Lock IT Down: Taking control of IM services

A guide to selecting the appropriate instant messaging software for your organization

A lot has been written recently about the value, or lack thereof, of using instant messaging in a corporate environment. While these are relevant topics for discussion, the fact is that IM is used in almost every corporate environment—management just may not know about it.

Our purpose here is not to debate whether IM use should be allowed in the enterprise. Instead, we'll discuss the instant messaging environments that are available and the security and privacy implications involved in using them, and we'll examine the issue of selecting public or private IM services.

Standards are critical
When employees walk into a job at a new company, it's unlikely that they head for the office of the IT director and demand the software they want to use on the desktop. Instead, they probably go to their new office, turn on their computer, and begin working with a standard set of software applications supported by the IT department and carefully chosen to maximize business productivity. Why should instant messaging software be any different?

The answer is simple. It shouldn’t. Software is chosen based on the needs of the business. Part of that analysis includes making sure that the software is secure and has a reasonable business use. Instant messaging brings security risks, so it is important that IM software be put through the same selection process as any other piece of desktop software.

What standards can be put in place on corporate desktops? The most common pieces of IM software in use are AOL Instant Messenger, MSN Messenger, and Yahoo Messenger, each of which runs on its own proprietary network and protocol. However, other solutions are also available. Software packages such as Trillian support all of the above services and more through a single interface for the user.

Security is paramount
Selecting a companywide IM package requires a careful study of the security of the various services that the IM software makes use of. Business productivity issues notwithstanding, security is the single most important aspect of choosing an IM package.

How can your IT department evaluate the security of one of the potential IM products and take appropriate precautions with the selected package or packages? For the publicly available IM clients (AOL, MSN, and Yahoo), security is not yet on par with private services. For example, these services do not provide high levels of encryption for the data being passed back and forth, and because messages generally pass through a central server, that data can be intercepted.

Furthermore, these public IM packages can be used as a vehicle to introduce malicious software, such as viruses, into the enterprise via their “direct connect” features. Unfortunately, disabling specific features of an IM client can be difficult across an entire enterprise. Therefore, if public IM clients are to be rolled out as part of a standard installation, company policies outlining strict and specific enforcement of limits must accompany them.

Public IM with encryption
Trillian 0.71 now supports 128-bit encryption. However, keep in mind that this feature works only between two Trillian 0.71 (or above) clients, and it currently supports only the AIM and ICQ protocols.

Selecting a private IM solution
While security issues abound, there is little doubt that instant messaging can play a role in improving internal communication for a company, especially when it comes to making use of chat rooms. Rather than convening participants in a single location, everyone can join a specific chat room and discuss an issue. This allows a company to reap significant cost savings, especially if it means saving on conference calls and the expense of traveling from other cities.

With these potential benefits in mind, the next step is choosing a solution. I highly encourage the use of an internal or private instant messaging solution for business communication, as it is much less likely to be the victim of eavesdropping and can be more easily secured since it is not controlled by a third party. One possibility for a private IM server is Microsoft Exchange 2000, which is already in use by many organizations. Exchange 2000 can act as an instant messaging server (and a chat server), which allows for internal control of an IM solution.

While talking about security and Exchange in the same article is not common these days, Exchange instant messaging makes use of an internal home server, which, as stated above, is more secure than a public medium because it is generally located behind the company firewall.

Microsoft’s Exchange IM implementation runs as an ISAPI extension to Internet Information Server using the Rendezvous Protocol (RVP). It also uses a typical URL to send messages back and forth, which allows Exchange instant messaging servers in different locations to communicate with each other.

Getting an Exchange IM server up and running is not simply a matter of flipping a switch in the Exchange configuration console. It requires some careful preparation and involves multiple steps. In addition to the Exchange 2000 setup, there are DNS issues to resolve and client software that needs to be deployed.

However, this can be a blessing in disguise because it forces the IT department to think through the services involved in deploying IM and raises consciousness about where security and performance problems could arise in the future. In addition, Exchange allows for granular administration of the users related to IM so that an organization can allow it for just those people who need it. Watch for upcoming articles on implementing IM on Exchange 2000.

Instant messaging is here to stay. In many cases, it can be used to increase productivity and reduce meeting costs. In all cases, the IT group in an organization should be charged with choosing an IM standard to maintain control over the desktop computing environment. To assist in this effort, an organization can roll out its own instant messaging server, such as Exchange 2000, which will most effectively protect confidential information and control the use of the IM services within the organization.

How do you feel about corporate IM?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.

