Spurred to action by guidelines issued by organizations like the National Association of Securities Dealers and the Securities and Exchange Commission, Wall Street firms have taken the lead in investing in logging, auditing, and management solutions for public IM, as well as their own standalone IM servers.
A number of firms in healthcare, too, have been taking close looks at enterprise IM solutions, since the implementation of the first portion of the Health Information Portability and Accountability Act in April.
Now other fields are moving to secure instant messaging in the enterprise, and next up could be the energy industry. While it’s not currently driven by the same sorts of regulatory concerns as financial services and healthcare, energy traders and providers are just as eager to address potential security holes created by their employees’ use of the consumer IM networks.
Employees at Amerex Energy regularly use instant messaging to talk with customers. But the company isn’t able to deploy an in-house enterprise IM product, or to standardize on one IM network, chiefly because its client roster hasn’t standardized, either.
“It’s kind of interesting how the IMs grew in trading environments,” said Brian Trudeau, chief information officer at Amerex. “On the natural gas side, a lot of them use AOL and Yahoo!, whereas on the energy side, they use MSN.”
Because of this diversity, Amerex doesn’t have the luxury of using a single platform — or the IM management products offered by each of the networks. America Online markets a management gateway called the AIM Enterprise Gateway, while Microsoft offers MSN Connect for Enterprises.Yahoo! offers a hosted, secure IM solution dubbed Yahoo! Business Messenger (and previously known as Yahoo! Messenger Enterprise Edition.)
“I can’t force every broker to use Yahoo! Enterprise, because they’ll say their customers use MSN,” Trudeau said, adding that multi-network clients like Cerulean Studios’ Trillian, which are not authorized by the major IM networks, are avoided as well because of their occasional problems. “Some people try to use Trillian, but we don’t support it. We try to tell them not to use Trillian on the floor, it’s too unpredictable.”
But establishing some form of security on the business’s widespread IM use remains paramount to firms in the sector.
As Amerex discovered, Truman Arnold Companies realized it needed to take steps to secure its use of consumer instant messaging — but couldn’t standardize on a single platform.
“We were scaling around trying to find a product that would encompass all the different forms of IM out there,” said Michael Davis, director of IT at Truman Arnold. “We had realized there were potential security problems, even without tracking. Also, we have a trading desk, where we trade petroleum and energy … where we use IM.”
Truman Arnold turned to Akonix Systems’ L7 Enterprise to apply security features to employees’ use of instant messaging.
“We’re a privately held company, and didn’t have to conform [to logging and auditing regulations] like a brokerage firm would be,” Davis said. “That wasn’t a big deal. The security focus was really where we had our target set, and the gravy was we can now log messages.”
Meanwhile, Amerex went with IMlogic, and said it views logging as critical, even if it’s not currently a requirement.
“We’re not mandated to [log] yet,” Trudeau said. “But it’s a really good practice. A lot of our customers are energy traders that are required to log, but we aren’t yet … but we’re trying to comply and be a little more proactive about it.”
Amerex wound up switching to IMlogic from its previous solution — what Trudeau described as a more inexpensive, bare-bones competitor — because of IMlogic’s partnerships with the IM networks. That became a critical selling point after Amerex suffered downtime using its previous vendor whenever the IM networks updated their protocols — as Microsoft did when it forced an update to MSN Messenger Version 6.
“When IM platforms change, it was becoming problematic to keep up with updates because the other product was sometimes a week or so behind,” Trudeau said. “If MSN went up to Version 6 or so, it would come out and all of a sudden, our logging would break, and they’d say ‘OK, here’s a patch,’ and sometimes would take a few hours or few days. But the problem was, we couldn’t afford to wait.”
“Now [with IMlogic], updates are probably even being addressed before we call — we might even have the update before the IM client is updated in public, which is really what we were looking for,” he added. “We were looking for an IM solution that ensures that the company is being proactive instead of reactive.”
Similar considerations drove the purchasing decision at Truman Arnold.
“What appealed to us was [Akonix’s] subscription platform,” Davis said. “As these IM platforms change from time to time, Akonix has an R&D department spooled up finding those updates and rolling them out to make sure our software doesn’t go stale.”
Along with IMlogic and Akonix, FaceTime Communications — the third of the three major IM gateway vendors — has signed clients including Gulf South Pipeline and Dominion Energy Clearinghouse.
The trend could only increase, considering that the rest of the energy industry might be soon prodded into action by upcoming efforts from the Federal Energy Regulatory Commission that could set in place requirements for electronic security in energy trading companies.
Mirroring activity in the financial services sector in recent years, other energy regulators and industry groups already are looking for ways to harden their information security procedures. For instance, the Board of Trustees of the North American Electric Reliability Council (NERC) also voted this year to have members begin self-assessments for their adherence to NERC’s proposed cybersecurity procedures — a number of which focus purely on PC and Internet security.
Christopher Saunders is managing editor of InstantMessagingPlanet.com.