Selecting the right compliance framework to use with Exchange


Exchange 2010 upped Microsoft’s game when it came to the out-of-the-box compliance features available in the server. Exchange 2013 builds on that foundation to refine matters through features such as in-place holds and integration with SharePoint 2013; increased integration is available within Office 365 as Exchange and SharePoint Online share features like Data Loss Prevention. However, compelling and cost-effective as the Microsoft offering undoubtedly is, a market still exists for third-party compliance products.

I am frequently asked to recommend one product over another. Invariably, I decline to do so on the basis that a simple recommendation cannot take all of the factors that drive a very complex subject into account. Instead of giving the questioner a one-product answer, I prefer to propose a framework that a company can use to figure out what’s best for them.

The framework I use is composed of some simple but profound questions. Here’s how I look at the various products:

  1. Cost. In other words, how much will it cost to run one solution over another? Exchange is the big winner here because of the way that its functionality is integrated directly into the server and clients, but loses a little because of the need to deploy the latest software in order to make full use of its compliance features (for example, don’t expect to use Data Loss Prevention or site mailboxes unless you deploy Outlook 2013).
  2. Support. Overall, this is another positive point for Exchange, if only because it is much easier to deploy and support the single integrated solution rather than different software from different vendors. However, it might be that a company already has significant in-house expertise with another compliance product that offsets the Exchange advantage – or that cost-effective and expert support is available locally. This last point is really important as no product can meet business requirements if expertise is not available to support its deployment.
  3. Coverage. In other words, what material can be captured and preserved? Exchange is great for email and anything else that can be stuffed inside a mailbox; it is less impressive when other sources of important content are considered, such as SharePoint, Lotus Notes, other email servers, web sites, file shares, and other databases. Exchange 2013 is better because of its tie-in with SharePoint 2013, but the problem of needing the latest versions rears its ugly head again. The advantage currently lies with third-party vendors because they have used their years of working in the field to steadily expand coverage of different repositories.
  4. Legal needs. These are dictated by the legal department and differ from company to company and geography to geography. The likely categories to be considered include immutability (no one can interfere with information that is held on systems), discovery (how information is retrieved and who can perform discovery), and preservation (how software can preserve information required to meet regulatory or legal requirements). New features have to be regarded with some caution until you’re sure how they fit into the compliance framework. Office 365 Groups provide a good example. These groups use special document libraries (in SharePoint Online) to hold files of interest to group members, but there’s no way to apply retention policies or other controls to the files, nor have auditing or reporting facilities yet been made available.
  5. Expertise or industry focus. Some ISVs have been working in the compliance space for many years and have accumulated a huge amount of expertise in how information should be handled, specifically in particular industries. Their software is probably designed to handle common industry scenarios and expertise in how to exploit the software is likely to be more available than if you try to adapt general-purpose software to meet your needs. All in all, if you work in a regulated industry, your best option might be to use a company that specializes in that industry.
  6. Existing technology infrastructure. If a company uses a product to archive or capture information from other sources and that product supports Exchange, then the best option might be to leverage what’s already in place to incorporate Exchange. Given the current strength of Office 365, another factor to consider is how your choice functions in the cloud. Remember, buying add-on software is only the start of the journey. The software has to be managed and maintained over the long term too and that’s where the majority of expense might lie.

Looking from an Exchange-centric view, Microsoft is in a strong position. The current versions of Exchange support databases that are so large and so well protected that the idea of keeping everything online is viable. This doesn’t mean that stubbing, a technique that has served businesses well even if it makes Microsoft unhappy (see the “Ask Perry” video chat for their view on the matter), will go away anytime soon because the simple fact is that if a product solves a business problem then its technical implementation will be a secondary concern. And anyway, ISVs like Symantec are advancing the state of their art too with developments such as the Enterprise Vault cloud service, similar in many respects to Microsoft’s Exchange Online Archiving service.

Whatever choice you make, keep an eye on the future and make sure that you don’t paint yourself into a corner. This means that the software you choose should be able to export and import data with maximum fidelity. The platform you select now might not be the one you want to use in five years.

The bottom line is that no simple answer exists for compliance. Put two lawyers in a room and ask them to define what compliance means for a company and you’ll wait a long time for an answer. The same is true of technologists… I guess.

Follow Tony @12Knocksinna

About Tony Redmond ("Thoughts of an Idle Mind")

Exchange MVP, author, and rugby referee
This entry was posted in Email, Exchange, Office 365.

4 Responses to Selecting the right compliance framework to use with Exchange

  1. Pingback: Weekly IT Newsletter – December 22-26, 2014 | Just a Lync Guy

  2. Pingback: NeWay Technologies – Weekly Newsletter #127 – December 25, 2014 | NeWay

  3. Pingback: NeWay Technologies – Weekly Newsletter #127 – December 26, 2014 | NeWay
