The dangers of legacy email archives


To everyone who continues to own a legacy email archive -- beware! You are sitting on a ticking time bomb.

By legacy email archive, I mean an email archive that was designed in the early 2000s and is likely deployed on premises, though in some cases it is a hosted email archive solution. A legacy email archive presents three major risks to your IT infrastructure and to your organization as a whole.

The Security Risk

The problem with old email archives is that they were designed and deployed using very old hardware and software. Take Microsoft Windows Server 2003 and Microsoft SQL Server as an example. Both products were the mainstay of virtually every email archiving solution.

Today, there are still legacy email archives running on these end-of-life products, and they present a critical security risk to your organization. I can share with you that we at Archive360 recently completed a legacy email archive migration for a customer whose archive was running on Microsoft SQL Server 2000. SQL Server 2000 has been end-of-life since April 2013.

Many of the security risks stem from the fact that fixes for known vulnerabilities in aging or soon-to-be end-of-life products were simply never released. There are various reasons for this, but in many cases the bottom-line guidance directly from Microsoft was to migrate away from these platforms. And, as discussed above, not everyone did so.

As an example, here is a link to a Microsoft Security Bulletin describing a vulnerability in the Network Location Awareness service that could allow a security bypass.

The Legal Risk

Frivolous lawsuits are a common threat to all organizations, in particular lawsuits from ex-employees. The number one source of evidence for such lawsuits is email. Legacy email archives can potentially contain years of old email.

Here is a quick tip: take a minute and perform a search of your legacy email archive. How many years of email does it contain? Now approach your General Counsel and ask him/her what the company retention policy for email is. Try to get a clear answer -- say three, four or five years. Email retention may be governed by an industry regulation, and it is the responsibility of the General Counsel to figure this out. Armed with your company’s policy and the legally appropriate retention number (years), enforce it immediately on the email archive database.

Questions you should be asking:

1. What is your company policy for retaining email for ex-employees? It may be less than the retention period for active employees. Departed employees can number in the hundreds (or thousands) and huge amounts of email can accumulate in the email archive unnecessarily.

2. How much archive email is on legal hold? Have the cases been completed and can the legal hold be released? Check with your General Counsel and make sure that you are not keeping email that is on legal hold longer than is necessary.

The bottom line is that your email archive will accumulate a vast amount of email. It is prudent to keep a close eye on email retention, to dispose of email that does not need to be retained, and to protect email that must be preserved. Email that is kept past its useful life poses a legal risk to your organization.

The Support Risk

Let me preface this discussion by saying that it is a fact of business that companies (and products) are acquired and sold. So it is no surprise that the majority of legacy email archive products have had multiple owners. There are many benefits of new ownership, including new funding and additional resources to benefit the product. But there are also many disadvantages.

1. First, consider the reason for the ownership change. Was the new owner in pursuit of the archive product, or was the archive product just part of a larger purchase? Many times the new owner has only a minor interest in the archive product and is not likely to invest in its future potential.

2. Will the new owner have the technical resources to continue product development? Many new owners purchase a product to gain market share and are not interested in continuing a robust (and costly) product roadmap.

3. How good is the support with the new owner? The first change you can expect is that the new owner will increase support fees. How else can they recoup the cost of the acquisition? Will you continue to receive the same level of support? Will severity one bugs continue to be fixed?


If you are sitting on a legacy email archive and putting off the decision to make a change -- I hope that I have got your attention. Thousands of organizations have successfully moved to new email archive platforms, so there is a light at the end of the tunnel.

Bill has over 25 years of technology experience, including more than 15 years in archiving, information governance, and eDiscovery. He is a frequent speaker at legal and information governance events and has authored numerous books, articles and blogs.

Published under license from, a Future plc Publication. All rights reserved.
