Use digital certificates to authenticate IM users

* Presensoft IM Caller ID provides authentication of IM users via digital certificates

According to a 2006 report by Osterman Research, 72% of all organizations will use instant messaging (IM) in 2007. That number will grow to 93% of all organizations by 2009, closely matching the number of companies that use e-mail (99%).

While IM can be a great productivity tool, it also can be a security disaster waiting to happen. Survey statistics from the Osterman Research report “Presence, IM and Real Time Communication Trends, 2007-2010” show that 35% of organizations have suffered from IM vulnerability and 2% have fired IM abusers. The vast majority of survey respondents estimate that an IM or data breach would cost at least $10,000, and one-tenth put the damage at $500,000 or more.

Perhaps part of the problem is that many businesses and professional organizations use or communicate with people using consumer-grade IM products instead of tools that have been specifically developed for business use. Osterman estimates that in 2006, only 54% of businesses used an enterprise IM product, while 87% used a consumer-oriented product. The top IM clients – in business as well as in the home – are AOL Instant Messenger, MSN Messenger, and Yahoo! Messenger.

Though serious IM threats abound, there’s no reason to block IM from your organization. A well-executed program of IM security and hygiene should help make instant messaging the productivity enhancer you expect it to be without the worries of data breaches and other problems.

There are four management areas that enterprise IM should address: authorization, encryption, archival and authentication. Today I’ll cover authentication because there’s a new tool just out on the market that provides authentication of IM users via digital certificates.

Presensoft IM Caller ID from Presensoft addresses the problem of not knowing exactly who is on the other end of your IM conversation. This solution gives you true peer-to-peer authentication, even if you are using a public or consumer IM product, and eliminates identity spoofing. This is critically important for business deals that are transacted via IM – stock trades, energy trades, etc. (Encryption also can be enabled with this technology if Presensoft IM Policy Manager is used in conjunction, giving a secure and compliant IM solution to the previously ignored B2C marketplace.)

The end users of Presensoft IM Caller ID can be your own employees and/or outside users who need to communicate with your employees, including customers, trading partners, suppliers and so on. Basically, if you need to be 100% sure of who is on each end of an IM conversation, both parties should be using Presensoft IM Caller ID.

A successful authentication will display predetermined user profile information on the IM window at the start of the conversation. The information is likely to include Name, E-mail and other pertinent information that you require. If Presensoft IM Caller ID is unable to authenticate an IM user, it will display a failure notice. At this point, the conversation can continue, knowing full well that one party is technically unknown, or it will be blocked according to company policy. The user profile information also gives Compliance and Legal an advantage in e-discovery by essentially indexing both sides of a conversation for pinpoint accuracy during data collection.

Here’s a quick overview of how it works.

To get started, you need to install or connect to various software services.

1. As a Presensoft customer, your company installs Microsoft Certificate Authority (CA) server for certificate management or utilizes the secure Presensoft Hosted CA Environment.

2. Your company also has a Web portal and login access for your outside customers/contacts, or you can utilize the secure Presensoft Hosted CA Environment.

3. And finally, your company installs Presensoft Web service or you develop your own Web service which will provide limited access to your customer database through a secure channel.

Once everything is properly configured, here’s the process flow of using Presensoft IM Caller ID. Other than users being asked to request a certificate at the outset, the rest of the process is automatic and hidden from view.

1. The customer logs in to your company Web portal using his valid user name and password and requests a certificate for IM authentication after registering his IM IDs.

2. The Web console interacts with Presensoft-supplied enrollment Web services and CA server to generate appropriate password protected digital certificates for the user which he can download and install on the fly.

3. Downloaded digital IDs are safely stored in a secure certificate store guarded by the installation environment (user name, machine name, etc.) and cannot be used as such on other machines or logins.

4. On first IM session initiation, an authentication handshake takes place between the company representative and the customer. This is invisible to the users and takes place between Presensoft agents at both ends. Additional restriction can be added to only allow the certificate handshake to take place with the presence of the installation password.

5. After a successful handshake, the desktop agents at both ends send an account validation request to the Presensoft validation web service. This is to ensure that users with a valid certificate but an invalid account (closed/expired/blocked) with the company are not authenticated.

6. The Presensoft validation Web service queries the contact’s account status information from the live database. A successful validation returns some user information like Name, Contact Details, etc. to be displayed in the contact’s IM window. User validation information always comes from a live, real-time database and not a “stale” certificate. The information to be returned for display is configurable by your company administrator.

7. Session information is updated in the IM Security Dashboard and subsequent conversations are immediately authenticated until one of the users signs out.
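As an added illustration of steps 4 through 6 (not Presensoft’s code: the CA signature is simplified to an HMAC stand-in, and the key, account table and IDs are constructed), this Python sketch shows why a valid certificate alone does not authenticate a contact: the account status and the displayed profile both come from the live record, never from the certificate.

```python
import hashlib
import hmac
import json
from datetime import datetime

CA_KEY = b"constructed-ca-signing-key"          # stand-in for the CA's private key
DISPLAY_FIELDS = ("name", "company", "id")     # fields the administrator chose to show
FAIL = "Presensoft IM Caller ID: authentication failed"

def _sign(body: dict) -> str:
    # HMAC over the canonical JSON body stands in for a real X.509 signature.
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()

def issue_certificate(im_id: str, account_id: str, not_after: str) -> dict:
    """Enrollment (step 2): bind a registered IM ID to a company account."""
    body = {"im_id": im_id, "account_id": account_id, "not_after": not_after}
    return {**body, "sig": _sign(body)}

def certificate_is_valid(cert: dict, now: datetime) -> bool:
    """Handshake (step 4): CA signature intact and certificate not expired."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    if not hmac.compare_digest(cert.get("sig", ""), _sign(body)):
        return False
    return now < datetime.fromisoformat(cert["not_after"])

# Constructed stand-in for the live customer database queried in step 6.
ACCOUNTS = {
    "8629": {"status": "active", "name": "Joe Blodgett",
             "company": "Blodgett Communications", "id": "8629"},
    "4410": {"status": "closed", "name": "Former Client",
             "company": "Closed Co.", "id": "4410"},
}

def validate_contact(cert: dict, claimed_im_id: str, now: datetime):
    """Steps 4-6: returns (authenticated, line shown in the IM window)."""
    if not certificate_is_valid(cert, now):
        return False, f"{FAIL} (invalid or expired certificate)"
    if cert["im_id"] != claimed_im_id:
        return False, f"{FAIL} (certificate not issued for this IM ID)"
    account = ACCOUNTS.get(cert["account_id"])
    if account is None or account["status"] != "active":
        # Valid certificate but closed/expired/blocked account: not authenticated.
        return False, f"{FAIL} (account closed, expired or blocked)"
    # Profile text comes from the live record, never from the certificate.
    parts = [f"ID# {account[f]}" if f == "id" else account[f] for f in DISPLAY_FIELDS]
    return True, "Presensoft IM Caller ID: Contact validated as " + ", ".join(parts)
```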

The process looks long and complicated, but it’s really fairly simple and fast. And the result is something like this when an IM conversation starts:

Lmusthaler (10:32:13 AM): Are we still doing the briefing at 3 today?

Jblodgett (10:33:09 AM) [Presensoft IM Caller ID: Contact validated as Joe Blodgett, Blodgett Communications, ID# 8629]

Jblodgett (10:33:47 AM): Yes, I’ll send you the dial-in number shortly.

Lmusthaler (10:34:20 AM): Great, talk to you at 3.

The authentication message from Presensoft IM Caller ID is automatic and cannot be changed or removed. It ensures complete non-repudiation for public IM sessions and enterprise messaging and allows for pinpoint accuracy in collections and reporting for use in a court of law, regardless of what buddy name or display name the users choose.

Presensoft IM Caller ID is compatible with various IM clients, including MSN Messenger, AIM, Yahoo! Messenger, and ICQ. It also leverages your existing technology investments, like your IM policy management software.

The official release of Presensoft IM Caller ID is Sept. 24, but Presensoft already has a number of financial industry and energy industry clients. These kinds of businesses want the productivity of IM but need the assurance of absolute authentication with customers and trading partners.


Copyright © 2007 IDG Communications, Inc.