Case Study: Energy Company Monitors IM

The need to protect its IM users from outside attacks, spam, and regulatory requirements leads Kansas’ largest electric utility to adopt IM monitoring software.

Is your company’s use of instant messaging (IM) secure, and does it meet regulatory requirements?

That’s what Topeka, Kansas-based Westar Energy Inc., the state’s largest electric utility, wanted to know. Given the threat from outside attacks and spam sent over IM (sometimes known as “SPIM”), as well as the need to monitor energy-trading transactions for regulatory reasons, Westar began researching IM monitoring.

Experts say more companies now employ such technology, especially in regulated industries. Even so, many companies still turn a blind eye to IM, despite the security and regulatory risks.

For example, according to a December 2004 study of 300 IT executives conducted by the ePolicy Institute and IM vendor Akonix, 38 percent of organizations still don’t have acceptable-use policies for IM. That’s in spite of widespread enterprise IM use; Osterman Research says over 90 percent of enterprises have IM users. By next year, predicts Forrester Research, IM will be used more than e-mail.

IM isn’t going away, and lack of IM controls opens a company to technical, as well as legal, liabilities. For example, two out of three employees use IM, according to a study conducted last year at 840 companies by the American Management Association and the ePolicy Institute, and how it's used may fall afoul of a company's security or human resources groups. For example, 19 percent said they used IM to send attachments; 9 percent admitted swapping some kind of confidential information over IM; and 6 percent used it to send sexual, romantic, or pornographic content.

Lack of an IM policy can also produce problems during a legal-discovery process. For example, what if an executive logs IM conversations locally, yet the company at large doesn’t? After subpoenaing records, would lawyers have only part of the picture?

Thus, a business can put itself at risk by not having an authoritative record of IM communications. Call this IM’s “basic legal compliance” threat, says Francis Costello, chief marketing officer at Akonix in San Diego. He’s not referring to compliance in the Sarbanes-Oxley sense. Rather, it’s the “risk of discovery, human resources issues, and the risk of disputes. Ask any IT organization if they’re pulling e-mail records for human resources or legal or something. If the company is over 500 people, they are. It’s an unfortunate fact of the litigiousness of the society we live in.” Monitoring, then, can help prevent problems, or at least help diagnose, after the fact, what happened.

Monitoring IM

To implement IM monitoring, experts recommend a three-step approach: understand who uses IM, develop and publicize policies for acceptable use, then implement technology to track, monitor, and enforce acceptable use.

With such advice in mind, before selecting IM monitoring technology, Westar first studied how its employees use IM.

“Instant messaging is used within Westar, and is used externally by some of our energy traders,” notes Randy Meinholdt, the IBM WebSphere Administrator and a software systems engineer for Westar. In addition, he found a total of four IM clients in use: AOL IM, Yahoo, MSN Messenger, and Lotus Sametime.

Previously, IM use hadn’t been either approved or prohibited. So before Westar would decide whether to monitor it, Meinholdt turned to peers for advice. “I spoke with three other energy companies during my evaluation of Akonix,” he notes. “They all had implemented IM-monitoring products.” The company began moving toward monitoring.

On a side note, according to Akonix’s Costello, Westar also had Sarbanes-Oxley regulations in mind when it selected a monitoring product. (Westar declined to discuss regulatory concerns.) “Westar looked at this and thought this was part of the overall information security they needed to put in to be comfortable with it,” he notes.

Eventually, Meinholdt’s short list included products from Akonix, FaceTime, and IMlogic. Comparing the three, “IMlogic seemed to be very similar to Akonix,” while “FaceTime uses an external appliance.” Westar didn’t want to go the appliance route, and was most impressed with Akonix’s responses to their queries, so it adopted its Enforcer product.

“We began using Akonix as a demonstration product on a single server last June,” says Meinholdt, noting that “the basic install was very easy” and overall the company is happy with the product. “There have been issues from time to time on configuration, but Akonix has been very responsive to our needs.” For example, Westar “had a bit of trouble implementing a second backup server at another location,” but Akonix helped solve the problem.

Meinholdt notes that while Enforcer has “very extensive” security features, “we are still learning as we go.” What he especially likes, however, are “the automatic updates for SPIM and malware from Akonix.” Westar also uses Enforcer to block any peer-to-peer activity inside Westar.

The energy company has also officially standardized on the four IM clients its employees already used. “Smaller organizations may standardize on a public IM flavor,” notes Costello. “But what we tend to wind up with is some organizations have a given medium being dominant—where 60, 70, or 80 percent of use happens—but rarely exclusive.”

For the future, Meinhardt has only one major product request. “We would like to see Akonix make the product available on Linux servers.”

Related Articles:

IM Security Still a Concern
http://www.esj.com/Security/article.aspx?EditorialsID=1350

Top IM Security Predictions
http://www.esj.com/Security/article.aspx?EditorialsID=1275

Best Practices: Securing IM Against Attacks
http://www.esj.com/news/article.asp?EditorialsID=1040

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.