Instant Messaging can speed critical communications across the corporate network, saving
time and giving an edge to team projects. The trouble is that IM also can speed viruses into
the network, and shoot corporate secrets out to competitors without leaving any trail behind
it.
IM technology, at this point in its maturity level, isn’t the most secure of communication
tools. And what’s making it a real nightmare for IT and security managers is that a lot of
employees are running wild and uncensored, downloading their favorite IM software and
running under IT’s radar. Without IT to keep an eye it, there’s no way to put the brakes on
what could be a huge security problem.
”IM is becoming as common as email, but firms cannot permit their staff to just sign up for
AOL or Yahoo! Messenger and be done with it,” says Damon Kovelsky, an analyst with
Financial Insights, a research firm based in Framingham, Mass.
Not so long ago, Instant Messaging was the province of the teen and college population. In
the last couple of years, however, it has made the transition from cool tool to business
tool. According to IDC, a major analyst firm based in Framingham, Mass., more than 20
million businesspeople worldwide are using IM. That figure is expected to soar to 300
million by the end of 2005.
The problem is, however, that the adoption has been driven by the end user and not top
management.
A study by Osterman Research, based in Black Diamond, Wash., reveals that while IM currently
has a presence in 91 percent of enterprises, only about 26 percent are utilizing an
enterprise-grade IM system That means 65 percent rely on consumer products.
”Consumer-grade IM clients and the use of public IM networks can create significant
security problems for an enterprise by using unauthorized ports in the corporate firewall,”
says analyst Michael Osterman. ”This allows an entry point for viruses or rogue protocols
to bypassing corporate authentication systems and so forth.”
Some companies try to fit consumer systems into the corporate security picture by adding on
a series of third-party products.
According to Tod Turner, CEO of LINQware, an IM provider and maker of the Collabrix
enterprise IM system, that strategy is inherently flawed.
Most IM systems on the market today are peer-to-peer (P2P), meaning that once conversations
start, they are directly between the users’ client machines, and do not pass through
servers. This architecture eliminates administrator’s ability to capture the history of the
conversation.
”Applications like P2P and IM allow employees to communicate and share files covertly with
outside parties,” notes Mark Glowacki, HIPAA Compliance Manager of the HIPAA Academy.
”Because these applications can run without being detected by conventional security
appliances, like firewalls, security violations are only discovered after the fact.”
All of this means that instant messaging carries a high potential for liability,
particularly in heavily regulated industries, such as financial services and health care.
HIPAA, the Health Insurance Portability and Accountability Act, for example, sternly calls
into the question the use of IM in the healthcare industry. Undocumented communications
regarding a patient, for instance, could occur without management’s knowledge leading to a
breach of HIPAA’s access requirements. Such violations could invoke heavy fines.
Public IM systems do not offer any mechanism for capturing conversation transcripts.
Third-party tools exist which can capture the conversation at its conclusion. However,
conversations that are dropped midstream are lost, unless the IM system is server based.
”With few exceptions, consumer-grade IM clients do not provide a means of recording content
of IM conversations,” says Osterman. ”This is a particularly significant shortcoming for
firms that are required by statute or convention to retain a copy of communications with
customers, business partners and others.”
Another issue is that most systems on the market today are open, meaning that if you know a
person’s IM address, you can message them directly. Anyone with an IM address, therefore,
has the potential to share sensitive data and bypass any corporate audit capabilities.
The best approach to dealing with this issue is to deploy a closed system that can still be
exposed to key outside customers and vendors.
And IT managers need to be aware that in generic IM products, transmissions between users
utilize clear text that can be captured and analyzed by outsiders. Fortunately, there are
fixes via third-party software that improve the security of messages sent over public
pipelines.
”In a corporation of any size, it is essential to harness security standards, such as
encoded XML and encrypted messages using SSL,” says LINQware’s Turner. ”Otherwise, you
have no idea who might be reading your messages.”
And in an age when viruses and worms are causing billions of dollars in damage on a regular
basis, that is always a key security concern. And as IM usage becomes more and more
prevalent, virus writers will increasingly turn their attention to this new medium.
Virtually all IM systems allow for file transfers that bypass virus checking software. This
exposes networks to serious threats, such as the Blaster worm which took down more than 1
million computers in its first 24 hours in the wild.
”No add-on will plug this gaping hole,” says Turner. ”It requires an enterprise-class
system with administrative privileges, which allows you to turn off file transfers between
users.”
IM is here, whether IT managers are ready for it or not. The best approach, therefore, is to
take control of its usage by establishing corporate policies and adopting an IM system that
is designed for the corporate world.