On Sun, Feb 9, 2014 at 10:46 AM, Nico Kadel-Garcia <nka...@gmail.com> wrote:
> On Sun, Feb 9, 2014 at 8:58 AM, Paul Robert Marino <prmari...@gmail.com>
> wrote:
>> You know what you also can't do with Gmail: create a SOX compliant export for
>> regulators if you get audited.
>
> You mean like the regulations the Google Apps Vault was designed to
> support?

Google Vault is not SOX compliant because users can decide to make a
conversation off the record. It's in their FAQ.

> I can see the risks if you're convinced that "legal" tapping
> may be committed, to your detriment. It's a risk of any SAAS
> business, and for a company with military or high value
> international traffic, certainly. Consider the NSA or even foreign
> intelligence to already have access to all the traffic. But in many
> environments, *they have it anyway*, without a warrant. The
> "Carnivore" email monitoring system is still in place, or a renamed
> version of it, to monitor email at the backbones of the Internet.

Yes, I'm aware of that. For anyone who isn't familiar with Carnivore: the
FBI has its own version of the NSA's phone collection big data software,
for email on internet backbones, and it's a lot older.
http://www.linuxjournal.com/article/5062

> In-house email repositories are vulnerable to external abuse of
> backdoors in firewalls and routers to grab your internal credentials
> and go poking around your systems, or rootkitted laptops may have
> already penetrated your systems.
>
> Securing against that kind of intrusion is a *lot* of work, and it
> doesn't usually pay the bills or get glowing project reports on your
> annual reviews. Using something like Scientific Linux and RHEL for
> internal services is a good place to start. Handing it off to someone
> who can afford a very sophisticated group to do precisely that kind of
> protection or, as needed, access is often a wise investment.

It can be, and it also depends on what industry you are in; you may need
it anyway even if you outsource your email system.

>
>> So if there is reason to believe that your company's emails contain data
>> pertinent to the financial transactions of your company and your company
>> gets audited, you are in deep trouble. It is also the legal responsibility of
>> the person or people in charge of maintaining the email system to ensure the
>> compliant backups are taken and made available upon request.
>> That's why most large and/or financial companies in the United States won't
>> use it.
>
> They're learning. Setting up in-house mail systems is fraught with
> adventures: ensuring high availability, supportability, archival
> access, and infosec have all grown and evolved. This is where "build
> your own" with even a good environment like Scientific Linux gets
> adventuresome. Setting up reliable backups, firewall control to the
> servers, good failover, spam

For small companies you are somewhat right, but not completely: many of
them hire a consulting company or a managed network security company to
do it for them on their own hardware. Larger companies still tend to hire
in-house staff, but I've seen some which used managed infosec firms as
well. I actually worked for a managed financial network security firm
some years back. It was a lucrative business all around: it saved our
clients a fortune in staff, and they paid us a lot better than most
in-house departments for one company would get, although it was a whole
lot of work. Going through all of those weekly Nessus scan reports and
keeping all those custom Snort rules up to date was a chore, and don't
even get me started on the fun of trying to get several different
companies with limited in-house staff to install critical patches in a
timely manner.

>
>> And sometimes the regulators are the ones who are actually asking for the
>> tap via a compliance officer on someone's emails without managerial approval,
>> and it's really bad if they can't do that.
>> You can thank Enron for that.
>
> That gets tricky, and it's not just Enron. Archival of mail beyond the
> required period is considered, by some, to be a legal liability:
> whether or not they've been engaged in wrongdoing, it preserves
> evidence that might be used against them in court.

Well, that's why you should always delete backups containing obsolete
data like old emails as soon as you are no longer legally required to
keep them.

> Heck, you should
> have seen the *outgoing* email filter I was involved in setting up
> once, to filter all email against a secured database of "sensitive"
> content that should not be in email. Creating filters based on data
> you are not allowed to see is.... an artform.

No doubt.

>
> It also ties directly to backup. Backup is often ignored, or relegated
> to an afterthought for critical email systems.

I severely doubt you have ever sat across a table from an S.E.C. auditor;
they usually are very much interested in your backups. As a matter of
fact, they tend to trust tape backups more than the live data in the
systems, because that's usually how they catch people altering data after
the fact. It's easy to edit the data in your running servers, but it's
far more difficult to edit data on a tape with a well documented chain of
custody in a timely manner, and as a result it's what usually gets
overlooked if anyone tries to cover anything up. Also, SEC auditors will
make a public example of you if your backups are not in order, because
that makes them suspect you are assisting someone with covering something
up.