SCIENTIFIC-LINUX-USERS Archives

February 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Nico Kadel-Garcia <[log in to unmask]>
Reply To:
Nico Kadel-Garcia <[log in to unmask]>
Date:
Sun, 9 Feb 2014 10:46:48 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (57 lines)
On Sun, Feb 9, 2014 at 8:58 AM, Paul Robert Marino <[log in to unmask]> wrote:
> You know what you also can't do with Gmail create a SOX compliant export for
> regulators if you get audited.

You mean like the regulations the Google Apps Vault was designed to
support? I can see the risks if you're convinced that "legal" tapping
may be committed, to your detriment. It's a risk of any SaaS
business, and for a company with military or high value
international traffic, certainly. Consider the NSA or even foreign
intelligence to already have access to all the traffic. But in many
environments, *they have it anyway*, without a warrant. The
"Carnivore" email monitoring system is still in place, or a renamed
version of it, to monitor email at the backbones of the Internet.
In-house email repositories are vulnerable to external abuse of
backdoors in firewalls and routers to grab your internal credentials
and go poking around your systems, or rootkitted laptops may have
already penetrated your systems.

Securing against that kind of intrusion is a *lot* of work, and it
doesn't usually pay the bills or get glowing project reports on your
annual reviews. Using something like Scientific Linux and RHEL for
internal services is a good place to start. Handing it off to someone
who can afford a very sophisticated group to do precisely that kind of
protection or, as needed, access is often a wise investment.

> So if there is reason to believe that your company's emails contain data
> pertinent to the financial transactions of your company and your company
> gets audited you are in deep trouble. It is also the legal responsibility of
> the person or people in charge of maintaining the email system to ensure the
> compliant backups are taken and made available upon request.
> That's why most large and/or financial companies in the United States won't
> use it.

They're learning. Setting up in-house mail systems is fraught with
adventures: ensuring high availability, supportability, archival
access, and infosec have all grown and evolved. This is where "build
your own" with even a good environment like Scientific Linux gets
adventuresome. Setting up reliable backups, firewall control to the
servers, good failover, spam

> And sometimes the regulators are the ones who are actually asking for the
> tap via a compliance officer on someone's emails without managerial approval
> and it's really bad if they can't do that.
> You can thank Enron for that.

That gets tricky, and it's not just Enron. Archival of mail beyond the
required period is considered, by some, to be a legal liability:
whether or not they've been engaged in wrongdoing, it preserves
evidence that might be used against them in court. Heck, you should
have seen the *outgoing* email filter I was involved in setting up
once, to filter all email against a secured database of "sensitive"
content that should not be in email. Creating filters based on data
you are not allowed to see is... an art form.

It also ties directly to backup. Backup is often ignored, or relegated
to an afterthought for critical email systems.
