Like it or not, users love IM
Just because IM is not a respectable business application doesn’t mean it's not being used. If ignoring it is impossible then securing it is a must.
By Bryan Betts, Techworld | Techworld | Published: 00:00, 15 September 2003
Very few companies have installed instant messaging (IM) software, such as ICQ, AOL Instant Messenger, Yahoo Messenger or MSN Messenger for business use. Yet. in a recent survey, 65 percent of public and private sector respondents admitted to using it. Not only that, but they were using it for personal purposes during working hours.
At the same time go-ahead organisations, in areas such as the finance sector and media, are now seeing valid business uses for IM technology. For example, people can see who else is online and swiftly tap colleagues for advice and information, while support desks can use it to communicate with users.
"The flatter and less hierarchical the organisation is, the more useful IM is," says Steve Mullaney, marketing VP at security specialist Blue Coat Systems, which carried out the IM usage survey. "An interesting thing is the ability to bring in a third party and replay the conversation to date."
All this makes IM a huge problem though, not least because it creates a hole in the organisation's armour through which malware such as viruses can enter and valuable information depart, completely unchecked and unrecorded.
"A lot of industries think they're blocking it at the firewall - but no, you're not," Mullaney says. "IM traffic looks just like Web traffic, so you can block the port but IM software is port-agile and will find another way out."
The personal use of IM can also be a great time-waster: "As an employee you know if you're wasting time talking in the corridor but people don't realise how much time they spend on IM. All of a sudden, 30 minutes have gone by. Plus, it looks to others as if you're working."
However, the big issue for the first business users of IM is compliance, especially in the financial sector. New regulatory legislation requires them to log communications with clients and that means they need to log the brokers' IM conversations too.
The challenge is how to do that, given that existing IM applications are designed to evade network blocks and their traffic is difficult to tie down.
One solution is to use a Web proxy such as Blue Coat's ProxySG device, which can identify and analyse the content of IM traffic. This approach has its limitations though, as it can only act as a proxy for those applications which it understands. If one of those four top IM applications changes, then the proxy server must be updated too.
On the plus side a proxy can also watch for, and block, other known but unwanted traffic. An example is the spyware program Gator, which comes with the KaZaa peer-to-peer (P2P) file-sharing software and reports on your browsing activity.
"We're playing with content, not packets, so we know what applications are in use and can make decisions," Mullaney says. "We can even see what browser people are using and require them to upgrade versions with known security holes."
The bandwidth needs of IM are modest, but related programs such as KaZaA can take up a whole lot more. Mullaney recounts the story of CompUSA, which discovered that 30 percent of its network traffic was P2P filesharing, with all the copyright risks that entailed. Blocking this enabled it to cancel a planned network upgrade.
He adds that bandwidth management appliances, such as Packeteer's traffic shapers, can be a good complement for the ProxySG approach, as can social engineering, because it is often better to control rather than simply block.
"Over time, IM will probably get rolled in as a regular enterprise application," he says. "You won't be able to get rid of the public IM clients though - the IT department may not even know they're there, because they didn't install them.
"ProxySG is flexible and allows the enterprise to deploy its chosen level of security. You could choose not to log everything but do keyword searches instead and send warnings when those keywords are seen.
"Coaching people that certain behaviour is not appropriate will probably take care of 95 percent of the issues. For example, as soon as you tell people certain sites are inappropriate and are being monitored, abuse drops right off."
He advises that anyone concerned about IM usage, or who doesn't believe they have a problem with it, should borrow a device such as ProxySG for evaluation.
"The issue with Internet abuse now isn't porn, it's news, shopping, auctions," he says. "There are limits to what's generally acceptable and the user has to learn those, so you need a level of control and you need to create a safe environment for them - just as you would for your kids."