One of the interesting new concepts being introduced with Exchange 2010 is “Personal Archiving” vs. “Organizational Archiving.”

At the recent TechEd, a Microsoft instructor introduced personal archives as a means to reduce primary mailbox size and circumvent quotas without losing organizational control. In effect, personal archives are a new replacement for PST files.

Personal archives are part of Exchange Server and are associated with an existing primary mailbox. Email can be moved from a primary to an archive mailbox using policies. Users access both primary and archive mailboxes side-by-side via Outlook and OWA.

The main functions you get from a personal archive are:

• Basic message retention (Move-to-Archive Policy; Delete Policy; Hold Policy)
• No single instance storage
• Simple role-based access (e.g., so auditors can view user mailboxes)
• Basic keyword and metadata-based search across mailboxes, typically via browser
• Bulk PST import/export from file share; no PST crawler

Organizational archiving goes beyond the scope of personal archiving and delivers full mailbox capture for all users, full single-instance storage across all data, and advanced search and case management tools for e-discovery.

By way of comparison, a typical third-party email archival solution can be expected to deliver all or a portion of the following key functions:

• Logs, WORM, read only
• Single instancing/compression
• Configuration auditing
• Mailbox auditing
• Journaling metadata
• Rogue admin protection
• Regulatory accreditation
• Protected content (signing/encryption)
• Federated discovery, retention, and reporting across content
• Data mining and visualization
• Case management and advanced e-discovery
• Archive for Bloomberg data and other non-Microsoft IM data
• Monitoring and supervisory tools
• Archive for files and SharePoint

In effect, Microsoft is positioning the new archiving features in Exchange 2010 for personal archiving and leaving the door open for third-party solutions to deliver more advanced feature necessary for organizational archiving. Small organizations will find the basic features of Exchange 2010 satisfactory to reduce the strain on storage growth and eliminate PST files. But for organizations that require full email retention and advanced e-discovery, a third-party email archiving solution is the answer for the next few years.

… Bob Spurzem

If you are considering Exchange 2010 for archiving, be aware of two factors that can increase the cost of, and delay, implementation:

• The archiving features of Exchange 2010 require enterprise CALs. If you are not already using enterprise CALs, then you must pay the additional cost to upgrade.
• To use Exchange 2010 archiving, you must also upgrade to Office 2010. This will ship six to nine months AFTER Exchange 2010 ships. This will add a significant cost to an organization that has Office 2007 deployed and does not wish to upgrade all of its desktop machines. Without Office 2010, you can’t leverage the archive functionality.

… Bob Spurzem

The latest versions of Windows allow for far greater scalability. Here’s why.

There are basically three ways to improve the compute performance of an IT platform:

• Increase the clock speed of the processor.
• Increase the number of processors--”scale up.”
• Increase the number of computers (processor/s + memory pairs)--”scale out.”

The above, of course, assumes that there is sufficient memory (RAM) to keep the processor/s busy, and sufficient I/O bandwidth to keep memory full. The former is the reason that the next release of Windows Server (Windows Server 2008 R2) will be available only in 64-bit versions.

As we discussed in an earlier posting (A Subtle Change to Microsoft Server Pricing), increasing clock speed is no longer a practical possibility, because doing so requires too much power and generates too much heat.

Processor manufacturers have responded to this limitation by increasing the number of processors that fit on a processor chip (scaling up), and this is a trend that will continue. Hardware system manufacturers have responded by increasing the number of processor chips (CPU packages) that can be plugged into a system (scaling up). This is relatively cheap to achieve when only a small number (2-4) of processor chips plug directly into a motherboard, but becomes much more expensive once a larger number of processor chips need to be supported.

Unfortunately, figuring out how to support a large number of processors at the hardware level and preventing contention for memory (RAM) from massively degrading performance deals with only part of the problem. Unless the OS can keep a large number of threads active, the expense of assembling systems with a large number of processors would be wasted. Historically, OSs have had difficulty doing this, largely because of their need to sequentialize access to data structures. It is often the case that a large number of processors are idle while waiting to access a dispatcher (thread to processor binder) data structure.

