Most CIOs are surrendering to instant messaging usage, realizing that user adoption is happening whether they want it to or not. But it’s not a total surrender. To manage IM usage, CIOs are evaluating new secure enterprise IM options and a new standard designed to make IM technologies compatible with each other. As one IT professional explains, instituting a companywide ban on IM isn’t feasible and security concerns posed by free IM services require attention and quick action.

“We realized we needed to get [instant messaging] under control,” said Andrew Weiner, an IS consultant at a Michigan-headquartered manufacturing company. “There are several security problems with the free IM services that we were told might expose us to legal liabilities. For that reason, and realizing it would be a hard fight trying to institute a companywide ban on IM, we started to look for an IM solution that addressed our security concerns.”

Weiner is in the process of selecting a secure IM solution and investigating how much security protection his organization needs.

“We’d like all messages between internal employees to be encrypted, and we’d like to use existing authentication systems so we don’t have to maintain a separate username and password list just for IM. But we don’t need to archive every session,” he explained. Weiner is leaning toward a managed secure IM service, but is also interested in taking a closer look at what Microsoft is bringing into the market.

The security issues in play
The security problems Weiner and others are facing with the widely used free IM services (AOL Instant Messenger, Microsoft MSN Messenger, and Yahoo IM) are numerous:

  • Lack of encryption support means all IM messages travel in clear text; anyone able to eavesdrop on a session, on the local network or along the path to the provider, can read them.
  • Lack of user authentication services means anyone can create an account claiming to be anyone else. Ideally, managers would like the ability to create IM user accounts and require that users identify themselves.
  • Lack of automatic archiving of message content affects specific industries such as financial institutions; regulations require that they keep copies of all communication exchanges, including IM sessions.
  • Lack of access control means administrators have no way to decide who may be added to, or excluded from, the IM system.

Help has arrived
Starting last year, some companies began turning to new enterprise IM software that promised to thwart the security issues. Lotus Sametime is the most popular application. According to the consultancy Osterman Research, which surveyed 196 IT managers last year, more than 60 percent of enterprises use Sametime.

Sametime, like some other commercial IM offerings, includes management and security features that help address the holes in the free IM service offerings. For instance, Sametime has user authentication services and lets managers control access to the IM system. Also, messages exchanged within the Sametime environment are encrypted.

This year, managers have even more choices. Three of the widely used, free services have announced enterprise versions. While most are in limited distribution, they are expected to be commercially available by the first quarter of this year. These products are the Yahoo Messenger Enterprise Edition, AIM (AOL Instant Messenger) Enterprise Gateway, and MSN Messenger Connect Service.

In addition, vendors are coming into the market with new tools designed specifically for IM security and managing IM services.

Some of these products are targeted at vertical markets, for instance, HealthAgent.Net, which combines secure IM with file transfer functions so that doctors and hospital workers can securely collaborate and share information while maintaining patient confidentiality.

One issue solved, another arises
While the new enterprise IM apps may offer secure communications, there’s a caveat attached. You’ll likely encounter interoperability issues when these applications are pulled into the enterprise.

A new standard, the Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE), which was completed by the Internet Engineering Task Force last fall, will likely solve that issue, but not overnight.

The promise of SIMPLE is interoperability between disparate IM systems. In theory, SIMPLE is to IM what the Simple Mail Transfer Protocol (SMTP) was to e-mail.

With SIMPLE, end users of IM software would be able to incorporate users of different, SIMPLE-compliant IM software packages into a messaging session. Additionally, a user of one SIMPLE-compliant IM program would be able to detect when a user of another SIMPLE-compliant IM program was signed into that program.
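To make the two capabilities just described concrete, here is an added illustration of what a SIMPLE exchange looks like on the wire: one vendor's client sends an instant message (a SIP MESSAGE request, RFC 3428) and then subscribes to a contact's presence (SUBSCRIBE/NOTIFY with a PIDF body, RFC 3856 and RFC 3863), and the other vendor's server answers both. This is example code written for this article, not software from any of the products named above; the users, hosts, tags and Call-IDs are constructed sample values. Because interoperability means accepting messages built by someone else's implementation, the receiving side validates the declared Content-Length and the presence body's media type rather than trusting them.

```python
import xml.etree.ElementTree as ET

CRLF = "\r\n"
PIDF_NS = "urn:ietf:params:xml:ns:pidf"


def build_request(method, from_uri, to_uri, call_id, cseq, headers=None, body=""):
    """Serialise a SIP request. Content-Length is computed from the body so a
    receiver on a stream transport can frame the message correctly."""
    lines = [
        f"{method} {to_uri} SIP/2.0",
        "Via: SIP/2.0/TCP client.example.com;branch=z9hG4bK776sgdkse",  # constructed
        "Max-Forwards: 70",
        f"From: <{from_uri}>;tag=49583",  # constructed dialog tag
        f"To: <{to_uri}>",
        f"Call-ID: {call_id}",
        f"CSeq: {cseq} {method}",
    ]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    lines.append(f"Content-Length: {len(body.encode())}")
    return CRLF.join(lines) + CRLF + CRLF + body


def parse_sip(raw):
    """Split a SIP request or response into start line, headers and body.
    SIP header names are case-insensitive, so they are lower-cased here."""
    head, _, body = raw.partition(CRLF + CRLF)
    start, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Reject a message whose declared length does not match what arrived.
    declared = int(headers.get("content-length", "0"))
    if declared != len(body.encode()):
        raise ValueError("Content-Length does not match body")
    if start.startswith("SIP/2.0 "):
        return {"kind": "response", "code": int(start.split()[1]),
                "headers": headers, "body": body}
    return {"kind": "request", "method": start.split()[0],
            "headers": headers, "body": body}


def build_response(request, code, reason):
    """Answer a parsed request. Via, From, To, Call-ID and CSeq are echoed so
    the sender can match the reply to its own transaction."""
    h = request["headers"]
    lines = [f"SIP/2.0 {code} {reason}"]
    for name, key in (("Via", "via"), ("From", "from"), ("To", "to"),
                      ("Call-ID", "call-id"), ("CSeq", "cseq")):
        lines.append(f"{name}: {h[key]}")
    lines.append("Content-Length: 0")
    return CRLF.join(lines) + CRLF + CRLF


def build_pidf(entity, basic):
    """Build a minimal PIDF presence document (the body of a SIMPLE NOTIFY)."""
    return (f'<presence xmlns="{PIDF_NS}" entity="{entity}">'
            f'<tuple id="t1"><status><basic>{basic}</basic></status></tuple>'
            "</presence>")


def presence_of(notify_raw):
    """Return (entity, basic status) from a NOTIFY carrying a PIDF body."""
    msg = parse_sip(notify_raw)
    if msg["kind"] != "request" or msg["method"] != "NOTIFY":
        raise ValueError("not a NOTIFY request")
    if msg["headers"].get("content-type") != "application/pidf+xml":
        raise ValueError("unexpected presence document format")
    root = ET.fromstring(msg["body"])
    basic = root.find(f"{{{PIDF_NS}}}tuple/{{{PIDF_NS}}}status/{{{PIDF_NS}}}basic")
    return root.get("entity"), basic.text


def run_exchange():
    """Cross-vendor exchange: alice@example.com (product A) messages, then
    subscribes to the presence of, bob@example.net (product B). Constructed."""
    alice, bob = "sip:alice@example.com", "sip:bob@example.net"
    # 1. Instant message (RFC 3428) and the 200 OK from the other vendor's server.
    msg = build_request("MESSAGE", alice, bob, "c1@example.com", 1,
                        {"Content-Type": "text/plain"}, "Are you free at 3?")
    req = parse_sip(msg)
    ok = parse_sip(build_response(req, 200, "OK"))
    # 2. Presence subscription (RFC 3856); the notifier replies with a NOTIFY.
    sub = build_request("SUBSCRIBE", alice, bob, "c2@example.com", 1,
                        {"Event": "presence", "Expires": "3600"})
    sub_ok = parse_sip(build_response(parse_sip(sub), 200, "OK"))
    notify = build_request("NOTIFY", bob, alice, "c2@example.com", 1,
                           {"Event": "presence",
                            "Subscription-State": "active;expires=3600",
                            "Content-Type": "application/pidf+xml"},
                           build_pidf("pres:bob@example.net", "open"))
    entity, status = presence_of(notify)
    return {"message_code": ok["code"], "message_body": req["body"],
            "subscribe_code": sub_ok["code"], "presence": (entity, status)}


if __name__ == "__main__":
    print(run_exchange())
```

The point of the exchange is that neither side needs to know which product the other runs: the MESSAGE, SUBSCRIBE and NOTIFY shapes and the PIDF body are what the standard fixes, which is exactly the interoperability the proprietary protocols lack.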

This is a big issue given that many enterprises plan to share IM capability and services with clients, customers, and other third-party partners.

Naturally, as with any new standard, success will depend on vendor adoption. Recent movements are encouraging. Soon after the SIMPLE standard was finalized, Lotus announced support for SIMPLE in its Sametime product. This was viewed by some as a major endorsement for enterprise IM, given the high percentage of enterprises using Sametime as their company-sanctioned IM platform. In addition, Microsoft supports the SIMPLE protocol in its Windows Messenger included with Windows XP.

But as many industry analysts have noted, mere announcement of support for SIMPLE won’t make interoperability problems go away. Most experts believe it will be two to three years before there is appreciable deployment of SIMPLE-compliant products. Until that time, most IM deployments will have to depend on proprietary IM protocols.

For CIOs, that likely means keeping any sanctioned IM in-house before extending IM services to business partners or customers who may be using different IM systems.