Use digital certificates to authenticate IM users

The CIO-level business angle on the latest tech

According to a 2006 report by Osterman Research, 72% of all organizations will use instant messaging IM in 2007. That number will grow to 93% of all organizations by 2009, closely matching the number of companies that use e-mail (99%).

While IM can be a great productivity tool, it also can be a security disaster waiting to happen. Survey statistics from the Osterman Research report “Presence, IM and Real Time Communication Trends, 2007-2010” show that 35% of organizations have suffered from IM vulnerability and 2% have fired IM abusers. The vast majority of survey respondents estimate that an IM or data breach would cost at least $10,000, and one-tenth put the damage at $500,000 or more.

Perhaps part of the problem is that many businesses and professional organizations use or communicate with people using consumer-grade IM products instead of tools that have been specifically developed for business use. Osterman estimates that in 2006, only 54% or businesses used an enterprise IM product, while 87% used a consumer-oriented product. The top IM clients – in business as well as in the home – are AOL Instant Messenger, MSN Messenger, and Yahoo! Messenger.

Though serious IM threats abound, there’s no reason to block IM from your organization. A well-executed program of IM security and hygiene should help make instant messaging the productivity enhancer you expect it to be without the worries of data breaches and other problems.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

According to a 2006 report by Osterman Research, 72% of all organizations will use instant messaging IM in 2007. That number will grow to 93% of all organizations by 2009, closely matching the number of companies that use e-mail (99%).

While IM can be a great productivity tool, it also can be a security disaster waiting to happen. Survey statistics from the Osterman Research report “Presence, IM and Real Time Communication Trends, 2007-2010” show that 35% of organizations have suffered from IM vulnerability and 2% have fired IM abusers. The vast majority of survey respondents estimate that an IM or data breach would cost at least $10,000, and one-tenth put the damage at $500,000 or more.

Perhaps part of the problem is that many businesses and professional organizations use or communicate with people using consumer-grade IM products instead of tools that have been specifically developed for business use. Osterman estimates that in 2006, only 54% or businesses used an enterprise IM product, while 87% used a consumer-oriented product. The top IM clients – in business as well as in the home – are AOL Instant Messenger, MSN Messenger, and Yahoo! Messenger.

Though serious IM threats abound, there’s no reason to block IM from your organization. A well-executed program of IM security and hygiene should help make instant messaging the productivity enhancer you expect it to be without the worries of data breaches and other problems.

There are four management areas that enterprise IM should address: authorization, encryption, archival and authentication. Today I’ll cover authentication because there’s a new tool just out on the market that provides authentication of IM users via digital certificates.

Presensoft IM Caller ID from Presensoft addresses the problem of not knowing exactly who is on the other end of your IM conversation. This solution gives you true peer-to-peer authentication, even if you are using a public or consumer IM product, and eliminates identity spoofing. This is critically important for business deals that are transacted via IM – stock trades, energy trades, etc. (Encryption also can be enabled with this technology if Presensoft IM Policy Manager is used in conjunction, giving a secure and compliant IM solution to the previously ignored B2C marketplace.)

The end users of Presensoft IM Caller ID can be your own employees and/or outside users who need to communicate with your employees, including customers, trading partners, suppliers and so on. Basically, if you need to be 100% sure of who is on each end of an IM conversation, both parties should be using Presensoft IM Caller ID.

A successful authentication will display predetermined user profile information on the IM window at the start of the conversation. The information is likely to include Name, E-mail and other pertinent information that you require. If Presensoft IM Caller ID is unable to authenticate an IM user, it will display a failure notice. At this point, the conversation can continue, knowing full well that one party is technically unknown, or it will be blocked according to company policy. The user profile information also gives Compliance and Legal an advantage in e-discovery by essentially indexing both sides of a conversation for pinpoint accuracy during data collection.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.