In Windows Server 2008 R2, Microsoft has achieved a major breakthrough: It has developed a lock-less dispatcher. This does not at a stroke eliminate lock contention (for example, to a database record, etc.), but it does mean that contention will not now occur at the most basic level of the OS. It is for this reason that we feel comfortable stating that Microsoft Windows Server 2008 R2 will “scale up” with a vengeance.

If systems can “scale up,” why bother to “scale out”? The answer is cost. A “scaled out” cluster of inexpensive computers is much, much cheaper than a single massively (>16 processors) “scaled up” system. What is more, systems can “scale out” from a hardware standpoint, effectively without limit, while “scale up” hardware is always restricted in the maximum number processors that a particular configuration can support. So what’s the catch?

The answer is software. In general, applications can only be “scaled out” when they can be broken up into an unlimited number of instances that run without interaction with each other--a so-called “shared nothing” application. A good example is an application that serves up Web content, either static or dynamic. Another, rather surprising application, is an Oracle database cluster. Neither Microsoft’s SQL Server nor IBM’s DB2 (UDB variant) are “shared nothing” systems, and are therefore, not amenable to “scaled out” deployment.

… Nick Shelness

Google Wave was announced at the Google IO developers’ conference in late May 2009.

Quick Summary:

• SaaS team workspace.
• To give you a general idea, think of a souped-up/Web 2.0 Wiki or bulletin board. My colleague Steve Kille aptly called it a “bulletin board on steroids” under the hood.
• Currently in an early state of development.
• Google wants to get developers to integrate with Google Wave. This presentation was to encourage them to start writing Wave applications.
• Expect general availability in perhaps mid-2010. As noted, this is still early-stages code.
• Main features currently:
  • Post messages and responses to them--build extensive conversations.
  • People can concurrently work on documents.
  • Send instant messages.
  • Post photos and videos.
  • Built-in access controls.
• Highly interactive.
• Support for mobile clients, with more limited user interfaces, is anticipated.
• There’s a very nice ability to see how conversations have evolved, step by step.
• Works with external workflows.

Application Platform:

• Many third-party integrated applications are anticipated.
• Google wants Wave to be open and interoperable. To this end, it will:
  • Publish a rich set of protocols and APIs.
  • Generally make it easy for third parties to write their own Wave servers and clients.
  • Make Google’s Wave implementation available as open source software.

You can see the main presentation here. It runs for 80 minutes; it’s worthwhile if you’re interested in SharePoint/teamspace style collaboration.

Comments:

• Wave has big potential to provide shared workspaces.
• Google presents Google Wave as a more modern alternative to email. It’s an exciting and attractive technology, but one that I think is more of an alternative to SharePoint and team workspaces in general.
• It has some very important advantages over SharePoint, some of which are its openness and user- and developer-friendliness.
• The ability to concurrently edit live documents (rather than the traditional ECM approach of checkin/checkout) is very attractive.
• It appears relatively easy to build third-party, tightly integrated applications.
• Several extremely attractive applications were demonstrated, including:
  • An intelligent context-sensitive spell checker. For example, it can choose between the correct versions of “been” and “bean”; or change “Icland” to “Iceland” or “island” depending on what’s appropriate.
  • A very nice on-the-fly language translator. The demo showed English/French; 40 languages are supported in all.
• Notably, it currently lacks group calendaring. Presumably this can be fixed before too long.
• Notably, it currently lacks good support for the posting of email items. That’s a harder problem, as SharePoint’s poor email system illustrates.
• Emails will be important elements of Wave spaces. Google should show natural and easy ways of posting and using them.
• There are various types of access controls. It’s unclear at this point how well they will serve corporate needs.

