
Instant messaging policies reduce risk

By Eileen Kennedy, News Writer
18 Jan 2008 | SearchWinIT.com


One of the first stepping stones to unified communications is instant messaging (IM), a tool that has become ubiquitous but is sometimes overlooked by IT departments. Ignoring IM can cause serious security problems, however. And getting up to speed with security and usage policies now will put communications administrators ahead of the game when they expand into unified communications.

A recent Burton Group study, "Instant Messaging Security: It's Not Just Idle Chatter," said corporate use of IM is on the verge of explosive growth. According to the Radicati Group, IM messages between businesses grew by roughly 25% from 2005 to 2006, from 1.4 billion to 1.9 billion. That number is projected to skyrocket in the next two years, jumping to 4.3 billion IM messages by 2008.


Despite the steep increase in IM use, few corporations have usage policies in place, said Diana Kelley, a lead security analyst at Burton Group, a research and consulting firm based in Midvale, Utah. IT managers have not paid much attention to the consumer-turned-business tool because they are not quite sure how many employees are using it or what types of corporate and customer information are being transmitted over it, she said.

Whether IT shops are managing a Windows or open source platform, Kelley said, the problem is the same: how to control instant messaging applications that are proliferating in enterprises. "The use of IM has been fairly organic in organizations, particularly in those companies that haven't really made a decision about whether employees should use it or not," Kelley said.

The first step for companies is to have a formal policy addressing IM specifically -- even if it is an outright ban, she said. For companies interested in enforcing a ban of the communications tool, products are available that block employees from using unapproved applications such as IM.

For others that want to allow IM while having some control over its use and security, a policy should be written to reflect who can use it, for what purposes and for what kinds of data, Kelley said.

The policy should also include whether file attachments are allowed. Worms and viruses, such as Bropia, Kelvir and MyDoom, have been launched specifically to breach IM tools.

Another consideration that relates to compliance is how to archive conversations and for how long. And finally, companies must decide how the policy will be enforced, Kelley said.

Securing IM can be part of a larger network or messaging initiative, Kelley said. Other steps to safeguard IM can include:

  • Authentication: Multi-factor identity authentication should be provided.
  • Access control: User information can be linked to directory stores like Active Directory to enforce user policies.
  • Content control and keyword filtering: By using content filters and setting up keywords or other content blocks, IT shops can keep important data from leaving the network. An example of prohibited data might be Social Security numbers.
  • Malware and URL filtering: In addition to content-based policy checks, many systems can check for malware signatures, like IM-specific worms, and prevent spam from getting through.
  • Encryption: IM is not often encrypted, but policies that enforce encryption for certain data can be put in place, with encryption happening gateway to gateway, server to server or client to client.
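
As an illustration of the content control and keyword filtering item above, the following sketch inspects an outbound IM for Social Security numbers and blocked keywords. It is an added example, not code from the article or from any product it mentions; the function names, the keyword list and the sample messages are assumptions made for the illustration.

```python
import re

# Candidate SSN: 3-2-4 digits with an optional but consistent '-' or ' '
# separator, not embedded in a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Hypothetical keyword block list; a real gateway would load this from policy.
BLOCKED_KEYWORDS = ("confidential", "internal only")


def is_plausible_ssn(area, group, serial):
    """Apply SSN structural rules so arbitrary 9-digit numbers are not flagged."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def inspect_outbound(message):
    """Return the verdict for one outbound IM plus a redacted copy safe to log."""
    reasons = []

    def redact(match):
        if is_plausible_ssn(match.group(1), match.group(3), match.group(4)):
            reasons.append("ssn")
            return "[REDACTED-SSN]"
        return match.group(0)  # structurally invalid: leave untouched

    redacted = SSN_RE.sub(redact, message)
    lowered = message.lower()
    for keyword in BLOCKED_KEYWORDS:
        if keyword in lowered:
            reasons.append("keyword:" + keyword)
    action = "block" if reasons else "allow"
    return {"action": action, "reasons": reasons, "redacted": redacted}


# Constructed sample messages (not real data).
SAMPLES = [
    "sure, her SSN is 123-45-6789, sending the form now",
    "ticket 000-12-3456 is closed",      # invalid area number: not an SSN
    "order number 1234567890 shipped",   # ten digits: not an SSN
    "attaching the Internal Only roadmap",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_outbound(sample))
```

The redacted copy is what should be written to the archive or alert log, so that the enforcement record does not itself become a store of the prohibited data.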

The bottom line is that without an IM-specific policy in place, companies put themselves at risk, Kelley said. "Real business is being conducted over instant messaging. Organizations that use instant messaging for business must protect and control this critical communication channel," she said.


