Instant headaches

Writing in progress, version 0.1: what can you do to allow, but control, the use of public IM in a corporate environment?

Instant Messaging is a constant challenge to security officers at corporate headquarters (I know, I've been there). The use of IM is very appealing to certain groups of users on a network, because of the direct interaction and the presence signalling. It gives a warm feeling of solidarity, knowing that your pals are also working late, or seeing that your study friend comes online late after last night's beers. Most young professionals have spent a lot of their study time interacting over all kinds of IM services. Why stop when they start their corporate career? And there is even a business reason for interacting over IM, especially in an off-shore project: a Dutch developer with a heavy Dutch accent trying to talk to his colleague in Bangalore with a heavy Indian accent. So why are these security officers so nervous?

Threats to the use of Instant Messaging

IM provides a channel for several security threats to a company. Of course we are aware of the viruses spreading over IM file transfer, and that is why we have an anti-virus program running (100% up-to-date and never disabled, isn't it?) and why the corporate firewalls block the ports for IM file transfer. But the IM clients in use have a history of critical vulnerabilities, and they are a tool for the public IM service to make revenue (ever wondered how?). The number of threats to IM increased by 50% in the first two months of 2005 (according to IMLogic), and several of them required immediate action (Kelvir, Bropia and Bizex). Furthermore there is a problem with identities: are you sure your chat partner is who he says he is? And is it OK to give him the information you do? What is the status of instant messages, and how are they archived? As for the loss of time spent by employees chatting with their friends, my opinion is that enough meaningful work will keep this to a minimum. The last problem with IM for corporate use I mention here is the dependency on an external service. What about the availability and confidentiality of these services? An analysis of the issues of using Skype in an enterprise has been published by Dennis Bergström.

Enterprise IM services

The solution is, of course, to implement an enterprise service for IM and separate it from the public services. If a company decides that instant messaging is there to stay, this is the obvious approach. It solves a lot of the security problems: the identity problem, when integrated with the corporate directory, the confidentiality problems and (almost) the virus problems. This is the solution for organisations with a large and relatively closed user group. Well known solutions are Microsoft's Live Communication Service, IBM's Lotus Sametime and Jabber.

Keep control of public services

Implementing an enterprise IM solution is not always the complete story, especially if your workstations are not locked down. Blocking IM services on the perimeter can be done for certain services, but it is not a complete solution. Port 80, meant for surfing the web, is more and more used for tunnelling to external services, and IM clients try several ways to get around filtering devices. Skype, for example, has implemented supernodes and uses ports 80 and 443 to implement its presence services. An alternative to blocking services or providing corporate services is to channel the use of public services.

Organisations who decide to tolerate the use of some public IM-services must implement measures to control the situation.

1. Create a policy

It should be clear to the users on your network what is acceptable behaviour regarding IM and what is not. A policy helps you to make explicit what your organisation demands of the users and of the measures. The policy is very specific to the organisation. A required element of the policy is a set of rules of conduct: which information may be used to register and which may not, that IM communication is in no way formal and should not be used as such, and that file transfers are not allowed. You could also indicate which IM services are allowed and which are not. If you decide to tolerate public IM services, you do not need to allow them all. In order to keep control of things, you can choose one or two services and keep the rest blocked. Also consider what to do with the paid services attached to some public and free services. Does your organisation reimburse the cost?

A policy is often used to forbid things, but why not provide guidelines on installing and registering the services you allow? This could help to avoid user information being scattered across the net and help protect the privacy of your users. Registering for Skype, for example, is possible with a minimum of user info, but the client invites you to provide all your work and private contact details. Some users provide this info, not aware that it is available to everyone who searches for it. Check this information on your children's installation of Skype as well.

A tip to find your organisation's users of Skype is to let them register with the fictitious e-mail address skype@your-domain.com. E-mail addresses are not shown, but you can search for contacts with a specific e-mail address.

2. Assess the risk (and the budget)

3. Decide on measures

4. Monitor and evaluate

5. Goto 1 or 3
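As an added example for steps 3 and 4 (not from this post), a small Python check that runs proxy log lines against an IM allow-list: it flags the public IM services the policy keeps blocked, dedicated IM ports that slipped past the perimeter, and CONNECT requests to port 80 that look like tunnelling rather than browsing. The hostnames, ports and log lines are constructed placeholders, not real services.

```python
import re
from collections import Counter

# Constructed allow-list: placeholder hostnames, not real IM services.
ALLOWED_IM_HOSTS = {"im.allowed-service.example"}
# Constructed hostnames of public IM services the policy keeps blocked.
BLOCKED_IM_HOSTS = {"chat.blocked-service.example", "presence.blocked-service.example"}
# Dedicated IM / IM file-transfer ports the perimeter should already block (constructed).
IM_PORTS = {1863, 5190, 5222}
# Constructed log format: timestamp client host:port method
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<method>\S+)$")

def classify(line: str) -> str:
    """Return a policy category for one proxy log line."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    host, port, method = m["host"], int(m["port"]), m["method"]
    if host in ALLOWED_IM_HOSTS:
        return "allowed-im"          # the one or two tolerated public services
    if host in BLOCKED_IM_HOSTS:
        return "blocked-im"          # should have been stopped at the perimeter
    if port in IM_PORTS:
        return "im-port"             # dedicated IM port reached despite filtering
    if method == "CONNECT" and port == 80:
        return "tunnel-suspect"      # CONNECT to port 80 is not normal browsing
    if port in (80, 443):
        return "web"
    return "other"

def summarize(log_text: str):
    """Count categories and list (client, category) for lines needing a closer look."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        cat = classify(line)
        counts[cat] += 1
        if cat not in ("allowed-im", "web"):
            fields = line.split()
            findings.append((fields[1] if len(fields) > 1 else "?", cat))
    return counts, findings

# Constructed sample log lines.
SAMPLE_LOG = """\
2005-03-01T09:00:01 10.0.0.5 im.allowed-service.example:443 CONNECT
2005-03-01T09:00:02 10.0.0.6 chat.blocked-service.example:443 CONNECT
2005-03-01T09:00:03 10.0.0.7 www.example.com:80 GET
2005-03-01T09:00:04 10.0.0.8 203.0.113.9:80 CONNECT
2005-03-01T09:00:05 10.0.0.9 203.0.113.10:1863 CONNECT
"""
```

Running `summarize(SAMPLE_LOG)` on the constructed lines yields one allowed and one web line and three findings to follow up with the users (blocked service, suspected tunnel, dedicated IM port).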
