
Presence management and security

Enterprises implementing presence need to know how to manage their system's security to avoid falling prey to external attacks.

The major concern regarding presence is not whether to deploy it but how your enterprise plans to deploy and integrate the components in a secure manner that will bring the most value. Don Montgomery, VP of communications at Akonix Systems Inc., explained: "Most of the communications cases came from employees bringing them to work, then having IT block it out, only to grudgingly accept them, and then figuring out where productivity could be had."

Younger employees are likely to bring presence to the office with their own personal IM clients like Yahoo! or AOL. If the IT manager does not take proactive steps to set up systems and create policies around these clients, he is likely to end up with so-called greynets, which can lead to information leaks outside the corporation and give malware applications back-door access to the enterprise network.

About 63% of all enterprise users have some form of presence on the desktop, but most of these are public solutions from companies like AOL and Yahoo, according to data from Wainhouse Research. "These things get installed, and IT does not know about it," said Brent Kelly, senior analyst and researcher at Wainhouse. "The issue for public companies is that they may be sharing information they should not be. There are other issues, like harassment, that the company might not want to happen with IM. These services also have the ability to transfer files, and when you transfer them securely, you might also be transferring viruses."

If a company decides to be deliberate with presence, it can provide a more secure infrastructure within the company, set policies, and provide more utility for enterprise employees.

As a result of these concerns, firms like Akonix Systems, Jabber, Isode, FaceTime and Counterpath are rolling out a range of presence-enabled IM systems and gateways that exchange presence information with PBX systems and with communications software such as Microsoft OCS and IBM Sametime.

For example, more than 2 million business users from heavily regulated industries like finance use Akonix gateways to reduce the spread of malware and establish systems for records retention, security and privacy. Montgomery said that 66% of Akonix's customers are using Microsoft OCS, 20% are using IBM Sametime, and the rest are using Jabber XCP.

Even the major communication vendors are starting to take heed of these concerns. For example, Microsoft OCS takes a comprehensive approach to security, from authentication of users and servers to transport layer security for data/content using encryption. Security features include Active Directory-based user authentication, HTTPS external access, and complete media encryption for secure communications from all endpoints across managed and unmanaged networks with Secure Real-time Transport Protocol (SRTP).

Some of the specific OCS features that address grey network concerns include:

  • The Public Internet Connectivity (PIC) feature enables Office Communicator users to communicate with AOL, Yahoo and Windows Live Messenger (WLM) users.
  • PIC can be enabled/disabled at the per-user level (policies) by OCS administrators.
  • Office Communicator blocks file transfer with AOL/Yahoo/WLM users.
  • Office Communicator will reject any connection attempts from AOL/Yahoo/WLM users that are not already in the user's contact list (unsolicited communications).
  • All communications (including PIC messages to AOL/Yahoo/WLM users) are archived to the Office Communications Server IM archive database.

"After the enterprise rollout, they have to decide which incumbent consumer applications they will embrace and secure, and which ones they will block or discourage employees from using," explained Frank Cabri, vice president of marketing and product management at FaceTime. "They have to look at which consumer applications are adding value and which ones are redundant with the enterprise system. Finally, they will have to educate employees on the policy and supported applications. Ideally, this coaching is done in real time on the network."

Managing system access
Once the presence system is in place, the IT manager needs to figure out what kind of access he is willing to allow outside the corporate network. "The primary concern for the integration of presence functionalities within enterprise and greynet applications is securely managing the registration process and information flow," said Brian Babin, FaceTime's director of product management. "Companies need control over which internal and external users have access to info from the presence system. This requires control over the gateways to public IM."

For example, FaceTime's IMAuditor lets IT control which external users can appear on the buddy lists of internal users. Once IT has established that a request comes from a legitimate source, it must then decide whether the person requesting access, or being granted access by an internal employee, should be able to see corporate presence at all. IMAuditor manages this approval process and monitors who is in communication with employees.

Companies can use the controls built into popular communications systems to set appropriate policies. "Various UC platforms from Microsoft or Lotus Sametime have different levels of control over the gateway out to public IM," Babin noted. "They can set various levels of presence reporting. For example, a user on Microsoft's platform can set three distinct levels of presence reporting. The first level can be very intimate and detailed. At this level, members of a particular team can see virtually all aspects of one's calendar, current status, etc. That same user can also set a company-wide level that shows slightly more general presence info. A person's colleagues could see that a certain time block may be occupied during the day, but cannot see specifically what meeting it is. The final level is for the general public. A person can allow other users outside the company to see only [whether or not] that person is online."

Often, the consumer versions of these applications are designed to require no training, which makes employee adoption of more robust and complex enterprise systems a challenge. In transitioning employees to an enterprise system, IT can build on their existing comfort with consumer applications by allowing some integration between the two systems. For example, allowing an enterprise IM system to interoperate with the consumer networks can let employees stay in touch with their existing contacts. Using consumer-grade networks inside the framework of the enterprise deployment can allow IT to balance security and management with employee adoption. "In terms of social networking applications, FaceTime is in a unique position to help enterprises ensure that company time spent doesn't become wasted time," Cabri said. "It recently announced a major upgrade to its Unified Security Gateway (USG) appliance, which now allows for granular control over the various applications within the major social networking sites, in addition to its traditional IM and Web security. For example, an IT manager can allow Facebook on the network but shut out the 'scrabulous' application."

Controlling presence availability
Even within the corporation, there are concerns that employees will suffer a bombardment of messages and calls from co-workers if they don't take steps to guard their presence. One way around this is for employees to set up a workplace buddy list that provides customized information for different people within the organization. Even though you work in a large company, that doesn't mean you have the same relationship with -- nor want to be equally available to -- all people. You need to be able to build spheres of control, which would allow your core team to see your real presence and everyone else in the company to see your not-so-real presence.

For example, Microsoft OCS includes a "do not disturb" feature that allows users the option to work uninterrupted when needed or, by using access levels, to allow only certain people to interrupt them. Users can also take advantage of the Notes setting in Office Communicator to give people more detailed information on when to interrupt them. Yancey Smith, group product manager, Unified Communications Group at Microsoft, said, "Our software is built around the idea of giving end users control over how, when and why people contact them."
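The controls described on this page (a per-user public-connectivity switch, rejection of unsolicited requests from users not on the contact list, tiered presence access levels and a do-not-disturb mode that lets only certain people through) can be captured in one small policy model. The code below is an added illustration written for this article, not code from OCS, FaceTime or any product named here; the contact names, the presence record and the field sets per level are constructed assumptions.

```python
# Constructed sample record: what the user's own core team is allowed to see.
FULL_PRESENCE = {
    "online": True,
    "status": "busy",
    "calendar": {"subject": "Budget review with finance", "slot": "14:00-15:00"},
    "note": "Interrupt only for the outage bridge",
}


class PresencePolicy:
    """Decides who may subscribe to a user's presence and how much they see."""

    def __init__(self, access, pic_enabled=True, do_not_disturb=False):
        self.access = access              # contact -> "team" | "company" | "public"
        self.pic_enabled = pic_enabled    # admin's per-user public connectivity switch
        self.do_not_disturb = do_not_disturb

    def level_for(self, requester, public_network=False):
        """Return the requester's access level, or None to reject the request."""
        if public_network and not self.pic_enabled:
            return None                   # public IM connectivity disabled for this user
        if requester not in self.access:
            return None                   # unsolicited: requester is not on the contact list
        return self.access[requester]

    def view(self, requester, presence, public_network=False):
        """Filter the full presence record down to what this requester may see."""
        level = self.level_for(requester, public_network)
        if level is None:
            return None
        if level == "team":
            return dict(presence)         # team sees calendar, status and notes
        if level == "company":
            # Colleagues learn that the time block is taken, but not which meeting.
            return {"online": presence["online"], "status": presence["status"],
                    "busy_slot": presence["calendar"]["slot"]}
        return {"online": presence["online"]}   # public: online or not, nothing more

    def may_interrupt(self, requester, public_network=False):
        """With do-not-disturb on, only team-level contacts get through."""
        level = self.level_for(requester, public_network)
        if level is None:
            return False
        return level == "team" or not self.do_not_disturb
```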

Another concern for business managers is that presence technologies could make it even more tempting for employees to play on company time. "If you have the ability to do real-time communication, there is the temptation to be chatting more with your friends," said Peter Saint-Andre, executive director of the XMPP Foundation. "But this is more of a policy issue than a technology issue per se. If enterprises did not want any kind of conversation between employees, they would have outlawed the water cooler 50 years ago."

Banter may happen in group chat rooms, but this is also the lifeblood of the corporation. No one is in these rooms checking that people are doing business. They may be talking about the Yankees or the Giants. When people talk business, the conversation naturally wanders to other things.

But this kind of control works only when the employee realizes the toll that trying to do too many things at once can take on his productivity. "When you are in 10 different chat rooms, you are not giving full attention to anything at the same time," Saint-Andre noted. "It can be a challenge for people to adjust to these technologies. If you really need to focus on writing an article, you might turn that off or change your presence to 'do not disturb.' This is more a matter of work style."

"We've found that if you treat employees like adults, then they'll act like adults," noted Will Sheward, VP of marketing at Isode. "And a vast majority of employees know that success depends on their productivity and can ration their own IM contacts and non-work conversations quite adequately."

George Lawton is a journalist based near San Francisco. Over the last 15 years, he has written more than 2,000 stories for publications about computers, communications, knowledge management, business, health, and other areas that interest him.
