This article examines the challenges Exchange presents and provides a tick list so you can confidently answer yes to the questions posed.
As the most widely adopted messaging platform and semi-structured data repository in the world, Microsoft Exchange is the go-to cross-functional collaboration system for many organisations. Administrators are under enormous pressure to ensure that Exchange is secure, responsive, and constantly available. So, how do they do that? This article examines how an automated data governance program can provide the answer, expedite Exchange-related management tasks and improve the controls that protect the critical data contained in mailboxes and public folders.
It’s nothing new?
Email suffers from the same management and protection challenges as every other unstructured and semi-structured data repository:
- Who has access to a mailbox or public folder?
- Who should and should not have access to them?
- Who has been accessing mailboxes or public folders?
- Who do they belong to?
- Which containers are stale?
- How do we remediate excessive access without disrupting workflows?
Vivian Tero, an IDC analyst, succinctly explains, “Exchange data is a tremendous challenge to manage because permissions are not often well maintained, activity is not easily tracked or analysed, and ownership for mailboxes and public folders is unknown.”
In addition, Exchange administrators face daily management and protection challenges with Exchange, beyond making sure email is flowing, available and responsive. Some of these challenges include:
- Shared mailbox and delegation rights identification and cleanup
- Public folder cleanup and ownership assignment
- Message activity auditing/tracking
- Identification of spikes in email activity
- Stale public folders and mailbox identification
The light bulb moment
Many organisations have already discovered that to effectively manage and protect folders and SharePoint sites they require metadata and automation to collect, normalise, and analyse that metadata. Exchange isn’t any different. Organisations also need Exchange metadata collection and automation if they’re to manage and protect Exchange mailboxes and public folders.
There are three primary types of Exchange metadata that need to be collected and presented:
- Exchange permissions information
- User and Group information from Active Directory
- A record of each message sent, received, and accessed
With these metadata streams automatically collected, normalised, and analysed, organisations can determine who has access to which mailboxes and public folders (and, conversely, which containers any given user or group can reach), who should and should not have that access, who has actually been accessing these containers, and how to remediate excessive access without disrupting end-user activity.
Shared Mailbox & Delegation Rights Identification & Cleanup
With users making changes to their own mailbox permissions and potentially exposing their own data, cleanup can be challenging because it is difficult to determine which users or processes are making legitimate use of this access. Analysing all mailbox and sharing permissions, capturing all permissions changes and actual access activity, and flagging excessive permissions enables administrators to quickly spot excessive rights, test permissions changes prior to committing them so that changes will not disrupt end-user productivity, and then commit them.
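The workflow above, as an added example that is not part of the original article or of any Varonis product: constructed permission entries shaped like mailbox delegation records, joined to constructed access events, so that a cleanup plan can separate grants still being exercised from those that can be revoked without disrupting anyone. All mailbox names, accounts and the 90-day idle window are assumptions.

```python
from datetime import date, timedelta

# Constructed data for this example, not real Exchange output. Permission rows are
# (mailbox, user, access_right, is_inherited); access events are (day, mailbox, user).
PERMISSIONS = [
    ("finance@example.com", "NT AUTHORITY\\SELF", "FullAccess", False),
    ("finance@example.com", "CORP\\Domain Admins", "FullAccess", True),
    ("finance@example.com", "alice@example.com", "FullAccess", False),
    ("finance@example.com", "bob@example.com", "FullAccess", False),
    ("finance@example.com", "carol@example.com", "ReadPermission", False),
    ("ceo@example.com", "assistant@example.com", "FullAccess", False),
]
ACCESS_EVENTS = [
    ("2024-03-05", "finance@example.com", "alice@example.com"),
    ("2024-03-06", "finance@example.com", "alice@example.com"),
    ("2023-10-01", "finance@example.com", "bob@example.com"),   # last used months ago
    ("2024-03-07", "ceo@example.com", "assistant@example.com"),
]

def explicit_grants(perms):
    """Keep only rights that were delegated by hand: drop the owner's own SELF
    entry and anything inherited from the database or organisation level."""
    return [(m, u, r) for m, u, r, inherited in perms
            if not inherited and u != "NT AUTHORITY\\SELF"]

def last_access(events):
    """Most recent access day for each (mailbox, user) pair."""
    idx = {}
    for day, mailbox, user in events:
        d = date.fromisoformat(day)
        key = (mailbox, user)
        idx[key] = max(idx.get(key, d), d)
    return idx

def plan_cleanup(perms, events, as_of, idle_days=90):
    """Split explicit grants into 'remove' (not exercised within idle_days, so
    revoking them should not break a workflow) and 'keep' (recently used)."""
    idx = last_access(events)
    cutoff = as_of - timedelta(days=idle_days)
    plan = {"remove": [], "keep": []}
    for mailbox, user, right in explicit_grants(perms):
        seen = idx.get((mailbox, user))
        bucket = "keep" if seen and seen >= cutoff else "remove"
        plan[bucket].append((mailbox, user, right))
    return plan
```

The "remove" bucket is the set of changes that can be committed with low risk of disruption; anything in "keep" needs a conversation with the data owner first.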
Public Folder Cleanup and Ownership Assignment
Exchange public folders often suffer from the same challenges common to file shares: many are stale, permissions are not well maintained, activity is not easily tracked or analysed, and ownership is often unknown. Administrators can easily analyse and report on stale public folders and their permissions, spot permissions errors and improperly delegated access, and identify data owners through actual activity and other metadata. Once data owners are identified, they can automatically receive scheduled reports about their data.
Message Activity Auditing/Tracking
Organisations face challenges simply collecting and analysing Exchange activity, because an enormous number of messages are sent and received every day throughout a distributed infrastructure. A detailed audit trail with highly granular filtering and sorting is required so administrators can easily see when an email was sent, from and to whom it was sent, and when it was opened. To keep the data for any length of time and make use of it, it needs to be normalised, processed, and analysed so that it can be searched and sorted quickly and actionable information distilled from it.
Identify Spikes in Email Activity
It is difficult for Exchange administrators to identify changes in user access and transmission activity, whether due to workflow changes, configuration error, malicious activity, or malware. Spikes in activity can degrade system performance as well as signal possible security issues. By analysing the access activity for statistical deviations in normal access patterns, you will be able to spot likely worm and virus activity, and other abnormally high message activity.
Stale Public Folders & Mailbox Identification
Many public folders and mailboxes have a shelf life; after a certain period of time they stop being used. By creating a record of actual access you can determine which mailboxes and public folders are not being accessed, and/or have not been accessed by a non-automated process. These stale mailboxes and public folders may then be archived and locked down to reduce tier 1 storage costs and risk.
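The two analyses described above, spotting statistical deviations in send volume and identifying containers with no non-automated access, as one added example that is not part of the original article or of any Varonis product. The records are constructed to resemble normalised audit entries; the sender names, the service-account list, the 3-sigma threshold and the 90-day idle window are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed activity records shaped like normalised Exchange audit entries,
# (day, event, container, actor); not real Exchange output, names hypothetical.
EVENTS = []
for d in range(1, 8):                                  # one week of normal baseline
    EVENTS += [(f"2024-03-{d:02d}", "SEND", "alice@example.com", "alice@example.com")] * 2
    EVENTS += [(f"2024-03-{d:02d}", "SEND", "bob@example.com", "bob@example.com")] * (3 if d % 2 else 1)
EVENTS += [("2024-03-08", "SEND", "alice@example.com", "alice@example.com")] * 40  # worm-like burst
EVENTS += [("2024-03-08", "SEND", "bob@example.com", "bob@example.com")] * 3
EVENTS += [
    ("2024-03-08", "ACCESS", "PF:Finance/2019", "svc-backup@example.com"),  # automated only
    ("2023-11-15", "ACCESS", "PF:Finance/2019", "carol@example.com"),       # last human access
    ("2024-03-07", "ACCESS", "PF:Sales/Leads", "dave@example.com"),
]
AUTOMATED = {"svc-backup@example.com", "journal@example.com"}   # service accounts to ignore

def daily_send_counts(events):
    """Normalise SEND events into {sender: {day: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, event, _container, actor in events:
        if event == "SEND":
            counts[actor][date.fromisoformat(day)] += 1
    return counts

def send_spikes(events, day, window=7, sigmas=3.0, floor=10):
    """Senders whose volume on `day` exceeds mean + sigmas*stdev of the trailing
    window (days with no sends count as zero); `floor` stops 1-vs-0 noise."""
    spikes = {}
    for sender, per_day in daily_send_counts(events).items():
        baseline = [per_day.get(day - timedelta(days=i), 0) for i in range(1, window + 1)]
        today = per_day.get(day, 0)
        if today > max(floor, mean(baseline) + sigmas * pstdev(baseline)):
            spikes[sender] = today
    return spikes

def stale_containers(events, as_of, max_idle_days=90):
    """Containers with no non-automated access in the window; backup and
    journaling accounts are ignored so their reads do not mask staleness."""
    last_human, seen = {}, set()
    for day, event, container, actor in events:
        if event != "ACCESS":
            continue
        seen.add(container)
        if actor not in AUTOMATED:
            d = date.fromisoformat(day)
            last_human[container] = max(last_human.get(container, d), d)
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(c for c in seen if last_human.get(c, date.min) < cutoff)
```

Note that a steady sender with zero variance (alice) would be flagged on any increase without the absolute floor, which is why the threshold is the larger of the floor and the sigma bound.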
Automation versus Manual Collection
Manual management and protection tasks that Exchange administrators perform on a daily basis are cumbersome, prone to errors, take a considerable amount of time, and Exchange administrators don’t often get to all the tasks they’d like to do. When you take into account all the time spent—adding people to distribution groups, figuring out what happened to someone’s missing email or calendar invite, tracking down who a public folder (or mailbox) belongs to and who has access to it—there is a sizable opportunity for operational savings and reducing risk through automation.
“With traditional approaches, it was very difficult to understand access to mailboxes and public folders across all the Exchange servers, effectively audit email access and communication, and find owners for public folders and mailboxes,” said Bernard Besohe, local mail and system administrator for the Publications Office of the European Union. “With Varonis DatAdvantage for Exchange, we have significantly reduced our Exchange access and data management workload for tasks that we do many times every day. We now have a single console with a complete map to our ever-growing Exchange environment that has enabled our staff to identify and proactively manage and protect Exchange data.”
Vivian Tero adds, “Email systems contain a rapidly growing set of critical data that is very hard to protect and manage. By bringing the power of their widely used data governance system and Metadata Framework™ to the Exchange platform, Varonis is significantly increasing the control and efficiency that IT administrators have over this extremely important set of semi-structured data.”
In summary
The same operational workflows that organisations have been using for several years to automate the management and protection of folders and SharePoint sites must now also be applied to the data containers in Exchange: mailboxes and public folders. Organisations need to be able to analyse permissions, identify excessive access, identify owners for public folders, identify stale containers, and hold a complete audit trail of every email sent, received, and accessed, in the same searchable interface they already use to find lost files, perform forensics, and spot anomalous activity across the rest of their semi-structured and unstructured data. By doing so they will ensure that Exchange is secure, responsive, and constantly available.
ABOUT DAVID GIBSON
Director of Strategic Accounts and Technical Marketing – Varonis Systems. David Gibson has been in the IT industry for more than fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Director of Technical Services at Varonis Systems, where he oversees product marketing and positioning. As a former technical consultant, Mr. Gibson has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems. He is a Certified Information Systems Security Professional (CISSP).