Instant messaging security (2005)

When it comes down to selecting a communication system for your organization, instant messaging might not be high on your list.

And it might not be on the list at all if you need secure communications between users at different locations. After all, email can be made secure. It can be encrypted and if you have your own servers, complete copies of all messages can be kept for an essential audit trail – particularly important when dealing with external sources such as customers and suppliers.

But some characteristics of email can cause problems. Messages are only sent to listed individuals, either directly or as copies, and this restricts information to just those recipients. While this is generally desirable, it precludes any chance of establishing the kinds of open discussions that used to occur with the bulletin board systems in use before the internet became today's global network.

Under these earlier systems you could set up discussion groups focused on particular interests, and any member who happened to be online could join in. This was particularly useful in technical forums, where a problem could be discussed by experts in rapid time.

Although the internet provides similar facilities with news groups, these are often subject to misuse, and do not fit business needs, being particularly unsuitable for discussing confidential matters.

Of course, it is possible to set up internal news servers to provide these capabilities, but this is an unappealing option to most people. There have been other ingenious solutions to the problem of providing informal discussion facilities within an organization's network, including specialized web server applications, but these can often lack the simplicity and familiarity of an IM system.

However, an IM system could have many uses within an organization, allowing meetings to take place even when the participants are in different places, replacing conference calls, or as a way of providing technical assistance.

Such a system will need to be able to operate securely if it is to be used outside the safety of the local network, particularly if public servers are used. The standard anti-spam measures used for email systems generally do not work with IM systems, and antivirus software can be blissfully ignorant of the things that can lurk in an IM attachment.

Assuming that these concerns can be addressed, an IM system could be an invaluable addition to networked communications.

The ideal system would provide content filtering, antivirus, anti-spam and blocking options, and would allow access to both private IM systems and to the public services provided by the likes of Yahoo!, Microsoft and AOL.

Some organizations are happy to allow employees to have access to these, but they still need to be able to block offensive or illegal activities from their systems. Under these circumstances, they also need to be able to apply these security features to outgoing transmissions, if only to avoid finding themselves appearing on anti-spam blacklists or even being disconnected by their service provider.

A further headache for system admins can be users installing their own IM software to access public servers. There can be many reasons why users might do this, but these unauthorized clients represent a potential gap in network security.

There are tools available that help to detect and control such software, and a complete IM security solution will need them as well. The secure IM set up allows controlled and secure access to selected services using selected client software while preventing unauthorized access and detecting unauthorized software.

So how did we set about testing these products? Apart from simple function testing, we looked for a number of features that we felt was necessary for good instant messaging security management.

We looked for integration with existing email clients such as Outlook.

We looked for standalone IM clients. Management links to other systems, such as SMS, email and pagers, would be useful for administrators.

Security options would include user authentication and access control, with options to restrict usage to set times and functions.

Integration with antivirus scanners would help to counteract the possibility of infection through file attachments, while anti-spam options would also be desirable.

Content filtering of message text would be a priority in some cases, both for legal and commercial reasons, while the ability to archive and audit all instant messaging conversations would certainly be a requirement in many situations.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.