Content

IM security tools (2004)

Over recent years, instant messaging (IM) has enjoyed a huge growth in popularity which has seen use of the communications technology become endemic both on domestic home PCs and in most corporate workplaces. Whether above board or used without official approval, the reality is that a vast number of employees have adopted IM services as their principal day-to-day means of communication.

This explosive growth in IM places many firms on the horns of a dilemma: enterprises are beginning to realize the value of introducing IM as an efficient business tool facilitating legitimate communication, but at the same time realize that its growing use has profound and serious security issues.

Corporations have clamped down on phone usage and, as a result, email usage to prevent employees abusing the communications technologies for personal use – possibly risking security breaches or legal problems for their employers. It is now inevitable that IM has become the next communication tool to fall under Big Brother's control.

Subject to employees' contracts, enterprises are legally allowed to monitor usage of communications over their own equipment and networks, and where sensitive information is likely to be discussed, they probably do, adopting the "loose lips sink ships" approach to monitoring. To some degree, this has prompted the growth of IM services such as ICQ as covert methods of communication between employees and their contacts outside work.

Most IM offerings adopted by consumers were designed with scalability, rather than security, in mind. What's more, most freely available programs lack encryption, but also provide the user with methods of bypassing the security of their corporate network, making control of the tools a nightmare for administrators. Second, all insecure IM systems make an ideal breeding ground for rapidly spreading worms and viruses.

The most popular implementations of IM – such as Microsoft's MSN Messenger, AOL's AIM, and Yahoo! Messenger – are obviously not options for controlled corporate implementation, at least in their consumer forms. Enterprise versions of all three are available, but the growing market has also seen a number of rival offerings promising tight security come to market. These products seek to address issues such as encryption and easier management but, surprisingly, few IM software suites on the market today actually feature virus scanning as a part of their security arsenal.

The scant, ineffectual security protection built into popular IM services has resulted in many firms taking the decision to block real-time messaging traffic entirely on their networks. However, many firms recognize the value of the technology as an immediate and effective communications medium and have demanded ways to retain the benefits of IM while protecting themselves against the not insubstantial risks. But this raises the question of how to implement a secure messaging suite for legitimate use on the network.

Messaging has proved to be faster and more efficient than email, but more worryingly, it has evolved into a rapid method of sharing files as well. Nevertheless, research from analyst IDC forecasts that more than half of the 506 million IM users online by 2006 will be corporates, with even Fortune 100 companies waking up to the fact that adopting the technology has the potential to improve their corporate communications and boost productivity.

While the importance of IT security cannot be overstated, it is not the only factor that needs to be considered when planning IM policies. Legislation coming through in the U.S. says that financial services, healthcare and other sectors must capture and store all electronic communications – for record-keeping purposes. This is another reason why products like the ones reviewed here are a key element in the arsenal of network administrators charged with the responsibility of managing and securing IM deployments.

While some companies will actively encourage the use of IM in their organizations as a means of providing cheap and fast communication, others operating in more sensitive sectors will need to ban the communications technology entirely due to security and legal worries. For most enterprises, however, it is likely that a draconian blanket ban strategy towards IM would be counterproductive and, as a result, they will need to deploy security products that provide them with mature, well-managed IM deployments.

We have taken a good look at some of the leading products on the market today that are designed to tackle the problem of IM security, and they vary in both their approach to the problem and the breadth of their functionality. From the rack-mountable appliance to the hosted service, to the simple software-based solution, we have covered them all. It is crucial to do so, as no two organizations have the same communications needs.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.