Email Policy Engines
by Michael Sampson
In the November/December 2006 issue of Messaging News, the article The Impact of E-Policy Management reviews why an organization or business should be interested in technology-facilitated ways of enforcing policies on email messages. Once it is agreed that a policy is important (or required, in a highly regulated industry), how does one best go about implementing technology-facilitated policy enforcement?
Triggers and Actions
An email policy is composed of two sections: a trigger and actions. A policy trigger is a logic rule that specifies the conditions under which a message is subject to a policy. Examples include the inclusion of personally identifiable information, confidential business information or intellectual property, and the use of offensive language. If such things are found in email messages, one or more policies are triggered.
Actions are one or more results that can take place as a consequence of a policy being triggered; they define the "what now?" of a policy. Four common policy actions are block, quarantine, notify, and encrypt.
Block.
Messages that clearly contravene policy should be blocked. These messages are tagged so that they cannot ever be sent over email as long as the policy remains active.
Quarantine.
Messages that may contravene policy, but need a final decision by a policy person should be quarantined. These messages are tagged and go into a queue for review. If the policy auditor decides the message is okay, it gets released. Otherwise the message is blocked and a notification is sent to the originator and/or the appropriate organization authority figure.
Notify.
Notification involves stopping a message prior to its release and notifying someone about the policy contravention. For minor policy infringements, for example, the message may be pushed back to the originator with a cover note outlining what they did wrong (e.g. the use of offensive language). Alternatively, for serious policy infringements (e.g. sending a complete client list to an unknown Gmail account, or sending corporate intellectual property to a competitor) the originator's manager or even the Chief Security or Privacy Officer may be notified. In this case, something more significant is going on, and an appropriate human response is needed to stop further policy contravention.
Encrypt.
Some regulations require the encryption of sensitive information. If an encryption policy is triggered, then the message is flagged for encryption prior to release.
These four actions are not necessarily mutually exclusive. A message may result in multiple actions; for example, quarantine, notify and when finally released, encrypt. Further, based on membership in a specific organizational group, different actions may be triggered. For example, executives and senior managers may face a different set of defined policy actions than lower-level employees.
Email policy engine vendors like Proofpoint and Vontu ship predefined policy templates for point-and-click policy compliance. For instance, Proofpoint has a pattern-matching template for identifying sensitive information such as social security and credit card numbers in email messages. These out-of-the-box policy templates enable organizations to implement policy faster.
There are nuances in policy actions that have to be determined by each organization. For example, when a policy action of "encrypt" is required, you can either do it invisibly or block the message and notify the originator that encryption is required. The organization that chooses to encrypt messages invisibly believes this is something that should happen in the background, which does not require a special step by the sender. It is viewed as an infrastructure-level action that doesn't require end-user involvement. On the other hand, an organization may want to cultivate a heightened awareness of the encryption requirements among its staff. It is a subtle culture change strategy to block messages and notify the originator that encryption is required. Neither is objectively right or wrong; each organization needs to make the "right" decision for their environment.
Steps to a Technology-Facilitated Policy Environment
Organizations should follow a four-step process in implementing a technology-facilitated policy enforcement environment:
Define Vulnerabilities and Risks.
Develop a clear sense of the specific vulnerabilities and risks faced by your organization. Start with existing written policies already in place. Check with your legal department about compliance mandates. Consider engaging an external expert for advice on what's important. Talk with email policy engine vendors about their view of your situation, but be careful not to unwittingly compromise your future decision by aligning too closely with a specific policy vendor at this stage.
Choose the Right Product.
There are numerous policy products on the market, and you have to choose the right one for your environment. Aside from all of the commercial factors around pricing, support and vendor alignment, there are also key technology factors to consider. These factors are directory integration (products absolutely have to integrate with your incumbent directory); out-of-the-box policy templates and dictionaries (for quick policy compliance); and the need or not for broad policy application (email only or multiple channels). Larger enterprises will want to ensure that proposed solutions offer sufficient scalability and robustness for their environments.
Notify Employees.
Notify your employees that the organization is shifting from a paper-only policy environment to a technology-facilitated one. Clearly explain the business and environmental reasons why your organization is forced to do this, and explain the various things that the policy engine will be looking for. Unreasonable employees will be unreasonable, but the majority should be willing to adapt.
Start With Monitoring and Ramp Up.
Once the selected policy engine is in place, turn it on and monitor for violations. Expect to find violations almost immediately: Proofpoint's 2006 research found that one in five messages were potentially bad. In the first couple of weeks you don't have to do anything beyond watching what's happening; this provides good data for fine-tuning policies. Then tighten the screws and start enforcing policy through quarantines, blocks and notifications.
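The trigger-and-action model described under Triggers and Actions, the group-specific action sets, the invisible-versus-block-and-notify encryption choice, and the monitor-then-enforce ramp-up described in this step can all be shown in one small engine. The following is an added example written for this page, not code from the article or from any of the vendors it names. The directory, the offensive-word dictionary, the sender addresses, the sample messages and the security-officer address are all constructed placeholders, and the Luhn checksum used to weed out digit runs that merely look like card numbers is an addition of this example rather than something the article describes.

```python
import re
from dataclasses import dataclass, field

# --- Constructed fixtures: assumptions made for this example, not taken from the article ---
INTERNAL_DOMAIN = "example.com"
SECURITY_OFFICER = "security-officer@example.com"
DIRECTORY = {                               # stands in for integration with the corporate directory
    "ceo@example.com": "executive",
    "alice@example.com": "staff",
    "bob@example.com": "staff",
}
OFFENSIVE_WORDS = {"stupid", "jerk"}        # placeholder dictionary
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Policy:
    name: str
    trigger: object                         # callable Message -> bool
    actions: dict                           # group -> set of actions; "*" is the default

    def actions_for(self, group):
        return set(self.actions.get(group, self.actions["*"]))


@dataclass
class Decision:
    triggered: list = field(default_factory=list)
    actions: set = field(default_factory=set)
    notifications: list = field(default_factory=list)   # (recipient, note) pairs
    disposition: str = "deliver"            # deliver | return | quarantine | block


# --- Triggers: the conditions under which a message is subject to a policy ---
def luhn_ok(digits):
    """Luhn checksum (an addition here): rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0

def has_ssn(msg):
    return bool(SSN_RE.search(msg.body))

def has_card_number(msg):
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(msg.body))

def has_offensive_language(msg):
    return bool(set(re.findall(r"[a-z]+", msg.body.lower())) & OFFENSIVE_WORDS)

def confidential_to_external(msg):
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)
    return external and "confidential" in (msg.subject + " " + msg.body).lower()

POLICIES = [
    Policy("ssn", has_ssn, {"*": {"encrypt"}}),
    Policy("card", has_card_number, {"*": {"quarantine", "notify", "encrypt"}}),
    # executives face a stricter action set than lower-level staff for the same trigger
    Policy("offensive", has_offensive_language, {"*": {"notify"}, "executive": {"quarantine", "notify"}}),
    Policy("confidential_external", confidential_to_external, {"*": {"block", "notify"}}),
]


def evaluate(msg, mode="enforce", encrypt_style="invisible"):
    """Run every trigger, union the actions for the sender's group, map them to one disposition."""
    group = DIRECTORY.get(msg.sender, "staff")
    d = Decision()
    for p in POLICIES:
        if p.trigger(msg):
            d.triggered.append(p.name)
            d.actions |= p.actions_for(group)
    if mode == "monitor":                   # ramp-up phase: record only, everything is delivered
        return d
    # encryption nuance: do it in the background, or stop the message and tell the originator
    if "encrypt" in d.actions and encrypt_style == "block_and_notify":
        d.actions -= {"encrypt"}
        d.actions |= {"block", "notify"}
        d.notifications.append((msg.sender, "encryption is required for this content"))
    if "block" in d.actions:
        d.disposition = "block"
    elif "quarantine" in d.actions:
        d.disposition = "quarantine"        # held in a queue for the policy auditor's decision
    elif "notify" in d.actions:
        d.disposition = "return"            # minor infringement: pushed back with a cover note
    if "notify" in d.actions:
        d.notifications.append((msg.sender, "policy triggered: " + ", ".join(d.triggered)))
        if d.disposition == "block":        # serious infringement: escalate to an authority figure
            d.notifications.append((SECURITY_OFFICER, f"{msg.sender} blocked: {', '.join(d.triggered)}"))
    return d


def monitor_report(messages):
    """Monitoring phase: how many messages would trigger a policy, and which policies fire."""
    flagged, hits = 0, {}
    for m in messages:
        d = evaluate(m, mode="monitor")
        flagged += bool(d.triggered)
        for name in d.triggered:
            hits[name] = hits.get(name, 0) + 1
    return flagged, hits


SAMPLE_MESSAGES = [                         # constructed sample traffic
    Message("alice@example.com", ["bob@example.com"], "Lunch", "See you at noon."),
    Message("alice@example.com", ["hr@example.com"], "New hire", "SSN is 123-45-6789."),
    Message("bob@example.com", ["vendor@partner.example"], "Payment", "Card 4111 1111 1111 1111 exp 12/09"),
    Message("bob@example.com", ["alice@example.com"], "Order ref", "Reference 1234 5678 9012 3456 is not a card"),
    Message("ceo@example.com", ["bob@example.com"], "Re: report", "This report is stupid."),
    Message("alice@example.com", ["someone@mail.example"], "Client list", "Attached: CONFIDENTIAL client list"),
]

if __name__ == "__main__":
    print("monitor phase:", monitor_report(SAMPLE_MESSAGES))
    for m in SAMPLE_MESSAGES:
        print(m.subject, "->", evaluate(m).disposition)
```

Running the monitor phase first over real traffic gives the per-policy hit counts needed to tune dictionaries and patterns before any message is held; switching `mode` to `enforce` then applies the dispositions, and `encrypt_style` is the single setting that encodes the cultural choice the article describes between background encryption and blocking with a notice to the originator.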
Future Considerations
Technology-facilitated policy enforcement isn't just about "email policy", even though today it is generally interpreted that way. The primary principle in most regulations is one of appropriate control over electronic communications, irrespective of which channel is employed. The decision is between an email-only policy deployment for now, and a multi-channel one for now and later. The email-only approach involves finding the best product(s) currently available to address the problems of today (the most common one being email compliance). The multi-channel approach involves planning an overall architecture for policy enforcement that clearly distinguishes between policy definition (in general) and policy application (for specific channels). Coldspark is one vendor to consider speaking with in this regard.
Proofpoint and Vontu offer multi-channel capabilities natively or through partnerships. Coldspark, on the other hand, is focused on email-only but with a twist: it doesn't have to be the master place where policy is defined; it is capable of integrating with other policy definition applications from which to draw policy that it then applies. Such separation is good and appropriate for a flexible policy environment.