“It’s compliance Jim, but not as we know it”

From Robin Smith, Technical Manager, EMEA, FaceTime Communications

I recently read an article posted on The Register, based out of the UK, about the great advances the current version of Microsoft’s Unified Communications platform (OCS) has made, when compared with previous incarnations. I’m in full agreement and look forward to the next release, currently called CS14, details can be found here. Given that a large number of our customers have either industry or legal compliance requirements they must comply with, I did feel one of the final comments needed a little more qualification than space in the article allowed for:

“…if compliance is a concern, you have IM archiving”

The moment I read that, I was catapulted back to the late 1980s and ever since haven’t been able to get the incredibly annoying “Star Trekkin” by “The Firm” out of my head. Click here or search YouTube for “The Firm – Star Trekking” if you have no idea what I’m talking about – your ears won’t thank you. Why? Well, compliance is in the eye of the person with a fine and possible jail sentence hanging over their head and as Spock’s line in the song goes:

 “it’s life Jim, but not as we know it.”

There are in fact a few different ways you can store OCS IMs both natively with Microsoft products and using third-party solutions. But, as those who write on bits of paper or print things out so they don’t forget or lose them and then can’t find the bit of paper when they actually need it can attest to, just because you’ve archived something doesn’t mean:

• you can ever find it again, even though you know it’s in that pile somewhere
  
• it will be complete, maybe the dog ate half of it
  
• that it will come back looking the same, maybe you spilled coffee on it or you printed out several pages and they’ve been mixed up so the order is wrong
  
• that someone else can look through the pile and find the piece of paper
  
• different things of difference genres or sizes will fit or stay in the pile properly
  

To achieve all of the above, you need special controls around how you capture, store, search and recover data.

You need to be able to show that what has been recovered is the same as what was originally stored and that it is a true representation of the original data. You should also make sure that in the case of a multi-party chat where someone wasn’t part of the whole conversation that the view of their data is different to that of the other participants’. Let alone the ease of use issues around eDiscovery; making it possible for someone (often non-technical) to search the archive and recover what they need without having to become an expert in SQL scripting. So if we can achieve that, are we compliant? Maybe, maybe not.

What about usage policy? Can my Traders and Research teams talk to each other? Do I want Billy in the call centre using my OCS system to ask all the eligible young ladies in the department out on dates?

What about content security? If I’m allowing file transfers, shouldn’t they be stored along with the IM conversation transcripts? Shouldn’t you be virus checking file transfers, making sure that staff aren’t using inappropriate language over IM, especially with business partners through my OCS edge server.

My point is that for some people compliance isn’t just about storing what happened, it’s about making sure certain things can’t happen in the first place and being able to retrieve it in a fashion that meets regulatory requirements.

“There’s Klingons on the starboard bow”


The list goes on…and we haven’t even thought about what else is happening on the corporate network. What about Skype, Yahoo, GoogleTalk , Windows Live Messenger and Blackberry PIN / SMS to name but a few?

Of course the OCS Archive server wasn’t designed to be an enterprise platform covering so many different flavours of IM – but it is rare to see just one flavour of Instant Messaging on a corporate network. From a management perspective alone it makes sense to have a consistent policy around all authorised channels and block everything else.

…and finally, there’s the whole issue surrounding Social Networking. “We block it”, I hear you say. Well, that’s all well and good, but last time someone told me that I searched Twitter and found no less than 5 accounts tweeting on behalf of the company. I then searched Facebook and found a network, groups and employees.

Couple this with the huge pressure many companies are under to enable sites like Facebook, LinkedIn & Twitter for legitimate business purposes along with the reach it gives sales and marketing for the company’s brand and you can see why there’s such a lot of noise in the corporate space surrounding Social Networking.

Ask FINRA (Financial Industry Regulatory Authority) or the UK’s FSA (Financial Services Authority), both have issued specific guidelines regarding social networking posts, saying that they need to be treated as forms of electronic messaging. This means that they effectively need to be subject to the same controls mentioned above.

So. Yes, you can indeed store your OCS IM conversations in the OCS Archive server. Does it give you IM compliance? Not as we know it, Captain.

Robin J Smith is FaceTime’s Technical Manager for EMEA, an occasional Star Trek viewer and is currently looking for suggestions on how to get the above song out of his head. You can follow him on Facebook, LinkedIn or Twitter.