Once the province of the teen and college set, Instant Messaging (IM) has successfully transitioned from cool tool to business essential. Over 20 million people worldwide use IM for work-related tasks according to International Data Corp. (IDC) of Framingham, Mass. That figure could soar to 300 million by the end of 2005. Take the government sector. The Federal Emergency Management Agency, for example, uses IM to bridge communications gaps among federal, state and local emergency relief workers. Every agency in the state of Utah utilizes IM to speed internal communications. And the Police Executive Research Forum (PERF) has installed IM throughout its nationwide network.
In the corporate world, too, IM usage is on the rise. A study by Osterman Research (Black Diamond, Wash.) reveals that IM currently has a presence in 91 percent of enterprises. The problem, however, is that adoption has been driven by the end user and not by top management. Only about 26 percent of organizations are utilizing an enterprise-grade IM system; the rest rely on consumer products, or have allowed users to download a client and operate it from within the corporate firewall. “Consumer-grade IM clients and the use of public IM networks can create significant security problems for government organizations and corporations alike by using unauthorized ports in the firewall,” says analyst Michael Osterman.
“This allows an entry point for viruses or rogue protocols, bypassing enterprise authentication systems.” Security threats can gain access via email, instant messaging, music download sites, peer-to-peer (P2P) networks and other channels. Most end users begin IM usage in a rogue fashion, with employees downloading AOL Instant Messenger (AIM) and other consumer systems. “IM is becoming as common as e-mail, but organizations cannot permit their staff to just sign up for AOL or Yahoo! Messenger and be done with it,” explains Damon Kovelsky, analyst in the Capital Markets Trading Group at Financial Insights. He outlines a number of inherent weaknesses in the underlying system architecture of IM products. Most IM systems are P2P: once the presence status of users is delivered and conversations start, discussions are conducted directly between users and do not pass through servers. These P2P issues cannot be solved by bolting a third-party add-on program onto a non-server-based IM system such as AOL Corporate Messenger. Such a client-centric architecture eliminates the administrator’s ability to control conversations in progress and to capture the history of a conversation as it takes place.
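The firewall-port problem Osterman describes is something a network team can check for in its own egress logs. The following script is an added example, not code from the article or from any vendor it names: it parses a constructed, hypothetical firewall log format and flags internal hosts making accepted outbound connections to the well-known TCP ports of the consumer IM networks mentioned above (AIM/ICQ 5190, MSN Messenger 1863, Yahoo! Messenger 5050), while exempting an assumed sanctioned enterprise IM server.

```python
import re
from collections import defaultdict

# Well-known TCP ports of the consumer IM networks the article names
# (AIM/ICQ OSCAR, MSN Messenger MSNP, Yahoo! Messenger YMSG).
CONSUMER_IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN Messenger", 5050: "Yahoo! Messenger"}

# Assumed policy: only the enterprise IM server (hypothetical address) is sanctioned.
SANCTIONED_IM_SERVERS = {("10.0.5.20", 443)}

# Constructed log format (not a real vendor format):
# <date> <time> ACCEPT|DROP proto=<proto> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_rogue_im(lines):
    """Return {internal_host: {im_service: connection_count}} for accepted
    outbound TCP connections to consumer IM ports that bypass the sanctioned server."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "tcp":
            continue
        if (rec["dst"], rec["dport"]) in SANCTIONED_IM_SERVERS:
            continue  # sanctioned enterprise IM traffic
        service = CONSUMER_IM_PORTS.get(rec["dport"])
        if service:
            findings[rec["src"]][service] += 1
    return {host: dict(services) for host, services in findings.items()}

# Constructed sample log (documentation-range external addresses).
SAMPLE_LOG = [
    "2004-03-01 09:12:01 ACCEPT proto=tcp src=10.0.7.15:3345 dst=203.0.113.10:5190",
    "2004-03-01 09:12:07 ACCEPT proto=tcp src=10.0.7.15:3346 dst=203.0.113.10:5190",
    "2004-03-01 09:13:22 ACCEPT proto=tcp src=10.0.7.22:4010 dst=203.0.113.20:1863",
    "2004-03-01 09:14:02 DROP proto=tcp src=10.0.7.30:4100 dst=203.0.113.30:5050",
    "2004-03-01 09:15:40 ACCEPT proto=tcp src=10.0.7.40:4200 dst=10.0.5.20:443",
    "2004-03-01 09:16:11 ACCEPT proto=tcp src=10.0.7.40:4201 dst=203.0.113.40:80",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for host, services in find_rogue_im(SAMPLE_LOG).items():
        print(host, services)
```

Port matching is only a first pass: consumer clients of that era could fall back to HTTP on port 80 or a web proxy, so a real review should also look at destination hosts and proxy logs.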
“Applications like MSN Messenger are insecure, and the small print tells you never to transmit credit card or password info over IM,” says PERF’s Kane. “As information travels as plain text, anyone who knows a little about computers can easily steal information.” His organization implemented an enterprise IM system known as Collabrix, made by Kenmore, Wash.-based LINQware. Collabrix includes IM, document collaboration and other features within a closed, secured environment. It uses 128-bit Secure Sockets Layer (SSL) encryption so that no one can intercept and decipher sensitive IMs in transit.
Caring about sharing
Instant messaging carries a high potential for liability, particularly in heavily regulated industries such as government, financial services and health care. The Health Insurance Portability and Accountability Act (HIPAA), for example, poses a particular menace to the uncontrolled usage of IM.
Undocumented communications regarding a patient could occur without the healthcare organization’s knowledge, leading to an unintentional breach of HIPAA’s access requirements. Such violations could invoke heavy fines. Yet most systems on the market today are open: if you know a person’s IM address you can message them directly. Anyone with an IM address, therefore, has the potential to share sensitive data and bypass any audit capabilities of the organization until after the event has occurred. The best approach is to deploy a closed system that can still be exposed to key outside customers and vendors, such as Lotus Sametime or Collabrix.
PERF, for instance, uses Collabrix to share and edit documents securely online. Instead of absorbing bandwidth and transmitting sensitive information over the web, even if secured, this system permits authorized users to view the screen of the document owner. While they can comment or make changes online, they at no time actually have a copy on their own system. This feature is also available to PERF for use in IT troubleshooting. “System administrators can contact the user and be given total control of the workstation to resolve difficulties,” says Kane. “This feature is also very useful when you want to share documents with colleagues who are scattered around the country.”

Another common weakness is user authentication. Public IM systems do not perform any type of user validation to determine the authenticity of a user. This can be resolved either by deploying third-party add-on software or enterprise IM programs with built-in authentication. Attention must also be paid to archiving. Public IM systems do not offer any mechanism for capturing the transcripts of conversations. Third-party tools exist which can capture the conversation at its conclusion.
However, conversations that are dropped midstream are lost unless the IM system is server based. This could have serious repercussions in law enforcement, security, healthcare and other organizations that deal in sensitive information. “With few exceptions, consumer-grade IM clients do not provide a means of recording content of IM conversations,” says Osterman. “This is a particularly significant shortcoming for organizations that are required by statute or convention to retain a copy of communications with customers, business partners and others.”
To make matters worse, the file sharing features of most IM systems expose internal systems to attack. Virtually all IM software, in fact, allows file transfers that bypass virus-checking software. This exposes networks to serious threats such as the Blaster worm, which took down more than one million computers in its first 24 hours. Kane stresses that it is vital to have anti-virus protection that closes the door on file-borne viruses. “IM is a risky business if done insecurely within a large organization,” he says. “Only when you add integrated enterprise-class security features does it have real value.”
But while security is a primary concern, Kane points out that IM contains many features to boost productivity. The Collabrix In/Out Board, for instance, is used widely in PERF to enable employees to know if their peers have gone away on business, and more importantly, how to contact them. If someone is at a conference, for example, the In/Out Board shows that fact. By clicking a link, associates view the best methods to reach the person. “The In/Out Board enables us to be more organized and not lose touch with each other,” says Kane. “This saves time in asking around about a particular person, or when you need to find a document in a hurry from someone who isn’t immediately around.”
Ready or not
Like wireless before it, IM is coming (or has already arrived) whether government agencies and corporations are ready for it or not. The best approach, therefore, is to take control of IM by establishing usage policies and adopting an IM system that is designed for the corporate world. There are a variety of IM choices out there. The best advice is to ignore consumer-based systems and adopt an enterprise-class system. While cost and functionality are important concerns, security should be given paramount importance. VoIP and video messaging may sound like excellent bells and whistles, but no purchasing decision should be made based on those functions alone. During the selection process, especially, be aware that not every system is as secure as it is represented to be. Sametime and Microsoft Live Communication Server, for example, have a weakness when dealing with outside agencies and partners: these tools can’t be used by outsiders without granting them domain rights. Similarly, other IM systems are hosted on banks of public servers, daisy-chained together.
If one of the servers in the chain goes down, users on all servers past that point are not visible. Many of the public systems go down weekly. These systems were not designed with the kind of fault tolerance or redundancy that enterprises demand. The best approach is to specify a server-based system, and strictly avoid tools that are client-based. That narrows the field down to Sametime, Yahoo Corporate Messenger, Collabrix and Hub Communicator by Wired Red. For best results, carefully evaluate these products against the criteria above, based on the security environment that exists within the organization.