Few CIOs would knowingly install a piece of software that hunts for ways to overcome the corporate firewall, even going as far as pretending to be a web browser in order to gain unfettered access to the outside world.
But instant messaging (IM) is just such software.
Although its origins are as a consumer technology, IM has gained ground in business not just because it provides an efficient way to communicate quickly with colleagues, but because of its low cost – most services are free – and because it is easy to install.
But CIOs and security officers are increasingly concerned that IM is exposing their businesses to undue risks. One computer networking expert told the Financial Times that IM was considered to be their “next security black hole”.
One challenge CIOs and CSOs face is that IM raises security and compliance issues at a number of levels.
If employees download an instant messaging application – or sign in to an IM client already on their computer using a personal account – companies cannot monitor that traffic. Although IM clients provide the ability to log conversations, that is not automatic and the text-only logs are easy to manipulate or falsify.
“By default you can install IM without logging. And some people think they can say what they want if they know they are not being logged,” says Lisa Watts, network manager at Nashville law firm Boult, Cummings, Conners & Berry. The company has now installed a hosted IM management service from vendor Postini.
IM allows peer-to-peer file transfer, so users could potentially receive infected documents over IM. This could happen accidentally, but there is evidence of criminals using fake or hijacked IM accounts in order to pass malware to unsuspecting users.
And hackers are using IM accounts to distribute links to web pages that, in turn, take employees to phishing or other sites that aim to capture personal information or to spread malware, such as key logging software. In addition, there is the danger that a rogue IM client could open a back door to corporate IT networks.
“IM clients are designed to circumvent firewall policies, by port hopping or even tunnelling out over port 80 [the port used for web browsing]: the traffic looks like web browsing when it goes out,” says Dan Hubbard, senior director, security and technology research at security company Websense. “They are quite ingenious, so you need something other than just a firewall to provide security.”
CIOs also have to allow for the fact that new instant messaging platforms will continue to emerge; IM could also be added as a feature to existing business applications. Then there is the issue of convergence: IM services are increasingly carrying voice and video traffic, while other communications tools, such as the internet telephony application Skype, also include a fully featured instant messaging client.
As a result, IT departments need to take a multi-layered approach to securing IM. An outright ban on running the software is unlikely to succeed or risks damaging productivity by closing down a useful communications channel. Symantec, the security vendor, estimates that IM can improve customer service levels by as much as 20 per cent.
Nonetheless, CIOs need to know that IM traffic is controlled, or at least monitored and filtered. Companies such as Websense do this by filtering IM traffic alongside web traffic: this can pick up both suspect URLs and keywords that suggest staff are sending sensitive information outside the company using IM.
Another approach is to intercept all IM traffic and route it through a central server. Symantec, for example, recently bought IM security specialist IM Logic for this capability.
The server applies policies – such as only allowing staff to use a single IM platform, or restricting traffic to internal messages only – as well as capturing the IM conversation for record-keeping and compliance purposes.
“We can also block a message if the server detects a suspect URL [web address] or give a warning message to the user, asking if they really know that it is safe to follow that link,” says Dr Guy Bunker, chief scientist at Symantec.
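The central-server model described above, with policies applied in one place (a single sanctioned platform, optional internal-only traffic, blocking of suspect links, a warning on other external links, blocking of keywords that suggest sensitive data leaving the company) and every decision written to a compliance log, is sketched here as an added example. It is not code from Websense, Symantec or IM Logic; the platform name, domains, blocklist entry, keyword rules and sample messages are all constructed assumptions.

```python
"""Toy IM policy gateway (added illustration, not any vendor's code).

Every message passes through evaluate(), which applies the article's policies
in order of severity and returns allow / warn / block with the reasons, and
audit_record(), which writes one JSON line per message for record-keeping.
All names, domains and rules below are constructed assumptions.
"""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

ALLOWED_PLATFORMS = {"corp-im"}                 # assumption: the one sanctioned client
INTERNAL_DOMAIN = "example.com"                 # assumption: the corporate domain
SUSPECT_HOSTS = {"login-verify.example.net"}    # constructed blocklist entry
SENSITIVE_PATTERNS = [                          # constructed "sensitive data" rules
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "possible card number"),
    (re.compile(r"\bconfidential\b", re.I), "keyword 'confidential'"),
]
URL_RE = re.compile(r"https?://\S+", re.I)


@dataclass
class Message:
    platform: str
    sender: str
    recipient: str
    text: str


@dataclass
class Verdict:
    action: str                          # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)


def is_internal(address: str) -> bool:
    """True if the address belongs to the corporate domain."""
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def is_internal_host(host: str) -> bool:
    """True for the corporate domain itself or any subdomain of it."""
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def evaluate(msg: Message, internal_only: bool = False) -> Verdict:
    """Apply the policies; the most severe finding decides the action."""
    if msg.platform not in ALLOWED_PLATFORMS:
        return Verdict("block", [f"platform not permitted: {msg.platform}"])
    if internal_only and not (is_internal(msg.sender) and is_internal(msg.recipient)):
        return Verdict("block", ["external conversation while internal-only policy is in force"])

    warnings = []
    for url in URL_RE.findall(msg.text):
        host = (urlparse(url).hostname or "").lower()
        if host in SUSPECT_HOSTS:
            return Verdict("block", [f"suspect URL host: {host}"])
        if not is_internal_host(host):
            # Not known-bad, so let it through but ask the user to confirm
            warnings.append(f"external link, confirm before following: {host}")

    if not is_internal(msg.recipient):
        for pattern, label in SENSITIVE_PATTERNS:
            if pattern.search(msg.text):
                return Verdict("block", [f"{label} sent to external recipient"])

    return Verdict("warn", warnings) if warnings else Verdict("allow")


def audit_record(msg: Message, verdict: Verdict) -> str:
    """One JSON line per message for the compliance archive."""
    return json.dumps({
        "platform": msg.platform, "from": msg.sender, "to": msg.recipient,
        "action": verdict.action, "reasons": verdict.reasons, "text": msg.text,
    })


def process(messages, internal_only=False):
    """Evaluate a batch; return the verdicts and the matching audit lines."""
    verdicts = [evaluate(m, internal_only) for m in messages]
    return verdicts, [audit_record(m, v) for m, v in zip(messages, verdicts)]


# Constructed sample traffic covering each policy branch
SAMPLE = [
    Message("corp-im", "ann@example.com", "bob@example.com", "lunch at 12?"),
    Message("corp-im", "ann@example.com", "bob@example.com",
            "see https://docs.partner.example.org/spec"),
    Message("corp-im", "ann@example.com", "bob@example.com",
            "reset here https://login-verify.example.net/acct"),
    Message("corp-im", "ann@example.com", "x@outside.example.org",
            "the confidential merger figures are attached"),
    Message("consumer-im", "ann@example.com", "bob@example.com", "hi"),
]

if __name__ == "__main__":
    for line in process(SAMPLE)[1]:
        print(line)
```

The gateway only sees traffic that actually reaches it, which is why the article pairs it with either a filtering proxy or a dedicated enterprise IM server: a client that tunnels out over port 80 to a consumer service never passes through `evaluate()` at all.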
For other businesses, the best way to control instant messaging is to move to a business-grade IM system, such as Jabber or Microsoft’s Live Communications Server.
These dedicated IM servers have a number of security features such as logging, but also provide the assurance that the service is running on the corporate network, rather than through a service provider that may be more geared towards the consumer market.
“The idea of an enterprise-grade IM platform has parallels with e-mail in the early 1990s,” says Zig Serafin, general manager of Microsoft’s Unified Communications Group. “E-mail was initially adopted as a service but businesses quickly started to look for an enterprise solution, such as Exchange. That is happening now with IM, as customers realise its importance as a communications tool.”