Forensic Email Compliance Guide

Cryoserver is a forensic compliance system that captures and stores emails and instant messages in real-time for regulatory compliance. It intercepts communications from various email platforms like Microsoft Exchange and stores them in an encrypted, tamper-proof appliance. This allows for fast searching and retrieval of messages as potential evidence. The distributed architecture of Cryoserver allows for scalability and avoids bottlenecks. It also includes storage management features that reduce the size of email stores by replacing attachments with links to reduce storage usage. Cryoserver provides an easy-to-use interface for searching and retrieving messages while maintaining security.

Uploaded by Alexandru Petcu

White Paper

Technical Overview

FCS / Cryoserver | [email protected] | www.cryoserver.com | +44 (0) 800 280 0525


1. EXECUTIVE OVERVIEW

1.1 Purpose

This document describes the architecture of Cryoserver and explains how the Cryoserver modules work together.

1.2 Introduction

The New Cryoserver Appliance repositions the Cryoserver forensic email compliance solution from the pure security sector into email/IM security and storage management. Cryoserver eliminates the need for email backup, DR and quotas while providing unprecedented compliance & lifecycle management. Simple to use, installed in minutes, providing email protection forever.

Cryoserver is considered one of the leading Forensic Compliance Systems. It takes an audit copy of electronic communication sent to, from and around an organization in real-time. Data is held within the Cryoserver Appliance in an encrypted, tamper-evident environment that can be searched extremely quickly. This is suitable for use in legal/regulatory compliance, producing data in court with high evidential weight and for speedy resolution of disputes and other situations that require or demand electronic messaging as evidence. The Cryoserver repository of messages is designed to prevent arbitrary and unauthorized deletion or alteration.

Additional technical information is provided to help the reader assess the infrastructure impact and requirements of implementing Cryoserver.

1.3 Overview

Cryoserver accepts email messages, either by network interception or, more typically, using a journaling, POP or IMAP collector, from a variety of email messaging platforms. These include Microsoft Exchange, IBM Lotus Notes, Novell GroupWise, Sun Java Enterprise System (JES), Scalix, Fujitsu Teamware and others.

Cryoserver captures Instant Messages using network interception.

Cryoserver copies messages for storage and indexing. A search engine is provided that can query large volumes of archived data by content, including any attachments and metadata. Cryoserver is a distributed system and designed to be scalable and robust.

2. ARCHITECTURE

2.1 Design Goals

Cryoserver has been designed to aid organizations requiring a totally dependable system for storing electronic messages for later retrieval. We believe that Cryoserver satisfies the requirements for regulatory authorities and is able to provide a trail of data with high evidential weight for use in a court of law.

Distributed: A distributed architecture enables the system to be configured to avoid processing, storage and network traffic bottlenecks.

Appliance independence: Cryoserver is delivered as an independent pre-built Appliance solution. The solution has also been certified on IBM, Sun, HP and Dell servers.

Scalable: Cryoserver’s Appliance architecture means that it can be scaled to meet existing and future requirements simply by adding more appliances as necessary, without impacting the existing storage and indexing configuration.

Open architecture: Cryoserver’s open architecture means that IT professionals can be satisfied that it will meet required performance, scalability, robustness and security standards. It also means that Cryoserver can be integrated with third-party email, storage and indexing systems.

Robust: Full use is made of hardware and operating system level redundancy capabilities, integrating readily with an organization’s business continuity and disaster recovery programmes.

2.2 Key User Features

Cryoserver has been designed to be intuitive and easy to use.

Searching: Relevance-ranked reporting of messages that satisfy a user’s search criteria. Capability to sort the reports according to user-specified requirements (size, date etc.). Dynamic links are provided directly to summarised email (and attachments).

Flexibility of searching: Simple search on content and metadata plus sophisticated searching utilising stemming, sound-alike and proximity.

Email recovery: Retrieval of messages by individual users with the ‘forward to inbox’ facility.

Secure access: The front-end is delivered seamlessly through Outlook or over HTTPS and users are authenticated against LDAP or Active Directory.

Remote access: Remote access through any appropriate browser system (subject to security constraints).

Credibility: As Cryoserver retains a copy of messages and their associated metadata in real time, messages retrieved demonstrate a full chain of communications and are more credible than data retrieved from servers or back-up tapes (which may not show a full record as deletions/alterations are possible).

3. STORAGE MANAGEMENT & STUBBING

The Cryoserver architecture also supports storage management features with the ‘mailbox management’ or stubbing facility. Companies, if they choose to, can eliminate the need for quotas and message size restrictions and give users a mailbox of virtually unlimited size while also controlling message store growth. Exchange store management significantly reduces the size of Microsoft Exchange stores, further reducing e-mail storage by as much as 80 per cent (1). Furthermore, administrators can significantly reduce the time spent dealing with mailbox housekeeping. Combined with other features of the Cryoserver solution, the need for Exchange Server backup operations is significantly reduced (and can be eliminated).

Automated policies on the Exchange server replace each attachment with a referrer which points to the email attachment in the Cryoserver repository instead. This gives immediate benefits back to an organisation, as less expensive primary disk is utilized on the Exchange server, an application server. The reduction in storage volumes in use boosts Exchange performance and, in turn, end user productivity. Original attachments are replaced; for example, a 10MB email can be reduced to a 15kb email in the user’s mailbox which opens the attachment from the Cryoserver repository instead. To the end user it is a transparent process and requires zero .

(1) The actual amount of storage saving is dependent on the stubbing rules defined. The lower the stubbing rule latency (i.e. the shorter the time emails are retained) the greater the storage savings.
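The stubbing policy described in this section, as an added example (not Cryoserver's or FCS's code): once a message is older than a configured latency, each attachment is moved into a hypothetical repository and a small text part carrying a referrer is left in its place. The repository, its URL scheme and the latency value are assumptions, and the message is constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import format_datetime

# Hypothetical repository (attachment id -> bytes) and an assumed URL scheme.
REPOSITORY = {}
REPO_URL = "https://archive.example.internal/attachment/"


def archive_attachment(data: bytes) -> str:
    """Keep the attachment bytes and return a content-derived id."""
    ref = hashlib.sha256(data).hexdigest()
    REPOSITORY.setdefault(ref, data)
    return ref


def stub_message(raw: bytes, now: datetime, latency: timedelta) -> bytes:
    """Stubbing rule: once a message is older than `latency`, each attachment
    is replaced by a small text part referring to the archived copy; younger
    messages come back unchanged (shorter latency = more primary disk saved)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if now - msg["Date"].datetime < latency:
        return raw
    stubbed = EmailMessage()
    for header, value in msg.items():
        # Copy the envelope headers; the content headers are rebuilt below.
        if header.lower().startswith("content-") or header.lower() == "mime-version":
            continue
        stubbed[header] = value
    body = msg.get_body(preferencelist=("plain",))
    stubbed.set_content(body.get_content() if body else "")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        ref = archive_attachment(data)
        note = (f"Attachment '{part.get_filename()}' ({len(data)} bytes) "
                f"is held in the archive: {REPO_URL}{ref}")
        stubbed.add_attachment(note, subtype="plain",
                               filename=f"{part.get_filename()}.stub.txt")
    return stubbed.as_bytes()


def stub_references(raw: bytes) -> list:
    """Repository ids referenced by the stub parts of a (stubbed) message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    refs = []
    for part in msg.iter_attachments():
        text = part.get_content()
        if isinstance(text, str) and REPO_URL in text:
            refs.append(text.split(REPO_URL, 1)[1].strip())
    return refs


def build_sample(sent: datetime, attachment: bytes) -> bytes:
    """Constructed sample message (not real traffic) carrying one attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Q3 report"
    m["Date"] = format_datetime(sent)
    m.set_content("Report attached.")
    m.add_attachment(attachment, maintype="application", subtype="pdf",
                     filename="q3-report.pdf")
    return m.as_bytes()


def demo() -> dict:
    """Run the policy over one constructed message and report what happened."""
    sent = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    payload = b"%PDF-1.4 " + b"x" * 200_000      # ~200 KB constructed attachment
    raw = build_sample(sent, payload)
    fresh = stub_message(raw, sent + timedelta(days=1), timedelta(days=30))
    aged = stub_message(raw, sent + timedelta(days=60), timedelta(days=30))
    refs = stub_references(aged)
    return {"raw_bytes": len(raw), "stubbed_bytes": len(aged),
            "unchanged_when_fresh": fresh == raw, "refs": refs,
            "archived_intact": all(REPOSITORY.get(r) == payload for r in refs)}


if __name__ == "__main__":
    print(demo())
```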

4. CRYOSERVER ADMINISTRATION

Within Cryoserver there are four types of users: basic, privileged, administrator and superuser. Cryoserver administration is carried out by administrators and superusers.

4.1 Administrators

Administrators are responsible for creating and maintaining Cryoserver specific accounts, which are normally restricted to a small number of privileged and administrative accounts. All actions are logged for audit purposes; administrators have no access to the email repository.

When an administrator logs in they are directed to the User Administration section of Cryoserver, which is shown in the image below:

Figure: Administrative User Interface

Company Details include Configuration, License Key, Reports, Data Guardian, retention period, SMTP address, LDAP configuration, email format and data guardians.

The Monitoring screen (shown below) is important as it allows the status of all of the Cryoserver modules (nodes) to be viewed, even if they are installed on different servers in a distributed configuration.

The image below shows the status of (in order) the Storage Director (SD), the Search Engine (SE), the Spool Manager (SP), the Index Manager (IM) and the Storage Manager (SM). Where mirrored pairs of managers are used for resilience, the Partner column identifies the partner of each mirrored node. For nodes that use disk space the Capacity column shows the percentage and actual amounts of disk space currently used by the node.

Figure: Monitoring Page

All activity performed by the superuser is logged in Cryoserver and the audit log is emailed to the Data Guardian(s), who watch over the system.

5. SEARCH AND RETRIEVAL

The Cryoserver email repository can be searched by basic and privileged users only.

5.1 Basic Users

Basic users may use Cryoserver’s powerful email search facilities to access their own repository of emails. They normally access Cryoserver using their normal network login using LDAP / Active Directory authentication, although it is possible for administrators to create basic user accounts within Cryoserver if necessary.

5.2 Privileged Users

Privileged users have the ability to search emails throughout the entire repository. This level of access is intended for a few trusted individuals (such as a Compliance Officer, HR Manager or Data Protection Official) within an organization and should be considered in co-ordination with privacy regulations, both corporate and legislative. Privileged users are required to state their reasons for searching. All searches they carry out are logged, and session transcripts are automatically stored in encrypted format in Cryoserver as well as being sent by email to nominated Data Guardians who have the responsibility for checking that searches are in accordance with the stated reason, corporate policy and regulatory requirements.
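An added illustration of the access rules in sections 4 and 5 and of the session transcript the feature table later describes (not Cryoserver code): a session object that refuses repository access to administrator and superuser accounts, requires a stated reason from privileged users, restricts basic users to their own messages, and records login, each search with its result count, each viewed message and logout. The repository contents, role values and transcript layout are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

BASIC, PRIVILEGED, ADMINISTRATOR, SUPERUSER = "basic", "privileged", "administrator", "superuser"

# Constructed sample repository (not real mail): id, sender, recipients, subject.
REPOSITORY = [
    ("m1", "alice@example.com", ["bob@example.com"], "Q3 figures"),
    ("m2", "carol@example.com", ["alice@example.com"], "Leave request"),
    ("m3", "dave@example.com", ["erin@example.com"], "Q3 forecast"),
]


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    """One search session; the transcript is the audit record handed to guardians."""
    user: str
    role: str
    reason: str = ""                # privileged users must state one
    transcript: list = field(default_factory=list)

    def __post_init__(self):
        if self.role not in (BASIC, PRIVILEGED):
            # Administrators and superusers have no access to the repository.
            raise AccessDenied(f"{self.role} accounts cannot search the repository")
        if self.role == PRIVILEGED and not self.reason.strip():
            raise AccessDenied("privileged searches require a stated reason")
        self._log(f"login user={self.user} role={self.role} reason={self.reason!r}")

    def _log(self, line: str) -> None:
        self.transcript.append(f"{datetime.now(timezone.utc).isoformat()} {line}")

    def _may_see(self, msg) -> bool:
        return self.role == PRIVILEGED or self.user == msg[1] or self.user in msg[2]

    def search(self, subject_term: str) -> list:
        """Subject search; basic users are restricted to mail they sent or received."""
        hits = [m for m in REPOSITORY
                if subject_term.lower() in m[3].lower() and self._may_see(m)]
        self._log(f"search subject~{subject_term!r} results={len(hits)}")
        return [m[0] for m in hits]

    def view(self, msg_id: str):
        msg = next((m for m in REPOSITORY if m[0] == msg_id), None)
        if msg is None or not self._may_see(msg):
            self._log(f"view id={msg_id} denied")
            raise AccessDenied(msg_id)
        self._log(f"view id={msg_id}")
        return msg

    def logout(self) -> list:
        """Close the session; the caller stores the transcript and mails it to guardians (assumed)."""
        self._log("logout")
        return list(self.transcript)


def demo() -> dict:
    """Exercise the rules with constructed users and return what each could do."""
    out = {}
    basic = Session("alice@example.com", BASIC)
    out["basic_hits"] = basic.search("Q3")              # m1 only: m3 is not hers
    try:
        basic.view("m3")
    except AccessDenied:
        out["basic_view_m3_denied"] = True
    out["basic_transcript"] = basic.logout()
    priv = Session("hr@example.com", PRIVILEGED, reason="Case HR-0001 (constructed)")
    out["privileged_hits"] = priv.search("Q3")         # m1 and m3
    out["privileged_transcript"] = priv.logout()
    try:
        Session("hr@example.com", PRIVILEGED)          # no reason stated
    except AccessDenied:
        out["reason_required"] = True
    try:
        Session("root@example.com", SUPERUSER)         # no repository access
    except AccessDenied:
        out["superuser_blocked"] = True
    return out
```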

5.3 Search Interface

The standard search interface is shown below. Users can search for emails by specifying any of the search criteria. Searches can be refined where necessary by adding further search criteria and reissuing the search. Cryoserver’s speedy search capability ensures that users are able to quickly find the messages they are looking for.

Figure: Basic search screen, or Outlook look and feel

The advanced search provides more sophisticated searching capabilities, rather similar to what you might expect from a document management system. For example, you can search for combinations of words, for “stems” (words beginning with the same characters), and for words sounding similar.

Figure: Advanced search screen

5.4 Exporting

New to Version 4 of Cryoserver, and by customer demand, is the ability to export multiple records out of the Cryoserver system.

Cryoserver supports the ability to export via a single click button into multiple formats. These formats include the ability to zip up the emails, and to extract email to .EML or .pdf.

6. SECURITY

6.1 Introduction

In a distributed Cryoserver Appliance configuration consisting of multiple servers, the Cryoserver modules communicate with each other using RMI over SSL. Users access the search engine with HTTP over SSL.

6.2 Message Encryption

Access to the Cryoserver queries and administration is monitored and restricted by a User ID and password login. Security can be enhanced by using two-factor authentication using the RSA ACE Server and SecurID token.

All messages are encrypted using the Advanced Encryption Standard (AES-128) as the encryption algorithm, which offers high levels of data protection, before being committed to long-term storage. To put AES into context against, for example, DES, the National Institute of Standards and Technology (NIST) has estimated the time to crack a 128-bit key (assuming a machine could crack a DES key in 1 second) at 149 trillion years.

Cryoserver uses the Java Cryptography Extension (JCE), which supports pluggable cryptography modules. It is therefore possible to support a number of different cryptographic algorithms to meet the most stringent security requirements if required.

6.3 Message Digest

Before a message is committed to long-term storage an MD5 digest based on its content is computed and stored with the message. When a message is retrieved, a new MD5 digest is computed and compared to that stored with the original message. This allows the system to detect whether the message has been tampered with since it was stored. The user interface reports the results of comparing these message digests.
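The store-time and retrieval-time digest comparison of 6.3 as an added example (not Cryoserver code). The digest algorithm is a hashlib name, MD5 as this section describes by default; the in-memory store, the record layout, the report format and the sample message are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone


class ArchiveStore:
    """Keeps each message together with the digest computed when it was
    committed and a storage timestamp. Assumed in-memory stand-in for the store."""

    def __init__(self, algorithm: str = "md5"):
        self.algorithm = algorithm
        self._records = {}

    def _digest(self, data: bytes) -> str:
        return hashlib.new(self.algorithm, data).hexdigest()

    def store(self, msg_id: str, raw: bytes, stored_at: datetime = None) -> str:
        """Digest the exact bytes being committed and keep it with the message."""
        digest = self._digest(raw)
        self._records[msg_id] = {
            "raw": raw, "digest": digest,
            "stored_at": stored_at or datetime.now(timezone.utc)}
        return digest

    def retrieve(self, msg_id: str):
        """Recompute the digest on the way out and report the comparison, as the
        user interface does; the caller decides what to do with a mismatch."""
        rec = self._records[msg_id]
        recomputed = self._digest(rec["raw"])
        report = {"id": msg_id, "stored_at": rec["stored_at"].isoformat(),
                  "stored_digest": rec["digest"], "recomputed_digest": recomputed,
                  "verified": recomputed == rec["digest"]}
        return rec["raw"], report

    def _corrupt_for_demo(self, msg_id: str, new_raw: bytes) -> None:
        """Simulates a change made at the storage layer, bypassing store()."""
        self._records[msg_id]["raw"] = new_raw


# Constructed sample message, not real traffic.
SAMPLE = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
          b"Subject: Invoice 1042\r\n\r\nPlease pay GBP 1,200 by Friday.\r\n")


def demo() -> dict:
    """Store one message, verify it, alter it in place, verify again."""
    store = ArchiveStore("md5")
    stored = store.store("m1", SAMPLE, datetime(2024, 3, 1, tzinfo=timezone.utc))
    _, before = store.retrieve("m1")
    store._corrupt_for_demo("m1", SAMPLE.replace(b"1,200", b"12,000"))
    _, after = store.retrieve("m1")
    return {"stored_digest": stored, "verified_before": before["verified"],
            "verified_after": after["verified"],
            "mismatch": after["stored_digest"] != after["recomputed_digest"]}
```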

6.4 Remote Method Invocation

Remote Method Invocation (RMI) is Sun’s architecture for distributed Java applications. Even without encryption RMI has a reputation as a secure protocol since the bulk of the traffic consists of serialised objects that are the parameters or results of remote method calls, making reconstruction and interpretation of an intercepted conversation extremely difficult.

6.5 Secure Sockets Layer

Secure Sockets Layer (SSL) is an open standard for providing a communication link for client/server applications that prevents eavesdropping, tampering or forgery. SSL is widely accepted as the standard for secure communication over the Internet and is relied on for e-commerce and other security-critical applications.

6.6 Secure Authentication

Users connect to Cryoserver over HTTPS using a standard web browser. Cryoserver is usually configured to authenticate basic users against an LDAP-enabled directory, which avoids the need to create additional user lists within Cryoserver. Administrative and privileged users are managed within Cryoserver’s built-in authentication system.

The authentication modules of Cryoserver are extensible, allowing for RSA SecurID challenge-response authentication.

7. IMPLEMENTATION CONSIDERATIONS

7.1 Platforms

The standard Cryoserver modules are written in Java and have been certified on Solaris and Linux operating systems. Modules depending on third-party components such as collectors for proprietary email servers rely on platform-dependent APIs.

7.2 Firewalls

Part of a Cryoserver implementation project involves documenting the relevant network infrastructure to identify where internal firewalls may need to be reconfigured to allow Cryoserver network traffic. The ports used by Cryoserver for inter-module communication can be configured where necessary to conform to local security/infrastructure policy.

7.3 Redundancy and Reliability

In order to provide a Cryoserver Appliance solution with the highest availability and to provide resilience to a site disaster, it is recommended that Cryoserver Appliance is deployed in a mirrored configuration. In this configuration, messages received by the master Cryoserver system are immediately copied to the slave Cryoserver system. The messages are processed in parallel by the respective Storage Manager(s) and Index Manager(s) and the systems are maintained in an identical state at all times. It may not be necessary to perform tape backups when a mirrored Cryoserver configuration is deployed, which provides the very highest levels of availability. In the event of a disaster, it is possible to restore data from one system to the other without losing or missing messages.

7.4 Volumetrics

Volumes of email traffic vary significantly from organization to organization. Analysis of email network traffic and storage requirements is normally undertaken as part of a pre-installation audit.

7.4.1 Storage

The Storage Managers and the Index Managers use permanent storage. Cryoserver’s file-based Storage Manager saves messages in compressed files; a compression ratio of approximately 50% can be expected depending on message content distribution, together with an overhead of approximately 15-25% for index storage, which depends upon the mix of messages and attachments. Experience has shown that the average storage requirements of a typical user are approximately 1 GB per year. Cryoserver typically configures its systems with sufficient storage for at least two years, which equates to 2 GB per user. Obviously this varies from one organization and industry sector to another.

Small and medium sized Cryoserver deployments are normally configured using either the C100 (~100 users) or C250 (~250 users) appliances. Larger Cryoserver implementations will go for the C500 (~500 user box).

For those wanting a customized solution we can utilize and install the Cryoserver software onto HP, IBM, Dell or Sun hardware with securely configured SANs for data storage. Cryoserver is supported on major SAN platforms including EMC, HDS and HP. In SAN implementations it is possible to use storage replication software such as MirrorView (CLARiiON) or SRDF (Symmetrix) from EMC to mirror data to remote locations without the requirement for a second deployed Cryoserver.

7.4.2 Network Traffic

Replicating email messages to Cryoserver will generate some additional network traffic. In general the effect will be to almost double the network traffic due to email messages. However, in most environments the impact on an organization’s network infrastructure will be fairly low as the bandwidth generated by email traffic is not normally very high. It is fairly straightforward to estimate the overall effect based on the number and average size of messages sent at peak times.

7.5 Position of Cryoserver in an Existing Network Architecture

The following scenarios depict where the Cryoserver appliance might be placed in an organization’s network architecture. Cryoserver is designed to work in concert with existing firewall, virus scanning and content scanning technologies.

Cryoserver was also designed to be as flexible as possible, and so can be integrated with many types of network architecture that are not shown in this document. Large organizations with many mail servers may benefit from having an equal number of Cryoserver devices to reduce network traffic.

7.5.1 Collector Running on the Mail Server

Figure: network diagram labelled Internet, Firewall, Content Scanning/Virus Checking, Mail Server, User and Cryoserver, with the numbered steps 1, 2 and 3 below.

1. Inbound mail from the Internet is allowed onto the network by a firewall.
2. Messages are scanned for viruses and inappropriate content.
3. Messages are delivered to the mail server. Cryoserver takes an audit copy of each message.

This is the recommended configuration because both internal and external messages are captured by Cryoserver. The Cryoserver architecture is flexible and it is possible to configure Cryoserver to meet other requirements.

8. FEATURE AND BENEFIT SUMMARY
Regulatory requirements and good business practice can dictate that records
be kept for considerable periods of time. There are also new liabilities, and now
that the greatest single reason for employee dismissal is email abuse, it makes
it even more important to be able to keep full records of emails and speedily
find any that need to be relied upon for evidential purposes.

In some highly regulated industries, email must be retained for long periods,
particularly in financial, legal and healthcare sectors. In such environments
there is now growing awareness that there needs to be a fully auditable
forensically compliant copy of individual emails in order to meet legal and
regulatory requirements – sometimes in order to show that an organization
was not in possession of or communicating certain information.

In the event of litigation, records may need to be retained indefinitely. Yet there
are costs, time and expense associated with the need for data retention and
retrieval. Such systems need to be beyond interference and yet remain easily
accessible.

8.1 Table of Features and Benefits

Complete Record

Feature: Captures a copy of every email. Stores a copy of every internal and external email including attachments.
Benefits:
- Users can quickly retrieve any email that they may have inadvertently deleted (personal disaster recovery).
- IT department will not waste time trying to restore lost mail.
- Email is captured, even if an employee tries to delete it and hide evidence.
- No reliance upon end-users categorising emails as they decide which ones should be archived.
- Deters employees from sending non-work related emails.
- Reduces the amount of emails sent by users, therefore efficiency increases.

Feature: Content of emails and email attachments is indexed prior to storage.
Benefit: Allows very fast retrieval at a later date.

Feature: No end-user ability to delete emails.
Benefits:
- Email is legally admissible.
- Fully compliant record. Helps directors and officers avoid accusation of poor record keeping or email shredding.
- Facilitates the cause and effect chain of events to be fully detailed from stored emails.
- Helps prove a negative – show what information has not been sent or received.

Feature: Intercepts and stores blind carbon copy information. Mail servers do not normally record this information, but Cryoserver’s record is complete wherever possible.
Benefit: Employees are discouraged from sending confidential information out of the organization using hidden bcc addresses.

Feature: Records who was in the distribution list at the time an email was sent / received.
Benefit: Administrator can check who was in a distribution list at a particular time.

Comprehensive Audit Trail

Feature: Privileged and administrator level access to the system is audited using a transcript of their session. Transcripts show: log in time, the search criteria, number of results, messages viewed and log out time. These are then stored and sent out to a list of trusted guardians.
Benefits:
- Ensures employee privacy is protected and access is not abused.
- Protects investigators from being wrongly accused.
- Increases trust in the IT Department.

Feature: All privileged and administrative access to the system is recorded and retained securely. Summaries of such searches are emailed to nominated trusted individuals.
Benefits:
- Ensures that emails are only accessed for legitimate reasons.
- Removes the temptation to snoop on employees.
- Allows officials to monitor each other’s activities and enforce good corporate governance.

Robust

Feature: Mirrored configuration.
Benefit: Complete hardware redundancy allows continued operation even in the face of total loss of a server.

Feature: Emails are stored with a timestamp and “digital fingerprint”.
Benefits:
- Attempts to tamper with stored data can be detected.
- Allows proof of an accurate and complete record of messaging data.

Feature: Access to the system is only possible through a secure web interface.
Benefits:
- Only authorised users are able to access other individuals’ email.
- Enforces data access policy. Allows compliance with data protection rules concerning access to personal data.

Feature: All traffic passing between the Cryoserver modules is SSL encrypted. The front-end is delivered over HTTPS and user passwords are stored in encrypted format.
Benefit: Information is protected as far as possible from eavesdropping.

Complete Record

Feature: Four access levels.
- Level 1 – Basic users: can only see messages they have sent or received.
- Level 2 – Privileged users: can see all messages in the repository. All actions taken are logged for audit to ensure employee privacy is protected.
- Level 3 – Administrators: can create accounts, modify user details and reset passwords. All actions they take are logged for audit. Cannot see any emails.
- Level 4 – Superusers: manage overall system configuration and monitor performance and capacity.
Benefits:
- All end users can quickly access copies of the emails they have ever sent & received.
- If necessary, and with safeguards, it is possible to find and retrieve any email within the entire repository.
- It is possible to give one department (IT) responsibility for system management (Administrator rights), but give responsibility for email investigations (Privileged rights) to another (HR).

Feature: Emails can be forwarded in real-time to a secondary storage location.
Benefits:
- Easy to implement long-term offsite storage at a disaster recovery centre.
- All data is secured from accidental or deliberate sabotage by duplication into a trusted secondary physical location.
- Reduces the load on existing mail servers by removing emails.

Feature: Email data is compressed before storage.
Benefit: File storage reduced to save on storage space and costs.

Flexible

Feature: Compatible with current mail servers. Microsoft Exchange, Novell GroupWise, Lotus Notes, Sun JES and Teamware are amongst the mail servers supported.
Benefits:
- Cryoserver will work in an environment with legacy mail systems, capturing copies of emails into a single repository.
- Investments are protected because Cryoserver allows you the flexibility to change mail server in the future.

Feature: Modular system design architecture.
Benefit: Repositories can be strategically placed throughout the organization or tactically placed to monitor specific, sensitive business activities either globally or locally.

Fast email retrieval

Feature: Browser-based user interface.
Benefits:
- Familiar interface means no end-user training and no need for desktop software installation, cutting down set-up time and costs.
- Data can be accessed from any convenient location, subject to security constraints.

Feature: Simple search on content and metadata.
Benefit: All users can very quickly and cost-effectively track down their own historic emails containing the subject matter that they are interested in.

Feature: Advanced search utilising stemming, sound-alike, and proximity.
Benefits:
- Retrieve hard-to-find information, whether buried within the body of an email or within an email attachment.
- Allows response to Subject Access Requests within seconds, or other disclosure requests in a timely and cost-effective manner.

Scaleable

Feature: More storage and indexing capacity can be added as requirements grow. No impact on the existing storage and indexing regime. Capable of handling the many terabytes of data held by larger organizations.
Benefits:
- No longer a need for employees to keep insecure and unreliable storage on their local hard-drives (PST files) or to keep within mail quotas.
- The email load on the existing mail system can be reduced, so improving reliability of mail services.
- Cryoserver can be scaled to suit all sizes of end user organization and service provider.

Feature: Distributed architecture.
Benefit: Network traffic can be reduced by placing storage modules close to individual mail servers.

Feature: LDAP / Active Directory support. Users can be authenticated against an existing user list.
Benefit: No need to create or maintain a separate list of email users on Cryoserver – reducing set-up and maintenance costs.
Version: xxxxx xxxxxx
