Locking down IM

It's found its place in many companies but still the warnings flow: before you embrace instant messaging, check the security risks.

Instant messaging has fought the battle for business turf and won. The use of IM in the corporate sector has reached mainstream status, and it's a welcome productivity boost.

"Before IM, we had too many salespeople who had to go out and meet face to face because someone couldn't be reached. And with e-mail, you have a latency issue, so employees would get up and talk to each other," says Josh Stallings, vice president of strategic initiatives at No Red Tape Mortgage.

"Now our people are on the phone all day because they can [simultaneously] IM our processing team to get the information they need for our clients," he says.

IM is a real-time text communications technology with which messages can be sent, received and viewed immediately. And it's nearly everywhere, says Paul Ritter, research director for messaging and collaboration at Wainhouse Research, a communications market researcher. "Our research shows that more than 80 percent of large companies in the US have some form of IM," he says.

But IM is risky and could cause as much damage as rogue e-mail, says SV Purushothaman, program leader of the conferencing and collaboration group at high-tech consultancy Frost & Sullivan. "Today, 10 percent of global IM messages are spim," or IM spam, says Purushothaman. "It has the same potential as e-mail spam."

Moreover, hackers are finding it easier to break in through IM buddy lists than by other means, he says.

While some companies have outlawed IM because of security concerns, many are looking for ways to mitigate risks while enjoying the business benefits. Here are steps you can take to secure IM in your organization.

Manage unauthorized IM clients. This applies to anything that's added to IT assets and infrastructure, says David MacLeod, director of information protection and assurance at The Regence Group, a health insurer. "We have a well-defined, -controlled and -monitored electronic perimeter," he says. "We know what can leave our organization and what can come in. That is clearly the first and most important step when you want to introduce anything new onto the network."

Address risks that arise from change. Simply adding IM to the network, like adding any software, introduces risk. "It's not because it happens to be IM. Anytime we add something new to our environment, there are security and privacy considerations," MacLeod says. "You need to determine whether it has altered the security posture of the organization."

Identify and verify users to curtail unauthorized access. This is what's referred to as authenticating the user. CIO Tim Hudson at Man Financial, the brokerage arm of London-based Man Group, accomplishes this by tying each party's IM identity, and its permissions for various types of use, to the existing technologies that identify who holds access rights on the network. "If someone has logged onto IM, we know that she or he is that person," Hudson says.

Establish appropriate-use policies. "If you have an IM product you want to use, you need to do due diligence and have proper policies in place," says Frost & Sullivan's Purushothaman. Policies may include rules such as not allowing users to send files via IM, because sending and receiving attachments makes it easy to spread viruses, he says.

Or you may not want different workgroups to IM one another. "We have separate user groups and don't necessarily allow them to IM each other. This ensures that research, sales, and institutional and product client groups are appropriately connected or disconnected," Hudson says. The same technologies that identify users can identify the workgroups they belong to with their individual IM privileges, he says.

Educate employees about IM use and policies. Employees play an important role in IM security. "Educate your users that they shouldn't be sharing passwords and that if they are, they're handing over their identity to their colleague," Hudson says.

At The Regence Group, people management is key to securing IM. "We have clearly articulated our policies around what kinds of information should be shared, what kinds should be protected and what are appropriate mechanisms for sharing information," MacLeod says.

Enforce policies. "We have tools that automatically apprise us when it appears that something against policy has occurred," MacLeod says. "We work with human resources and our leadership team to make sure that the employees involved understand why that's not appropriate and to coach them on how to do that kind of information exchange in a more secure and appropriate manner."

Purushothaman takes a harder line against IM misuse. He suggests issuing one or two warnings and then probation for offending employees.

Monitor risks related to security and privacy legislation. Many companies using IM are subject to multiple privacy and security regulations, such as the Sarbanes-Oxley Act.

The compliance concern is that information that should be secured can be passed on quickly and easily to numerous parties in the public domain, CIOs say.

Therefore, in industries such as financial services, pharmaceuticals and health care, IM conversations must be archived and logged. There also need to be policies to prevent any damaging information from getting out, Purushothaman says.

Manage IM patches. Take the same care with IM patches that you do with any other software. "We evaluate all IM patches to determine if they address something that is at risk for our organization, and if they do, they are prioritized and applied as quickly as appropriate," MacLeod says.

If you send instant messages outside the company, recognize the unique risks associated with that. "If a CIO believes she or he needs to IM outside the company, that introduces an entirely different set of concerns," MacLeod says. "You require a different set of controls, and it should be segregated from the internal messaging capabilities."

Additional authentication measures might be necessary to adequately identify who is sending instant messages from outside the company, Hudson adds.

Outside the walls

Managed public instant messaging, which uses gateways to and from public systems, lets companies communicate beyond their walls to a vast world of customers, partners and contacts using whatever IM software they want.

The benefits of being able to reach everyone instantly are pushing companies to find secure managed public IM products and driving vendors to provide them, says SV Purushothaman, program leader of the conferencing and collaboration group at Frost & Sullivan.

IM vendors such as Microsoft and IBM, which sell server software to companies that want to run their own IM systems, are striking deals with public networks, says Paul Ritter, research director for messaging and collaboration at Wainhouse Research. At the same time, managed public IM vendors, including IMLogic, FaceTime Communications and Akonix Systems, are selling gateways designed to securely regulate traffic between public and internal IM networks, Purushothaman says.

The managed public IM vendors are also developing environments called federated clearinghouses that enable users with public IM user IDs to send and receive instant messages securely, he adds.

These clearinghouses mitigate the risks of inter-company IM because they don't include the millions of users on public IM, Purushothaman says. "You might have access by invitation," he says. "If you are a preferred partner, for example, a company could choose to provide you access to its internal IM network. The access won't be provided to the entire workforce of the partner. It could be limited to 10 to 20 users."
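The controls described above map naturally onto a policy filter sitting at the IM gateway: resolve each IM identity to a directory workgroup, allow or refuse traffic between workgroups, block file transfers, admit only invited partner identities from outside, archive every attempt for compliance and raise an alert on each violation. The following is an added illustration of such a filter, not code from the article or from any vendor it names. The directory (a hard-coded dict standing in for LDAP or Active Directory), the policy, the domain names and the sample messages are all constructed for the example.

```python
"""Added example: a minimal IM gateway policy filter.

Not code from the article or from any product it mentions. DIRECTORY,
POLICY, the *.example identities and SAMPLE_MESSAGES are constructed.
"""

from dataclasses import dataclass, field

# Constructed stand-in for the corporate directory (LDAP/AD in practice):
# IM identity -> workgroup. Any sender not listed here is unauthenticated.
DIRECTORY = {
    "alice@corp.example": "research",
    "bob@corp.example": "sales",
    "carol@corp.example": "processing",
    "dave@corp.example": "sales",
}

# Constructed policy. A frozenset of one or two group names means
# "these groups may IM each other" (order does not matter).
POLICY = {
    "allowed_groups": {
        frozenset({"sales", "processing"}),
        frozenset({"sales"}),
        frozenset({"processing"}),
        frozenset({"research"}),
    },
    "allow_file_transfer": False,
    # Federated partners: only invited identities may reach us, and only
    # the listed internal groups may exchange messages with them.
    "external_invites": {"eve@partner.example", "frank@partner.example"},
    "external_may_reach": {"sales"},
}


@dataclass
class Gateway:
    policy: dict
    directory: dict
    archive: list = field(default_factory=list)  # every message, allowed or not
    alerts: list = field(default_factory=list)   # policy violations for follow-up

    def group_of(self, user):
        return self.directory.get(user)

    def is_external(self, user):
        return user not in self.directory

    def decide(self, msg):
        """Return (allowed, reason) for one message dict with keys
        'from', 'to', 'text' and an optional 'attachment'."""
        sender, recipient = msg["from"], msg["to"]
        sender_ext = self.is_external(sender)
        recip_ext = self.is_external(recipient)

        # Anyone outside the directory must hold an explicit invitation.
        if sender_ext and sender not in self.policy["external_invites"]:
            return False, "sender not authenticated and not an invited partner"
        if recip_ext and recipient not in self.policy["external_invites"]:
            return False, "recipient is not an invited partner identity"
        if sender_ext and recip_ext:
            return False, "gateway does not relay partner-to-partner traffic"

        if msg.get("attachment") and not self.policy["allow_file_transfer"]:
            return False, "file transfer blocked by policy"

        if sender_ext or recip_ext:
            internal_group = self.group_of(recipient if sender_ext else sender)
            if internal_group not in self.policy["external_may_reach"]:
                return False, f"group {internal_group!r} may not IM outside the company"
            return True, "external contact permitted by invitation"

        pair = frozenset({self.group_of(sender), self.group_of(recipient)})
        if pair not in self.policy["allowed_groups"]:
            return False, f"groups {sorted(pair)} are not permitted to IM each other"
        return True, "internal contact permitted"

    def handle(self, msg):
        allowed, reason = self.decide(msg)
        record = {**msg, "allowed": allowed, "reason": reason}
        self.archive.append(record)       # compliance log of every attempt
        if not allowed:
            self.alerts.append(record)    # apprise the security team
        return allowed


# Constructed sample traffic covering each rule above.
SAMPLE_MESSAGES = [
    {"from": "bob@corp.example", "to": "carol@corp.example", "text": "rate lock status?"},
    {"from": "alice@corp.example", "to": "bob@corp.example", "text": "draft report"},
    {"from": "bob@corp.example", "to": "carol@corp.example", "text": "file", "attachment": "app.pdf"},
    {"from": "eve@partner.example", "to": "bob@corp.example", "text": "hello"},
    {"from": "eve@partner.example", "to": "alice@corp.example", "text": "hello"},
    {"from": "mallory@partner.example", "to": "bob@corp.example", "text": "hi"},
    {"from": "eve@partner.example", "to": "frank@partner.example", "text": "hi"},
]


def run_sample():
    """Push the sample traffic through a gateway; return it and the verdicts."""
    gw = Gateway(POLICY, DIRECTORY)
    results = [gw.handle(m) for m in SAMPLE_MESSAGES]
    return gw, results


if __name__ == "__main__":
    gw, results = run_sample()
    for rec in gw.archive:
        print("ALLOW" if rec["allowed"] else "BLOCK", rec["from"], "->", rec["to"], "|", rec["reason"])
```

Every message, permitted or not, lands in the archive, which is what the compliance requirement calls for; only refusals go to the alert list. Attachments are refused before the group check so that a file cannot slip through on an otherwise permitted pair, and an external identity is refused before anything else unless it has been invited, which is the invitation model Purushothaman describes.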

At No Red Tape Mortgage, business-class IM is provided on a secure, external network, says Josh Stallings, vice president of strategic initiatives.

The company selected an external IM service to segregate IM from the company network. "We chose this model to remove IM from a position of access to other applications on our network," Stallings says. This isolates IM from the company's internal applications and network for security reasons. It also keeps IM from using up the bandwidth reserved for other applications, Stallings says.
