IT security professionals must devote some of their time to addressing the issue of e-mail back-ups and archiving. If they don't, they run the risk of not being able to produce messages that have been sent and are subsequently required as evidence in industrial tribunals or criminal trials. We outline a route to successful retrieval.
With each passing day, we hear more and more examples of where an e-mail has been a critical part of an evidence trail. As manager of the company's IT security, have you stopped to think about what the implications would be for your organisation should you be required to produce an e-mail as evidence?

Your first reaction will probably be: "It's in the back-up". You may be in for a shock. In most companies, the primary role of the e-mail back-up is to enable an operational recovery in the event of a system failure. The critical word here is 'operational'. The IT Department will be protecting the operational integrity of the e-mail infrastructure. Its operatives will be making regular back-ups so that, if necessary, they can recover an operational system to a specific point in time.

The recovery of an e-mail
The recovery of an 'e-mail trail' across a period of time is a completely different problem. Consider two scenarios. First, does the e-mail exist in your system? A person in your organisation sends a defamatory e-mail to a competitor and then immediately deletes the copy of the e-mail from the sent box and the deleted items folder. One month later you receive a notice of libel from your competitor citing this e-mail as evidence. You need to see what was actually sent.

Second, can you find the e-mails? Your purchasing department has been negotiating a vital contract and, to speed things up, much of the negotiation takes place via e-mail. The negotiation is concluded over a period of one month. Two years later the contract is in dispute, and a Court of Law asks for all evidence supporting your claims about the contract. E-mail is a critical part of your case, and you need to find all relevant e-mails.

Message in the system?
In each of the above scenarios you fully expect the system back-up to be your lifeline. However, there's a problem... Does the e-mail exist in your system? The answer is: "Probably not". The person concerned wished to cover their tracks. They took diligent steps to delete the e-mail record and, as it no longer existed in the e-mail system at the time of the next back-up, it wasn't backed up at all.

Finding that e-mail will be difficult in the extreme. It may well exist in a deleted items cache (on a back-up), but given the elapsed time this will probably have been purged.

In addition, can you find the e-mails? The answer is: "It depends". Your IT Department may well have a policy that states they recycle the back-up media. They might keep the last three months' weekly back-ups, and indeed the past year's quarterly back-ups. Beyond that the back-up media is recycled (ie overwritten) to save space and reduce costs.

Maybe you're fortunate and the IT security policy is to keep all tapes. Now the problem turns into something akin to finding multiple needles in multiple haystacks – and you have to rebuild each haystack first!

Both of the above scenarios demonstrate that, while a critical part of the IT infrastructure, operational back-ups of e-mail fall short in supporting business processes. To solve the issues mentioned, we should first look more closely at how the terminology has become confused.


Definitions to bear in mind
In Information Technology terms, the words 'back-up' and 'archive' are often used interchangeably, and often with significant consequences. For example, the UNIX command most closely associated with back-up is 'tar', a shortened form of 'tape archive'.

Let's look at some definitions for a moment... 'Back-up' is a spare copy of a file, file system or other resource for use in the event of failure or loss of the original. 'Archive' is a place or collection containing records, documents or other materials of historical interest.

In both of the scenarios listed here, the way out of the problem for the practising security professional is to access a collection of (e-mail) records of historical interest (ie an archive).

To be blunt, it's time we all more clearly understood that 'back-up' and 'archive' are not the same thing at all. In this way, we might then reduce corporate risk and, as a by-product, decrease the costs and overheads associated with protecting operational systems.

Historical versus the new
Think about all those daily, weekly and monthly system back-ups. In truth, how much of the information remains unchanged between back-ups? In the case of e-mail, we have historical e-mail (which doesn't change) and new e-mail. The historical e-mail belongs in an archive where it might be preserved for historical access. The new e-mail is part of the operational e-mail system and should be preserved by operational back-ups.

By making this distinction, the overheads associated with operational back-ups may be drastically reduced, while the ability to support business processes regarding corporate records is greatly enhanced.
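As an added example that is not part of the original article, the following Python script replays the two scenarios above (the purged defamatory message and the month-long contract negotiation) against two constructed stores: a point-in-time operational back-up rotated on a fixed pool of media, and an append-only journal archive that captures each message at send time with an integrity digest. It also illustrates the historical-versus-new split: the archive holds records that never change, so the back-up only needs to protect the live mailbox. All mailbox contents, dates and addresses are constructed, and the classes are illustrative rather than any product's API.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Message:            # constructed, minimal message record
    msg_id: str
    sent_at: datetime
    sender: str
    recipient: str
    subject: str
    body: str


class Mailbox:
    """Operational store: users add messages and can delete them permanently."""
    def __init__(self):
        self.messages = {}

    def send(self, msg):
        self.messages[msg.msg_id] = msg

    def purge(self, msg_id):
        # Removed from Sent Items and then from Deleted Items: gone from the live system.
        self.messages.pop(msg_id, None)


class OperationalBackup:
    """Point-in-time snapshots on a fixed pool of media; the oldest medium is overwritten."""
    def __init__(self, media_slots):
        self.media_slots = media_slots
        self.snapshots = []                      # (taken_at, copy of mailbox contents)

    def take(self, mailbox, taken_at):
        self.snapshots.append((taken_at, dict(mailbox.messages)))
        if len(self.snapshots) > self.media_slots:
            self.snapshots.pop(0)                # media recycled, i.e. overwritten

    def find(self, msg_id):
        # Every retained snapshot must be restored and inspected: "rebuild each haystack".
        for _, contents in self.snapshots:
            if msg_id in contents:
                return contents[msg_id]
        return None

    def search(self, subject_word):
        found = {}
        for _, contents in self.snapshots:
            for m in contents.values():
                if subject_word.lower() in m.subject.lower().split():
                    found[m.msg_id] = m
        return sorted(found.values(), key=lambda m: m.sent_at)


class JournalArchive:
    """Write-once capture at send time, with a SHA-256 digest and a subject-word index."""
    def __init__(self):
        self._records, self._digests = {}, {}
        self._by_word = defaultdict(set)

    @staticmethod
    def _digest(msg):
        h = hashlib.sha256()
        for part in (msg.msg_id, msg.sent_at.isoformat(), msg.sender,
                     msg.recipient, msg.subject, msg.body):
            h.update(part.encode()); h.update(b"\0")
        return h.hexdigest()

    def capture(self, msg):
        if msg.msg_id in self._records:
            return                               # immutable: a later delete or edit cannot touch it
        self._records[msg.msg_id] = msg
        self._digests[msg.msg_id] = self._digest(msg)
        for word in msg.subject.lower().split():
            self._by_word[word].add(msg.msg_id)

    def find(self, msg_id):
        return self._records.get(msg_id)

    def verify(self, msg_id):
        msg = self._records.get(msg_id)
        return msg is not None and self._digest(msg) == self._digests[msg_id]

    def search(self, subject_word, start=None, end=None):
        hits = [self._records[i] for i in self._by_word.get(subject_word.lower(), set())]
        hits = [m for m in hits if (start is None or m.sent_at >= start)
                and (end is None or m.sent_at <= end)]
        return sorted(hits, key=lambda m: m.sent_at)


def run_scenarios():
    """Replay both scenarios with constructed data; weekly back-ups, 12 media slots (~3 months)."""
    t0 = datetime(2024, 1, 1)
    box, backup, archive = Mailbox(), OperationalBackup(media_slots=12), JournalArchive()

    def send(msg_id, day, subject):
        m = Message(msg_id, t0 + timedelta(days=day), "alice@example.test",
                    "bob@example.test", subject, "constructed body")
        box.send(m); archive.capture(m)          # the archive sees the message as it is sent

    send("def-1", 3, "Re: your so-called product")
    box.purge("def-1")                           # scenario 1: deleted before the first back-up
    for i in range(4):                           # scenario 2: a month of negotiation
        send(f"neg-{i}", 7 + 7 * i, f"Contract terms round {i}")

    for week in range(1, 105):                   # two years of weekly back-ups
        if week == 30:                           # routine mailbox housekeeping months later
            for i in range(4):
                box.purge(f"neg-{i}")
        backup.take(box, t0 + timedelta(weeks=week))

    return {
        "backup_has_defamatory": backup.find("def-1") is not None,
        "archive_has_defamatory": archive.find("def-1") is not None,
        "backup_contract_hits": len(backup.search("contract")),
        "archive_contract_hits": len(archive.search("contract", t0, t0 + timedelta(days=35))),
        "archive_integrity_ok": all(archive.verify(f"neg-{i}") for i in range(4)),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The back-up never sees the defamatory message because it was purged before the next snapshot, and the negotiation e-mails vanish once the snapshots that held them are recycled; the journal archive, capturing at send time and refusing overwrites, answers both requests and can show the records are unaltered.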