SecurExchange - Exchange 2007 Statement of Direction
The purpose of this overview is to provide some insight into the planned integration of SecurExchange with Microsoft’s Exchange 2007.
Exchange 2007
There are internal differences between Exchange 2007 and previous Exchange versions (i.e. 2000/2003). Some of the re-architecting will affect the manner in which SecurExchange integrates and interacts with various Exchange facilities.
The inclusion of a few new features in Exchange 2007, while slightly overlapping some of SecurExchange’s more basic functionality, does not affect the way SecurExchange will integrate with 2007. However, a few of the other architectural changes do mean that certain changes are required in SecurExchange for it to integrate and function the way the product is intended to.
The three main Exchange 2007 changes that affect SecurExchange are briefly summarized here. First, Exchange, in versions 2000 and 2003, sits on top of the Windows SMTP stack. Exchange 2007, however, has essentially created its own internal SMTP stack and no longer uses the standard Windows stack. The implication is that SecurExchange (and, for that matter, every product that interacted with the standard Windows SMTP stack) will require some modification to connect to the new Exchange 2007 SMTP stack.
Second, a new interface layer is used in Exchange 2007. Again, products using the APIs etc. of earlier Exchange versions will have to be modified to conform with the 2007 interface.
Third, the administrator’s GUI in Exchange 2007 has been changed. Since SecurExchange is integrated with Exchange and is administered through the Exchange System Manager interface, we will have to make some modifications to accommodate the new user interface.
SecurExchange
Fortunately, the architecture of SecurExchange is designed in such a way that its code for product features and functionality is isolated from its “interface” to Exchange. Unlike many other products, this means that we do not have to dig deep into the core product code to implement the changes necessary for compatibility with Exchange 2007. We will have to revise our internal SecurExchange interface, which controls how SecurExchange communicates with Exchange, to comply with the new 2007 interface model and to use the 2007 SMTP stack.
We are evolving our 2007 SecurExchange product migration plans with an assumed availability target for the summer of 2007.
How SecurExchange Adds Value to Exchange 2007
Notwithstanding the new features in Exchange 2007, SecurExchange will continue to add significant value that customers will find compelling.
Rules vs. Real Policies
Exchange 2007
Despite the architectural changes in 2007, Microsoft has failed to alter its fundamental or philosophical approach to email control. Exchange 2007 continues to follow a simple, flat “rules-based” model (in fairness, so too do most other email monitoring solutions). With Exchange 2007, rules embody the criteria, conditions and actions all within the rule. Any different combination of, or even slight variation in, the criteria or desired action(s) requires that a new rule be created. Thus a new or different action to be taken for the same conditions is another individual rule. This is what we mean by a “flat” approach – each rule has to embody all pertinent criteria, conditions and actions and is independent of all other rules. There is no organizational “awareness,” hierarchical model or reusability in this approach. This can lead to quite an extensive list of individual rules when viewed through the Exchange 2007 rules view window and makes maintenance of the rules unwieldy. Rules can be set on individual servers, but this still does not provide a strong organizational view for rule (policy) implementation.
Another drawback to this flat “rule” approach is that any change to a rule, for instance changing the recipient for a “copy-to” action, means that every rule that included that copy action must be manually updated! In any organization with even moderate email monitoring requirements this can mean hundreds of rules needing updating every time there’s a change. The difficulties and expense just to manage and administer a rules-based approach can be overwhelming, especially for larger organizations and those with multi-segmented Exchange environments.
SecurExchange
With SecurExchange we define “information concepts” – what you are looking for; Smart Action Triggers – what are the conditions that invoke (will trigger) an action; and Actions – what to do with the message if a trigger goes off. Policies are represented by the particular combination of concepts, triggers and actions each of which can be grouped or combined hierarchically and reused. This provides a true hierarchical policy model and separates the management and administration of concepts (content criteria), the triggers (conditions) and the actions.
Because each of the policy elements – concepts, triggers and actions – is defined independently of any rule or policy, the cost and effort associated with maintaining and administering email compliance policies is drastically reduced. Using the “copy-to recipient” action example, with SecurExchange if you modified the recipient you would make only one change, to the action definition itself. ALL the policies that use that action will automatically inherit the change. Similarly, suppose you discover that the key words and phrases you are using in Exchange 2007 aren’t accurate enough and you need to enhance them to reduce the false positives or negatives. Once again, you must change every rule that was looking for that content (i.e. used the particular key words). In SecurExchange you would simply enhance the independent “concept” definition (i.e. the criteria that identify the concept of confidential information, for instance) and, once again, all policies that use the “confidential” concept will automatically inherit the enhanced definition.
Moreover, SecurExchange allows policies to be applied based upon “distribution lists.” Distribution lists are defined in Active Directory and SecurExchange accesses this information in place (i.e. it is not copied internally to a SecurExchange proprietary store) which eliminates any synchronization issues and provides instant awareness of any changes. This capability provides SecurExchange the organizational awareness that other products lack and allows you to quickly and easily apply policies to specific organizational groups such as the finance department or sales or executive management.
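The copy-to recipient scenario above, as an added illustration (not SecurExchange or Exchange code): a flat rule list embeds the recipient in every rule, while policies that reference shared concept, trigger and action objects inherit a single edit. All class names, groups and addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class FlatRule:              # flat model: criteria, condition and action in one rule
    name: str
    keywords: set
    group: str
    copy_to: str

@dataclass
class Concept:               # what to look for
    terms: set

@dataclass
class Trigger:               # when to act (here: the sender's distribution list)
    groups: set

@dataclass
class CopyAction:            # what to do
    recipient: str

@dataclass
class Policy:                # a policy only references shared elements
    name: str
    concept: Concept
    trigger: Trigger
    action: CopyAction

def retarget_flat(rules, old, new):
    """Flat model: edit every rule that embeds the recipient; return edit count."""
    stale = [r for r in rules if r.copy_to == old]
    for r in stale:
        r.copy_to = new
    return len(stale)

def fired(policies, group, words):
    """Return (policy name, copy recipient) for each policy the message triggers."""
    return [(p.name, p.action.recipient) for p in policies
            if group in p.trigger.groups and p.concept.terms & set(words)]

def build():
    """Constructed sample data: three policies sharing one copy-to action."""
    audit = CopyAction("compliance@example.com")
    conf = Concept({"confidential", "secret"})
    fin = Concept({"forecast", "earnings"})
    policies = [Policy("finance-conf", conf, Trigger({"Finance"}), audit),
                Policy("sales-conf", conf, Trigger({"Sales"}), audit),
                Policy("finance-results", fin, Trigger({"Finance"}), audit)]
    flat = [FlatRule(p.name, set(p.concept.terms), g, audit.recipient)
            for p in policies for g in p.trigger.groups]
    return flat, policies, audit, conf
```

Assigning `audit.recipient` once changes what every policy returns from `fired`, whereas `retarget_flat` has to touch each flat rule; the same holds for adding a term to a shared `Concept`.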
Key Words vs. Intelligent Content Analysis (Concepts)
Exchange 2007
Exchange 2007 uses key words and/or phrases and looks in the subject and body of the email to identify messages you want to take some action on. Unfortunately, key words and phrases are often very limited in their effectiveness. It is extremely difficult to establish the context of what you are looking for using strictly key words or phrases. As a result, many messages that should have been actionable are simply missed. For example, if you use just the key word “idea” you will not detect messages that contain thought, scheme, concept or brainchild instead of idea, even though the context of the message is the same.
SecurExchange
SecurExchange uses information concepts rather than pure key words and phrases. Certainly, you can specify individual words and phrases, but the intelligent analysis techniques used by SecurExchange offer far superior flexibility and accuracy of content detection. A variety of linguistic analysis techniques are used by SecurExchange, including prefix and suffix stripping, root word expansion, plurals and tense expansion, dictionary and thesaurus lookups, proximity and word location analysis, and term weighting. This is a far more sophisticated analysis of the message or attachment content that enables SecurExchange to recognize its context and more accurately determine if a particular information concept is present.
The aspect of location analysis is best described by example. If an attached Word file (SecurExchange, unlike Exchange 2007, does scan attachments) contains a paragraph containing the word “confidential”, it’s difficult to tell whether the document itself is confidential or if it’s simply a reference to the word. If, however, the word confidential is in the footer of the document, then it becomes almost certain the document is meant to be considered confidential. SecurExchange is able to make this distinction based on where the term is found.
Using Intelligent Content Analysis (ICA) SecurExchange achieves unparalleled detection rates with fewer false negatives, false positives and missed messages.
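A minimal sketch of the techniques named above (suffix stripping, thesaurus expansion, location weighting), added here as an illustration and not SecurExchange’s actual algorithm. The thesaurus, weights and threshold are assumed values, and the text is assumed to be already extracted and split by location.

```python
import re

# Constructed thesaurus and location weights; illustrative values only.
THESAURUS = {"idea": {"thought", "scheme", "concept", "brainchild"}}
LOCATION_WEIGHT = {"body": 1.0, "subject": 2.0, "footer": 3.0}
SUFFIXES = ("ing", "ed", "s")

def stem(word):
    """Naive suffix stripping so plurals and tenses map to one root."""
    w = word.lower()
    for suf in SUFFIXES:
        if w.endswith(suf) and len(w) - len(suf) >= 4:
            return w[: -len(suf)]
    return w

def expand(terms):
    """Concept vocabulary: seed terms plus thesaurus entries, all stemmed."""
    out = set()
    for t in terms:
        out.add(stem(t))
        out.update(stem(s) for s in THESAURUS.get(t, ()))
    return out

def score(concept_terms, parts):
    """Sum location weights for every token that matches the concept.
    `parts` maps a location name (subject/body/footer) to its text."""
    vocab = expand(concept_terms)
    total = 0.0
    for location, text in parts.items():
        for token in re.findall(r"[A-Za-z]+", text):
            if stem(token) in vocab:
                total += LOCATION_WEIGHT.get(location, 1.0)
    return total

def keyword_hit(keyword, parts):
    """Baseline: literal keyword search in subject and body only."""
    text = (parts.get("subject", "") + " " + parts.get("body", "")).lower()
    return keyword.lower() in text.split()

def detected(concept_terms, parts, threshold=2.0):
    """A concept is present when its weighted score reaches the threshold."""
    return score(concept_terms, parts) >= threshold
```

With these assumed weights, a single “confidential” in body text scores below the threshold while the same word in a footer exceeds it, which is the distinction the location-analysis paragraph describes.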
Monitoring Message Text vs. Monitoring Message & Attachments
Exchange 2007
Exchange 2007 scans just the message subject and message body text.
SecurExchange
SecurExchange not only scans the message subject, header information and message body, but also, any email attachments (if desired). SecurExchange can apply its content policies to any attached Microsoft Office (Word, Excel, PowerPoint) and Adobe PDF files. Many times the email message accompanying a document may only say something like, “here’s the information you requested” providing no indication that the attached document includes highly sensitive or confidential information that should not be sent outside the company for instance. Only by scanning attached files as well as the message body of an email can an organization be assured of full compliance with corporate or regulatory policies.
Richness of Actions
Exchange 2007
Exchange 2007’s rule-oriented approach imposes limitations in the actions that can be taken on a message. Both the variety of the actions available and the number that can be invoked are restricted to basic, common actions like delete, strip attachments, quarantine, add some text and a handful of others. Using more than a few actions (or criteria for that matter) in a rule adds to the complexity of the rule and makes rule management and administration difficult and expensive.
SecurExchange
The standard list of actions that is available with SecurExchange is more robust than in any other product – block, delete, copy, move, store and forward, quarantine, strip attachments, archive, encrypt, digitally sign, insert disclaimer (text and/or graphics), modify subject, send notification, and more. Moreover, up to 17 specified actions can be taken on a triggered message. Furthermore, specific messages generated as a result of an Action (i.e. reply to originator, notify Security Officer, or Non Delivery Report (NDR)) can be customized with variable data about the trigger or violation, recipient information, and originator details.
Summary & Conclusion
- The underlying design and architecture of SecurExchange remains optimal for migration to Exchange 2007. The core functionality and technology of SecurExchange remain superior, even for those feature sets Exchange 2007 has added, and deliver significant added value and benefits that users will find compelling.
- Modifications to the Exchange integration layer of SecurExchange (i.e. the interface level to the core Exchange functions) will be made to accommodate the new structures and mechanisms employed in Exchange 2007.
- SecurExchange will continue to utilize its own internal function sets as they provide more powerful, granular, flexible and robust capabilities than the Exchange 2007 counterparts.
- SecurExchange will provide greater flexibility, “separation” and management of policies by organization for the multi-segmented Exchange server environments found in typical hosting services.
- The level of granularity and control achieved in SecurExchange will enable multiple “feature-based” add-on subscription services, providing potential for multiple incremental revenue streams for the hosting service (i.e. various policy packs can be developed around either generalized rule sets or industry-specific rules, and optional subscriptions offered).
- SecurExchange’s method of independently administering concepts, triggers and actions, its hierarchical approach and the reusability of these elements and policies means the burden and cost of internal development and administration to offer these value-add optional subscription services is dramatically reduced compared to alternatives.