Best Practices: IM Monitoring

What’s your organization’s instant messaging (IM) policy? Under pressure from such regulations as HIPAA, the Gramm-Leach-Bliley Act, and even Sarbanes-Oxley, companies increasingly have to account for their corporate instant messaging policies to auditors.

Yet many organizations don’t have rules for IM use.

Such thinking is out of date, say experts, given the potential for damage, whether from insider attacks or from viruses. “As enterprise instant messaging use continues to grow exponentially in the business sector, it is more important than ever for companies to have strict policies and procedures, and effective IM management solutions,” notes Yankee Group analyst Eric Ogren. By not managing IM, organizations run the risks of such things as “IM worms, network viruses, and spam IM,” he notes. Not to mention auditors’ ire.

To discuss best practices for managing and blocking IM use, Security Strategies spoke with Rahul Abhyankar, director of product management for FaceTime, which makes the IM Guardian network appliance and IM Auditor software, among other compliance and policy management tools.

If companies don’t monitor IM, is it safe to assume employees are using it?

Absolutely … it’s all outside IT jurisdiction, so to speak … [so] IT has no knowledge this is happening on their networks. We talked to a large Fortune 500 insurance company recently. After [monitoring], [it found] a combined IM and P2P use of almost 5 GB of network traffic over a two-week period. Close to 3,000 users were connecting to the IM networks alone … which is a huge amount of usage. So discovering the usage is a key step in forming any policies and seeing [if users comply].

What about retaining copies of every IM; are companies doing this for non-regulatory reasons?

Really, from an IM retention standpoint, regulatory compliance is the biggest driver. Outside of [that] it’s best practices—making sure employees aren’t using IM in an off-color manner, and third, making sure [proprietary information isn’t disclosed]. There have been some situations in the past where product release information is disclosed ahead of time, and that’s not a favorable position for a company to be in. So … it’s the same approach companies are taking toward e-mail—they don’t archive and store every e-mail, but they have the capability to do that. If a company is going public, they have the ability to track all e-mails … and make sure the company doesn’t [get in trouble].

Or, say, in the case of healthcare, the patient’s health information is extremely sensitive information, and to the extent that the companies working in the value chain need to exchange data… [it] has to be protected, and the same applies to IM.

What’s the attitude of many companies toward P2P use today?

We’ve seen tremendous response from customers that want to make sure that their [acceptable use policy] framework … is not compromised [in any way] … and IM Auditor [can] block P2P completely.

Why do companies want to block P2P—because of legal concerns or loss of network bandwidth?

Usually it’s a mix of both. Just [recently] I was on a call with a customer. Their sole requirement was they wanted to block all IM and peer-to-peer. And that’s fine—if companies want to block IM, that’s a requirement we understand and want to support. But when discussing this, it evolved into a [case of] "Well, we want to block peer-to-peer for sure, but for IM we want to see who’s using it … and why." More often with IM, people take [that] approach.

Where do companies stand against the threat of P2P litigation?

The RIAA definitely has taken a very serious stand against this problem, which is totally justified, by the way, because I read … over $2 billion worth of P2P music and videos are being exchanged and downloaded without any revenue going to the producers of that content. What the RIAA has done is started making sure companies understand the risks and implications of this … [In other words,] because the employee installs a P2P application and downloads a file, since that employee is an agent of the company, the company is liable … I think that has tempered enthusiasm and excitement of using P2P applications. But it’s not a problem that can be solved just by using legal notices. There has to be a follow-up from the companies themselves to make sure they’re not exposed to this rogue behavior.

How can organizations block P2P or IM?

Blocking the ports isn’t really an effective approach, because the P2P applications were designed from the ground up to circumvent [that] or to use HTTP port 80, which is always open.

What IM Guardian does is it knows about the protocols the application uses, so it looks at traffic on the network, does deep-packet inspection … to see if that protocol exists on the network, and so based on that determination, it enforces blocking [rules]. At FaceTime, we keep track of updates to these applications and protocols, and make sure the product is up to date.
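To make the contrast between port blocking and protocol-aware inspection concrete, here is an added illustrative example (not FaceTime's IM Guardian code, nor anything from the interview): it classifies constructed sample flows first by destination port and then by the leading payload bytes, and applies the policy the customer in the interview asked for (block P2P, log IM for review). The byte signatures are simplified from publicly documented protocol framing and are assumptions for demonstration only.

```python
# Port-independent protocol classification of IM and P2P flows.
# Added illustrative example, not FaceTime's IM Guardian code. The byte
# signatures are simplified from publicly documented protocol framing and
# are assumptions for demonstration, not production detection rules.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # leading bytes the client sent (constructed samples below)

# Signature rules: (label, family, predicate over the leading payload bytes).
SIGNATURES = (
    ("msn-messenger", "im", lambda p: p.startswith(b"VER ") and b"MSNP" in p),
    ("yahoo-messenger", "im", lambda p: p.startswith(b"YMSG")),
    ("aim-oscar", "im", lambda p: len(p) >= 6 and p[0] == 0x2A and p[1] in (1, 2, 4)),
    ("bittorrent", "p2p", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("gnutella", "p2p", lambda p: p.startswith(b"GNUTELLA CONNECT/")),
)
IM_PORTS = {1863, 5050, 5190}  # default ports for MSN, Yahoo and AIM clients

def classify_by_port(flow):
    """Port-only rule: the approach the interview calls ineffective."""
    return "im" if flow.dst_port in IM_PORTS else "unknown"

def classify_by_payload(flow):
    """Deep-packet style: match protocol framing and ignore the port."""
    for label, family, match in SIGNATURES:
        if match(flow.payload):
            return label, family
    return "unknown", "unknown"

def policy_decision(flow):
    """Policy from the interview: block P2P outright, log IM for review."""
    _, family = classify_by_payload(flow)
    return {"p2p": "block", "im": "log"}.get(family, "allow")

# Constructed sample flows; the IM and P2P ones deliberately ride on port 80,
# so a port rule sees plain web traffic while the signature rule does not.
SAMPLES = {
    "http": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "msn_on_80": Flow(80, b"VER 1 MSNP8 CVR0\r\n"),
    "torrent_on_80": Flow(80, b"\x13BitTorrent protocol" + bytes(28)),
    "yahoo": Flow(5050, b"YMSG\x00\x0b\x00\x00"),
}

if __name__ == "__main__":
    for name, flow in SAMPLES.items():
        print(name, classify_by_port(flow), classify_by_payload(flow)[0],
              policy_decision(flow))
```

Running it shows the port rule passing the MSN and BitTorrent flows on port 80 as ordinary traffic while the payload rule logs one and blocks the other, which is why signatures must be kept current as the protocols change.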

Is keeping track of updates an ongoing game?

Absolutely, because the wave of innovation of these applications is much faster than what we’ve seen before, with respect to e-mail technologies or even what we’ve seen on the Web … So it’s a game of keeping up to date with all the latest innovations.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.