Business users make it clear that IM security can no longer mean simply "turning off" IM — sometimes by just saying so, and sometimes through attempts to subvert blocking technology.
"A lot of people who are trying to get around IM blocking will use things like proxy avoidance to do that," says Devin Redmond, director of the security products group for Websense. "As we’ve been spending time with customers, it has been coming up more and more. We’ve seen a transition from turning IM off to ‘Ok, how do I better administer it, get better visibility into it?’"
Employees, from the board room to the mail room, are increasingly demanding the real-time communication capabilities of IM, forcing IT security pros to come up with plans that include IM in the infrastructure, agrees Diana Kelley, vice president and service director with security and risk management strategies service, The Burton Group.
"I have heard, ‘Look, this is real, this is business, and we’ve got to do something with this,’" she says. "This isn’t just people making plans for lunch."
While the convenience of instant messaging is a hit with users, organizations face security, compliance and risk issues, because, over the past several years, IM has increasingly become the vector of choice for malicious hackers to deliver payloads and conduct fraudulent activity.
"We continue to see an uptick in unique attacks using the IM networks to drop malicious code, viruses, spyware, worms and trojans onto people’s desktops," says Don Montgomery, vice president of marketing, Akonix, which develops security and compliance products for IM. "We think that the continued increase is due to the use of instant messaging at work and the increased criminal intent we’re seeing in the hackers themselves."
As criminal gangs use the vector to make cash, the number of attacks are not only increasing, but so is the effectiveness of those attacks. In most cases, the attacks are shifting from purely IM to blended threats, says Jose Nazario, senior security and software engineer for Arbor Networks.
"What occurred in 2006, and now in 2007, is less the pure instant messaging worm. Instead we’re seeing it used as a core component in many bots and related software," he says.
But, while IM is often compared to email, its real-time nature presents security challenges not faced in email.
"IM worms can propagate much faster than traditional network worms," Nazario says. "They are faster than email worms because the transfer time of messages is so much faster and you have that built-in buddy list which acts as a hit list."
Ken Dunham, director, rapid response team of VeriSign’s iDefense Labs, agrees with this assessment, but discounts the sense of alarm. "We need to recognize that instant messaging threats are real," he says. "We see them out there, but it’s not the number one concern that our enterprises are facing."
Even so, it isn’t the straight IT security risks that truly trouble business leaders when sanctioning the use of IM. The real problem is controlling what’s being said and keeping track of those conversations for the auditors and lawyers.
"There’s already an acceptance that you have to take the appropriate security measures when you do deploy it, but what we’re seeing is that concerns are much more about the business risks as opposed to security threats," says Steve Yin, vice president, sales & marketing, St. Bernard Software.
Issues of enforcing acceptable-use policies, tracking conversations and blocking outbound passage of valuable intellectual property can really complicate official deployment of IM. Add to that the requirements for communication storage within numerous regulations and laws and it can soon turn into a headache.
"We’re starting to see a shift in buyer sentiment — I won’t say away from security, security continues to grow — but in the desire or the need to integrate instant messaging into the electronic message store for compliance and for knowledge management," Akonix’s Montgomery says.
A specific catalyst was the change to the Federal Rules of Civil Procedure, Montgomery says. The enactment, in December 2006, makes instant messages discoverable evidence in the courts.
"I can tell you that our website began to see a pretty significant uptick in the number of hits through the middle of November and into December when the IT publications started to publish reports that said, ‘Hey, you guys, you’ve got to check out all of your messaging and all of your electronic communication to be sure its discoverable in the event of a legal action," he says.
Tackling IM risks
Even though many enterprises are utilizing corporate messaging solutions, which give added controls and security, many analysts, including Diana Kelley at The Burton Group, say that organizations still need third-party security and compliance solutions to fully address IM risk.
"If you want to have the kind of corporate security that most of the customers that I talk to are asking for with IM, you do need to have a product to help, whether you use public IM or the corporate solutions," Kelley says.
Even then, however, organizations can’t rely on the technology to solve all their problems. She explains that developing an airtight enforcement policy for the technology sets the foundation for a healthy IM environment.
"The policy is really the most important thing for companies to decide on and to message out to their users," she says. "I talked to some people that implemented the reporting and were monitoring conversations and it was very clear to them that the people using IM were not using it the way they were using email. You know email was their more formal channel, and they knew they were being monitored. So as soon as the company said, ‘Hey, you’re being monitored,’ that sort of chatter went down."
— Ericka Chickowski