… David Ferris

Many of you may recall how, in the mid- to late-1990s, email was considered “a toy” in many companies. Technology was still evolving, the prominence of the Internet was still coalescing, and server-based email solutions such as Microsoft Exchange were still in their infancy. Consider the ever-present and even addictive nature of email today, and we find many organizations where email has become mission critical.

The email wave was followed by the instant messaging wave, which has taken a similar path, coming approximately five years behind the email wave. Until several years ago, instant messaging was just something for young people to use, but not a serious technology for the enterprise. While parts of Europe and much of Asia still see instant messaging in this way, enterprise instant messaging and presence solutions such as Microsoft Office Communications Server (OCS), IBM Sametime, and Cisco Jabber have become a very real part of corporate messaging deployments throughout North America. Companies use instant messaging extensively for back-channel chats and for quick communications in lieu of email, and presence-enablement is starting to find its way into business applications.

We see social networking technologies as the third such wave, following the instant messaging wave by another five years. Currently most enterprise IT departments view social networking as a consumer application — essentially as a “toy” from a corporate perspective — though we are starting to see companies paying attention to Facebook, Twitter, and similar technologies. Whether trying to provide 140-character tweets to a rapidly growing audience, updating one’s Facebook status via a BlackBerry client, or simply networking through LinkedIn. We expect social networking technologies for the enterprise to start appearing in familiar applications, and social networking connectors like that announced by Virgin Mobile several months ago to increase in prominence. And we expect the evolution of social networking technologies to become mainstream in the enterprise within three to five years.

Our recommendation, then, is that companies should be planning ahead when it comes to compliance, data leak protection, and overall manageability around social networking technologies over the coming few years. We are seeing many organizations block (or attempt to block) popular social networking sites today, but expect this will only be a temporary phase in many cases, giving way to certain subsets of business-related social networking technologies as they emerge and are proven to add value to business.

… David Sengupta

In 2005, Microsoft acquired Frontbridge, one of the major providers of hosted email security services.

When it launched the Microsoft-branded version of the service, it was named Exchange Hosted Services (EHS). At the time, we said this was confusing, because:

1. It sounded as though it was a hosted Exchange service, rather than hosted services for your existing Exchange installation.
2. The services weren’t only for Exchange; they still worked with Notes/Domino and other email systems.
3. There was no recognition of Microsoft’s overarching security brand: Forefront.

Microsoft has now addressed these issues. The security components of EHS are now known as Forefront Online Security for Exchange.

It’s only taken four years. The typical perils of a large, siloed company.

… Richi Jennings

Google’s recent announcement of a Google Apps Connector for BlackBerry Enterprise Server (BES) represents another big stride in the ongoing Google Apps vs. Microsoft Exchange Online war that has been shaping up.

Free for Google Apps Premier and Education customers, the Google Apps Connector will provide near-instant push of Gmail messages to end-user BlackBerry devices, over-the-air synch or read/deleted status, synch of folders with Gmail labels, one-way (Google to BlackBerry) calendaring synch based on Google Calendar, Contacts synch, and offline e-mail access. Unsupported features include labels and mailbox search. The connector is installed on a BES server within the customer environment.

We believe this to be a major step for Google, however the lack of mailbox search and the unidirectional calendar synch will be an issue for many customers. Google will need to respond quickly with support for these features if it is to gain much traction in the mid- and larger-sized enterprise arena. The July release will be adequate for small businesses that have a dependency on BlackBerry devices, and should open the door for larger-sized organizations to start taking a serious look at Google Apps as a contender for hosted messaging and collaboration.

… David Sengupta

Leading content control vendor Clearswift has gone rather quiet for the last couple of years. Here’s a quick update.

