Journaling and archiving are two concepts that are often confused for one another. Both have to do with the retention of data, but the purpose behind the concepts is the defining factor.
Journaling is the process of recording all inbound and outbound email communications in an organization to meet an email retention or archival strategy.
Archiving is the process of managing the size of an environment’s data store by taking a backup copy of historical data, removing it from its native environment, and storing it elsewhere.
Each of these strategies can be used for meeting certain regulatory requirements, and journaling can often be used as a tool in an organization’s archiving strategy.
The Benefits of Journaling
Over the past several
years, there has been a significant increase in regulations requiring
organizations to maintain records of communication—especially relating
to the financial services, insurance, and health-care industries.
Additionally, many companies have found that maintaining accurate and
complete records of employee communications can assist them in the legal
arena, whether they are defending against or initiating lawsuits.
For example, a
disgruntled former employee might file a lawsuit against a company for
wrongful termination, stating that he had never been notified that his
behavior or performance was unsatisfactory. If the organization has an
email journaling solution in place, they could go through the historical
data and show specific examples where the behavior problems were
discussed with the employee. More and more courts are accepting, and
often insisting on, historical corporate messaging data to determine
culpability.
Some of the more
well-known U.S. regulations that, in recent years, have specified
requirements that might rely on journaling technology follow:
Sarbanes-Oxley Act of 2002 (SOX)— One of the most widely known regulatory acts, the Sarbanes-Oxley Act is a U.S. federal law that requires the preservation of records by certain exchange members, brokers, and dealers. This act was passed into law in response to a number of major corporate and accounting scandals that resulted in a decline of public trust in corporate accounting and reporting practices.
Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4)— A U.S. Securities and Exchange Commission rule that governs the retention of electronic correspondence and records.
National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)— The NASD details requirements for member firms that include the supervision of registered representatives, including inbound and outbound electronic correspondence with the public. In addition, the NASD details how long this information must be maintained and what conditions must be met.
Health Insurance Portability and Accountability Act of 1996— More commonly known as HIPAA, this U.S. federal law provides rights and protections for participants and beneficiaries in group health plans.
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001— Better known as the Patriot Act, this U.S. federal law expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the United States and abroad.
Additionally, there are
regulations imposed outside of the U.S. that organizations with a
worldwide presence might need to adhere to, such as the following:
The European Union Data Protection Directive (EUDPD)–
A directive that standardizes the protection of data privacy for
citizens throughout the European Union (EU) by providing baseline
requirements that all member states must adhere to.
Japan’s Personal Information Protection Act—
A law created and enforced by the Japanese government to regulate the
collection, use, and transfer of personal information. The Personal
Information Protection Act applies to government or private entities
that collect, handle, or use personal information of 5,000 or more
individuals.
Using journaling technology is one way that companies can work toward meeting these (and other) regulatory requirements.
The Journaling Agent
In an Exchange Server 2010
environment, all email is processed by at least one Hub Transport
server. This includes messages that are sent to or received from
external organizations, mail sent from a mailbox on one server to a
mailbox on another, or even mail sent between mailboxes located on the
same server. All mail must pass through a Hub Transport server for
delivery.
The Journaling agent is a compliance-focused agent that processes messages on Hub Transport (HT) servers.
In Exchange Server 2010, there are two journaling options:
Standard journaling— Configured on a mailbox database. Standard journaling enables the Journaling agent (on the HT server) to journal all messages that are sent to or from any mailbox on that particular database. If an organization wants to journal all mail sent and received by all mailboxes in their environment, journaling must be configured on each mailbox database in the organization.
Premium journaling— Enables the creation and implementation of journaling rules that enable the Journaling agent to be more specific about what is and isn’t journaled. Rather than capturing all mail to all mailboxes in a database, journal rules can be configured to only journal specific mailboxes, or the mailboxes of all members in a distribution group. The implementation of premium journaling requires an Exchange Enterprise client access license (CAL).
Journal rules are comprised of three key components:
The Journal Rule Scope— Defines what messages are journaled by the Journaling agent.
Journal Recipients— The SMTP address of the recipient to be journaled.
Journaling Mailbox— One or more mailboxes that are used for collecting journal reports.
Journal Rule Scope
When configuring a
journal rule, the scope of the rule defines what type of messages will
be journaled. You can choose from the following three scopes:
Internal—
When journaling entries are based on the Internal scope, messages that
are sent and received by mailboxes within the Exchange Server
organization are journaled.
External—
When journaling entries are based on the External scope, messages that
are sent to recipients outside the Exchange Server organization, or that
are received from senders outside of the Exchange Server organization,
are journaled.
Global—
When journaling entries are based on the Global scope, all messages
that pass through a server with the Hub Transport server role are
journaled.
Note
When the Global
scope is selected, the Hub Transport servers journal ALL messages that
pass through. This includes messages that might or might not have been
journaled already by rules in the Internal and External scopes.
Journal Recipients
In addition to the
journaling scopes just discussed, specific SMTP addresses can be
targeted for journaling. This can be helpful when your organization has
specific individuals or positions that are subject to regulatory
requirements that are more stringent than other personnel in your
organization. In addition, this feature can be extremely useful when an
individual is investigated for a legal proceeding and your organization
wants to track his or her messages to be used as evidence.
Because every journaled message takes up storage space, customizing your journaling environment to match the actual needs of your organization, rather than simply turning it on for “everyone,” can go a long way toward minimizing your costs.
All messages
sent to or from the journaling recipients specified in a journaling
rule are journaled. If a distribution group (rather than an individual
user) is specified in the rule, all messages to and from members of the
group are journaled. If a journal rule recipient is not specified, all
messages sent to or from recipients that match the criteria of the
journal rule scope are journaled.
Organizations that also use Unified Messaging to consolidate their
voice mail and fax infrastructure into their email system must
evaluate whether they want to journal their voice mail and missed call
notifications as well. Voice mail messages can be significant in size,
and costly in terms of disk space, so if there is no specific
requirement for your organization to save these messages, you might not
want to do so. However, messages that contain faxes and that are
generated by a Unified Messaging server are always journaled, even if
you disable journaling of unified messaging voice mail and missed call
notifications.
When you enable or
disable the journaling of voice mail and missed call notification
messages, your change is applied to all Hub Transport servers in your
organization.
Journaling Mailboxes
All of these
journaled messages must reside somewhere if they are ever to be
utilized; a journaling mailbox is one that is used only for collecting
journal reports. In Exchange Server, you have the flexibility to create a
single journaling mailbox to store all journal reports, or you can
create separate journaling mailboxes for each journal rule (or set of
journal rules) that you configure. This flexibility even enables you to
configure multiple journal rules to use one specific journaling mailbox
and then configure other rules to each use their own specific one. How
you configure your journaling mailboxes depends on your organization’s
policies and regulatory and legal requirements.
It is important to note
that journaling mailboxes collect messages that are sent to and from
recipients in your organization, and that these messages might contain
sensitive information, might be used as part of legal proceedings, or
might be used to meet regulatory requirements. Various laws are in place
that mandate that these messages remain tamper-free if they are to be
used by an investigatory authority. Administrators should work closely
with the legal department in their organization (if one exists) to
develop policies that specify who can access this data, and security
measures to ensure these policies are enforced. Access to the journaling
mailboxes should be limited to those with the “need to know” so to
speak. When a journaling solution is put in place, it should be reviewed
and certified by your legal representatives to make sure it complies
with all the laws and regulations that govern your organization.
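One way to check the access restriction described above from the Exchange Management Shell (an added example, not part of the original article): it lists every account outside an approved set that holds FullAccess on a mailbox receiving journal reports. The allow-list entry and the CONTOSO name are constructed placeholders.

```powershell
# Added example: run in the Exchange Management Shell (EMS).
# $ApprovedReviewers is a hypothetical allow-list agreed with your legal department.
$ApprovedReviewers = @('CONTOSO\ComplianceReviewers')   # constructed sample value

# Collect journaling targets from journal rules (premium journaling)
# and from mailbox databases (standard journaling).
$targets  = @()
$targets += @(Get-JournalRule | ForEach-Object { "$($_.JournalEmailAddress)" })
$targets += @(Get-MailboxDatabase | Where-Object { $_.JournalRecipient } |
              ForEach-Object { "$($_.JournalRecipient)" })

foreach ($target in ($targets | Where-Object { $_ } | Sort-Object -Unique)) {
    # The journal recipient can be a contact for an external archive
    # rather than a mailbox in this organization.
    $mbx = Get-Mailbox -Identity $target -ErrorAction SilentlyContinue
    if (-not $mbx) {
        Write-Warning "$target is not a local mailbox; review access at the destination."
        continue
    }

    # Report every allow entry granting FullAccess to an account that is
    # neither the mailbox itself nor on the approved list.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.Deny -and
            ($_.AccessRights -like '*FullAccess*') -and
            $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
            ($ApprovedReviewers -notcontains $_.User.ToString())
        } |
        Select-Object @{ n = 'JournalingMailbox'; e = { $mbx.PrimarySmtpAddress } },
                      User, AccessRights, IsInherited
}
```

Inherited entries (IsInherited = True) come from the database or organization level, so removing them means changing permissions there rather than on the mailbox.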
Journal Rule Replication
When
a journal rule is created, modified, or deleted on a Hub Transport
server, the change is replicated to all Active Directory servers in the
organization. All Hub Transport servers in the organization get these
new configuration changes from AD and apply the new or modified rules to
messages that pass through them. Every time the Hub Transport server
retrieves a new journal rule, an event is logged in the Security log of
the Event Viewer.
By utilizing
replication of journal rules throughout the organization, Exchange
Server 2010 ensures a consistent set of rules are utilized throughout.
All messages passing through the Exchange Server organization are
subject to the same journaling rules.
Note
Journal
rule replication relies on AD replication. Administrators should take
link speeds and replication delays into consideration when implementing
new or modified journal rules.
To reduce the number of
requests that Hub Transport servers must make to AD, each one maintains a
recipient cache that is used to look up recipient and distribution list
information. This cache is updated every 4 hours, and the update
interval cannot be modified. Changes to journal rule recipients might
not be applied to journal rules until this cache is updated. To force an
immediate update of the recipient cache, restart the Microsoft Exchange
Transport service on every Hub Transport server whose cache you want to
update immediately.
Journal Reports
A journal report is
the message that Exchange Server generates when a message is submitted
to the journaling mailbox. Exchange Server 2010 supports envelope
journaling only, which means that the original message matching the
journal rule is included (unaltered) as an attachment to the journal
report. The body of the journal report contains associated information
such as the sender email address, message subject, message ID, and
recipient address of the original message.
Creating a New Journal Rule
Unlike previous versions
of Exchange Server, the Journaling agent is a built-in agent that is no
longer visible in the Transport Agents tab in the EMC. It is also not
included in the results when running the Get-TransportAgent
cmdlet in the EMS. The Journaling agent is enabled by default in
Exchange Server 2010, so administrators do not need to enable it before
use.
To create a journal rule in the Exchange Management Console, follow these steps:
1. Open the Exchange Management Console on the Hub Transport server.
2. In the console tree, navigate to the Organization Configuration \ Hub Transport node.
3. In the results pane, select the Journal Rules tab, and then in the action pane, click New Journal Rule.
4. In the New Journal Rule dialog box, enter a name for your journaling rule.
5. In the Send Journal Reports to E-mail Address field, click Browse and select the recipient who will receive the journal reports.
6. Under Scope, select the scope to which the journal rule should be applied. See the earlier section titled Journal Rule Scope if you are unsure which scope to select.
7. If you want to target a specific recipient, select the option for Journal Messages for Recipient and click the Browse button. Select the desired recipient.
8. By default, the rule will be enabled upon completion. If you do not want the rule enabled, remove the check mark from the Enable Rule check box.
9. Click New to create the new journal rule, and then click Finish.
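The same rule can be created from the Exchange Management Shell. This is an added example, not part of the original article; the rule name, journaling mailbox, and distribution group are constructed placeholders, and the voice mail setting assumes no requirement to retain those messages.

```powershell
# Added example for the Exchange Management Shell; all names are constructed.
$ruleName   = 'Journal-Traders-External'      # hypothetical rule name
$journalMbx = 'journal-traders@contoso.com'   # hypothetical journaling mailbox
$recipient  = 'traders-dl@contoso.com'        # hypothetical distribution group

# Steps 4 to 8 of the console procedure: name, journaling mailbox,
# scope, targeted recipient, and enabled state.
$ruleParams = @{
    Name                = $ruleName
    JournalEmailAddress = $journalMbx
    Scope               = 'External'   # Internal, External, or Global
    Recipient           = $recipient   # omit to journal everything in scope
    Enabled             = $true
}

# Create the rule only if no rule with this name exists yet.
if (-not (Get-JournalRule | Where-Object { $_.Name -eq $ruleName })) {
    New-JournalRule @ruleParams
}

# Confirm the stored rule before relying on it.
Get-JournalRule -Identity $ruleName |
    Format-List Name, Scope, Recipient, JournalEmailAddress, Enabled

# Organization-wide switch for Unified Messaging voice mail and missed call
# notifications. Faxes generated by a Unified Messaging server are still journaled.
$journalVoicemail = $false   # assumption: no requirement to retain voice mail
Set-TransportConfig -VoicemailJournalingEnabled $journalVoicemail
Get-TransportConfig | Format-List VoicemailJournalingEnabled

# Membership changes to $recipient reach the Hub Transport recipient cache on
# its 4-hour cycle. To refresh sooner, run the following locally on each Hub
# Transport server (left commented out because it restarts the service):
# Restart-Service -Name MSExchangeTransport
```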