This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."
Download it now to read this article plus other related content.
In the trenches
Taking aim at IM security
Securing IM takes on many forms, from investments in enterprise-class IM clients, to outright prohibition of IM use.
Security pros are grappling with ways to make sure critical corporate data doesn't slip beyond the company firewall through the growing use of instant messaging (IM) clients in the workplace.
Regulatory pressure to archive messages is also forcing enterprises to extend their messaging security investments--limited today to inbound and outbound email--to IM. Some firms are deploying enterprise-class IM clients, others have initiated strict controls and policies to warn employees of unauthorized use, and others are outright banning IM clients.
"We've done our best to educate people in terms of appropriate use of IM clients, but everybody uses their commercial IM product and they use it all over the place," says Chris Ranch, director of network architecture at Affinity Internet. This year the Web and e-commerce vendor plans to introduce its 275 employees to an enterprise messaging system that encrypts and stores IM conversations on company servers.
"IM security is absolutely critical," Ranch says. "We want to gain control without pulling the plug on everybody."
Security pros are looking for products that detect and block spam over IM (spim) as well as phishing attempts, viruses and spyware in messaging traffic. Archiving chat
Jeff Carnahan, a messaging solutions architect at a Midwestern bank, says his company has been in control of its instant messaging security since it deployed IBM Lotus Sametime software in 1999. It started with 4,000 employees using IM, but now the bank's 50,000 employees have access to the IM client strictly for internal communications, he says. It also deployed archival and storage software from FaceTime Communications.
"There's definitely some concern about chat sessions, but the benefit of internal instant communications has been more of an advantage than a disadvantage," Carnahan says.
Disintegrating employee productivity forced Chad Richards, IT director at Riverton, Utah-based Stampin' Up!, a seller of wood-mounted rubber stamps and accessories, to pull the plug on IM use. After reviewing company chat IM logs, Richards says that one of 10 messages were legitimate work-related chats.
"While I see a lot of potential benefits, distractions and difficulties in managing IM far outweigh the benefits," Richards says. "It took a constant policing effort, and it had a negative impact throughout the company."
This was first published in April 2007