There are two products:

Clearswift Email Appliance:

• Software product, sometimes sold as appliance
• Usually runs in VMware virtualized environment
• Main functions:
  • Policy-based scanning and control
  • Policy-based encryption (can use third-party encryption)
  • Virus control (can use one or more third party virus control services)
  • Spam control (either from Clearswift or third parties)
  • Image control
• Basic content scanning algorithm: boolean logic on metadata and regular expressions, managed list lookups
• Scans emails at Internet boundary; for MS Exchange also scans internal traffic

Clearswift Web Appliance:

• Software product, sometimes sold as appliance
• Usually runs in VMware virtualized environment
• Main functions:
  • URL category time and quota browsing controls
  • Malware and spyware suppression
  • Controls content written to webmail services, blogs and wikis
  • Multi-language profanity, business and compliance terms checks
  • Supports FTP over HTTP, HTTP & HTTPS/SSL
• Lexical keyword and regular expressions scans for searching for credit card (PCI) and social/national security number data (PII), customer defined phrases or using prebuilt dictionaries over all web traffic
• Outgoing and ingoing material is fully inspected before being transmitted onwards

Typical pricing:

• 2,000 seats for email and web appliance, recommended retail price inclusive of 24×5 telephone helpline support and all components:
  • Virtual Web Appliance including HTTPS; anti-virus; URL filter; anti-spyware and MIMEsweeper content control costs $43,800 for a perpetual license and the first year’s support; support from year 2 onwards is $24,090 annually
  • Virtual Email Appliance including anti-spam; anti-virus and MIMEsweeper content control costs $32,100 for a perpetual license and the first year’s support; support from year 2 onwards is $16,080 annually
• Ie, a total of about $26 annually on the basis of three-year costs

Competitive Position:

• Main competitors are Cisco/Ironport for email filtering, Websense for web filtering
• Company believes its main competitive strengths are:
  • Same technology behind email and web filtering, so unified administrator and user experience
  • Underlying technology is independent of type of electronic material, can work on many types of data structure
  • Production-ready support for virtualized environments (VMware, Microsoft Hyper-V)

Company:

• Privately held. Ferris Research estimates revenues at $15M to $20M annually
• CEO Richard Turner says that after a period of flat or declining revenue, GAAP sales for the year ending April 5, 2009 were 10% up on the prior 12 months
• Has been refining its sales messages. Focus now is to sell business solutions rather than technology
• 90% of sales are through channel: goal is to have 100% through channel
• Around 60% of revenues come from email scanning, the balance from the web appliance
• Has recently had major drive to reduce costs

Comments:

• With today’s content control technology, policy-setting is usually in IT hands. In principal, it makes much more sense to put this in the hands of qualified users. CONTENTsafe is recently shipping technology that lets users say “This is sensitive,” and then the system tries to define corresponding policy. Plus users can determine when to end-of-life the policy. Sounds like a very good idea
• No support for instant messaging today
• Image control is a hard problem. Eg it’s easy to confuse skin tones with kitchen cupboards, so you get many false positives or false negatives. 90% accuracy represents the state-of-the-art today
• Clearswift’s MIMEsweeper is the core of the offering. MIMEsweeper is a pioneer in the field of content control, and echoes of it are found in many competing products
• MIMEsweeper has suffered by being acquired by several organizations over the last ten years. Hopefully the changes over the last two years have refocused the company

… David Ferris

Since the early 1980s, Microsoft’s success has been predicated on a tripartite strategy:

1. Sell software, in volume, at about 20% of the incumbents’ prices.
2. Engage third-party developers.
3. Use industry-standard hardware.

These have clearly been the three keys to success for Microsoft — although we can argue the details of how revisionist this description of Bill Gates’ strategy is.

It’s also clear that Microsoft sees SaaS — if you insist, cloud computing — as an important part of its future business. For example:

• Exchange/SharePoint Online (Business Productivity Online Suite or BPOS)
• Exchange Hosted Services — including the Forefront Online Security for Exchange offering
• The Azure Services Platform

So this poses a problem for Microsoft. On the one hand, it’s important for it to sell its products for far less than its incumbent competition. On the other hand, the SaaS/cloud incumbents such as Google, Amazon, and Symantec use platforms that are less expensive to run at scale than Windows.

