Case Study: Choosing Hosted Enterprise IM

A financial firm faces regulations for monitoring and retaining IM communications.

Why implement a business-class instant messaging (IM) client?

For Grace Financial Group, a broker-dealer firm in Southampton, NY, doing so was an easy way to satisfy National Association of Securities Dealers (NASD) regulations, which stipulate that financial services firms monitor and retain IM communications between brokers and customers for at least three years, and store a copy of those records offsite.

Simply put, “we have to be compliant,” notes Jonathan Shepland, the company’s managing director of operations and its chief compliance officer. “We have to archive all IM going back and forth.”

Of course, the NASD also allows broker-dealers to block IM instead of monitoring and archiving it, but that wasn’t an option for Grace Financial. Its 25 employees, located in four different offices, rely upon IM for inter-office communications, as well as staying current with customers in the United States and Europe.

So Grace Financial began researching business-grade IM options in 2001, when the NASD first published guidance on IM. Shepland says the company evaluated several hosted IM options, and settled on Professional Online Desktop (POD) from New York City-based Omnipod, in part because it was a local company, and because he didn’t see a big difference between the products on his shortlist.

Grace Financial selected a hosted-IM service for ease of management, and to meet NASD backup requirements. “We have to store the backup at an offsite location,” notes Shepland, and hosting accomplishes that. Furthermore “it’s one less headache to worry about,” and saves the firm from having to hire a full-time IT person to maintain the related servers.

Since rolling out Omnipod software, he reports there have been no problems. “They’re easy to work with, set up, and configure, and the price, relatively speaking—everything was pretty competitive with everything else.”

Today, all of Grace Financial’s IM sessions are archived, and a Web-based POD administrative tool lets Shepland monitor for suspect communications, and also to permit or block SMS (Short Message Service), file sharing, and access to such things as AOL, MSN, and Yahoo public IM networks, and WebEx.

“From a compliance standpoint, the administrative tools are great, because I can go in and put in keywords that will pop up warning bells, so to speak,” he says. “If there are any items going on that we don’t want communication going back and forth on, then I can go into each individual log file for each user, I can pull up by date and by user the chat history, so I can review it.” Even so, “we fortunately haven’t had too many issues.” The biggest use for that functionality, he says, is just to review IM conversations if there’s a problem with a client or order.

One advantage of a hosted-IM service, beyond meeting regulatory and compliance requirements, can be improved IM security. For example, no IM sent over Omnipod is transmitted in the clear, unless it’s to a public IM client. Also, hosted networks can sidestep viruses, since IM viruses often spread by calling the APIs built into public IM clients, to access buddy lists. The virus then copies itself to everyone on the buddy list.

In fact, Omnipod says there’s never been a virus outbreak on its IM network, which is closed, thanks in large part to there being no APIs in its POD software. Beyond APIs, in general, “it’s going to be very hard for a virus to infiltrate a closed network, though it can happen,” notes Gideon Stein, CEO of Omnipod. One vector would be if an Omnipod user clicks on a link in an IM that then downloads a virus—though Omnipod blocks any files attached to public IM from entering its network.

Even if a virus does make it onto the network, however, “it’s going to stop at the first infected user, because there’s no API to be called,” says Stein. Furthermore, he notes, a POD client won’t send an IM without a user’s approval first.

Related Articles:

Case Study: Energy Company Monitors IM
http://esj.com/enterprise/article.aspx?EditorialsID=1409

Regulations, Productivity Spark Enterprise IM Adoption
http://www.esj.com/security/article.aspx?EditorialsID=1069

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.