by Christine Perey

IM secured

May 26, 2003 | 8 mins
Collaboration Software, Messaging Apps, Microsoft

As employees flock to public instant-message services, net execs pour on the security countermeasures.

Every day, millions of users log on to personal AOL Instant Messenger, Microsoft MSN Messenger or Yahoo Messenger accounts from enterprise-issued computers to hash out work issues. Many do so with the honest intent of increased productivity, yet unwittingly jeopardize their corporation’s well-being.

Uncontrolled public instant-message service use exposes a company to three types of risk. The first comes from malicious code. Unless a user takes precautions, the files or executables sent between instant-message clients registered with public servers aren’t scanned for viruses: the transfer goes directly between the two clients or through the provider’s servers, so it never passes the corporate mail gateway where e-mail attachments are scanned. That means hackers can introduce viruses and worms into networks via content transmitted in instant messages.

Next comes the threat of corporate espionage. An employee with a public instant-message client running on an enterprise PC could use the client’s built-in file transfer to send a sensitive file to someone outside the organization, without difficulty and without leaving a trace on any corporate server. Or an outside instant-message user could assume a false identity and present himself as a trusted individual – a superior or other employee, a friend, a supplier or a customer – to gain sensitive information. Even when public instant-message service users trust one another’s identities, their chats cross the Internet as clear text, readable by anyone positioned on the path, security experts say.

If public instant messaging doesn’t fit under the corporate security umbrella, block it to prevent surreptitious use, says John Kinas, senior network administrator for the District of Columbia Bar Association.

Finally, uncontrolled use of public instant-message services can expose companies to legal risks. A company could come under fire, for example, if employees wrongfully distribute copyrighted works. And those in the regulation-laden financial services and healthcare industries could suffer legal consequences if instant messages aren’t monitored and logged according to federal mandate.

IT managers confronted with public instant-message service use are left weighing these risks against productivity gains. The primary reason for blocking instant-message use is to manage risk, not to prevent personal chats or to ward off offensive or promotional content from unknown third parties, users say.

That’s why the District of Columbia Bar Association decided to block instant messaging after it discovered public instant-message clients on more than 50% of the association’s 85 employee desktops, says John Kinas, senior network administrator. Managers studied instant-message use and decided instant messages are not appropriate business communications for the association. “There just weren’t circumstances in which the benefits outweighed the risks,” Kinas says.

The bar association is in good company. In a September 2002 study, Osterman Research found that nearly one-quarter of the 196 companies surveyed were actively blocking public instant-message services.

Managing IM use

The good news is AOL, Microsoft and Yahoo recognize the need to provide better management and greater security for public instant-message service use in companies. Each has announced relationships and introduced products targeting business-customer needs.

AOL offers AIM Enterprise Gateway, software built on technology from real-time communications management provider FaceTime Communications. The gateway manages AIM use from enterprise directories behind a corporate firewall. Network executives can control employees’ use of the service, or log, audit and create reports on AIM communications to satisfy regulatory compliance needs. AOL says a release set for later this year will let enterprise AIM users send and receive encrypted messages; this functionality comes through a deal with VeriSign.

Microsoft MSN offers a similar enterprise gateway product, MSN Connect for Enterprise, which is based on software from IMlogic. Yahoo Messenger Enterprise Edition is a service and gateway.

The bad news for IT managers looking for near-term security fixes is these business models are still unproven, and these offerings are limited in that they only apply to users of each provider’s particular service.

That makes configuring firewalls to block the services’ well-known ports (5190 for AIM, 1863 for MSN Messenger, 5050 for Yahoo Messenger) and the instant-message servers’ addresses the first line of defense for most IT managers. Unfortunately, sophisticated users and the public instant-message service providers have ways to circumvent port-specific blocks: each client can be told to connect on port 80 or 443, which the firewall already leaves open for Web traffic, so only inspection of the traffic itself reliably identifies instant-message sessions.

Alternatively, IT managers can rely on specialized public instant-message management software available from vendors such as Akonix, FaceTime, IMlogic and IM-Age Software. The software is designed to measure public instant-message service use in an enterprise network without tampering with firewalls.
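The difference between a port rule and the traffic-inspecting management software just described, as an added example (not code from the article or from any vendor it names): a port-only verdict beside a payload-signature classifier run over a few constructed flow records. The default ports and the leading bytes of each protocol are well-known properties of the three clients (AIM’s OSCAR FLAP frames begin with 0x2A, MSN’s MSNP uses three-letter ASCII commands such as VER and USR, Yahoo’s YMSG packets begin with the tag "YMSG"); the host names and flow contents are constructed for the example.

```python
"""Port filtering versus protocol-signature detection for public IM traffic.

Added illustration, not the article's or any vendor's code. Known facts used:
default ports (AIM 5190, MSN 1863, Yahoo 5050), OSCAR FLAP framing
(0x2A, channel, 2-byte sequence, 2-byte length), MSNP's ASCII commands and
the YMSG header tag. The flow records are constructed.
"""
import struct
from typing import Optional

IM_PORTS = {5190: "aim", 1863: "msn", 5050: "yahoo"}
MSN_COMMANDS = (b"VER ", b"CVR ", b"USR ", b"MSG ", b"XFR ", b"PNG", b"OUT")


def port_verdict(dst_port: int) -> str:
    """What a port-only firewall rule sees: nothing but the well-known ports."""
    return "block" if dst_port in IM_PORTS else "allow"


def classify_payload(payload: bytes) -> Optional[str]:
    """Identify the IM protocol from the first client-to-server bytes,
    regardless of which port the flow uses."""
    # OSCAR FLAP: 0x2A, channel 1..5, 2-byte seq, 2-byte length of the rest.
    if len(payload) >= 6 and payload[0] == 0x2A:
        channel, _seq, length = struct.unpack(">BHH", payload[1:6])
        if 1 <= channel <= 5 and length == len(payload) - 6:
            return "aim"
    if payload.startswith(b"YMSG"):
        return "yahoo"
    if payload.startswith(MSN_COMMANDS):
        return "msn"
    return None


def flap(channel: int, seq: int, body: bytes) -> bytes:
    """Build a correctly framed OSCAR FLAP frame around `body`."""
    return bytes([0x2A, channel]) + struct.pack(">HH", seq, len(body)) + body


# Constructed flows (host, destination port, first payload bytes). The second
# flow is the same AIM frame as the first, sent to 443: the client configured
# to use a port the firewall leaves open.
FLOWS = [
    ("alice-pc", 5190, flap(1, 0x1234, b"\x00\x00\x00\x01")),
    ("bob-pc", 443, flap(1, 0x5678, b"\x00\x00\x00\x01")),
    ("carol-pc", 80, b"VER 1 MSNP8 CVR0\r\n"),
    ("dave-pc", 443, b"\x16\x03\x01\x00\x8d\x01"),   # TLS ClientHello, not IM
    ("erin-pc", 5050, b"YMSG" + b"\x00" * 16),
]


def audit(flows):
    """Per flow: the port rule's verdict beside what the payload says it is."""
    return [
        {"host": host, "port": port,
         "port_verdict": port_verdict(port),
         "protocol": classify_payload(payload)}
        for host, port, payload in flows
    ]


def evaded(flows):
    """Hosts whose IM traffic a port-only rule lets through."""
    return [r["host"] for r in audit(flows)
            if r["port_verdict"] == "allow" and r["protocol"] is not None]


if __name__ == "__main__":
    for row in audit(FLOWS):
        print(row)
    print("evaded port block:", evaded(FLOWS))
```

The FLAP check insists that the length field matches the frame, so a random byte stream that happens to start with 0x2A is not misreported; the signature-based products named above do this kind of parsing for every supported protocol, which is why they can measure use without any firewall change.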

Public instant-message service management software with teeth to enforce policies doesn’t come free. Depending on functionality, the protocols under scrutiny and the size of the company, the annual fee for public instant-message service security, logging and auditing can run as much as $50 per seat. However, that cost could drop to as low as $8 per user within a year or two as the market consolidates, says Matt Cain, a Meta Group analyst.

Some freeware programs are available. For example, Akonix’s Rogue Aware and IM-Age’s IM-Sniffer detect and audit (and to differing degrees allow selective blockage of) public instant-message service use while running on a corporate server. Products such as these reveal trends, which let companies set and eventually enforce usage policies.

Instant-message management tools come in two flavors. The first is server-based: industry-leading IMlogic’s IM Manager, FaceTime’s IM Auditor Enterprise and Akonix’s L7 Enterprise, for instance, monitor and manage by way of software that runs on one or more general-purpose servers inside (or in conjunction with) the firewall. All public instant-message service traffic is routed through the server for logging and enforcement of corporate instant-message usage policies.

At California State University San Marcos, Akonix’s L7 Enterprise software lets IT meet network security objectives while not jeopardizing university policy. “We are fundamentally opposed to the notion of interfering with free speech,” says Mike Irick, assistant IT director at the college. “We would never dream of blocking public IM traffic.”

Server products such as these have several benefits. For instance, they enable in-house management for rapid and seamless integration with existing network-based corporate directories. They offer the ability to change policies by time, day or any other criteria including policy management by user group or individual from a single interface. They provide centralized data storage, search and retrieval. No special client software is necessary.

The second flavor is client/server: IM-Age’s IM Policy Manager. In this architecture, IT managers must install the application on every desktop that needs to be secured, logged or audited. As of this writing, IM Policy Manager is the only public instant-message management product with encryption. IM-Age uses what it calls 448-bit Rolling Salt Blowfish encryption (448 bits is the longest key Blowfish accepts; “Rolling Salt” is IM-Age’s own term).

One benefit of the client/server architecture, which IM-Age also offers as an outsourced product, is that policies are enforced and all traffic on the client PC is logged, even if the instant-message policy server is down or otherwise inaccessible. Once reconnected, the client synchronizes with the server.
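A client-side policy agent of the kind this architecture describes, as an added example (not IM-Age’s code): the desktop component applies a locally cached policy to every event, queues audit records while the policy server is unreachable, and synchronizes once it is back without losing or duplicating records. The policy fields, event shape and server interface are assumptions made for the example, and the outage sequence is constructed.

```python
"""Store-and-forward policy agent for a desktop IM control. Added illustration,
not IM-Age's code; policy fields, event shape and server API are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Policy:
    version: int
    allowed_services: Set[str]
    block_file_transfer: bool


class PolicyServer:
    """Stand-in for the central server; `up` toggles reachability."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.up = True
        self.records: List[dict] = []
        self._seen = set()          # (host, seq) pairs already stored

    def fetch_policy(self) -> Policy:
        if not self.up:
            raise ConnectionError("policy server unreachable")
        return self.policy

    def upload(self, batch: List[dict]) -> None:
        if not self.up:
            raise ConnectionError("policy server unreachable")
        for rec in batch:           # idempotent: a re-sent batch adds nothing
            key = (rec["host"], rec["seq"])
            if key not in self._seen:
                self._seen.add(key)
                self.records.append(rec)


class ClientAgent:
    def __init__(self, host: str, server: PolicyServer, fallback: Policy):
        self.host = host
        self.server = server
        self.policy = fallback      # used until the first successful sync
        self.queue: List[dict] = [] # audit records not yet uploaded
        self.seq = 0

    def handle(self, event: Dict) -> str:
        """Apply the cached policy to one IM event and log the outcome locally."""
        if event["service"] not in self.policy.allowed_services:
            verdict = "block"
        elif event["kind"] == "file" and self.policy.block_file_transfer:
            verdict = "block"
        else:
            verdict = "allow"
        self.seq += 1
        self.queue.append({"host": self.host, "seq": self.seq,
                           "policy": self.policy.version,
                           "verdict": verdict, **event})
        return verdict

    def sync(self) -> int:
        """Refresh the policy and flush queued records; returns how many went."""
        try:
            self.policy = self.server.fetch_policy()
            self.server.upload(list(self.queue))
        except ConnectionError:
            return 0                # keep the queue; cached policy stays in force
        sent = len(self.queue)
        self.queue.clear()
        return sent


def run_outage_scenario() -> Dict:
    """Constructed sequence: server up, down for two events, then up again."""
    server = PolicyServer(Policy(2, {"aim", "msn"}, block_file_transfer=True))
    agent = ClientAgent("desk-17", server,
                        fallback=Policy(1, {"aim"}, block_file_transfer=True))
    agent.sync()                                               # picks up v2
    v1 = agent.handle({"kind": "msg", "service": "msn", "peer": "friend"})
    server.up = False
    v2 = agent.handle({"kind": "file", "service": "aim", "peer": "outsider"})
    v3 = agent.handle({"kind": "msg", "service": "yahoo", "peer": "buddy"})
    while_down = agent.sync()
    server.up = True
    after = agent.sync()
    return {"verdicts": [v1, v2, v3], "while_down": while_down, "after": after,
            "server_records": len(server.records), "queued": len(agent.queue)}


if __name__ == "__main__":
    print(run_outage_scenario())
```

Two properties carry the benefit the paragraph describes: enforcement never waits on the server, because the agent always has a policy (the shipped fallback until the first sync), and a batch re-sent after an upload that failed after delivery is discarded by the server’s (host, seq) check rather than logged twice.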

Maurice Lonergan, IT director at Wire One, a videoconferencing reseller in Hillside, N.J., finds use of IM-Age’s IM Policy Manager sensible for two reasons. First, it operates as a deterrent because whenever an employee initiates an instant-message session using a public instant-message service, the software notifies all parties that their communications are being archived.

“We are interested in knowing how much time employees are spending on personal communications,” Lonergan says. “But we already know that by telling everyone we are logging traffic on public instant-message networks we are reducing the temptation some people feel to communicate with friends and family when their employer expects them to be productive.”

IM Policy Manager also reduces Wire One’s vulnerability to data leakage through unencrypted messages. “Our intellectual property is our biggest strategic advantage, and we don’t want it inadvertently or intentionally getting into our competitor’s hands,” Lonergan says.

Future IM use

As instant-message use becomes commonplace in the home and at colleges, public instant-message service usage in companies will only increase. With proper desktop and network management tools, IT managers can certainly reduce, if not eliminate, the risks associated with it. Still, over the long run, corporate instant-message packages with comprehensive and easy-to-manage private-to-public gateways are likely to hold more appeal to enterprise users and IT managers.

When such private-to-public instant-message communications gateways and enterprise-to-enterprise presence and instant-message tools become available this year and next, they will better fulfill security and risk management needs for monitoring, logging and auditing the flow of enterprise data. And network managers might review their policies toward public instant-message use accordingly.

Perey, president of Perey Research & Consulting in Placerville, Calif., specializes in rich media collaboration and communications. She is also a member of the Network World Global Test Alliance and can be reached at