Instant Messaging risky without internal mechanism

Love it or hate it, users want IM. However, Instant Messaging sites and technologies may pose a communications risk to the sensitivity of company information. Here is a perspective on why to block public services and replace them with internal offerings.


Many organizations use instant messaging (IM) for informal departmental and organizational communication. This communication can become a hodgepodge of personal and company-related interaction. IM technologies are, in a sense, a gray area in communications management. For example, most organizations audit and archive e-mail to a certain standard, but IM traffic is not subject to that requirement. IM traffic can go to any number of different Internet sources such as Yahoo!, AOL, MSN, and others, as well as to individuals hosting their own IM servers at home. Beyond the big players, this makes specifically identifying the traffic a challenge from a network perspective. IM communication is not as official as e-mail, and it is unclear whether it would be subject to the same archival requirements from a compliance perspective. What makes this issue worse is that public-service IM communication is not secured over the Internet, can be adware-ridden, and can allow file transfers. Identifying the risks can go on for hours, but allowing unmanaged IM access to the public sites raises the issues of trade secret information, internal communications and announcements being sent to competitors, and basic archival and tracking of communication.

So what options are available? One approach is to block all traffic at the firewall to the relevant public services. This, however, undercuts the true benefits of IM technologies for internal company use. I do think IM is a good tool for internal communication, but using it over a public service seems ironic. So, we can focus on managed IM services or internally hosted systems. There are a large number of IM systems that can be hosted internally, and some can even work from groupware products like Microsoft Exchange, which may already be in place within an IT environment and may not require additional purchases. Further, there are plenty of open source mechanisms that can set up internal messaging servers at no cost.

The utopia of IM communication is a mechanism that is internally hosted, archives traffic to the same standards as e-mail, and interoperates with Internet IM services. One such service is the Sun Java System Instant Messaging offering, which provides the management features as well as public gateway communication. The key to reducing this data loss risk is to provide a solution administered by the network team that protects the company's interests yet allows people to do their jobs and use the positive benefits of IM technologies.

How do you approach managing IM traffic with regard to protecting unaudited information leaving your network? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

5 comments
jeremycobert

You can easily set up a Jabber server and have it centrally manage users, groups, whatever. An Openfire server can also keep logs of all instant messages for security. FREE, EASY and open source!

aabdullah

An alternative, or better yet, a great interim solution to internally hosting IM services, is standardizing on one of the primary IM services, i.e. Yahoo, MSN, AOL, for all users, and furthermore blocking any additional services. After fully deploying an internal solution, you can then block all external IM services. Although you don't mitigate all risks with this approach, you can at least rein in threats from multiple IM services. Reading this article has heightened my sense of urgency regarding internalizing and managing an internal IM solution.

WillSolo

I definitely agree that IM can be a great tool for our employees. Having to deal with HIPAA compliance issues, we moved over to the XMPP/Jabber-based Openfire system months ago and so far so good. Using unsecured Internet-based IM just wasn't an option anymore. The Jabber server was easy to set up and secure (all communications are encrypted). Archiving is enabled to log all conversations and we have to worry less about their accounts getting hacked or passwords changed and then lost. Also, with a web-facing connection, we are able to set up outside users that need to communicate with our internal users. Again, the most important issues are security and accountability, and it fit the bill... literally... it was free.

Michael Kassner

Thanks Rick. One application that is almost always forgotten about is Skype. It has almost the same feature set as IMs, but isn't really thought of as being one.

b4real

It is, Michael. I think some of the new Internet products are creating circumventions to policy and I am curious what people are doing to protect in this regard.