Instant messaging--better safe than sorry

Are the people in your company using AIM, MS Messenger, or other instant messaging programs to help get their work done? If they are--whoa! It's time to think about exactly what's going on here. Because while they zip messages around about accounts, customers, projects--okay, and maybe tips on cheating at Quake, too--they're also running the risk of exposing your networks to viruses and privacy violations.

According to IDC, corporate IM users will jump from nearly 5.5 million in 2000, to over 181 million by 2004. If your company is contributing to that growth, it may also mean that you have major security breaches on your hands. By their very nature, popular public IM services like AIM, MSN Messenger, and Yahoo Messenger, are insecure. One of the biggest IM security issues is privacy violations, for both users and your company. If you use a public service, you have no guarantee that your cleartext messages aren't read at the servers or by someone using a network scanner. And you could also risk having sensitive company information go public. For example, you may also be in charge of a permanent record of all IM communications-and you may not want that at all. A few IM programs, such as ICQ, keep a running log of all messages. Unless you want to end up in hot water the way eFront did when those records were made public, this is one feature you don't want on.

Microsoft IM clients, Microsoft MSN and Windows Messenger, have an additional potential problem. Both IM programs require users to use .NET Passport. Because Passport is meant to be a universal login, employees who use it at home will almost certainly have personal information such as credit card numbers and Web site memberships accessible through the system. Particularly when used in conjunction with Windows Dial-Up Networking, the .NET Passport is crackable, so this could lead to legal headaches if a user's corporate use of Passport lead to their personal information being compromised.

If privacy violations and multiple login security problems aren't enough, IM can also increase your company's vulnerability to viruses. Though these scenarios don't make the headlines like e-mail bugs, IM clients spread computer illnesses, too. Internet Relay Chat (IRC) clients, for example, can get their own worms, such as IRC.Whacked, and such old e-mail favorites like ILOVEYOU. That, it seems, is how the Unversity of Texas at Austin, got many of its cases of ILOVEYOU. The way to handle this, of course, is the same way you do any other prospective viral problem. You keep everything patched, run real-time, anti-viral IM programs on your gateway, such as Elron Software's IM Message Inspector, and run up-to-date viral protection programs on your clients.

But instant messaging on its own isn't all that causes security risk. Related services, such as voice messaging and file transfer, are also potential security holes. For instance, when transferring a file using IM, the transfer process bypasses normal e-mail file virus checkers. For security purposes, you should simply turn off these services.

What's the smartest way to use IM in your company? Establish your own IM service. By keeping your IM services within the corporate firewall and virtual private networks (VPN), you're in charge--not your users, not some third-party firm. Microsoft and Yahoo are both taking their messaging servers corporate. ICQ and IRC have long been available, but both have dismal security records. Other companies, such as Lotus, Jabber, NetLert, and Odigo, already have corporate server products available. If keeping message content private is a major concern, Mercury Prime is working on an encrypted IM system.

To deploy an IM service, you'll need to give the server software its own dedicated servers. Generally speaking, RAM, more so than CPU power, is what you'll need in these servers. All the IM servers work on standard TCP/IP networks, but high-speed networks--Fast Ethernet or better--connections will enable these servers to keep up with traffic demands for users who will expect little, if any, latency. Some of them, such as Jabber, are also compatible with the multiple IM systems. The Windows Jabber Instant Messenger (JIM), for instance, can use gateways to communicate with people using MSN, ICQ, and Yahoo IM clients.

Whether you'll want to do that in the face of security concerns, is another question. That said, Jabber's gateway system makes it potentially more secure against viruses carried by native IM clients. You can also use a VPN-secured extranet with your suppliers or customers to enable secure IMing both inside and outside of your corporate network.

Which IM program is right for you? Only you can answer that after testing them out in pilot projects. My network pick is Jabber. The server is solid, involves open source XML, it's compatible with ICQ, MSN, and Yahoo IM services, and there are clients for Wintel PCs, Macs, Linux boxes, and even Palms.

You may find that your users have already done much of your testing for you. At many companies the IM lines are already humming, helping to get work done more efficiently. Now, it's your turn to make sure that work is done securely.