
IM Security: E-mail’s Poor Cousin

Despite the popularity of instant messaging (IM), many organizations don’t regard the communications channel as an enterprise security risk.

Despite the popularity of instant messaging (IM), many organizations evidently don’t regard the communications channel as an enterprise security risk.

Witness a recent poll of over 100 organizations conducted by security software vendor Akonix Systems Inc., which found only 11 percent of companies employ some type of IM “hygiene” system—controls against IM-borne spam, viruses, and other malware. By contrast, 73 percent of organizations do employ e-mail hygiene controls.

Based on those survey results, Don Montgomery, vice president of marketing at Akonix, says most companies “have barely begun to address the rapidly growing threat of virus, worm, or malicious code attack through employee use of instant messaging.” That’s in spite of IM already being a pervasive business tool. According to IDC Research, worldwide almost 12 billion IMs are sent daily, and IM use continues to grow. Obviously, “the security protection of IM is not keeping up with its adoption,” Montgomery says.

Addressing the IM security problem is easy: use a corporate IM product, or IM security software or hardware that secures and regulates employees’ IM use. Corporate IM software, for example, can encrypt all IM communications so they can’t be intercepted—unlike on public, plain text IM networks—and can also block users from accessing public IM outright, or monitor and archive what they send.

In fact, given the threat to enterprise security from public IM networks, “there is no longer any excuse for not adopting corporate IM,” says Gartner analyst David Mario Smith. Furthermore, “businesses should establish policies for connecting with external parties to ensure public IM services are used for real business purposes.”

Public IM Use Still Dominates

Of course, security experts have been saying those things for years. Yet—as Smith notes—while IM is “a key workplace application in about 70 percent of businesses,” most of those businesses still use public IM services, especially AOL Instant Messenger (AIM) and ICQ.

One reason corporate IM adoption isn’t widespread may simply involve workplace realities. “Even when corporate IM is available, users still tend to use multiple public services to connect with external parties,” he says, perhaps reflecting how different groups of users—even in the same company—prefer different IM products.

Users’ preferences could change, however, thanks to a new trend: “federated access to public IM services,” says Smith. For example, in 2005, Microsoft “established direct federation between its Live Communications Server and public services.”

More recently, IBM announced similar plans: to allow users of its Sametime corporate IM software to access public AIM and Yahoo! Messenger via the SIP (Session Initiation Protocol) and SIMPLE (Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions) industry standards. The capabilities debut with Sametime 7.5, due in mid-2006. IBM, without providing further details, also says Sametime will work with Google Talk, Apple iChat on Macintosh OS X version 10.4, and Linux IM services.

One difference between the new Sametime and Live Communications Server will be that while Microsoft charges enterprises $10 per user able to connect to public IM services, IBM will simply build the capability into its multi-protocol Real-Time Collaboration Gateway, a part of Sametime 7.5.

Even so, Gartner expects the cost differences between the two to even out, especially if IBM doesn’t offer built-in IM hygiene services in Sametime 7.5, since interfacing a secure, corporate IM network to public IM networks requires additional security. “Hygiene services, such as those from IMlogic, FaceTime Communications and Akonix Systems, must be installed before connecting Sametime to public IM services, just as they are for port 25, Simple Mail Transfer Protocol (SMTP) messages,” notes Smith. “The risks are the same.”


About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
