Boosting IM Security

Management key to enterprise rollout; financial services advised to retain messages

To date, over 100 million people have used free instant messaging (IM) software from companies such as AOL, Microsoft Corp., and Yahoo Inc. But as more organizations continue to adopt IM software, increasing numbers are turning to secure, corporate-aimed products for either messaging itself or monitoring IM conversations.

“Instant messaging is fast becoming a mainstream business application and our research indicates that the number of companies implementing IM will grow at a triple digit rate in 2003,” says Yankee Group analyst Paul Ritter.

With such growth comes an increased need for secure, more easily managed IM. To get that, “companies are increasingly turning to scalable, multi-network IM solutions,” notes Ritter.

Osterman Research Inc. reports that the most-widely-used, commercial (paid) IM software in use is still Lotus Instant Messaging (formerly known as IBM Lotus Sametime). But other companies continue to make inroads with their own secure, corporate IM and/or monitoring software, including Akonix, America Online (its Enterprise AIM Gateway, not its free IM software), FaceTime Communications, divine, Jabber, and WiredRed.

Another company, PistolStar, just released Facet IM Password Security, a tool for ensuring secure Lotus Instant Messaging passwords. Facet adds password expiration and a so-called “three strikes” feature to the user authentication process.

The software also adds several features to Lotus Web Conferencing (formerly known as Sametime Meetings), including single sign-on, three-strikes lockout, password synchronization, password quality enforcement and password expiration.
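The two controls the article names, a three-strikes lockout and password expiration, are simple to state but have edge cases worth making explicit: the failure counter must reset on a successful login, the lockout must refuse even a correct password until an administrator clears it, and expiry should be measured from the last password change, not from account creation. The following is an added illustration written for this page, not PistolStar's or Lotus's code; the 90-day expiry interval, the account structure, the status strings and the `admin_unlock` helper are all assumptions chosen for the example.

```python
"""Three-strikes lockout plus password expiration (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import os

MAX_FAILURES = 3                        # "three strikes": lock on the third bad password
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed expiry interval; the article gives none


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored digests are not directly comparable across accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    password_set_at: datetime   # expiry is measured from the last change
    failures: int = 0
    locked: bool = False

    @classmethod
    def create(cls, name: str, password: str, now: datetime) -> "Account":
        salt = os.urandom(16)
        return cls(name, salt, _hash(password, salt), now)

    def set_password(self, password: str, now: datetime) -> None:
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.password_set_at = now


def password_expired(acct: Account, now: datetime) -> bool:
    return now - acct.password_set_at >= PASSWORD_MAX_AGE


def admin_unlock(acct: Account) -> None:
    # Hypothetical administrative reset; the only way out of a lockout here.
    acct.locked = False
    acct.failures = 0


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'bad_password', 'locked' or 'expired'."""
    if acct.locked:
        return "locked"      # correct password no longer helps until admin_unlock()
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"  # third strike
        return "bad_password"
    acct.failures = 0        # a good login resets the strike counter
    if password_expired(acct, now):
        return "expired"     # credential is right, but a change is required before use
    return "ok"


def demo() -> list:
    """Walk one constructed account through the edge cases; returns the status sequence."""
    t0 = datetime(2003, 9, 1)
    acct = Account.create("broker1", "correct horse", t0)
    out = [
        authenticate(acct, "wrong", t0),            # bad_password (strike 1)
        authenticate(acct, "correct horse", t0),    # ok, counter reset to 0
        authenticate(acct, "wrong", t0),            # bad_password (strike 1 again)
        authenticate(acct, "wrong", t0),            # bad_password (strike 2)
        authenticate(acct, "wrong", t0),            # locked (strike 3)
        authenticate(acct, "correct horse", t0),    # locked: right password is refused
    ]
    admin_unlock(acct)
    out.append(authenticate(acct, "correct horse", t0))                      # ok
    out.append(authenticate(acct, "correct horse", t0 + PASSWORD_MAX_AGE))   # expired
    acct.set_password("new horse", t0 + PASSWORD_MAX_AGE)
    out.append(authenticate(acct, "new horse", t0 + PASSWORD_MAX_AGE))       # ok
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the lockout state lives with the account, not the session, so an attacker who opens a fresh connection after two failures does not get a fresh counter; a real deployment would also log each strike so the monitoring tools the article describes can see brute-force attempts.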

“With the explosion of instant messaging and Web conferencing usage across the enterprise, corporate IT departments need tools for addressing various challenges posed by the enterprise-wide use of these applications,” notes Michael Osterman, president of Osterman Research.

While some organizations choose secure IM for peace of mind, financial services companies are increasingly under regulatory pressure to do so. While the Securities and Exchange Commission (SEC) has not explicitly told financial services organizations to retain IM communication, in June the National Association of Securities Dealers (NASD) told members to retain IM exchanges between brokers and clients for at least three years. Firms that lack the capability to do that should block IM outright.

"NASD recognizes that instant messaging is becoming increasingly popular as a real-time method of communicating and we want to be clear about our expectations for its use," said Mary L. Schapiro, NASD vice chairman and president of regulatory policy and oversight, in a statement. "Firms have to remember that regardless of the informality of instant messaging, it is still subject to the same requirements as e-mail communications.”

In particular, the SEC requires that broker-dealers retain copies of physical documents and e-mails exchanged with clients, as well as their internal communications, for not less than three years, the first two of those in an easily retrievable format. In multiple court cases over the past few years, e-mails, or the inability to produce e-mails, have helped decide the outcome.

NASD rules also require firms to create a “system to supervise the activities” of financial services employees “that is reasonably designed to achieve compliance.”

Related Link:

NASD Advisory http://www.nasdr.com/news/pr2003/release_03_026.html

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.