoing mail for patient-related keywords and encrypts them. The recipient gets an e-mail with a link to the encrypted message on the Zix server.

Filtering outbound e-mail prevents employees from exporting corporate intellectual property or content that may expose personal information about customers or patients, say experts. Harassing or inflammatory language is also a concern.

Nevertheless, actual adoption of outbound filtering has been sluggish. In a 2005 survey by The Radicati Group Inc., only 22% of corporate e-mail users said that their organizations filter outbound e-mail. Another 42% said their e-mail was not filtered, while 36% said they had no idea.

Because outbound filtering is similar to inbound filtering, many antispam vendors are getting into the act.

"All the major [antispam vendors] are providing it," says Richi Jennings, an analyst at Ferris Research in San Francisco. "It's basically using the same kind of technology as with spam filtering."

Jerry Hook, a systems manager at University Health System Inc. in Knoxville, Tenn., uses CipherTrust Inc.'s IronMail to scan e-mail sent by the hospital's 4,200 employees. The antispam product's Compliance Profiling engine allows Hook to define outgoing content that's unacceptable or that requires encryption. The software can block or encrypt messages, depending on content and policy.

"Patient health information has to be encrypted before it's sent over the Internet, according to HIPAA," says Hook. "We have a dictionary specific to HIPAA that CipherTrust uses to scan Internet mail."

Encryption has also been slow to take hold. A report from IDC in Framingham, Mass., reveals that companies have not made much use of it, even though many e-mail products include encryption capabilities. But the increase in privacy regulations is fueling interest in encryption technologies.

Of course, IT managers can't block or encrypt messages that don't go through the corporate e-mail system.

To prevent employees from sending e-mail out via their personal accounts, drug research firm Kalypsys Inc. in San Diego blocks certain e-mail protocols and Web sites, including Internet Message Access Protocol, Post Office Protocol, Hotmail and Yahoo Mail. Kalypsys uses Websense Inc.'s Enterprise URL and protocol-blocking software, as well as individual port blocking. The main reason for preventing the use of personal e-mail, says John Graf, associate director of IT at Kalypsys, is to protect the company's intellectual property.

"Our hope is that if any intellectual property is taken and sent, we'll at least have a record of that," explains Graf. "If we ever defend a patent, we can trace how it got out of the company."

3 Archiving Critical Content

The days when the IT department could merely purge the e-mail server of all messages over 60 days old, without regard to their value, are long gone. Retention of records, including electronic ones, is a legal requirement for business and government alike. According to a 2005 study by Enterprise Strategy Group Inc., e-mail has become the most frequently requested type of business record by courts and regulators. The report, "Digital Archiving End-User Survey & Market Forecast 2006-2010," found that 77% of organizations involved in an electronic data discovery request have been asked to produce e-mail messages as part of a legal or regulatory proceeding.

Kalypsys archives all inbound and outbound messages in Quest Software Inc.'s Archive Manager. Graf says archiving is valuable not only in order to defend a patent, but also to stay in compliance with FDA rules, the Sarbanes-Oxley Act and other regulations that require the retention of e-mail.

Companies often have irreplaceable business documents -- contracts, partnership negotiations, possible new product strategies -- stored as e-mail. If those messages and attachments are not archived in a centrally managed location, the odds are high that they'll be deleted or simply lost in the local storage of hundreds of company desktops.

"IT departments that blow away the contents of the e-mail systems create liability and risk and prevent the company from actually running its business," says Kahn, adding that he has seen a surge in companies implementing e-mail retention policies and systems over the past two years.

Even routine e-mail messages can become quite valuable as a repository of the company's working knowledge base.

At Kalypsys, the archive is also used as a knowledge management tool.

"Although we purchased the product originally to meet compliance issues, we have found that it does enable some rather imaginative knowledge management," says Graf. For instance, Archive Manager allows the creation of virtual mailboxes that can then be accessed by a group of authorized employees.

"So our IT department shares access to virtual mailboxes created for all our major vendors. This allows anyone in IT to access all the orders placed by any member of IT with that specific vendor," according to Graf, who adds that e-mails with customer contact information and correspondence are archived so that such information isn't lost if an employee leaves Kalypsys.

"This is particularly helpful," says Graf, "in areas such as business development, where contact information and dialogues are maintained even if someone leaves the company."

Hildreth is a freelance writer in Waltham, Mass. You can reach her at Sue.Hildreth@comcast.net.

Copyright © 2006 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon