Developing instant messaging (IM) security policies

Instant messaging provides clear benefits to corporations, but can be a conduit through which viruses come into and sensitive data goes out of the corporate network. Enterprises need a thorough IM policy and the technical measures to back it up. This tip outlines the factors you should consider when writing an IM policy and the technical measures for enforcing it.

The first step is to clearly state your organization's policy on instant messaging. Here's a set of questions you should consider when defining your organization's IM policy:

  • Is IM use permissible on your network?
  • May users run IM software on systems owned by your organization?
  • Does the organization endorse/require a specific IM platform?
  • Is encryption mandatory?
  • Is IM acceptable for corporate use or for personal communications only?
  • Are there restrictions on the sensitivity of data that may be communicated via IM?
  • Is there a requirement to retain records of IM communication for any period of time?

Once you have a clear policy on IM use, educate your users on policy requirements and their responsibilities.

You can take additional measures to protect instant messaging. Blanket it with layers of protection to ensure your organization is protected against the viruses, worms and other malicious code that have become prevalent on IM networks. Run a modern antivirus program that includes IM scanning on all workstations, and consider using a network-based content filter that scans IM traffic for malware.


You also want to prevent the threat of eavesdropping on your traffic as it traverses public networks. Out of the box, IM software uses public servers hosted by the IM provider, which means all messaging must traverse the public Internet on its way to and from the server. If you think your users might send sensitive messages through IM (accidentally or intentionally), you should strongly consider encrypting that traffic.

Unfortunately, encrypted IM is a relatively immature technology that typically requires a specialized client. One standout in this field is the free Trillian client by Cerulean Studios, which supports multiple IM networks and allows encrypted communications with other Trillian users.

The ultimate option in secure instant messaging is to run your own managed IM server or gateway. This eliminates the threat of outsiders intercepting internal messages as they cross the Internet by keeping the traffic on the local network, and it's actually easier than you might think. Many of these products allow you fine-grained control over the types and destinations of IM traffic on your network. In addition to the commercial products available, you may wish to consider the open-source Jabber IM server project.
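The following Python script is an added illustration, not code from the article or from any IM product it mentions. It shows how the policy questions listed at the top of this tip become enforceable rules at a managed gateway of the kind described above, and how the content-filter and retention requirements from the earlier paragraphs fit into the same check: an encryption requirement, an approved-destination list, a blocked attachment-type list, a restricted-data pattern, and a retention record for every message. The domain `im.example.com`, the sample messages, the blocked extensions and the SSN-like pattern are all constructed for the example.

```python
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ImPolicy:
    """The article's policy questions turned into enforceable settings.
    Every value here is a constructed example, not a recommendation."""
    im_allowed: bool = True
    require_encryption: bool = True
    # Only the organization's own (assumed) managed server is an approved destination
    allowed_domains: frozenset = frozenset({"im.example.com"})
    blocked_attachment_exts: frozenset = frozenset({".exe", ".scr", ".pif", ".vbs"})
    # Constructed pattern standing in for "restricted data" (shaped like a US SSN)
    sensitive_patterns: tuple = (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),)
    retain_for: timedelta = timedelta(days=365)


@dataclass
class ImEvent:
    """One message as the gateway sees it (constructed fields)."""
    sender: str
    recipient: str
    encrypted: bool
    body: str = ""
    attachment: Optional[str] = None
    when: datetime = field(default_factory=lambda: datetime(2008, 1, 15, tzinfo=timezone.utc))


@dataclass
class Decision:
    allow: bool
    reasons: List[str]
    retain_until: datetime


def domain_of(address: str) -> str:
    """user@host -> host, lower-cased (no resource or port handling needed here)."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate(event: ImEvent, policy: ImPolicy) -> Decision:
    """Apply each policy rule; any failed rule blocks the message.
    Reasons are collected rather than short-circuited so the retained record
    explains every violation, which is what a later review needs."""
    reasons: List[str] = []
    if not policy.im_allowed:
        reasons.append("IM use is not permitted on this network")
    if policy.require_encryption and not event.encrypted:
        reasons.append("session is not encrypted")
    dest = domain_of(event.recipient)
    if dest not in policy.allowed_domains:
        reasons.append(f"destination {dest} is not an approved IM platform")
    if event.attachment:
        ext = os.path.splitext(event.attachment)[1].lower()
        if ext in policy.blocked_attachment_exts:
            reasons.append(f"attachment type {ext} is blocked")
    for pattern in policy.sensitive_patterns:
        if pattern.search(event.body):
            reasons.append("body matches a restricted-data pattern")
    return Decision(allow=not reasons, reasons=reasons,
                    retain_until=event.when + policy.retain_for)


def record(event: ImEvent, decision: Decision) -> dict:
    """Retention record: who, to whom, when, verdict. The body is kept only
    for allowed messages; blocked ones keep the reason list instead."""
    return {
        "time": event.when.isoformat(),
        "from": event.sender,
        "to": event.recipient,
        "allowed": decision.allow,
        "reasons": list(decision.reasons),
        "body": event.body if decision.allow else None,
        "retain_until": decision.retain_until.isoformat(),
    }


# Constructed sample traffic: one clean internal message, one unencrypted message
# to an outside server carrying restricted data, one executable file transfer.
SAMPLE_EVENTS = [
    ImEvent("alice@im.example.com", "bob@im.example.com", encrypted=True, body="lunch at 12?"),
    ImEvent("alice@im.example.com", "carol@public-im.example.net", encrypted=False,
            body="customer SSN is 123-45-6789"),
    ImEvent("dave@im.example.com", "bob@im.example.com", encrypted=True,
            body="try this", attachment="funny.exe"),
]


def run_sample(policy: ImPolicy = ImPolicy()) -> List[dict]:
    """Evaluate the sample traffic and return the retention records."""
    return [record(e, evaluate(e, policy)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for r in run_sample():
        print("ALLOW" if r["allowed"] else "BLOCK", r["from"], "->", r["to"], r["reasons"])
```

Each policy question maps to one field of `ImPolicy`, so changing the organization's answer (for example, setting `im_allowed=False` or adding a second approved domain) changes enforcement without touching the rule logic. Keeping the retention record even for blocked messages is deliberate: the record of what was stopped, and why, is usually more useful during an investigation than the record of what went through.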

About the author
Mike Chapple, CISSP, is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This article originally appeared on SearchSecurity.

This was first published in January 2008
