Every technical product has security gaps, the largest of which is most often the end user. Enterprise network owners must decide whether a product's benefits outweigh its potential problems. Skype, when used intelligently, solves many more problems than it creates.
Because its developers built encryption into Skype from the beginning, conversations, instant messages and file transfers are automatically encrypted. Other IM and personal VoIP options from AOL, Yahoo, MSN and Google offer no encryption or other security of that nature. Because of this encryption, technical support departments can use Skype to IM passwords to remote users without fear of interception. Encrypted file transfers, difficult to push for non-technical users, are the Skype default.
Unfortunately, Skype developed proprietary methods to establish its global peer-to-peer network, and proprietary software makes people nervous. Skype has contracted an outside security expert to vet its cryptography scheme (see this Skype document), and the two security holes reported earlier this fall resulted in no reported exploits, intrusions or losses to users. Reported problems with microphones being left on, obviously a security risk, weren't duplicated during my own testing.
Skype's founders recently said they built the program for individuals and small businesses, and don't plan to add the level of restrictive security some enterprises demand. With proper configuration (meaning it's set up so that no personal details are published), training and monitoring, encrypted Skype IM and voice connections add another low-cost tool to a company's communications repertoire. Trading some network resources used by Skype client applications in Skype's peer-to-peer model for encrypted IM and voice links will be a good deal for many companies.
Yes, corporate laptops with Skype set to load automatically are potential security holes. But most of these laptops have no hard disk encryption, and automatically load and authenticate to the corporate VPN, which are more serious security issues. With a bit of user training, the Skype application can be used as needed and closed, eliminating any potential security breach.
After eBay officially takes control of Skype, security options for corporate group use will improve, because the U.S. government can pressure eBay more than it could a Luxembourg-based Skype. Every company using eBay to reach customers will benefit by having a Skype Me button on its catalog page to reassure buyers wanting to hear a voice rather than just see a Web page.
Right or wrong, users want IM on their corporate desktop. Skype allows for encrypted messages while keeping a clear text history of chats on each local PC for compliance, a security upgrade over other public IM options. Simply put, there are bigger security battles inside most commercial networks that require attention before Skype needs to be put at the top of the security concern list.
The opposing viewpoint - by Rodney Thayer. - Discuss!
Your thoughts
Gaskin is an author of books and stories about technology. He can be reached at readers@gaskin.com.