There’s no way that Microsoft can compete on price in these markets. Don’t expect Microsoft to repeat its previous successes by undercutting its rivals.

… Richi Jennings, with thanks to Microsoft’s Bob Muglia for the succinct description of Microsoft’s strategy

Ferris Research has learned that Microsoft recently made a quiet shuffle at the top of its Unified Communications and SharePoint businesses, placing Senior VP Kurt DelBene in charge of both R&D organizations. Under the new arrangement Rajesh Jha, Corporate VP Exchange and Office Live, Gurdeep Singh Pall, Corporate VP Office Communications Server (OCS), and Senior Director for SharePoint Tom Rizzo now all report into DelBene.

We see this as a critical move by Microsoft to achieve better integration among Exchange, SharePoint, and OCS as these products play an increasingly intertwined role in serving organizations communications and collaboration platforms, and as the same set of products gain prominence in Business Productivity Online Suite as a part of Microsoft Online.

Congratulations to DelBene, and to Microsoft for recognizing the importance of aligning these R&D organizations more closely as Unified Communications and Collaboration play an increasingly critical role in customer organizations.

… David Sengupta

Ferris recently had a briefing from Microsoft on the security of its Business Process Online Services (BPOS)--Exchange Online, SharePoint Online, etc. This presentation turned out to be of more interest to Ferris for its subtext than for the specifics it contained.

The subtext was that Microsoft was encountering concern (pushback?) from organizations about both the security of data held in Microsoft Online services, and the security of the services themselves. Stated another way, organizations appear to want to apply the same analysis to cloud-delivered services that they apply to on-premise-delivered services. We cannot believe that these concerns are unique to Microsoft, and are therefore an issue that will have to be addressed by all providers of cloud-based services and associated cloud-based data storage.

In an earlier posting, Microsoft Online: Security Issues, we addressed Microsoft’s compliance with standards and conventions as a means of convincing organizations of the security of its cloud-based services and cloud-held data. In this posting, we address another approach of which we became aware during the presentation.

Microsoft is offering two variants of its Online services:

• Standard
• Dedicated

The Standard offering is delivered by Microsoft from multitenanted server platforms controlled and managed by Microsoft. An organization adds/deletes/configures users using a Web-based “Administration Center.” In the case of Exchange Online, at least, some features of on-premise Exchange 2007 are missing. Namely, Public Folders, and IMAP and POP3 support.

The Dedicated offering is delivered by Microsoft from a dedicated, virtual server, platform/s controlled and managed by the customer. When employing a Dedicated offering, an organization is merely migrating its on-premise systems from its own data center/s to Microsoft data center/s, and no features are missing.

In previous briefings on BPOS, Microsoft had made no mention of these twin offerings. As noted in our earlier posting, this move by Microsoft seems to reflect significant pushback from organizations about replacing their on-premise systems with multitenanted cloud-based services.

… Nick Shelness

Ferris recently had a briefing from Microsoft on the security of its Business Process Online Services (BPOS) — e.g., Exchange Online, SharePoint Online, etc. This presentation turned out to be of more interest to Ferris for its subtext than for the specifics it contained.

The subtext was that Microsoft was encountering concern (pushback?) from organizations about both the security of data held in Microsoft Online services, and the security of the services themselves. Stated another way, organizations appear to want to apply the same analysis to cloud-delivered services that they apply to on-premise-delivered services. We cannot believe that these concerns are unique to Microsoft, and are therefore an issue that will have to be addressed by all providers of cloud-based services and associated cloud-based data storage.

Based on the specifics of this briefing, it would appear that Microsoft is attempting to answer these concerns in a structured fashion, as opposed to responding to specific queries. Its approach is to adhere to a set of standards and conventions, and where appropriate, submit its data centers and services to third-party audit and/or certification of adherence.

