With the growth of Instant Messaging and peer-to-peer (P2P) technologies, businesses are increasingly facing security and management challenges.
Simply denying service to employees is not the answer, and that IT departments need not fear P2P networks, but instead must embrace these channels as the future of person to person messaging.
The Real-Time Enterprise
Winning in business is about achieving time sensitive communications - getting the right message, to the right people, at the right time - to enable the right business decision. Innovations in technology during the last century, most notably the telephone and latterly email, have played a huge role in this, enabling true international commerce, making the business world a smaller, more accessible place.
However, as email becomes clogged with spam and viruses, and the cost of regular international remains high, technology has again come to the rescue. Instant Messaging (IM) and P2P networking represent the next generation of powerful communication technologies, delivering messaging and content in real-time, while breaking cost barriers and increasing employee productivity.
Growth of IM and P2P
IM is now everywhere. According to International Data Corporation (IDC), the rapid consumer adoption of such networks makes IM the fastest growing communication channel in history. In 2001 the public IM networks; AOL, MSN and Yahoo! accounted for over 100 million users, growing to 400 million by 2004. Indeed, Gartner group predicts that by 2004 60% of real-time communications between any users, by any means, will be driven by IM, while a UK survey by FaceTime in mid-2003, found that over 50% of Investment banks were using IM in their daily business operations.
However, while the growth of IM is widely documented, lesser known P2P applications, such as Kazaa and Morpheus, are also now deeply entrenched inside corporate networks. Studies suggest that P2P applications can be found installed in a massive 77% of organizations with between 10 & 45,000 employees. In firms employing over 500 people, this figure rises to 100%
IM and P2P: The Good, The Bad and The Ugly
The motivation for the adoption of IM in business is the need to communicate and multi-task in real-time. Business users have discovered the value of IM - having virtual conferences, collaborating on projects, augmenting phone conversations and exchanging transaction instructions. IM advocates benefit from reduced telephony costs, more accuracy in communications and faster and more efficient activity in time-sensitive markets.
So while IM is generally accepted as a great step forward, the mention of P2P, on the other hand, conjures images of unauthorised music and video file sharing, coupled with the misuse of network bandwidth. This view, heavily influenced by the media circus surrounding the (old) Napster music channel, ignores the real promise of peer-to-peer technologies - namely the promise of significant efficiencies in authorised content and service delivery, without the need for centralised servers.
While it would be inaccurate to suggest that there are no risks to IM and P2P deployments, properly managed, such risks are very simply negated, and stem from the following points:
- Applications are selected, downloaded and installed by employees without IT involvement - bottom-up technology adoption
- IM and P2P applications are designed to work around existing security mechanisms such as firewalls
- The rapid increase in the installed base of these applications makes them a natural target for exploitation by hackers and virus propagation
- IT organisations have little chance of detecting the presence of these applications, how they are being used and how these applications bypass security mechanisms, including breaching firewalls through random port crawling, intrusion detection systems and perimeter anti-virus scanners
- Organisations have no means of logging and monitoring the content crossing the corporate boundaries by means of IM and P2P. Confidential or inappropriate information could be leaving the company. Illegitimate transfer of copyright material - music, video - onto a corporate network could leave organisations liable to the bodies such as the RIAA (Recording Industry Artists Association) or the MPAA (Motion Picture Association of America)
Having a clear understanding of these technologies and their most common use is the starting point to protecting an organisation and extracting the benefits from appropriate usage. Enterprises must now create a set of best practices and usage policies that act as a framework for the adoption and uptake of these applications.
The Safe Adoption of Disruptive Technologies
Most companies today are struggling to understand if and how they should attempt to prevent or manage the use of IM and P2P applications from with their organisation. Businesses should note that while IM and P2P have all the characteristics of a disruptive technology, such easy to use innovations are initially adopted by progressive individuals organisations, just like the PC, Email and the Internet in their initial incarnations. IM and P2P truly hold the potential for significant benefits to business by lowering the cost of communications and information sharing and increasing productivity.
Experts advocate a four-stage process for the adoption and control of IM and P2P:
Detection: Who is doing what with which applications? It's relatively easy using the right tools to analyse network traffic based on IM and P2P protocols. This can give you a snapshot, or timeline of bandwidth, application behaviour and activity. With an informed understanding of usage - even at a high level - the business can start to take decisions on what constitutes authorised or approved activity.
Protection: Take the decision to only support "authorised usage". A typical organisation might decide to support the following simple policy:
- All users can use Internal IM
- A subset of users can use IM externally - but only if conversations are monitored and controlled
- No users can transfer files using IM or P2P applications
- Ensure that unauthorised activity is blocked completely (at a protocol level - IM and P2P applications port-crawl and user different and often changing IP's for access).
Management: Implement suitable policies for authorised users. For example, it's essential in any organisation to be able to dynamically map IM user or screen names to corporate identities. Should conversations be recorded? Do you need to provide disclaimers or usage terms and conditions within an IM conversation?
Extension: Integrate IM and P2P with other enterprise applications. A simple example might be to leverage the presence indication inherent in IM applications in a corporate directory application. Once businesses are confident about their ability to manage and control IM and P2P behaviour they should start to explore how other processes could be made more productive by the adoption of real-time technologies.
In conclusion, the organisational security risks of IM and P2P deployment, stem not from malicious viruses, unauthorised breaks of copyright or IM's apparent unaccountability. The real problem is much closer to home, and much easier to solve; the lack of awareness of IM and P2P usage within business.
Many organisations simply don't whether IM and P2P are being used, which employees are using them, or indeed how they are being used for. Thankfully, this is a straightforward challenge to solve. By bolting an IM / P2P monitoring product, from specialists such as FaceTime, onto the corporate network, businesses are immediately armed with all this data, and more, and suddenly, the four-stage adoption and management process becomes a walk in the park.
While an over-exercised cliché, many businesses are indeed failing to see the wood from the trees. And once organisations come to understand the reality of IM and P2P, these once threatening communications channels become truly transparent, offering very clear cost and efficiency benefits.
Glyn Baker is Director of Business Development for FaceTime Communications
FaceTime Communications are exhibiting on the E92 Plus stand at Infosecurity Europe 2004 which is Europe's number one IT Security Exhibition. The event brings together professionals interested in IT Security from around the globe with suppliers of security hardware, software and consultancy services. Now in its 9th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27th to the 29th April 2004. www.infosec.co.uk