Myths and Realities in Compliance
How to Achieve Better Content Control in the Enterprise
February 2006

Copyright 2006 Entrust. All rights reserved. www.entrust.com

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a registered trademark of Entrust Limited in Canada. All other company and product names are trademarks or registered trademarks of their respective owners. The material provided in this document is for information purposes only. It is not intended to be advice. You should not act or abstain from acting based upon such information without first consulting a professional. ENTRUST DOES NOT WARRANT THE QUALITY, ACCURACY OR COMPLETENESS OF THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS PROVIDED "AS IS" WITHOUT ANY REPRESENTATIONS AND/OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST SPECIFICALLY DISCLAIMS ANY AND ALL REPRESENTATIONS, AND/OR WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, NON-INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE.

Table of Contents

1 Introduction
2 The Challenge
3 The Myths and the Realities
   Myth #1 - Save all email
   Myth #2 - Delete all email
   Myth #3 - Word rule filters are effective content control filters
   Myth #4 - SPAM filters are effective content control filters
   Myth #5 - Packet word filters are effective for content control
   Myth #6 - Desktop Solutions are better than Server Solutions
   Myth #7 - Signature Methods are good Content Analyzers
   Myth #8 - Encrypted email cannot be analyzed
   Myth #9 - End Users can reliably encrypt sensitive content
   Myth #10 - Content Analysis is useless for IM or Web content
4 The Entrust Solution
5 About Entrust

1 Introduction

Information and content in the enterprise continues to grow at exponential rates. According to the Radicati analyst firm, 161 billion emails will be exchanged from 775 million corporate email boxes in 2006 [1]. Information or content has long been recognized as an asset that requires lifecycle management depending on the type of information and its use in the enterprise. Typically, an enterprise has data or information at rest within databases and repositories as well as data or information in motion. Data at rest includes customer account information, financial and employee records, etc. Data in motion includes information or content that is communicated via email, instant messages, posted in blogs or transferred as files. Industry regulations and cases that end up in court continually impact how information and content should be handled in the enterprise.

The Securities and Exchange Commission has actively been enforcing the Sarbanes-Oxley Act for a number of years, with recent judgments against very high profile companies such as Bristol-Myers for $150M and WorldCom for $750M [2]. The regulations related to online privacy and security of content for email, web, instant messaging and file transfers are forcing enterprises to implement policies and processes that help them comply, avoid fines and mitigate the potential risk of jail time for executives, similar to the 25-year term that WorldCom's CEO received in 2005 [3].

Organizations are using a combination of processes and technologies to address the challenge of demonstrating compliance to auditors. As auditors review how regulations are being met, it is important to demystify the possible approaches. This is further complicated as the use of the Internet is woven ever deeper into the business processes of an organization through web blogging and instant messaging. Organizations have chosen to address compliance in a variety of ways: some store all electronic information in archives and document repositories, while others audit all electronic communications by sifting through millions of messages and transactions daily. Still, many organizations are confused over which methods are most effective in dealing with message flow in and out of their organization, be it through email, instant messages, web or file transfers. This whitepaper attempts to demystify compliance and the need for information and content control within enterprise communications.
It is based on a series of myths and realities that first appeared as blog posts about compliance at blog.entrust.com. This is a companion whitepaper to the Best Practices Whitepaper for Content Control, available for download at www.entrust.com.

[1] Radicati Study, 2005.
[2] Remarks before the ALI-ABA Broker-Dealer Regulation Conference by Commissioner Annette L. Nazareth, U.S. Securities and Exchange Commission, Washington, DC, January 12, 2006. http://www.sec.gov/news/speech/spch011206aln.htm
[3] "Ebbers gets 25 years. Former WorldCom chief, 63 years-old, could spend the rest of his life in prison." Krysten Crawford, CNN/Money, July 13, 2005. http://money.cnn.com/2005/07/13/news/newsmakers/ebbers_sentence/

2 The Challenge

When discussing regulatory compliance and electronic communications, there are a multitude of legislative and regulatory issues to consider. As an example, financial institutions face well over a dozen compliance regulations. A regulated enterprise may have an obligation to examine any outbound content, whether it leaves through email, instant messaging, file transfers or web postings, and the obligations vary by industry, creating a complex overall set of policy objectives. In response, many organizations have established compliance and risk management teams focused on electronic communications, with Compliance and Security Officers being asked to report to the CEO on any risks that have the potential to affect operations. Depending on the industry sector, an organization may be dealing with a number of compliance issues, including:

- Public-company regulations, such as Sarbanes-Oxley, established in response to the Enron debacle;
- Regulations affecting financial companies, such as banks and brokerages, which must adhere to Securities and Exchange Commission (SEC) rules, Gramm-Leach-Bliley (GLBA) and NASD rules;
- Regulations affecting healthcare privacy, such as the Health Insurance Portability and Accountability Act (HIPAA) and its rules for Protected Health Information (PHI);
- Intellectual property law, which is important for information asset protection for organizations in most sectors, including Securities, Pharmaceutical, Technology, Manufacturing, etc.;
- Regulations affecting the privacy of information, including personally identifiable information (PII) that is regularly collected from employees, customers and end users;
- Corporate Governance Policies, including those regarding disclosures to Boards of Directors and Auditors as well as Human Resources, Governance, Harassment/Code of Conduct and Ethics policies.

While compliance and risk management teams are trying to solve their online information transfer problems, a backlash has developed against the term "compliance." Vendors have been rushing to provide one-size-fits-all solutions to the many regulatory and governance requirements in the enterprise. However, in their drive to create the perfect solution, many vendors have lost sight of customer needs, and end users have become confused about compliance requirements. In some cases, organizations believe that if they archive all electronic communications, including email, instant messages and web postings, they will be compliant, while at the other extreme some organizations believe that if they delete all electronic communications every 90 days they cannot be found to be non-compliant.
By discussing the top 10 myths and realities that surround regulatory compliance, we hope to highlight the issues and clarify what compliance really means, giving organizations a better understanding of the areas to consider when examining regulatory and corporate governance requirements and implementing content control solutions.

3 The Myths and the Realities

Myth #1 - Save all email

A common approach to compliance has been to save all the emails, documents, faxes, news feeds, IM records, etc. that an organization generates in anticipation of future audits. This becomes problematic when a large institution produces as many as 1 million emails per day, or 260 million emails per year, and does not categorize or organize them. Producing information needed by regulators in a timely manner can be next to impossible when it has to be retrieved from a massive, unorganized archive. This was the unfortunate case for Morgan Stanley (New York Times, May 17, 2005, http://www.nytimes.com), where some emails could not be found as required; this contributed to a $604 million ruling against the firm, followed by an additional $850 million penalty which the company is appealing.

Reality

A better approach than saving all the email in the organization is to practice content control: selectively archive, pre-tag or categorize the emails, instant messages, file transfers and documents en route to the archive so they can be searched effectively based on concepts such as "aggressive language," "illicit disclosures," "spam," "personal," etc. This can be achieved with content control solutions that automatically scan and analyze enterprise information against a set of patterns or concepts, so that emails and documents are scanned and tagged before being collected into a records management or archiving solution.
Myth #2 - Delete all email

Another approach to dealing with compliance has been to delete all the emails, documents, faxes, news feeds, IM records, etc. In some cases this has been used as a means of preventing regulators from finding information; at other times it is used as a housekeeping practice. Enron is the most famous example of deleting archives to help avoid prosecution. Ultimately the concealment of evidence in this fashion made history, contributed to the organization's bankruptcy and, in turn, resulted in the establishment of the Sarbanes-Oxley Act [4]. Often, organizations implement an automatic 30 to 90 day deletion process for end user mailboxes, or delete when mailboxes reach their storage limits. This type of policy requires users to archive all important information on their desktops or in a central repository. It is not an effective way to clean end user mailboxes, as users will not consistently archive their inboxes and hard drives, and important records and documents end up lost or deleted. It is also not an effective way to avoid having evidence of possible oversights or wrongdoing in a company. Every email or electronic communication has a twin, in a sense: a sent email is kept in the archives of the receiver and the sender in addition to appearing in the receiver's inbox, and may therefore easily surface in the face of an audit.

Reality

Organizations need to educate users on what kind of information is considered sensitive and what is appropriate, monitor outbound content, retain archives, delete archived information once the statute of limitations has expired, and make sure they have a handle on the terabytes that their enterprise generates daily. Again, a better approach is to use a content control solution to automatically scan incoming and outgoing electronic communications such as email, instant messages and web postings on a monthly basis, auto-categorize what needs to be archived, and delete the rest.

[4] A copy of the Sarbanes-Oxley Act and an FAQ are available at the SEC website: http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm

Myth #3 - Word rule filters are effective content control filters

In the 1970s, a technology called expert systems, which encapsulated expert knowledge as If-Then rules, received a lot of attention. A great hype cycle followed and lasted well into the mid-1980s, when expert systems were supposed to replace experts in all walks of life. The hype cycle finally ended in the late 1980s, when it became clear that these systems could not truly encapsulate expert knowledge in a set of linear rules: the rules were hard to formulate and produced unpredictable results depending on rule order. Today, vendors are still trying to convince customers that rule-based systems are the magical solution for compliance. Just as rule-based systems failed to replace experts in the 1980s, rule-based systems appear to be failing to replace compliance teams today. In fact, the opposite occurs: overhead, administration and maintenance increase as thousands of rules are required, and those rules generate false positives. The false positives in turn require thousands of rule exceptions, which further increase the burden.

Reality

To address regulator requirements, there needs to be a risk assessment and an analysis of the electronic communication policy and the regulations governing an organization. Once this is complete, a methodical review of possible solutions that combine process and technology in the enterprise should be carried out. The technology should include capabilities that move well beyond rule-based approaches towards object-oriented or concept-based information management, which has proven far more successful in the enterprise. These solutions can fit nicely with manual and electronic workflow processes within the enterprise.

Myth #4 - SPAM filters are effective content control filters

Many organizations believe it is appropriate to use the same spam technology that filters incoming email to filter outgoing email for regulatory and corporate governance policies. This is not necessarily the best approach. SPAM filters are typically based on keywords, phrases, rules and document signature methods, where new words or paragraphs alter the document signature. For SPAM there are typically thousands, if not millions, of examples to learn from, whereas for compliance there may be only one or two example violations within a million email or instant messaging threads. For non-compliance, an organization is looking for content in context; word lists and rules offer content only, not context. SPAM filters used for outbound content filtering will often generate many false positives and miss content that the SPAM filter does not know about. This can create a major issue for risk management teams if just one or two important non-compliant emails are missed.

Reality

A separate solution targeted at regulatory compliance is the most effective approach. Ideally, this outbound content control solution is based on contextual analysis, which is the most effective way to review and, when necessary, block outbound messages. A SPAM filter, conversely, is best kept for filtering incoming messages for email hygiene purposes.
Myth #5 - Packet word filters are effective for content control

In 2005, a number of new vendors entered the field of outbound content control with technology for monitoring packets of instant messaging (IM), web traffic (HTTP), file transfers (FTP) and email (SMTP). The philosophy behind monitoring packets is to detect non-compliant communications at wire speed within a packet, then block it or send its content to the compliance team. Many of the packet vendors today monitor packets looking for words, or possibly customer database fields that may contain customer or employee information such as account or credit card numbers. This approach is useful for exact matching of database fields, where the match is unambiguous and false positives are few. However, it cannot offer analysis of unstructured content such as that contained in email, web postings or instant messaging traffic, where content is as unique as the people who send it. For email, packet-based solutions therefore fall back on outdated signature methods. These signature-based methods have been popular for SPAM, but require large teams of people to maintain and update them, as often as every 6 minutes. Many packet solutions claim to do contextual analysis, when in fact they mean only that they can detect the mode of communication, such as instant messaging, web, file transfer or email. The packet solutions do not detect the context of a communication between individuals, just the protocol it uses. Some solutions also claim to do lexical analysis, which implies that they have templates or canned patterns to compare against, an approach that is also popular in SPAM filtering.

Reality

A better approach is to use a packet-level solution for IM, HTTP or FTP for exact matching of customer records (if that is all that is required), while continuing to use proven methods of automatic content analysis for outbound email content control. If instant messages, web postings or file transfers do not carry exact data from a customer database, then the real-time content analysis methods that some vendors offer for unstructured content will be far more effective. Content analysis methods have evolved significantly over the past few decades in their interpretation of content and have not reverted to the simplistic word-based pattern matching discussed in myths #3 and #4 above.

Myth #6 - Desktop Solutions are better than Server Solutions

There is confusion in the marketplace today regarding outbound content control, or technology for regulatory compliance, at the desktop versus at the server. Server solutions facilitate the administration, monitoring and auditing of corporate governance and regulatory policies, whereas desktop compliance solutions are limited to the activities at the end user desktop and are not centrally monitored. End users are thus left to their own devices in adhering to corporate or regulated policy. A counter-argument is that many organizations do not want non-compliant information leaving the desktop at all; however, users who want to violate policy will find a way to defeat a desktop solution, for example by copying to USB memory sticks or writing to CDs.

Reality

With a server-based solution, as an email, IM thread or internet message is routed out of the network it is checked, blocked where necessary and audited, enabling compliance teams and auditors to track non-compliance more easily. Information at the desktop may still be important, and server solutions also use thin clients at the desktop to centrally manage important documents and records.
Myth #7 - Signature Methods are good Content Analyzers

There is a resurgence of signature methods in the industry as a means of reducing the false positives that result from packet-based word matching over instant messaging, Internet mail, browser traffic, file transfers, etc. Signature methods take a hash of an email or document and look for an exact match against any other outgoing information over IM, HTTP, SMTP, etc. These are the methods that anti-spammers made popular as far back as the year 2000. Signature methods have since been found to miss a great deal: a single changed character changes the hash value or signature, so spammers defeat them simply by adding extra characters or white space.

Reality

Signature methods have to be combined with other methods to improve accuracy. There are solutions in the outbound content control space that use signature methods and exact hash values in an attempt to detect sensitive information leaving the enterprise. Signature methods are good for exact matches of fields from structured customer database records, such as credit card or account numbers, where an exact match can be searched for effectively. To improve on the poor accuracy of whole-document signatures, desktop agents have been introduced to crawl through thousands of documents and write their signatures into repositories. This approach has been found to be fairly untenable when thousands of documents and thousands of users are involved, since it decreases network and desktop performance. An alternative approach is a server-based content control solution that combines sophisticated content analysis for unstructured content with selective encryption to help prevent sensitive information from leaving the enterprise.
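The following Python example is added here by the editor; it is not code from this paper or from any Entrust product. It puts the points of Myth #5 and Myth #7 side by side: a whole-message hash (the "signature method") no longer matches a copy that differs by one space, a normalised word-shingle signature still recognises it, and exact matching of a structured field (a card number, validated with the Luhn check and compared against hashed database values) is reliable. The message text, the card numbers and the "customer database" are constructed for the demo; the 3-word shingle size and the use of SHA-256 are the editor's assumptions, not figures from the page.

```python
"""Added example (editor's code, not from the Entrust paper):
whole-message hash signatures versus normalised shingle signatures
versus exact matching of structured fields. All data is constructed."""
import hashlib
import re


def sha256_hex(s):
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# ---- 1. Exact signature: one changed byte changes the hash ------------
def message_signature(text):
    """The 'signature method' from the text: a hash of the whole message."""
    return sha256_hex(text)


# ---- 2. Normalised shingle signature (editor's assumption: k = 3) -----
def shingles(text, k=3):
    """Lower-case, keep only alphanumeric words, then take k-word windows.
    Extra whitespace and punctuation no longer change the signature."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def shingle_similarity(a, b, k=3):
    """Jaccard similarity of the two shingle sets (1.0 means identical)."""
    sa, sb = shingles(a, k), shingles(b, k)
    return len(sa & sb) / len(sa | sb)


# ---- 3. Exact matching of a structured field (card numbers) -----------
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_structured(text, known_pan_hashes):
    """Find Luhn-valid card numbers and check each against the customer
    database, held as SHA-256 hashes of the bare digits so the scanner
    never stores raw card numbers."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            continue
        hits.append({"pan_masked": mask(digits),
                     "in_database": sha256_hex(digits) in known_pan_hashes})
    return hits


# ---- Constructed sample data ----------------------------------------
ORIGINAL = "Project Falcon: acquisition of Acme Corp closes Friday. Do not forward."
PADDED = "Project Falcon:  acquisition of Acme Corp closes Friday.  Do not forward. "
EDITED = "Project Falcon: acquisition of Acme Corp closes Monday. Do not forward."

# Constructed 'customer database': hashes of two well-known test PANs.
KNOWN_PANS = {sha256_hex("4111111111111111"), sha256_hex("5500000000000004")}

MESSAGES = [
    "Hi Bob, refund the customer's card 4111-1111-1111-1111 today.",   # known PAN
    "Order 1234567890123456 shipped.",                                # fails Luhn
    "Card 4242 4242 4242 4242 declined, not one of our customers.",   # valid, unknown
]


def demo():
    return {
        "exact_sig_survives_padding": message_signature(ORIGINAL) == message_signature(PADDED),
        "shingle_sim_padding": shingle_similarity(ORIGINAL, PADDED),
        "shingle_sim_edit": shingle_similarity(ORIGINAL, EDITED),
        "structured_hits": [scan_structured(m, KNOWN_PANS) for m in MESSAGES],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The exact signature fails on the padded copy, the shingle similarity of the padded copy is 1.0 and of the one-word edit 0.5, and only the two Luhn-valid numbers are reported, one flagged as present in the database. The hashed lookup is the design choice worth copying: the packet or gateway scanner can match customer records without itself becoming a store of card numbers.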
Myth #8 - Encrypted email cannot be analyzed

A popular belief in the security industry is that encrypted email cannot be scanned by any type of analysis technology, and therefore a percentage of messages will get through unfiltered. This is not the case.

Reality

There are solutions available in the marketplace that can decrypt, analyze and re-encrypt messages within a secure environment. This works where the gateway is a party to the encryption, that is, where it holds or can obtain the keys, as with gateway-applied encryption; mail encrypted end to end with a key that only the recipient holds cannot be inspected in transit, which is one more reason to have the server rather than the desktop apply encryption. These technologies can also be used to encrypt outbound messages, enhancing the protection of information leaving an organization. Take a look at the solutions at www.entrust.com as a start.

Myth #9 - End Users can reliably encrypt sensitive content

Many organizations have relied on desktop encryption as a means of getting end users to encrypt sensitive information. In some cases users encrypt everything, as they cannot decide what is sensitive, while others do not encrypt the sensitive messages and attachments that they should.

Reality

A more advanced approach is to deploy a content control server solution that selectively encrypts based on sensitive content. A selective encryption solution can even quarantine information deemed too sensitive for transmission to an external public network. Server solutions can also include web mail capabilities that provide encryption for communications sent to external parties such as partners or boards of directors. A push or a pull model can be implemented for external web mail users, allowing them either to click on a URL and then view an encrypted sensitive message, or to receive a certificate along with the message that is encrypted and intended for them.

Myth #10 - Content Analysis is useless for IM or Web content

There is an urban legend that instant messages, web postings and outgoing web content cannot be stopped. Organizations have in some cases blocked IM and web access altogether to avoid possible regulatory violations involving outbound sensitive information. The truth is that whether content comes from instant messages, the web, files sent over FTP or even news stories, the important ingredient is a good content analysis engine. If it works well for email, which is unstructured content, it will be suitable for more structured types of content such as news stories and for unstructured content such as IM.

Reality

Structured content, such as web content or news stories, is unlike email content, which tends to be highly unstructured. The meta tags in web content are used as indices to search on and so help determine the context or meaning of content more easily; a number of vendors have products that automate this tagging process. Instant messages are highly unstructured, much like email, and present a challenge as they are often very short sentences that include abbreviations, graphical icons such as smiley faces, and entire attachments and pictures. IM is analyzed as a sequence or series of conversations between individuals, so many single lines can be bundled into a longer discourse and analyzed together. Content analysis breaks any content down into its constituent components and compares them to concepts within templates or within a statistical model. The key to good content analysis is a good policy editor with a concept library and pre-built modules of patterns for regulations such as HIPAA, SEC rules, GLBA, SOX, etc. This library simplifies administration, maintenance and customization for corporate policy.
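As an added example (editor's code, not from this paper or any Entrust product) of the bundling described above: a scanner that looks at each IM line on its own misses a card number that a user types across two lines, while grouping lines into a conversation (same pair of participants, less than five minutes between consecutive lines) and scanning the joined text catches it. The log lines, the log format, the five-minute gap and the Luhn-checked card-number detector are all the editor's constructions, not a format or threshold from the page.

```python
"""Added example (editor's code, not from the Entrust paper): per-line IM
scanning versus scanning a bundled conversation. Log format, data and
the session gap are constructed for the demo."""
import re
from datetime import datetime, timedelta

# Constructed IM log: "<ISO timestamp> <from>-><to>: <text>"
IM_LOG = """\
2006-02-01T09:00:01 alice->bob: can you pull up the account for Mr Jones
2006-02-01T09:00:09 bob->alice: sure, what is the card number?
2006-02-01T09:00:15 alice->bob: 4111 1111
2006-02-01T09:00:18 alice->bob: 1111 1111 exp 03/08
2006-02-01T09:00:40 bob->alice: got it, thx
2006-02-01T11:30:00 alice->carol: lunch at 12? table 4567 is booked
"""

LINE_RE = re.compile(r"^(\S+) (\w+)->(\w+): (.*)$")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SESSION_GAP = timedelta(minutes=5)  # editor's assumption, not from the page


def parse_log(log):
    """Return messages as dicts sorted by timestamp; malformed lines are skipped."""
    msgs = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sender, recipient, text = m.groups()
        msgs.append({"ts": datetime.fromisoformat(ts), "from": sender,
                     "to": recipient, "text": text})
    return sorted(msgs, key=lambda x: x["ts"])


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Luhn-valid card numbers in text, masked to first 6 / last 4 digits."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def bundle(msgs, gap=SESSION_GAP):
    """Group messages into conversations: same (unordered) participant pair
    and no more than `gap` between consecutive lines."""
    sessions, open_session = [], {}
    for m in msgs:
        pair = tuple(sorted((m["from"], m["to"])))
        idx = open_session.get(pair)
        if idx is not None and m["ts"] - sessions[idx]["lines"][-1]["ts"] <= gap:
            sessions[idx]["lines"].append(m)
        else:
            sessions.append({"pair": pair, "lines": [m]})
            open_session[pair] = len(sessions) - 1
    return sessions


def scan_per_line(msgs):
    """What a packet or line filter sees: each line in isolation."""
    return [(m["from"], card) for m in msgs for card in find_cards(m["text"])]


def scan_bundled(msgs):
    """Join each conversation's lines with a space and scan the discourse."""
    hits = []
    for s in bundle(msgs):
        text = " ".join(line["text"] for line in s["lines"])
        for card in find_cards(text):
            hits.append((s["pair"], card))
    return hits


if __name__ == "__main__":
    messages = parse_log(IM_LOG)
    print("per line:", scan_per_line(messages))
    print("bundled :", scan_bundled(messages))
```

The per-line scan returns nothing, because neither "4111 1111" nor "1111 1111 exp 03/08" is long enough to be a card number on its own; the bundled scan reports one masked card number for the alice/bob conversation and nothing for the unrelated alice/carol lunch message. The same split can happen by accident (a user hits Enter mid-number) or on purpose, so a conversation-level pass is the check a practitioner wants in addition to the per-packet one.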
4 The Entrust Solution

The Entrust Content Control and Secure Messaging Solutions offer an integrated suite of components that provide advanced content analysis of inbound and outbound messages, centralized policy enforcement, automatic and content-based email encryption, support for mobile devices and more. The solutions can also be set up to monitor email, instant messaging, web traffic and file transfers in real time. The capabilities have been designed for large enterprises and government organizations that need to enforce corporate or regulatory compliance and mitigate the risks of communicating sensitive information, for thousands of users sending millions of messages a day. The Entrust Secure Messaging solution can also be used in forensic or real-time mode, assisting an organization in its e-discovery activities and offering immediate tagging of archives for discovery requirements and auditors. Pre-defined or custom policies give organizations the choice of subscribing to plug-and-play policy modules for Corporate Governance (maintaining privacy of customer and employee information, detecting harassment and offensive language, protecting IP) and Regulatory Compliance (Sarbanes-Oxley, Securities rules, NASD rules, Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), etc.). By automatically enforcing those policies, whether that means blocking non-compliant communication, archiving regulated information, bouncing emails with offensive language back to the sender for reconsideration, or automatically encrypting emails containing sensitive content or intellectual property, the solution does not rely on end users to enforce policy and provides a comprehensive set of capabilities that can be tailored to various customer environments.

[Figure: Entrust Content Control and Secure Messaging Solution]

To learn more about the Entrust Solutions for Email Security and Message Compliance, please visit http://www.entrust.com.

5 About Entrust

Entrust, Inc. [NASDAQ: ENTU] is a world leader in securing digital identities and information. Over 1,400 enterprises and government agencies in more than 50 countries use Entrust solutions to help secure the digital lives of their citizens, customers, employees and partners. Our proven software and services help customers achieve regulatory and corporate compliance, while helping to turn security challenges such as identity theft and e-mail security into business opportunities.