Among the relevant standards and conventions are the following:

• EU Data - Safe Harbor Framework. Compliance claimed by Microsoft.
• ISO/IEC 27001:2005. Compliance certified by British Standards Institute (BSI) Management Systems America.
• SAS 70 Type II. Third-party audits claimed by Microsoft.

What remains to be seen is whether this will be sufficient to satisfy organizations of the security of Microsoft’s cloud-based offerings, and if they are, what other vendors in this space (Google, Amazon, IBM, etc.) will do to achieve a similar outcome.

… Nick Shelness

AstraSync is a nice way to synchronize BlackBerries with Exchange:

• Synchronizes email, calendar, contact information.
• Synchronizes over the air using Microsoft’s ActiveSync protocol.
• No need for the additional cost and complexity of BES servers.
• No need for the RIM BlackBerry Desktop Manager.
• Consumers synching with a POP/IMAP mailbox don’t need the BlackBerry Internet Service.
• In addition to Exchange Server, works with MailSite Fusion, CommuniGate Pro, Zimbra, Scalix, FirstClass, and Kerio MailServer.
• No Outlook plugins required.
• Software download to BlackBerry required.
• $49/user/year; volume discounts apply.

… David Ferris

Stories about lost email. This case involves the Governor of North Carolina, his wife, leading officials at North Carolina State University, and corruption.

From an IT perspective, the following points are salient:

• Although the matter is currently active, the email in question dates back to 2005. This raises the issue of email retention and accessibility. Are you able to retrieve email that is years old? In this case the IT staff was asked to retrieve email that was over four years old.
• IT does not get input into the matter. Legally, the email was asked for, and it is IT’s job to find it. IT needs to work with its organization’s policy committee on such issues as email retention, so there is clear understanding of how long email is to be saved and the cost to retrieve it.
• Should the email not be found, as is the situation in this case, then the judge can issue an adverse judgment. This basically tells the jury that they can assume the worst because key email has been obviously destroyed to protect those being accused. This is clearly bad for IT, and the entire organization.

Email archiving is a well-accepted solution for keeping email secure and accessible long term. It’s becoming more and more common, so the argument that one didn’t have the right technology in place is gradually being diminished. If your organization is still not sure if it needs to archive email, it may be worthwhile forwarding this article to upper management.

… Bob Spurzem

Here’s an update on email and Web hygiene SaaS vendor MX Logic:

• SaaS offering:
  • Virus/spam/malware control for email
  • Email archiving
  • Email disaster recovery/continuity
  • Web malware filtering
• Main competition: Google/Postini and Symantec/MessageLabs.
• Competitive strengths: value pricing, ease of installation and use, strong reseller channel.
• Around 75% of sales are now through resellers; goal is to get 85% of revenues in 2009 this way, and ultimately to 90%.
• Company now spreading its reach internationally. Has good penetration in Japan.
• Financials: Privately held. Ferris Research estimates current revenue rate at $35M to $40M annually. VP Product Management Ryan Walsh says that the company has been profitable since February 2009.

Comments:

• The company has a big commitment to the channel, with some 1,800 partners. It expects almost all sales to be done by third parties, including sales to large organizations. That’s an interesting point of differentiation.
• It’s interesting that Microsoft’s anti-virus/spamware/malware SaaS offering isn’t the main competition. Microsoft has gone quiet in this regard over the last few years, presumably as it incorporates its FrontBridge acquisition.
• Another point of differentiation is value for money. MX Logic services are priced aggressively by its resellers. End customers often pay $1 to $3/user/month, depending of course on volume and mix of services.
• Given the current climate, it might be best if the recently achieved profitability can be maintained. That said, investment cash is available for pure startups and growing companies with a proven track record, so further fund-raising should be possible should MX Logic seek this.
• MX Logic has built its own cloud platform and feels its multitenant scalability is a major underlying strength. We see no reason to disbelieve this, although our knowledge of the platform is currently limited.

… David Ferris