On Sun, Feb 9, 2014 at 8:58 AM, Paul Robert Marino <prmari...@gmail.com> wrote:

> You know what you also can't do with Gmail: create a SOX-compliant export for
> regulators if you get audited.

You mean like the regulations the Google Apps Vault was designed to support?

I can see the risks if you're convinced that "legal" tapping may be committed, to your detriment. It's a risk of any SaaS business, and for a company with military or high-value international traffic, certainly. Consider the NSA or even foreign intelligence to already have access to all the traffic. But in many environments, *they have it anyway*, without a warrant. The "Carnivore" email monitoring system is still in place, or a renamed version of it, to monitor email at the backbones of the Internet.

In-house email repositories are vulnerable to external abuse of backdoors in firewalls and routers to grab your internal credentials and go poking around your systems, or rootkitted laptops may have already penetrated your systems. Securing against that kind of intrusion is a *lot* of work, and it doesn't usually pay the bills or get glowing project reports on your annual reviews. Using something like Scientific Linux and RHEL for internal services is a good place to start. Handing it off to someone who can afford a very sophisticated group to do precisely that kind of protection or, as needed, access is often a wise investment.

> So if there is reason to believe that your company's emails contain data
> pertinent to the financial transactions of your company and your company
> gets audited, you are in deep trouble. It is also the legal responsibility of
> the person or people in charge of maintaining the email system to ensure the
> compliant backups are taken and made available upon request.
> That's why most large and/or financial companies in the United States won't
> use it.

They're learning. Setting up in-house mail systems is fraught with adventures: ensuring high availability, supportability, archival access, and infosec have all grown and evolved. This is where "build your own" with even a good environment like Scientific Linux gets adventuresome. Setting up reliable backups, firewall control to the servers, good failover, spam

> And sometimes the regulators are the ones who are actually asking for the
> tap via a compliance officer on someone's emails without managerial approval,
> and it's really bad if they can't do that.
> You can thank Enron for that.

That gets tricky, and it's not just Enron. Archival of mail beyond the required period is considered, by some, to be a legal liability: whether or not they've been engaged in wrongdoing, it preserves evidence that might be used against them in court.

Heck, you should have seen the *outgoing* email filter I was involved in setting up once, to filter all email against a secured database of "sensitive" content that should not be in email. Creating filters based on data you are not allowed to see is... an art form.

It also ties directly to backup. Backup is often ignored, or relegated to an afterthought for critical email systems.
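The outgoing filter mentioned in the message above, matching mail against "sensitive" content the filter operator is not allowed to see, is usually built on fingerprints rather than plaintext. The following is an added illustration, not code from the thread or from any product: the data owner supplies keyed fingerprints (HMAC-SHA256 over normalised values) of the sensitive identifiers, and the filter only ever holds those fingerprints, so a leaked fingerprint list does not expose the values themselves. The sample sensitive values, the message bodies, the `FILTER_KEY` placeholder and the digit-run tokenizer are all constructed assumptions for the example.

```python
import hashlib
import hmac
import re

# Placeholder secret held by the data owner and the filter host only (constructed;
# rotate and store in a secrets manager in any real deployment). A keyed HMAC
# rather than a bare hash matters here: account or card numbers are low-entropy,
# so an unkeyed SHA-256 list could be inverted by enumerating candidate numbers.
FILTER_KEY = b"placeholder-filter-key-replace-me"

# Constructed sample of the owner's "sensitive" list. The filter never sees this;
# it receives only build_fingerprint_db(...) output.
SAMPLE_SENSITIVE = ["1234-5678-9012-3456", "9988 7766 5544"]

# Candidate tokens: runs of digits with optional spaces/dashes. Demo simplification;
# a production tokenizer would cover other identifier shapes and text encodings.
CANDIDATE_RE = re.compile(r"\d(?:[\d\s\-]*\d)?")
MIN_LEN = 6  # drop short runs such as times and room numbers


def normalise(value: str) -> str:
    """Canonical form so '1234 5678' and '1234-5678' fingerprint identically."""
    return re.sub(r"[\s\-]", "", value).lower()


def fingerprint(value: str, key: bytes = FILTER_KEY) -> str:
    """Keyed fingerprint of a normalised value (HMAC-SHA256, hex)."""
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def build_fingerprint_db(sensitive_values) -> set:
    """Run on the data owner's side; the resulting set is what the filter receives."""
    return {fingerprint(v) for v in sensitive_values}


def scan_outgoing(body: str, db: set) -> dict:
    """Filter side: tokenise the message, fingerprint each candidate, look it up.

    Returns a verdict and fingerprint prefixes for the audit log, never the
    matched plaintext, so the filter's own logs do not become a sensitive store.
    """
    hits = []
    for match in CANDIDATE_RE.finditer(body):
        token = normalise(match.group(0))
        if len(token) < MIN_LEN:
            continue
        fp = fingerprint(token)
        if fp in db:
            hits.append(fp[:12])
    return {"blocked": bool(hits), "hits": hits}


if __name__ == "__main__":
    db = build_fingerprint_db(SAMPLE_SENSITIVE)
    for body in ("Card 1234 5678 9012 3456 attached, please process.",
                 "Meeting at 10:30 in room 204."):
        print(scan_outgoing(body, db))
```

The split of responsibilities is the point: `build_fingerprint_db` runs where the plaintext is allowed to exist, `scan_outgoing` runs on the mail path with nothing but the fingerprint set, and the normalisation step is what lets the filter catch reformatted copies of the same value. Coverage is only as good as the tokenizer, so the candidate patterns need to be agreed with whoever owns the sensitive list.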