Practice safe chat

Unprotected messaging can cause serious security and compliance problems.

Instant messaging is running on enterprise networks, whether IT managers want to acknowledge it or not. A recent Nemertes Research survey shows that IM is in use in 90% of companies, with 68% letting users access unprotected consumer services from AOL, Microsoft and Yahoo.

IT now must get control of IM services that are putting their networks - and in certain vertical industries their compliance success - in jeopardy.

Other than e-mail, IM is the most popular collaboration tool used in companies today, primarily because employees can download it for free, without help from IT. And IM is viral: If two or three members of a department regularly message each other, it isn't long before everyone wants in on the action.

Fifty percent of the 40 IT executives interviewed rated IM as "vital" or "very important," according to Nemertes' benchmark research, "Getting a Grip on Collaboration." IM is highly valued because its real-time nature ensures employees can get the information they need when they need it.

Salespeople use IM on client calls to back-channel with co-workers, team members use it to get answers about projects right when they need them, and executives use it to keep each other and their reports up to date on the latest company, market and competitive information.

But IM is also rated "unimportant" or only "moderately important" by more than a quarter of IT executives. Some wonder if it's more of a drain than a boon when it comes to productivity. "What if my employees have five or 10 different sessions running, like my teenage daughter?" asks the director of technology at a midsize retail services firm who requested anonymity. "I don't know how she does it, but I don't want that in the workplace. It's much more appropriate to have it completely restricted."

Others worry about the risks inherent in IM, including security, archiving and retrieval capabilities (or, more precisely, the lack thereof). They're right to be concerned, at least if they rely on consumer IM services to get the job done. Here are the main concerns that respondents raised:

•  Consumer services are not inherently safe (attachments can contain viruses and aren't automatically screened by e-mail anti-virus software).

•  They're easy to spoof (screen names aren't authenticated against directories and companies don't own domains, as they do with e-mail, so anyone can pretend to be billg@microsoft).

•  They're not automatically archived (unlike e-mail, instant messages disappear into the ether once the message string is ended).

•  They're not controlled by IT, opening the door to hackers and internal misuse.

Some IT executives are content to let employees use consumer services at will after formulating usage policies. "I worry about the security risks about everything," says the CIO at a technology company who asked not to be named. But, he trusts his users enough to give them IM guidelines and policies, without restricting its use. "We have our employee handbook that states the rules of conduct, and policies and procedures about use, and we have a good community. So I've taken more of a laissez-faire attitude."

Nemertes doesn't recommend that approach. A better option is to standardize on robust, enterprise-class IM software such as that from Bantu, IBM Lotus and WiredRed. Thirty-seven percent of companies in the Nemertes survey have standardized on an enterprise-class system, and 20% plan to do so in the next six months.

All the enterprise IM vendors offer a level of security beyond what's available in consumer services, typically through Secure Sockets Layer and 128-bit encryption. A handful of vendors specialize in secure messaging. Sigaba offers a secure IM platform that includes authentication, end-to-end encryption and support for digital signatures.

Interoperability is vital

However, even deploying enterprise-class IM isn't enough because today's IM systems lack interoperability. Competing software and services don't talk to one another, making it impossible for an AOL Instant Messenger user to message someone on MSN or Lotus Instant Messenger without the help of a third-party application.

That's not a trivial issue - if employees can't communicate with their partners, customers and friends on the enterprise system on which their company standardizes, they'll also probably continue to use a consumer service. Among the 37% of companies officially using an enterprise system, 30% continue to allow the use of consumer services, according to the survey.

Interoperability is top-of-mind for IT executives who responded to the survey, more than 50% of whom rate the issue as "vital" or "very important."

Partly, this is a technology problem; Session Initiation Protocol and SIP for IM and Presence Leveraging Extensions (SIMPLE) remain immature standards that, even when used today, often are tweaked so much as to effectively render the software built on them proprietary. But it's also a business decision on the part of the leading IM vendors, who fear for their very existence if integration happens.

Consumer IM vendors are essentially in the advertising business. They deliver free software to their customers, and eyeballs to their advertisers. When it comes to advertising, the more eyeballs you have, the more you can charge for space. By remaining proprietary, the vendors ensure users will have to continue to subscribe to their services to maintain contact with their buddies on that service. Once interoperability exists, IM users can choose one IM client - and there go the eyeballs on all the others.

There might be some wiggle room here - Yahoo, for instance, says it's open to full standards-compliance. But until AOL, the leading IM vendor, gets on board, the three main consumer services won't work together. At least, not until Microsoft makes the issue a non-issue by convincing more Outlook users to adopt its Windows Messenger client, which Nemertes expects to happen over the next three to five years.

Protect yourself against future shock

Despite the existence of good technology from many smaller vendors, the battle over the enterprise is likely to be waged between Microsoft and IBM Lotus, the leading e-mail vendors. The small IM players and the consumer services will have a tough time staying alive in a mature enterprise market three to five years out, and IT managers must consider that as they standardize on a product today. (Many telephony vendors offer IM as part of their presence-based real-time communications portals, such as Nortel's MCS 5100 and Siemens' OpenScape, but Nemertes doesn't expect companies to use them as their standard IM platform until interoperability exists.)

In the meantime, several vendors focus on adding interoperability and security to consumer services, including Akonix, FaceTime Communications and IMlogic. Other vendors, such as Cordant, can help with IM monitoring and reporting, which is especially important for financial services firms and healthcare companies in light of regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act of 2002. Other vendors still are building technology to add security and interoperability features to SIP and SIMPLE.

FaceTime gets around the interoperability issue by applying a consistent set of business policies to a given user's buddy names and networks, mapping that person's legitimate corporate ID on all the IM networks he uses. So the systems remain independent, but they operate as though they're one - which lets IT managers track and manage usage, and lets users message people on a variety of clients without incurring additional security risks, among other things. The product also offers very detailed business policy controls that determine who can speak to whom, share files, and manage compliance and regulation issues.

IMlogic's IM Manager, which logs, archives and reports on IM use, can extend Microsoft's Live Communications Server's reach, letting Windows Messenger users connect to Microsoft's public IM network (Microsoft's MSN Connect does the same thing). IM Manager also offers built-in anti-spam and anti-virus capabilities. IMlogic also focuses on making it easier for companies to integrate IM into other collaborative applications, such as Web conferencing and online project rooms, via its IM Linkage product.

Try the two-pronged approach

Given the security and interoperability gaps for IM users today, Nemertes recommends that companies standardize on an enterprise-class system such as Windows Messenger or Lotus Instant Messenger, and also use a third-party application to secure, integrate and control consumer services. That way, employees can continue to message outside the organization, at least until IM works like e-mail and anyone can message everyone, no matter who's on what client.

The research firm also recommends IT executives apply anti-virus and anti-spam software to IM, another option built into many third-party management applications.

Turek is principal research analyst and senior partner at Nemertes Research, an independent research firm that provides in-depth analysis of the business value of emerging technologies. Its new benchmark research, "Secure Messaging for a Changing World," is available now. She can be reached at melanie@nemertes.com.

Copyright © 2004 IDG Communications, Inc.