Rise and Shine From the IM Slumber
May 17, 2006
Instant messaging (IM) is a nightmare waiting to happen for corporate IS departments that have been snoozing on the issue for the past few years. Regulation and security are the two biggest fault lines.
To remain compliant with regulations like the Sarbanes-Oxley Act it's necessary to log and archive every message, and to maintain acceptable security there's little alternative but to scan every message for viruses, worms, and harmful URLs and to monitor file transfers closely.
The problem is that IM applications are frequently evasive and devious, as they are designed to allow messages to pass through firewalls using HTTP tunneling and port hopping without being detected. Since IM is so useful and convenient, many users see nothing wrong with downloading a client and using a public IM network like MSN, AIM, or Yahoo! without the knowledge or sanction of the IT department. Such "rogue" users can cause enormous damage in terms of networks security breaches and potential compliance problems unless a concerted effort is made to stop them.
What happens if you ignore IM on your network? Viruses and worms are increasingly using IM as a vector for their transmission, so realistically it is only a matter of time before one infects the network, possibly causing data loss, unusable machines, network slowdowns, severe corporate embarrassment, and a loss of business if customers' networks are infected with worms propagated from the network. The potential costs are enormous.
Apart from the malware problem, IM offers the potential for employees to transfer files surreptitiously (although, obviously, there are many other ways to do this), and with no control or logging and archiving of unsanctioned instant messages, an enterprise could face huge financial penalties for breaches in compliance regulations.
Thus, ignoring the communication medium is not an option.
Steps to Security
So how do you make IM a secure medium for use in the enterprise? First, get a handle on rogue usage. An easy way to get an idea of the extent of the problem is to download and run a free tool, such as Akonix's RogueAware, on the network. Many network managers are amazed to discover the extent of unsanctioned IM usage on their network. They are also often equally shocked by the amount of illegal peer-to-peer file sharing traffic clogging the pipeline.
The next step is to replace public IM client use with an enterprise IM system, assuming one isn't already in place. This enables the IS organization to control accounts more easily and set policies to govern who can use it, what the corporate naming policy will be (this is often linked to the corporate directory so employees can't impersonate other staff members), which departments can talk to other departments or to people outside the corporate network, and which users or job categories can transfer files (also often linked to the corporate directory so departmental policies can easily be drawn up).
Policies are all well and good and in fact are very important but they are no help at all unless they can be enforced. That's where an IM security company comes in. Typically, this is a software package that runs on the IM server or a server connected to it, or a dedicated policy enforcement appliance connected to the IM server. Enforcers, which are generally configured by an administrator using a Web interface, allow IM activity that conforms to policies and terminate connections when the IM usage is in breach of policies. Enforcers can also be used to send warnings and system messages to categories of users. For example, every morning when a user logs on she is reminded not to click on unknown URLs in instant messages.
Enforcing IM policies is important, but by itself it is useless. It must be carried out in conjunction with a security and hygiene effort that ensures instant messages coming into the network are not carrying any viruses, worms, or other threats, and likewise on the outbound side. To do this, what's usually needed is a security and hygiene module. This can take the form of software, or again, a dedicated security appliance. It is installed within the corporate firewall and acts as an IM gateway through which all incoming traffic passes and is checked, before moving on to the enforcement module, the IM server, and individual users' client software.
Symantec's recent purchase of the IM security vendor IMlogic suggests that in the future IM may be seen as just another kind of corporate messaging, and IM enforcement and hygiene modules may be subsumed into a larger "messaging security" appliance that sits inside the firewall monitoring all messaging traffic.
Another approach, which FaceTime favors, is to treat IM as separate from e-mail, in a notional "real-time communications" category that includes video conferencing, voice over IP and peer-to-peer hybrid applications, such as Skype. Either way the architecture is similar, entailing one or more appliances or servers inside the firewall to monitor traffic.
Skype is a particular bug-bear for network administrators. It is particularly nimble at getting through firewalls, which makes it hard to detect, since its protocols can change at any time, and, because it is encrypted, it is impossible to archive it in any useful way. Companies such as FaceTime promise to block it using statistical techniques to recognize its usage, and by detecting its "heartbeat" the presence information it sends through the network from time to time to show that it is online.
Logging and archiving messages is not necessarily technically complicated, but clearly it is essential that the storage system is secure, just as any storage system should be.
To secure IM in your enterprise, be sure to set and enforce policies for its use, and check it to remove malware. Compliance procedures may also dictate communication be logged and archived to a secure storage environment. The cost of IM management and control is likely to be of the order of tens of dollars per user per year, but the cost of failing to secure it properly will be much higher.