SCIENTIFIC-LINUX-USERS Archives

February 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Paul Robert Marino <[log in to unmask]>
Date: Sun, 9 Feb 2014 15:50:13 -0500

On Sun, Feb 9, 2014 at 10:46 AM, Nico Kadel-Garcia <[log in to unmask]> wrote:
> On Sun, Feb 9, 2014 at 8:58 AM, Paul Robert Marino <[log in to unmask]> wrote:
>> You know what you also can't do with Gmail: create a SOX-compliant export for
>> regulators if you get audited.
>
> You mean like the regulations the Google Apps Vault was designed to
> support?

Google Vault is not SOX compliant because users can decide to make a
conversation off the record.
It's in their FAQ.

> I can see the risks if you're convinced that "legal" tapping
> may be committed, to your detriment. It's a risk of any SaaS
> businesses, and for a company with military or high value
> international traffic, certainly. Consider the NSA or even foreign
> intelligence to already have access to all the traffic. But in many
> environments, *they have it anyway*, without a warrant. The
> "Carnivore" email monitoring system is still in place, or a renamed
> version of it, to monitor email at the backbones of the Internet.

Yes, I'm aware of that. For anyone who isn't familiar with Carnivore:
the FBI has its own version of the NSA's phone-collection big-data
software, for email on Internet backbones, and it's a lot older.
http://www.linuxjournal.com/article/5062


> In-house email repositories are vulnerable to external abuse of
> backdoors in firewalls and routers to grab your internal credentials
> and go poking around your systems, or rootkitted laptops may have
> already penetrated your systems.
>
> Securing against that kind of intrusion is a *lot* of work, and it
> doesn't usually pay the bills or get glowing project reports on your
> annual reviews. Using something like Scientific Linux and RHEL for
> internal services is a good place to start. Handing it off to someone
> who can afford a very sophisticated group to do precisely that kind of
> protection or, as needed, access is often a wise investment.

It can be, and it also depends on what industry you are in; you may need
it anyway even if you outsource your email system.

>
>> So if there is reason to believe that your company's emails contain data
>> pertinent to the financial transactions of your company and your company
>> gets audited, you are in deep trouble. It is also the legal responsibility of
>> the person or people in charge of maintaining the email system to ensure the
>> compliant backups are taken and made available upon request.
>> That's why most large and/or financial companies in the United States won't
>> use it.
>
> They're learning. Setting up in-house mail systems is fraught with
> adventures: ensuring high availability, supportability, archival
> access, and infosec have all grown and evolved. This is where "build
> your own" with even a good environment like Scientific Linux gets
> adventuresome. Setting up reliable backups, firewall control to the
> servers, good failover, spam

For small companies you are somewhat right, but not completely: many of them
hire a consulting company or managed network security company to do it
for them on their own hardware. Larger companies still tend to hire in-house
staff, but I've seen some which used managed infosec firms as well.
I actually worked for a managed financial network security firm some
years back. It was a lucrative business all around: it saved our
clients a fortune in staff, and they paid us a lot better than most in-house
departments for one company would get, although it was a whole
lot of work. Going through all of those weekly Nessus scan reports
and keeping all those custom Snort rules up to date was a chore, and
don't even get me started on the fun of trying to get several different
companies with limited in-house staff to install critical patches in a
timely manner.

>
>> And sometimes the regulators are the ones who are actually asking for the
>> tap via a compliance officer on someone's emails without managerial approval,
>> and it's really bad if they can't do that.
>> You can thank Enron for that.
>
> That gets tricky, and it's not just Enron. Archival of mail beyond the
> required period is considered, by some, to be a legal liability:
> whether or not they've been engaged in wrongdoing, it preserves
> evidence that might be used against them in court. Heck, you should

Well, that's why you should always delete backups containing obsolete
data like old emails as soon as you are no longer legally required to
keep them.

> have seen the *outgoing* email filter I was involved in setting up
> once, to filter all email against a secured database of "sensitive"
> content that should not be in email. Creating filters based on data
> you are not allowed to see is.... an artform.

No doubt.

>
> It also ties directly to backup. Backup is often ignored, or relegated
> to an afterthought for critical email systems.

I severely doubt you have never sat across a table from an S.E.C.
auditor; they usually are very much interested in your backups. As a
matter of fact, they tend to trust tape backups more than the live data
in the systems, because that's usually how they catch people altering
data after the fact. It's easy to edit the data in your running
servers, but it's far more difficult to edit data on a tape with a well
documented chain of custody in a timely manner, and as a result it's
what usually gets overlooked if anyone tries to cover anything up.
Also, SEC auditors will make a public example of you if your backups
are not in order, because that makes them suspect you are assisting
someone with covering something up.
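
An added example, not code from this thread or from the filter Nico describes, of one way to build an outbound filter against "content you are not allowed to see": the scanning host is handed only keyed digests of the sensitive values, and each outbound message is canonicalised and fingerprinted word-window by word-window before lookup, so the operator never holds the plaintext. The key, the sample sensitive values and the two messages are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: the HMAC key lives only on the filter host. Using a keyed digest
# (rather than a bare hash) means someone who steals the digest list but not
# the key cannot brute-force short values such as account numbers offline.
FILTER_KEY = b"rotate-me-this-is-a-demo-key"  # constructed for the example

WORD_RE = re.compile(r"[A-Za-z0-9]+")
MAX_WINDOW = 3  # longest phrase, in words, that the blocklist may contain


def canonical(phrase: str) -> str:
    """Lower-case and strip everything but letters and digits, so
    'ACCT-44119087', 'acct 44119087' and 'Acct44119087' all agree.
    Without this step an exact-match digest list is trivially evaded."""
    return "".join(WORD_RE.findall(phrase)).lower()


def fingerprint(phrase: str) -> str:
    """Keyed digest of the canonical form of a phrase."""
    return hmac.new(FILTER_KEY, canonical(phrase).encode(), hashlib.sha256).hexdigest()


def build_blocklist(sensitive_values):
    """Run on the side that is allowed to see plaintext; only digests leave."""
    return {fingerprint(v) for v in sensitive_values}


def scan_message(body: str, blocklist) -> list:
    """Return (offset, matched_text) for every window of 1..MAX_WINDOW
    consecutive words whose fingerprint appears in the blocklist."""
    words = list(WORD_RE.finditer(body))
    hits = []
    for i in range(len(words)):
        for n in range(1, MAX_WINDOW + 1):
            if i + n > len(words):
                break
            start, end = words[i].start(), words[i + n - 1].end()
            if fingerprint(body[start:end]) in blocklist:
                hits.append((start, body[start:end]))
    return hits


def policy_decision(body: str, blocklist) -> str:
    """Quarantine anything that matches; the filter cannot say *what*
    matched beyond the offsets, which is the point of the design."""
    return "quarantine" if scan_message(body, blocklist) else "deliver"


# Constructed sample data (an account number and a project codename).
SENSITIVE = ["ACCT-44119087", "Project Nightjar"]
BLOCKLIST = build_blocklist(SENSITIVE)

SAMPLE_OK = "Lunch moved to 12:30, see you in the cafeteria."
SAMPLE_LEAK = "Per our call, wire it from acct 44119087 before the Project Nightjar review."

if __name__ == "__main__":
    for msg in (SAMPLE_OK, SAMPLE_LEAK):
        print(policy_decision(msg, BLOCKLIST), scan_message(msg, BLOCKLIST))
```

The limitation that makes this an art form is visible in the code: the filter only catches values whose canonical form was enumerated up front, so a value written with a digit transposed, split across lines, or paraphrased passes through, and widening MAX_WINDOW or the canonicalisation raises the false-positive rate without anyone on the filter side being able to inspect why.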
