Although instant messaging has many benefits, it can also introduce a whole host of security-related risks to an organisation which must be carefully managed if a disaster is to be avoided. As Donal Casey explains, security managers need to examine the different instant messaging scenarios in order to recommend how this technology may be used safely and securely.
From the point of view of security vulnerabilities, although there have been many worms released that specifically target instant messaging systems - among them Bropia.A, which spread through Microsoft's MSN Messenger network in January last year - the damage thus far has been limited. One of the main reasons for that is the lack of interoperability between the different instant messaging systems which has stopped the spread (and impact) of security breaches.
In addition, unlike e-mail, instant messaging has no common standard. However, as the marketplace continues to grow, standardisation and interoperability of the different systems is going to be inevitable, and so too will be the temptation for the less scrupulous to exploit them.
Even without the threat of viruses and worms spread by instant messaging, there's also a security risk from placing a communications medium in the hands of the workforce without controlling, managing, educating and enforcing how it is used. Without any filters in place to monitor what information and files people are attaching to their instant messaging conversations, it becomes easy for employees to give out sensitive or confidential business information.
Given these security risks, the decision needs to be made internally as to whether the company bans instant messaging outright (if the security risks are considered too high) or allows it to operate. If a business is going to permit employees to use instant messaging, the choice then comes down to employing either a private instant messaging service or a public variant with additional security measures.
The option to choose is the one that lowers the security risk to an acceptable level while still letting the business reap the benefits of instant messaging.
Banning instant messaging
For some organisations, the security risk will be too high for instant messaging to be a feasible option. In this case, it is important to let employees know that instant messaging is not allowed in the business, that they should not download any instant messaging applications to their computers and, thereafter, educate them as to why this decision has been made.
There are a number of options IT security managers can use to enforce the ban. Simply blocking at the firewall will not protect the business, as instant messaging clients will first attempt to connect out on their native protocol ports and, if that fails, on port 80 (the standard web browsing port), where they are indistinguishable from ordinary browsing to a port-based rule. However, security products on the market can now monitor, manage and block such activity by inspecting the traffic itself. Organisations must deploy this kind of technology if they ban instant messaging, or they'll end up with a security policy which they have no way of enforcing.
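To illustrate why a port-based firewall rule is not enough, here is an added example (not code from the article or from any product it mentions) that classifies a handful of constructed connection records two ways: by destination port alone, and by looking at the first bytes of the client payload. The default ports listed and the "VER ... MSNP" opening command used as the protocol signature are assumptions for this example, as are the sample flows and the gateway hostname in them.

```python
import re

# Constructed connection records: (destination port, first bytes sent by the client).
# None of these come from a real capture; they are illustrative only.
SAMPLE_FLOWS = [
    # Native IM port carrying the native protocol: a port rule catches this one.
    (1863, b"VER 1 MSNP12 MSNP11 CVR0\r\n"),
    # Same protocol tunnelled inside an HTTP POST to port 80: a port rule lets it through.
    (80, b"POST /gateway/gateway.dll?Action=open HTTP/1.1\r\n"
         b"Host: im-gateway.example\r\n\r\n"
         b"VER 1 MSNP12 CVR0\r\n"),
    # Ordinary web browsing on port 80: must stay allowed.
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # A TLS handshake on 443: not classified by either policy here.
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

# Default ports of common IM protocols (assumed for this example).
IM_PORTS = {1863, 5190, 5222}

# Assumed application-layer signature: the IM session opens with a VER command,
# either at the start of the stream or right after the HTTP header block.
IM_SIGNATURE = re.compile(rb"(?:^|\r\n\r\n)VER \d+ MSNP\d+")


def port_policy(port, payload):
    """Firewall-style rule: decide purely on the destination port."""
    return "BLOCK" if port in IM_PORTS else "ALLOW"


def inspection_policy(port, payload):
    """Content-aware rule: block known IM ports, then look for the protocol
    signature in the payload regardless of port. The verdict carries the
    reason so an operator can see which rule fired."""
    if port in IM_PORTS:
        return "BLOCK:port"
    if IM_SIGNATURE.search(payload):
        return "BLOCK:signature"
    return "ALLOW"


def evaluate(flows, policy):
    """Apply one policy to every flow and return the list of verdicts."""
    return [policy(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for name, policy in (("port only", port_policy), ("inspection", inspection_policy)):
        print(name, evaluate(SAMPLE_FLOWS, policy))
```

The port-only policy blocks the first flow but passes the HTTP-tunnelled session unchanged, which is exactly the gap the article describes; the inspection policy catches both while leaving genuine browsing alone. A production gateway would of course inspect far more than the first packet, but the shape of the decision is the same.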
If the business has decided that banning instant messaging is not the answer, the next step is to weigh up the differences between public and private instant messaging solutions and decide which best fits the need.
Although widely accessible, public instant messaging - including MSN Messenger - operates outside of any corporate control. If a business decides to allow its use, any employee can chat and send documents to anyone about anything, whether they are inside or outside of the corporate environment. However, there are a number of solutions which can interrogate and control instant messaging content by looking for particular character strings, blocking attachments and scanning all attachments for viruses. Using these types of products is a way for businesses to allow the use of public instant messaging systems and yet still retain control over it.
Internal or private instant messaging such as Microsoft's Live Communication Server and IBM's Lotus Sametime is another option.
Private instant messaging will not allow instant messages to leave the organisation as all of the communication is internal on the network. The benefit of this is that there's less need to control this type of instant messaging as it becomes a corporate IT tool, just like internal e-mail.
This particular type of instant messaging solution might also be configured to allow gateways to public instant messaging providers (including MSN) if required.
Regulating public use
By providing access to public instant messaging services through a private instant messaging system, the business can regulate the use of public instant messaging from the internal server while at the same time placing restrictions on who is allowed to access external instant messaging providers (and which public instant messaging services may be used). Where businesses allow this to occur, the same level of control then needs to be used for messages that pass from the private to the public domain as are deployed for public instant messaging.
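The content controls described for public instant messaging (string matching, attachment blocking and attachment scanning) and the per-user restriction on reaching external providers described in this section can be combined in one policy check at the gateway. The following is an added example, not code from the article or from any product it names; the sensitive-content patterns, the permitted-user list, the blocked file types, the known-bad hash and all sample messages are constructed for illustration.

```python
import hashlib
import re

# Constructed content rules. The first pattern stands in for an internal project
# codename; the card-number pattern is deliberately crude and would need tuning.
SENSITIVE_PATTERNS = {
    "project codename": re.compile(r"\bPROJECT[- ]AURORA\b", re.IGNORECASE),
    "payment card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "classification marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}

# Users allowed to message external providers through the gateway (constructed).
EXTERNAL_IM_PERMITTED = {"alice"}

# Attachment controls: file types refused outright, plus a hash deny list standing
# in for the scanning step. The hash is of a constructed byte string, not real malware.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".bat"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ-constructed-malicious-sample").hexdigest()}


def check_text(text):
    """Return the names of every sensitive-content rule the message text trips."""
    return [name for name, pattern in SENSITIVE_PATTERNS.items() if pattern.search(text)]


def check_attachment(filename, content):
    """Return a reason to refuse the attachment, or None if it passes."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "blocked file type " + ext
    if hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256:
        return "matches known-bad hash"
    return None


def filter_message(sender, external, text, attachments=()):
    """Gateway decision for one message.

    sender      -- internal user name
    external    -- True if the recipient is on a public IM provider
    attachments -- iterable of (filename, bytes)
    Returns a dict with a verdict and the list of reasons for a block."""
    reasons = []
    if external and sender not in EXTERNAL_IM_PERMITTED:
        reasons.append("sender not permitted to use external instant messaging")
    reasons.extend("sensitive content: " + hit for hit in check_text(text))
    for filename, content in attachments:
        problem = check_attachment(filename, content)
        if problem:
            reasons.append("attachment %s: %s" % (filename, problem))
    return {"verdict": "BLOCK" if reasons else "ALLOW", "reasons": reasons}


if __name__ == "__main__":
    # Constructed traffic passing through the gateway.
    print(filter_message("alice", True, "lunch at 12?"))
    print(filter_message("bob", True, "lunch at 12?"))
    print(filter_message("alice", True, "Here is the CONFIDENTIAL Project Aurora plan"))
    print(filter_message("alice", False, "patch attached",
                         [("update.exe", b"MZ..."), ("notes.txt", b"hello")]))
```

Internal-only traffic skips the external-provider check but still goes through the content and attachment rules, which matches the article's point that the same level of control applies to messages crossing from the private to the public domain as to public instant messaging generally.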
It must be stressed that there is no easy solution. Every business must be guided by the recommendation of its security manager. While it is clear that businesses can no longer afford to bury their heads in the sand when it comes to the use of instant messaging, secure use will only be guaranteed if it is brought back under the control of the security manager and the IT Department. In this way, security risks can be managed with some degree of effectiveness.
If the security manager feels there is a strong enough case for instant messaging to be used within the organisation, a step-by-step approach must be taken so that the best (and most secure) technology is put in place.
Donal Casey is a security consultant at Morse
Source: SMT