Mushrooming IM Adoption Creates IM Security Concerns
Robb, Drew
With government and corporate users increasingly adopting instant messaging, organizations must avert disaster by making IM security
Once the province of the teen and college set, instant messaging (IM) has successfully transitioned from cool tool to business essential. Over 20 million people worldwide use IM for work-related tasks according to International Data Corp. That figure could soar to 300 million by the end of 2005.
Take the case of the government sector. The Federal Emergency Management Agency, for example, uses IM to bridge communications gaps among federal, state and local emergency relief workers. Every agency in the state of Utah utilizes IM to speed internal communications. And the Police Executive Research Forum (PERF) has installed IM throughout its nationwide network.
"IM gives you much faster access to information," said Ismaila Kane, assistant director of information systems at PERF, a D.C.-based national membership organization of police executives from the largest city, county and state law enforcement agencies. "If a coworker is in Chicago, he can contact me in real time using IM rather than trying to track me down via the phone system."
In the corporate world, too, IM usage is on the rise. A study by Osterman Research reveals that IM currently has a presence in 91 percent of enterprises. The problem is, however, that adoption has been driven by the end user and not top management. Only about 26 percent of companies are utilizing an enterprise-grade IM system; i.e. 74 percent rely on consumer products or have allowed users to download a client and operate it from within the corporate firewall.
"Consumer-grade IM clients and the use of public IM networks can create significant security problems for government organizations and corporations alike by using unauthorized ports in the firewall," said analyst Michael Osterman. "This allows an entry point for viruses or rogue protocols, bypassing enterprise authentication systems."
Security threats can gain access via e-mail, instant messaging, music download sites, peer-to-peer networks and other channels. Most typically, end users begin IM usage in a rogue fashion, with employees downloading AOL Instant Messaging (AIM) and other insecure consumer systems.
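As an added example (not from the article), the "unauthorized ports in the firewall" observation above can be turned into a simple check on egress logs: flag accepted outbound flows to the historic default ports of the public IM networks whenever the destination is not the sanctioned enterprise IM server. The port numbers, the approved-server address and the log lines are all assumptions constructed for this example.

```python
# Added example: spot consumer IM clients talking out through the firewall.
# Port numbers are the historic client ports of the public networks named in
# the article (assumed, not stated on the page); all addresses and log lines
# are constructed sample data.
from collections import Counter

# Historic default ports of the consumer IM networks (assumption).
CONSUMER_IM_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo! Messenger",
    6667: "IRC",
}

# Hosts running the sanctioned, server-based enterprise IM system
# (constructed placeholder; substitute the real server addresses).
APPROVED_IM_SERVERS = {"10.0.5.20"}

# Constructed egress log: timestamp, action, proto, src -> dst.
SAMPLE_FIREWALL_LOG = """\
2004-10-04T09:12:01 ACCEPT TCP 10.0.12.34:3342 -> 192.0.2.10:5190
2004-10-04T09:12:07 ACCEPT TCP 10.0.12.34:3350 -> 10.0.5.20:443
2004-10-04T09:13:15 ACCEPT TCP 10.0.14.9:1042 -> 198.51.100.7:1863
2004-10-04T09:14:02 ACCEPT TCP 10.0.14.9:1043 -> 10.0.5.20:443
2004-10-04T09:15:30 ACCEPT TCP 10.0.20.7:2201 -> 203.0.113.5:5050
2004-10-04T09:16:00 DROP   TCP 10.0.20.7:2202 -> 203.0.113.5:5050
"""

def parse_line(line):
    """Return (timestamp, action, src_ip, dst_ip, dst_port) for one log line."""
    ts, action, _proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, action, src_ip, dst_ip, int(dst_port)

def find_rogue_im(log_text):
    """Accepted flows to consumer-IM ports whose destination is not the
    sanctioned server. Returns a list of (src_ip, dst_ip, network) tuples."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, action, src_ip, dst_ip, dst_port = parse_line(line)
        if action != "ACCEPT" or dst_ip in APPROVED_IM_SERVERS:
            continue
        if dst_port in CONSUMER_IM_PORTS:
            hits.append((src_ip, dst_ip, CONSUMER_IM_PORTS[dst_port]))
    return hits

def count_by_network(hits):
    """Number of flagged flows per consumer network, to size the cleanup."""
    return Counter(network for _src, _dst, network in hits)
```

Flows that the firewall already dropped are ignored on purpose; the list is for hosts whose consumer client is actually reaching the public network.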
"IM is becoming as common as e-mail, but organizations cannot permit their staff to just sign up for AOL or Yahoo! Messenger and be done with it," explains Damon Kovelsky, analyst in the Capital Markets Trading Group at Financial Insights. He outlines a number of inherent weaknesses in the underlying system architecture of IM products such as AIM, IRC, ICQ and MSN Messenger.
The reality is that most IM systems on the market today are peer to peer (P2P); i.e., once the presence status of users is delivered and conversations start, discussions are conducted directly between users and do not pass through servers. P2P issues cannot be solved with a third-party add-on program to a non-server-based IM system such as AOL Corporate Messenger. Such a client-centric architecture eliminates the administrator's ability to control conversations in progress, and to capture the history of the conversation as it takes place.
"Applications like MSN Messenger are insecure, and the small print tells you never to transmit credit card or password info over IM," said PERF's Kane. "As information travels as plain text anyone who knows a little about computers can easily steal information."
His organization implemented an enterprise IM system known as Collabrix by Kenmore, Wash.-based LINQware. According to Kane, Collabrix includes IM, document collaboration and other features within a totally secure environment. It utilizes 128-bit Secure Sockets Layer (SSL) encryption so that no one can intercept and decipher sensitive messages relayed over IM.
Caring About Sharing
Instant messaging carries a high potential liability, particularly in heavily regulated industries such as government, financial services and health care. The Health Insurance Portability and Accountability Act (HIPAA), for example, constitutes a particular menace to the uncontrolled usage of IM. Undocumented communications regarding a patient could occur without the healthcare organization's knowledge, leading to an unintentional breach of HIPAA's access requirements. Such violations could invoke heavy fines.
Yet most systems on the market today are open; i.e. if you know a person's IM address you can message them directly. Anyone with an IM address, therefore, has the potential to share sensitive data and bypass any audit capabilities of the organization until after the event has occurred.
"Applications like P2P and IM allow employees to communicate and share files covertly with outside parties," said Mark Glowacki, HIPAA Compliance Manager of the HIPAA Academy. "Because these applications can run without being detected by conventional security appliances like firewalls, security violations are only discovered after the fact."
Unfortunately, open-system problems cannot be solved with a third-party add-on software program such as those recommended for use with AOL Corporate Messenger, Yahoo Corporate Messenger and Wired Red's Hub Communicator. The best approach is to deploy a closed system that can still be exposed to key outside customers and vendors, such as Lotus Sametime or Collabrix.
PERF, for instance, utilizes Collabrix to share and edit documents securely online. Instead of absorbing bandwidth and transmitting sensitive information over the Web even if secured, this system permits authorized users to view the screen of the document owner. While they can comment or make changes online, they at no time actually have a copy on their own system. This feature is also available to PERF for use in IT troubleshooting.
"System administrators can contact the user and be given total control of the workstation to resolve difficulties," said Kane. "This feature is also very useful when you want to share documents with colleagues who are scattered around the country."
Another common weakness is user authentication. Public IM systems do not perform any type of user validation to determine the authenticity of a user. This can be resolved either by deploying third-party add-on software or enterprise IM programs with built-in authentication. Attention must also be paid to archiving. Public IM systems do not offer any mechanism for capturing the transcripts of conversations. Third-party tools exist which can capture the conversation at its conclusion. However, conversations that are dropped midstream are lost unless the IM system is server-based. This could have serious repercussions in law enforcement, security, healthcare and other organizations that deal in sensitive information.
"With few exceptions, consumer-grade IM clients do not provide a means of recording content of IM conversations," said Osterman. "This is a particularly significant shortcoming for organizations that are required by statute or convention to retain a copy of communications with customers, business partners and others."
To make matters worse, the file sharing features of most IM systems expose internal systems to attack. Virtually all IM software, in fact, allows for file transfers that bypass virus checking software. This exposes networks to serious threats such as the Blaster worm, which took down more than one million computers in its first 24 hours. Kane stresses that it is vital to have anti-virus protection that closes the door on file-borne viruses.
"IM is a risky business if done insecurely within a large organization," he said. "Only when you add integrated enterprise-class security features does it have real value."
But while security is a primary concern, Kane points out that IM contains many features to boost productivity. The Collabrix In/Out Board, for instance, is used widely in PERF to enable employees to know if their peers have gone away on business, and more importantly, how to contact them. If someone is at a conference, for example, the In/Out Board shows that fact. By clicking a link, associates view the best methods to reach the person.
"The In/Out Board enables us to be more organized and not lose touch with each other," said Kane. "This saves time in asking around about a particular person, or when you need to find a document in a hurry from someone who isn't immediately around."
Ready or Not
Like wireless before it, IM is coming (or has already arrived) whether government agencies and corporations are ready for it or not. The best approach, therefore, is to take control by establishing usage policies and adopting an IM system that is designed for the corporate world.
There are a variety of IM choices out there. The best advice is to ignore consumer-based systems and adopt an enterprise class system. While cost and functionality are important concerns, security should be given paramount importance. VoIP and video messaging may sound like excellent bells and whistles, but no purchasing decision should be made based on those functions alone.
During the selection process, especially, be aware that not every system is as secure as it might be represented. Sametime and Microsoft Live Communication Server, for example, have a weakness when dealing with outside agencies and partners. These tools can't be used by outsiders without granting domain rights.
Similarly, other IM systems are hosted on banks of public servers, daisy-chained together. If one of the servers in the chain goes down, users on all servers past that point are not visible. Many of the public systems go down weekly. These systems were not designed with the kind of fault tolerance or redundancy that enterprises demand.
The best approach is to specify a server-based system, and strictly avoid tools that are client-based. That narrows the field down to Sametime, Yahoo Corporate Messenger, Collabrix and Hub Communicator by Wired Red. For best results, carefully evaluate these products against the criteria above based on the security environment that exists within the organization.
Drew Robb
Drew Robb is a Los Angeles-based writer specializing in technology and engineering issues.
Copyright Publications & Communications, Inc. Oct 2004