Publicly available free IM services (like AOL / AIM , Yahoo, MSN, Google and Skype), which currently are widely used in many large companies, will begin to be blocked from corporate networks and systems as corporate-friendly alternatives come online, and as companies realize they must deal with security and compliance issues. Managed and secure enterprise-grade IM systems implemented behind the firewall will replace the use of public IM systems in 65 percent to 75 percent of enterprises by 2010, although many will offer users secured connectivity to public IM systems.
Many companies have an unrealized problem with the exploding numbers of user-deployed IM clients, and failure to deal with the unauthorized IM clients can lead to potential disaster. That disaster will present itself in the form of escaping confidential information, malicious activities (for example, spam, viruses or malware) and possible non-compliance with industry regulations. Companies must closely examine and regulate what their users have deployed, and to take any needed corrective actions through the use of enterprise-class, industrial quality, secure and manageable IM systems (such as Microsoft Office Live Communications Server, Lotus Sametime and Jabber).
While user access to public IM systems is desirable (just as Internet access is), companies should enforce how such access takes place through protected clients and access gateways. Companies should act now to bring some control into this environment for both the safety of their most important asset-information-and the safety of the user’s devices that might be attacked and compromised. Below are several key areas companies must address.
The need for management
An unmanaged IM system is a disaster waiting to happen. Data leakage, malware and other risks are a common occurrence on IM systems. The ability to manage users (through directory information, policies, limiting types of data shared or logging of contacts, for example) is a critical requirement in nearly all companies, but especially those that have to meet specific industry regulations, for example in financial services, medical, life sciences or retail. The ability to set and enforce policies for all users is a key component of any enterprise-class IM system.
How to Secure and Manage Enterprise IM – Page 2
Can IM be a threat?
The informal nature of IM leads people to say things that, in retrospect, they should not have said. While e-mail has similar risks, e-mail generally is reviewed by the user before the message is sent. IM by its nature usually is not. Companies must log all IM transmissions in case of possible litigation and to have a complete record of all information sent.
Meeting compliance regulations (audit/logging)
Nearly all company data is discoverable through legal actions and for specific compliance requirements (for the Health Insurance Portability and Accountability Act, for example). Therefore, all communications, whether via e-mail or IM, must be logged and recorded, and archived for a specified period of time. Enterprise-class IM systems designed for such compliance must be utilized if companies are to meet the many general governing regulations or regulations specific to their market niche.
Should file transfers be allowed?
It is generally not a good idea to enable file transfers for an IM session, and even more problematic for a mobile IM user. Sensitive data may easily be lost or compromised in this fashion. Setting a policy, and being able to enforce that policy, is a key requirement for any enterprise-class IM system.
Malware is increasingly becoming a staple of public IM systems. Control of IM access to public systems is desirable and enterprise-class IM systems offer tools to help with limiting access and blocking messages, and may incorporate an ability to add filtering and blocking technology or both from third party providers.
Policy driven enforcement is a prerequisite for nearly all company systems, and IM should be no exception. Further, user education as to the proper use of IM and the consequences of disregarding company policy should be implemented as a way to improve and accelerate security and data protection mechanisms.
Meeting user wants versus corporate needs
It is quite common for users to demand capabilities, sometimes without regard for how it might affect the enterprise. Any such requests, particularly from the executive ranks, must be carefully evaluated based on need and level of risk. Companies may allow, but must exert control over such use, by deploying enterprise-class clients and services that offer connectivity to public IM systems, but in a controlled fashion.
Jack Gold is President and founder of J. Gold Associates. He has over 35 years in the computer and electronics industries, and he is a leading authority on mobile, wireless, computing infrastructure and enterprise application strategies. He is a highly regarded expert on computer hardware, software and architecture. He can be reached at [email protected]