Are the people in your company using AIM, MS Messenger, or other instant messaging
programs to help get their work done? If they are--whoa! It's time to think about
exactly what's going on here. Because while they zip messages around about accounts,
customers, projects--okay, and maybe tips on cheating at Quake, too--they're also
running the risk of exposing your networks to viruses and privacy violations.
According to IDC, corporate IM users will jump from nearly 5.5 million in 2000
to over 181 million by 2004. If your company is contributing to that growth,
it may also mean that you have major security breaches on your hands. By their
very nature, popular public IM services like AIM, MSN Messenger, and Yahoo Messenger
are insecure. One of the biggest IM security issues is privacy violations, for
both users and your company. If you use a public service, you have no guarantee
that your cleartext messages aren't read at the servers or by someone using
a network scanner. And you could also risk having sensitive company information
go public. For example, you may also be in charge of a permanent record of all
IM communications--and you may not want that at all. A few IM programs, such
as ICQ, keep a running log of all messages. Unless you want to end up in hot
water the way eFront did when those records were made public, this is one feature
you don't want.
Microsoft IM clients, Microsoft MSN and Windows Messenger, have an additional
potential problem. Both IM programs require users to use .NET Passport. Because
Passport is meant to be a universal login, employees who use it at home will
almost certainly have personal information such as credit card numbers and Web
site memberships accessible through the system. Particularly when used in conjunction
with Windows Dial-Up Networking, the .NET Passport is crackable, so this could
lead to legal headaches if a user's corporate use of Passport led to their personal
information being compromised.
If privacy violations and multiple login security problems aren't enough, IM
can also increase your company's vulnerability to viruses. Though these scenarios
don't make the headlines like e-mail bugs, IM clients spread computer illnesses,
too. Internet Relay Chat (IRC) clients, for example, can get their own worms,
such as IRC.Whacked, as well as old e-mail favorites like ILOVEYOU. That, it seems,
is how the University of Texas at Austin got many of its cases of ILOVEYOU.
The way to handle this, of course, is the same way you do any other prospective
viral problem. You keep everything patched, run real-time anti-viral IM programs
on your gateway, such as Elron Software's IM Message Inspector, and run up-to-date
viral protection programs on your clients.
But instant messaging on its own isn't all that causes security risk. Related
services, such as voice messaging and file transfer, are also potential security
holes. For instance, when transferring a file using IM, the transfer process
bypasses normal e-mail file virus checkers. For security purposes, you should
simply turn off these services.
What's the smartest way to use IM in your company? Establish your own IM service.
By keeping your IM services within the corporate firewall and virtual private
networks (VPN), you're in charge--not your users, not some third-party firm.
Microsoft and Yahoo are both taking their messaging servers corporate. ICQ and
IRC have long been available, but both have dismal security records. Other companies,
such as Lotus, Jabber, NetLert, and Odigo, already have corporate server products
available. If keeping message content private is a major concern, Mercury Prime
is working on an encrypted IM system.
To deploy an IM service, you'll need to give the server software its own dedicated
servers. Generally speaking, RAM, more so than CPU power, is what you'll need
in these servers. All the IM servers work on standard TCP/IP networks, but high-speed
network connections--Fast Ethernet or better--will enable these servers to
keep up with traffic demands from users who will expect little, if any, latency.
Some of them, such as Jabber, are also compatible with multiple IM systems.
The Windows Jabber Instant Messenger (JIM), for instance, can use gateways to
communicate with people using MSN, ICQ, and Yahoo IM clients.
Whether you'll want to do that in the face of security concerns is another
question. That said, Jabber's gateway system makes it potentially more secure
against viruses carried by native IM clients. You can also use a VPN-secured
extranet with your suppliers or customers to enable secure IMing both inside
and outside of your corporate network.
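As an added illustration that is not from the article or from any vendor, here is a toy gateway policy for an in-house Jabber server, whose traffic is XML: it keeps stanzas inside an assumed corp.example domain (no third-party servers), refuses the file-transfer requests the article says to switch off, and records each passed message body to show what an unencrypted stream exposes to anyone watching the wire. The Jabber namespaces are real; the domain, the policy and the sample stanzas are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Jabber namespaces that carry file-transfer requests (URL "out of band" transfer
# and stream initiation). The namespaces are real; the domain, policy and sample
# stanzas below are constructed for this example.
FILE_TRANSFER_NS = {"jabber:iq:oob", "jabber:x:oob", "http://jabber.org/protocol/si"}
INTERNAL_DOMAIN = "corp.example"  # assumed corporate Jabber domain

def jid_domain(jid):
    """Domain part of a Jabber ID such as user@domain/resource."""
    return jid.split("@", 1)[-1].split("/", 1)[0] if jid else ""

def local_name(tag):
    """ElementTree spells namespaced tags as '{ns}name'; return just name."""
    return tag.rsplit("}", 1)[-1]

def classify_stanza(xml_text):
    """Return ('pass', note) or ('drop', reason) for one stanza."""
    root = ET.fromstring(xml_text)
    # Keep traffic inside the corporate domain: no third-party servers involved.
    for jid in (root.get("from"), root.get("to")):
        if jid and jid_domain(jid) != INTERNAL_DOMAIN:
            return ("drop", "external party %s" % jid)
    # File transfer bypasses the mail gateway's virus scanning, so refuse it.
    for elem in root.iter():
        if elem.tag.startswith("{"):
            ns = elem.tag[1:].split("}", 1)[0]
            if ns in FILE_TRANSFER_NS:
                return ("drop", "file transfer request (%s)" % ns)
    # A message passes, but note its body: unencrypted, every hop and sniffer sees it.
    if local_name(root.tag) == "message":
        body = next((c.text for c in root if local_name(c.tag) == "body"), "")
        return ("pass", "cleartext body: %r" % body)
    return ("pass", local_name(root.tag))

def filter_stream(stanzas):
    """Apply the policy to a sequence of stanzas; return (passed, dropped)."""
    passed, dropped = [], []
    for stanza in stanzas:
        verdict, note = classify_stanza(stanza)
        (passed if verdict == "pass" else dropped).append(note)
    return passed, dropped

# Constructed sample traffic as it might cross an internal gateway.
SAMPLE_STANZAS = [
    '<message from="alice@corp.example/pc" to="bob@corp.example"><body>Q3 numbers are in the shared folder</body></message>',
    '<message from="alice@corp.example" to="bob@corp.example"><x xmlns="jabber:x:oob"><url>http://files.example/q3.xls</url></x></message>',
    '<iq type="set" id="ft1" from="alice@corp.example" to="bob@corp.example"><si xmlns="http://jabber.org/protocol/si"/></iq>',
    '<message from="carol@corp.example" to="dave@public-im.example"><body>lunch?</body></message>',
    '<presence from="bob@corp.example/pc"/>',
]
```

Running `filter_stream(SAMPLE_STANZAS)` passes only the plain internal message and the presence update; the two transfer requests and the message addressed to a public service are dropped with their reasons.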
Which IM program is right for you? Only you can answer that after testing them
out in pilot projects. My network pick is Jabber. The server is solid, is built on
open source XML, is compatible with ICQ, MSN, and Yahoo IM services, and there
are clients for Wintel PCs, Macs, Linux boxes, and even Palms.
You may find that your users have already done much of your testing for you.
At many companies the IM lines are already humming, helping to get work done
more efficiently. Now, it's your turn to make sure that work is done securely.