Enterprise listens to instant messages

IM is rapidly spreading from people's personal lives into their work environment - but it has many security and management implications. We're here to talk you through them
Written by Rupert Goodwins, Contributor

Network architects and system designers are quick to think of services for corporates, but slow to remember that real people, not seats, use the networks. Instant messaging or IM is a case in point: originally a consumer-only Internet chatter tool, it rapidly spread from people's personal lives into their work environment. However, while the cost of deployment of public IM clients such as Microsoft (MSN) Messenger, AOL Instant Messenger (AIM) or Yahoo! Instant Messenger is low and configuration simple, IM has many security and management implications.

The obvious problem is sending messages in the clear across public networks, or across a corporate LAN where not all messages should be visible to everyone. IM clients without encryption are vulnerable to anyone running a sniffer tuned to their protocols. A related problem is that IM clients can often be configured to use unusual port numbers, which defeats simple port-based filtering and makes them a convenient channel for surreptitious communication between employees.
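The two exposures above are the same fact seen from two sides: a protocol that is readable on the wire can be recognised by its payload, whatever port it uses. The following added example (not code from the article or from any vendor it names) runs a payload-signature check over a few constructed flow records and reports, for each recognised IM session, whether it sits on the service's usual port or has been moved somewhere unusual. The default ports and the protocol signatures are assumed from commonly published documentation for the services the article lists; the `Flow` records, addresses and payload bytes are constructed for the example.

```python
# Added example (not from the article): recognise public IM protocols by
# payload signature so that clients moved to unusual ports are still seen.
# Flow records below are constructed; ports and signatures are the commonly
# documented defaults for the services the article names (assumed, not
# taken from the article).
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known default ports (assumption from public documentation)
DEFAULT_PORTS = {"MSN": 1863, "AIM": 5190, "Yahoo": 5050, "XMPP": 5222}


def classify_payload(payload: bytes) -> Optional[str]:
    """Return the IM protocol a cleartext payload looks like, or None.

    A match is only possible because the traffic is unencrypted, which is
    the exposure the article describes; an encrypted session yields None.
    """
    head = payload[:256]
    if head.startswith(b"YMSG"):                                # Yahoo! Messenger header
        return "Yahoo"
    if head[:1] == b"\x2a":                                     # OSCAR (AIM) FLAP frame marker
        return "AIM"
    if head.startswith((b"VER ", b"CVR ", b"USR ", b"MSG ")):   # MSNP command verbs
        return "MSN"
    if b"<stream:stream" in head and b"jabber" in head:         # XMPP stream open
        return "XMPP"
    return None


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


Finding = Tuple[str, str, int, str, str]


def audit(flows: List[Flow]) -> List[Finding]:
    """Flag every flow carrying a recognisable IM protocol.

    'cleartext' marks readable IM on its default port; 'nonstandard-port'
    marks the same protocol on a port that a port-based filter would miss.
    """
    findings: List[Finding] = []
    for f in flows:
        proto = classify_payload(f.payload)
        if proto is None:
            continue
        reason = "cleartext" if f.dport == DEFAULT_PORTS[proto] else "nonstandard-port"
        findings.append((f.src, f.dst, f.dport, proto, reason))
    return findings


# Constructed sample flows: a normal MSN login, a Yahoo session on 8443,
# an AIM session between two internal hosts on 443, and ordinary HTTP.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 1863, b"VER 1 MSNP8 CVR0\r\n"),
    Flow("10.0.0.7", "198.51.100.21", 8443, b"YMSG\x00\x0b\x00\x00\x00\x10"),
    Flow("10.0.0.8", "10.0.0.10", 443, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    Flow("10.0.0.9", "198.51.100.22", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, proto, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} {proto} ({reason})")
```

Every hit from `audit` is evidence that the session was readable at the capture point, which is exactly what a sniffer on the same segment would see. One caveat: an XMPP match only shows that the stream was opened in the clear, since a client may negotiate TLS immediately afterwards; the other three protocols as named here carry message bodies unencrypted once matched.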

Another problem is that the mainstream free IM products are vulnerable to spam messages containing links to dangerous places, and many can also receive files -- potentially tunnelling infected or malicious executables through your firewalls and onto your systems. In reverse, IM gives people an easy way to move confidential documents out of a company without leaving a trace. Finally, public IM systems have no effective user authentication -- and, as with any software exposed to the Internet, there are buffer overflows and other vulnerabilities to worry about.

Enterprise IM systems, around 20 of which have appeared over the past year, take different approaches to solving the above issues. Some, such as that from Bantu, have no resident clients: Bantu uses a mixture of server-hosted services and Java applets to provide encrypted messaging across a wide range of clients. This centralised approach makes it much simpler to provide logging, authentication and quality-of-service controls. Others build on existing platforms; Reuters Messaging, currently aimed at the financial community, uses SSL for encryption and runs on Windows 2000 Server with added messaging components. Still others, including Yahoo's Enterprise Edition, use the same basic client-based technology as their consumer variants but add extra levels of protection and management.

Although IM's main selling point is messaging, it has knock-on effects. One is presence; when a user logs into IM it effectively alerts the network that they're around and provides a path to reach them. Another effect is that extra services naturally cluster around IM, such as voice messaging, videoconferencing, directory look-ups, calendaring and so on. Every enterprise IM system has a different range of options here, as the market is still immature, and the promise of proper open standards to allow network administrators to mix and match data from different applications with IM is largely unfulfilled.

Things are slightly better with the messaging protocols themselves. There are two sets of open standards battling it out with the proprietary systems -- SIP/SIMPLE and XMPP. SIP is the Session Initiation Protocol from the IETF, and provides a way for two agents on a network to establish a session with each other. SIMPLE, SIP for Instant Messaging and Presence Leveraging Extensions, adds IM functionality around SIP to give a standardised approach to buddy-based IM. XMPP is the Extensible Messaging and Presence Protocol; it does much the same job, but comes from the open source Jabber project and is based around XML. SIP/SIMPLE seems to have the better chance of becoming the one standard, due mostly to industry support from the likes of IBM and Microsoft, but some companies such as Antepo are hedging their bets and providing servers that support both protocols. Additionally, most enterprise IM systems allow some degree of communication with standard clients from the big three consumer systems.

Microsoft has released some messaging components for its servers, but a major update is somewhat overdue. The company is dragging its heels over its real-time communications (RTC) server, codenamed Greenwich. A beta did emerge earlier this year, but shortly afterwards the Greenwich team leader jumped ship to Reuters, and nobody is talking about release dates yet. Its existing Messenger service has also come under fire, as a number of security lapses in the related Passport identity mechanism have led Gartner to recommend no corporate use of Passport until November.

These are early days for corporate IM, even though the consumer side is so widespread -- IDC claims that 70 percent of employees use the technology already. There are many points of differentiation between suppliers, and with competition so intense, those looking to install an enterprise-class IM solution should feel comfortable demanding compliance with their management, security and productivity requirements at a price per seat that almost guarantees a return on investment.
