Instant message lockdown

Agencies grapple with control issues as users increasingly flock to IM

Few people are flattered when you call them paranoid or controlling. But in information technology circles, these traits are positive. We can thank viruses, hackers and spammers for that.

E-mail has been the path for most of those unwelcome visitors. Experience has shown that controls such as content filtering, user authentication and acceptable-use policies aren't just nice to have, they're essential.

It's no surprise then that agencies are extending their e-mail security blueprint to a fast-growing and increasingly vulnerable application: instant messaging (IM) services.

"E-mail usage policies are usually a good place to start," said Francis Costello, chief technology officer at Akonix Systems, an IM security vendor. "The Securities and Exchange Commission and the Federal Energy Regulatory Commission treat IM as business records just like they would treat e-mail. Some people see IM as something that won't be retained, and that's dangerous."

External IM risks exist, too. Spam over IM, known as spim, is a fact of life, at least on public IM networks. Hackers may commandeer a user's identity in a spoofing attack to coax useful information — personal or proprietary — from someone else in an IM chat. And IM is more prone to malicious code infection. Akonix's in-house monitoring service recently measured a 400 percent increase in worm attacks on IM and peer-to-peer networks between the first and second quarters of 2005.

Government employees use IM in a variety of ways. The easiest way to acquire the software is by downloading America Online's popular Instant Messenger (AIM) software or equivalent products from Yahoo or Microsoft. Although agencies rarely permit employees to use public IM networks at work, many workers do so anyway, experts said.

Many broad enterprise collaboration suites include a combination of IM, e-mail, Web conferencing and document sharing, and usually offer some form of security.

An increasingly popular option is using a dedicated IM security appliance, which also adds management functionality to public IM networks and enterprise suites.

The Energy Department, for example, uses an enterprise suite. DOE uses the Via3 platform from Viack, which delivers videoconferencing, voice over IP and IM for collaborative uses.

"To get started, it sends out an encrypted dialog to a selected user, who can accept or reject that opportunity to IM," said Doug Way, a senior network technician at ASRC Aerospace who works as a DOE contractor. "Confirmation of the user name and password is done on each user's desktop, so there's no way to capture the other user's password."

DOE began working with the platform last summer and has about 40 users in offices in Washington, D.C., West Virginia and Oklahoma.

"The biggest driver — and what makes me the strongest advocate — is that it's very secure, whether it's files, IM dialogue or your voice and video," Way said.

Via3 also allows agencies to enforce policies. The software prevents users from doing anything on their desktop computers that the CIO doesn't approve, Way said.

"They're not going to download AIM — it's verboten," he said. When users connect to DOE's local-area networks or wide-area networks, the department's IT staff can look at what they're doing and block the use of applications.

Additionally, the platform generates reports that can be used with compliance audits or the Federal Information Systems Management Act, Way said.

Array of options

Recent research from Nemertes Group, a New York-based consulting firm, shows that about one-third of enterprise IM users have tapped an enterprise-class IM security solution connected to product suites such as IBM Lotus Sametime and Microsoft Live Communication Server.

Another 14 percent use an IM gateway appliance, such as those made by Akonix, IMlogic and FaceTime Communications.

The rest might use client-specific security, such as AOL AIM Enterprise Gateway, if they use anything at all, said Melanie Turek, a senior vice president at Nemertes. Another subset of users may turn to hosted IM providers, such as Omnipod, an emerging alternative that promises secure operation, encryption and monitoring.

IM's prevalence among government users varies. Turek and IM security vendors suggest that government use may slightly trail enterprise use. Some security vendors say that eight out of 10 companies use IM.

But with telephones, voice mail and e-mail, how essential is IM, asked Jonathan Christensen, FaceTime's CTO.

Anyone who shares information is an excellent IM candidate, he added.

"IM users tend to be in roles where quick information is imperative, and they need parallel communication to back-channel to someone or to have multiple conversations," Christensen said.

Dealing with IM

IT managers might ignore IM traffic moving across their networks at first. Or they might block such traffic with a firewall or issue a widely ignored memo directing people not to use IM.

Even if a department opts to go with a secure IM platform, user authentication still should precede IM conversations, experts say. In some cases, that function is part of the IM security platform, such as with DOE's system. In others, a gateway or a stand-alone system that provides identity management handles authentication.

IM security management also needs to incorporate anti-malware features to protect against virus, worm and phishing attacks. Vendors are becoming aware that they need spyware protection and have begun adding it to IM security management, Turek said. Customers can expect to pay $20 to $25 per seat for most IM security solutions, she added.

Using e-mail security as a template may accelerate IM security implementation, but the analogy is imperfect, Costello said. Unlike e-mail, IM reflects users' presence in real time by denoting varying degrees of availability, such as off-line, busy or working from home.

"IM is consistently shown to be a good use of presence for how we work and, just like e-mail, requires some getting used to," he said. That may require training people how to use IM and what its social conventions are — whether you must reply every time someone sends you an IM, for example, he said.

Clearly, government IT departments are trying to make sure they have all the responses for technical and regulatory issues associated with secure IM operations. Although each user base will have different requirements and constraints, many options exist that address the application that more government users find they can't do without. And the security capabilities embedded in IM applications and platforms will ensure IT managers get to retain their hard-won control-freak status.

Sweeney is a Los Angeles-based freelance writer who has covered IT and networking for more than 20 years. He can be reached at terry@tsweeney.com.

Tips for safer IM

Here are some tips for improving the security of your agency's instant messaging (IM) use:

  • Know your network. That means knowing traffic patterns, traffic types and applications in use. You may have more IM-style traffic than you want to admit. Some vendors offer a free scanning tool to handle this upfront.
  • Standardize your client software. Experts say you're asking for trouble by letting users download anything they want. It's better to block such activity than to compromise sensitive data. Third-party clients on private IM networks can be assessed on a case-by-case basis.
  • Authenticate all users. Maybe that function is embedded in your collaborative applications platform, or maybe you use a separate appliance that includes certificate authority, dual-factor authentication and/or encryption.
  • Ensure compliance capabilities. Double-check the regulations and mandates for data handling and privacy so you can set your solution to generate reports that will be meaningful to auditors and those with congressional oversight.
  • Don't be vague about acceptable use. Make IM usage policies explicit. If your employees use public IM services, tell them that their chats are subject to acceptable-use policies and will be archived. Provide a URL where such policies are detailed. Reinforce acceptable use with user training.
  • Limit your window of vulnerability. If you use IM clients from networks such as America Online, Yahoo, MSN or others, there may be lag times between when those operators announce a vulnerability and when they offer a patch. Some IM security vendors tout their close development ties with the public IM networks. Decide how critical this is for your organization.

Sources: Akonix, Antepo, FaceTime, IBM and Nemertes