Author: Sean Gilbride, Director of Professional Services Operations
As promised in my last post, here are a couple of additional articles related to cloud computing that contain some great food for thought. I'd also like to hear what your thoughts are on this subject.
Cyberattack on Google Said to Hit Password System
Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications.
The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.
These new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google's that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as "cloud" computing, a single breach can lead to disastrous losses.
Spam Suspect Uses Google Docs; FBI Happy
FBI agents targeting alleged criminal spammers last year obtained a trove of incriminating documents from a suspect's Google Docs account, in what appears to be the first publicly acknowledged search warrant benefiting from a suspect's reliance on cloud computing.
The warrant, issued August 21 in the Western District of New York, targeted Levi Beers and Chris de Diego, the alleged operators of a firm called Pulse Marketing, which was suspected of launching a deceptive e-mail campaign touting a diet supplement called Acai Pure. The warrant demanded the e-mail and "all Google Apps content" belonging to the men, according to a summary in court records.
Google provided the files 10 days later. From Beers' account, the FBI got a spreadsheet titled "Pulse_weekly_Report Q-3 2008" that showed the firm spammed 3,082,097 e-mail addresses in a single five-hour spree. Another spreadsheet, "Yahoo_Hotmail_Gmail - IDs," listed 8,000 Yahoo webmail accounts the suspects allegedly created to push out their spam. The Yahoo accounts were established using false information, allegedly in violation of the CAN SPAM Act.
Privacy advocates have long warned that law enforcement agencies can access sensitive files stored on services like Google Docs with greater ease than files stored on a target's hard drive. In particular, the 1986 Stored Communications Act allows the government to access a customer's data whenever there are "reasonable grounds" to believe the information would be relevant in a criminal investigation - a much lower legal standard than the "probable cause" required for a search warrant.
Is your company moving toward, or considering, implementing a public cloud solution? I'd like to hear from you.
Author: Joseph Correia, Principal Consultant
In early 2009 it was announced that Exchange 2010 now had "built-in" archiving. This generated a lot of interest and excitement. Based on the information from Microsoft, it would appear that your archiving needs will be addressed by Exchange 2010, so why not put your plans on hold until you can upgrade or migrate to 2010?
Some of the benefits expected to be provided by Exchange 2010 archiving are elimination of PSTs across the organization, integrated user search of both active mailbox and archive mailbox, simple archival and deletion policies from Microsoft Records Management, multi-mailbox search for eDiscovery, role-based access control, and drag & drop access to your personal archive.
At first pass, it appears that most of the basic features you need in an archiving solution have been covered in Microsoft's first attempt with 2010, and I expect that they will improve the offering going forward. However, with only these features available, Exchange 2010 is probably only a good fit for small to mid-size businesses - those primarily concerned with archiving to eliminate PSTs and enable some form of search without implementing any additional software.
A deeper look at the native Exchange 2010 archiving functionality shows some significant issues that you should think about before proceeding. With Exchange 2010 archiving, mailbox database sizes are dramatically increased due to archived data being stored in the same database as the mailbox itself and the elimination of single instance storage (SIS). Other shortcomings include:
- Outlook 2010 is required to enable archiving
- eDiscovery searches are limited to the Exchange Organization
- There is no legal hold for Public Folders
- Archive access is not extended to cache mode
- There is no stubbing of messages
Expanding on these points a little more, storing archive data in the same mailbox database as the user's mailbox means that your Exchange Server storage is not being reduced. The elimination of SIS further increases the likelihood that database sizes will increase going forward.
In addition, moving to Outlook 2010 is no simple task, as anyone who has been through an application rollout realizes. Furthermore, eDiscovery searches are limited to the Exchange organization and cannot be performed across multiple organizations, thus rendering the search incomplete and somewhat indefensible in a courtroom.
So IMHO, Exchange 2010 archiving in its current iteration will likely not fit the needs and requirements of many companies that have even moderate amounts of messaging data. Mid-size to large customers will want to archive other data types (file system, Instant Messages, SharePoint) along with e-mail and require strong eDiscovery capabilities across those realms, let alone require a reduction of storage use at the archive.
Some questions you should be asking yourself before implementing archiving:
1. Why are you going to implement archiving? Is it for storage management, eDiscovery, compliance, all of the above?
2. How long will you be required to retain data within the archive?
3. How does the archiving solution scale?
4. If you currently have a third-party archiving solution, how will it integrate or coexist?
5. What does the proposed solution give me? (For instance, storage reduction, eDiscovery capabilities, enhanced mobility, improved backups, improved DR, etc.)