Problem solve Get help with specific problems with your technologies, process and projects.

Developing instant messaging (IM) security policies

Instant messaging (IM) security policies can help prevent security breaches due to IM use. Learn how to write and enforce an IM policy in this tip.

Instant messaging provides clear benefits to corporations, but can be a conduit through which viruses come into and sensitive data goes out of the corporate network. Enterprises need a thorough IM policy and the technical measures to back it up. This tip outlines the factors you should consider when writing an IM policy and the technical measures for enforcing it.

The first step is to clearly state your organization's policy on instant messaging. Here's a set of questions you should consider when defining your organization's IM policy:

  • Is IM use permissible on your network?
  • May users run IM software on systems owned by your organization?
  • Does the organization endorse/require a specific IM platform?
  • Is encryption mandatory?
  • Is IM acceptable for corporate use or for personal communications only?
  • Are there restrictions on the sensitivity of data that may be communicated via IM?
  • Is there a requirement to retain records of IM communication for any period of time?

Once you have a clear policy on IM use, educate your users on policy requirements and their responsibilities.

You can take additional measures to protect instant messaging. Blanket it with layers of protection to ensure you're organization is protected against the viruses, worms and other malicious code that's become prevalent on IM networks. Run a modern antivirus program that includes IM scanning on all workstations, and consider a using network-based content filter that scans IM traffic for malware.

For more info:
Visit our resources page on unified communications security.

Read other articles on instant messaging (IM) and presence.

You also want to prevent the threat of eavesdropping on your traffic as it traverses public networks. Out of the box, IM software uses public servers hosted by the IM provider, which means all messaging must traverse the public Internet on its way to and from the server. If you think your users might send sensitive messages through IM (accidentally or intentionally), you should strongly consider encrypting that traffic.

Unfortunately, encrypted IM is a relatively immature technology that typically requires a specialized client. One standout in this field is the free Trillian client by Cerulean Studios, which supports multiple IM networks and allows encrypted communications with other Trillian users.

The ultimate option in secure instant messaging is to run your own managed IM server or gateway. This eliminates the threat of outsiders intercepting internal messages as they cross the Internet by keeping the traffic on the local network, and it's actually easier than you might think. Many of these products allow you fine-grained control over the types and destinations of IM traffic on your network. In addition to the commercial products available, you may wish to consider the open-source Jabber IM server project.

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This article originally appeared on SearchSecurity.

Dig Deeper on Unified Communications Security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.