AUGUST 29, 2005
(COMPUTERWORLD) - Instant messaging has fought the battle for business turf and won. The use of IM in the corporate sector has reached mainstream status, and it's a welcome productivity boost. "Before IM, we had too many salespeople who had to get up and go meet face to face because someone couldn't be reached. And with e-mail, you have a latency issue, so employees would get up and go talk to each other," says Josh Stallings, vice president of strategic initiatives at No Red Tape Mortgage in Sherman Oaks, Calif.
"Now our people are on the phone all day because they can [simultaneously] IM our processing team to get the information they need for our clients," he says.
IM is a real-time text communications technology with which messages can be sent, received and viewed immediately. And it's nearly everywhere, says Paul Ritter, research director for messaging and collaboration at Wainhouse Research, a communications market research firm in Duxbury, Mass. "Our research shows that more than 80% of large companies in the U.S. have some form of IM," he says.
But IM is risky and could cause as much damage as rogue e-mail, says S.V. Purushothaman, program leader of the conferencing and collaboration group at Frost & Sullivan Ltd., a high-tech consultancy in New York. "Today, 10% of global IM messages are spim," or IM spam, says Purushothaman. "It has the same potential as e-mail spam."
Moreover, hackers are finding it easier to break in through IM buddy lists than by other means, he says.
While some companies have outlawed IM because of security concerns, many are looking for ways to mitigate risks while enjoying the business benefits. Here are steps you can take to secure IM in your organization.
Manage unauthorized IM clients. This applies to anything that's added to IT assets and infrastructure, says David MacLeod, director of information protection and assurance at The Regence Group, a health insurance carrier in Portland, Ore. "We have a very well-defined, -controlled and -monitored electronic perimeter," he says. "We know what can leave our organization and what can come in. That is clearly the first and most important step when you want to introduce anything new onto the network."
Address risks that arise from change. Simply adding IM to the network, like adding any software, introduces risk. "It's not because it happens to be IM. Anytime we add something new to our environment, there are security and privacy considerations," says MacLeod. "You need to determine whether it has altered the security posture of the organization."
Identify and verify users to curtail unauthorized access. This is what's referred to as authenticating the user. CIO Tim Hudson at Man Financial, the brokerage arm of London-based Man Group PLC, accomplishes this by tying the party's identity and permissions for various types of uses to existing technologies that identify people who have access rights on the network. "If someone has logged onto IM, we know that she or he is that person," says Hudson.
Establish appropriate-use policies. "If you have an IM product you want to use, you need to do due diligence and have proper policies in place," says Frost & Sullivan's Purushothaman. Policies may include rules such as not allowing users to send files via IM, because sending and receiving attachments makes it easy to spread viruses, he says.
Or you may not want different workgroups to IM one another. "We have separate user groups and don't necessarily allow them to IM each other. This ensures that research, sales, and institutional and product client groups are appropriately connected or disconnected," says Hudson. The same technologies that identify users can identify the workgroups they belong to with their individual IM privileges, he says.
Educate employees about IM use and policies. Employees play an important role in IM security. "Educate your users that they shouldn't be sharing passwords and that if they are, they're handing over their identity to their colleague," says Hudson.
At The Regence Group, people management is key to securing IM. "We have clearly articulated our policies around what kinds of information should be shared, what kinds should be protected and what are appropriate mechanisms for sharing information," says MacLeod.
Enforce policies. "We have tools that automatically apprise us when it appears that something against policy has occurred,"says MacLeod. "We work with human resources and our leadership team to make sure that the employees involved understand why that's not appropriate and to coach them on how to do that kind of information exchange in a more secure and appropriate manner."
Purushothaman takes a harder line against IM misuse. He suggests issuing one or two warnings and then probation for offending employees.
Monitor risks related to security and privacy legislation. Many companies using IM are subject to multiple privacy and security regulations, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act.
The compliance concern is that information that should be secured can be passed on quickly and easily to numerous parties in the public domain, CIOs say.
Therefore, in industries such as financial services, pharmaceuticals and health care, IM conversations must be archived and logged. There also need to be policies to prevent any damaging information from getting out, says Purushothaman.
Manage IM patches. Take the same care with IM patches that you do with any other software. "We evaluate all IM patches to determine if they address something that is at risk for our organization, and if they do, they are prioritized and applied as quickly as appropriate," says MacLeod.
If you send instant messages outside the company, recognize the unique risks associated with that. "If a CIO believes she or he needs to IM outside the company, that introduces an entirely different set of concerns," MacLeod says. "You require a different set of controls, and it should be segregated from the internal messaging capabilities."
Additional authentication measures might be necessary to adequately identify who is sending instant messages from outside the company, Hudson adds.
Sidebar: Outside the Walls
Managed public instant messaging, which uses gateways to and from public systems, lets companies communicate beyond their walls to a vast world of customers, partners and contacts using whatever IM software they want.
The benefits of being able to reach everyone instantly are pushing companies to find secure managed public IM products and driving vendors to provide them, says S.V. Purushothaman, program leader of the conferencing and collaboration group at Frost & Sullivan.
IM vendors such as Microsoft Corp. and IBM, which sell server software to companies that want to run their own IM systems, are striking deals with public networks like American Online Inc.'s IM network, says Paul Ritter, research director for messaging and collaboration at Wainhouse Research. At the same time, managed public IM vendors, including IMLogic Inc., FaceTime Communications Inc. and Akonix Systems Inc., are selling gateways designed to securely regulate traffic between public and internal IM networks, Purushothaman says.
The managed public IM vendors are also developing environments called federated clearinghouses that enable users with public IM user IDs to send and receive instant messages securely, he adds.
These clearinghouses mitigate the risks of intercompany IM because they don't include the millions of users on public IM, Purushothaman explains. "You might have access by invitation," he says. "If you are a preferred partner, for example, a company could choose to provide you access to its internal IM network. The access won't be provided to the entire workforce of the partner. It could be limited to 10 to 20 users."
At No Red Tape Mortgage, business-class IM is provided on a secure, external network, says Josh Stallings, vice president of strategic initiatives.
The company selected an external IM service to segregate IM from the company network. "We chose this model to remove IM from a position of access to other applications on our network," says Stallings. This isolates IM from the company's internal applications and network for security reasons. It also keeps IM from using up the bandwidth reserved for those other applications, Stallings says.
