Instant Messaging Headaches

Keeping tabs on a modern workforce’s diverse communication tools can be a daunting task. Most enterprises struggle not only with email and voice messaging but also with managing faxes, e-faxes, and file attachments. And now instant messaging (IM)—and to a lesser extent, mobile-device texting—is becoming yet another communications medium for IT pros to manage.

IM can be a powerful productivity tool. A 2004 study by the Radicati Group—a technology research firm based in Palo Alto, California—suggested that IM use in the enterprise would increase dramatically from 2004 to 2008, estimating that 45.8 billion instant messages would be exchanged on a daily basis by 2008. A more recent 2007 IM study from Gartner predicted that “by the end of 2011, IM will be the de facto tool for voice, video, and text chat, with 95 percent of workers in leading global organizations using it as their primary interface for real-time communications by 2013.” The Gartner report continued, “The worldwide market for enterprise IM is forecast to grow from $267 million in 2005 to $688 million in 2010.”

All this growth translates to more work for IT pros. But with a good understanding of the risk factors and pain points associated with deploying and managing IM solutions—and a few good products to help with the workload—you can avoid most IM headaches.

Lay the Foundation
As with most complex projects, spending plenty of time in the planning and policy-creation phase can help you avoid painful migraines and career-crippling cost overruns. “You really need to get a handle on the human aspect of [your IM environment] first,” says Don Montgomery, vice president of marketing at Akonix, a provider of email and IM management and security products. “IM can be a productivityenhancing communications medium, but you need to enact—and enforce—policies that will make the system work efficiently. Almost every organization has corporate policies with regards to email usage, and many of those policies are transferable to IM communications.”

Montgomery also suggests that IT pros think carefully about how they plan to integrate IM communications within their infrastructures. “There are companies that have started implementing IM with the assumption that they could automatically use existing firewalls and intrustion detection system (IDS)/ intrustion prevention system (IPS) products to secure their IM channel, but that assumption is incorrect,” says Montgomery. “You might need purpose-specific devices that are created to manage IM in your environment. You can’t assume that an existing email security solution will also cover your IM channel.”

Finally, Montgomery stresses that you should look at IM holistically, as an important part of a communications infrastructure that includes email, e-faxes, digital voice, and potentially VoIP and other technologies. “IM shouldn’t be treated as an island. It should be treated as a vital part of your messaging infrastructure but should also integrate and coexist efficiently with your existing solutions.”

Howard Lev, Symantec’s group product manager for compliance and security management, agrees that getting various groups within an organization to think about IM can sometimes be a challenge. “Sometimes there’s a separation of responsibility that can create problems when it comes to creating an effective IM communications policy,” says Lev. “You have email people, then security people, and then the legal team. All these individuals might be focused on solving tasks in their own areas, but for a digital communications policy to be effective, those people need to break out of their silos, pull the blinders off, and work together.”

The Four IM Pain Points
Montgomery suggests that IT pros keep four potential problem areas in mind when dealing with IM deployment: security, compliance, confidential-data loss, and inappropriate usage. You’ll find vulnerabilities in each of these areas, and you must approach each with the same level of attention that your traditional communication channels receive.

Security. One of the biggest challenges with an IM infrastructure is simply keeping the channel secure. Although email receives the lion’s share of spam, viruses, malware, phishing attempts, and other threats, IM gets its share. “IM is yet another conduit or attack vector for hackers to deliver malicious code [into the enterprise],” says Montgomery. “Many hackers use social engineering to increase the odds that their attacks will be successful.” Attackers can send a user an instant message that appears as if it’s coming from a friend, coworker, or other trusted source, and that message might contain a spoofed link—what Montgomery refers to as a “poison URL”—that can download malicious content to a client PC.

According to Montgomery, the growth of IM security threats has gone through numerous stages, similar to how problems emerged with email. Most initial threats were nuisance threats, or what Montgomery calls “hacker glory”—that is, attacks primarily designed to make the attacker look cool to his or her peers, essentially the digital equivalent of subway graffiti. Over time, those attacks have become more sophisticated and malevolent, presenting an increasing threat to IT pros.

A number of vendors provide IM security solutions designed to protect the IM channel from malicious attacks, including Akonix (A-series appliances), Barracuda Networks (Barracuda IM Firewall), FaceTime Communications (IM Auditor), Sunbelt Software (Counterspy Enterprise), and Symantec (IM Manager and Symantec Mail Security). For a more in-depth list of IM security vendors, check out the sidebar “IM Security Vendors,” and for another vendor’s unique solution to IM security, read the sidebar “Maxwell Smart? Your IM Is Ready.”

Compliance. Most federal and state laws consider instant messages to be electronic communications, so IT pros must ensure that their IM deployments fully comply with all those laws. Many large companies need to produce IM messages in response to legal e-discovery requests, so the ability to archive and quickly recover specific messages is a must.

Continued on page 2

“The majority of our customers are really concerned about IM compliance issues,” says Lev. “They want to be able to capture all their IM messages, log them, and easily search an archive database when they get an e-discovery request. They also need to ensure that their IM communications comply with a host of federal and state regulations concerning email usage, including Sarbanes-Oxley and HIPAA.” Symantec sells an Information Foundation Bundle that offers the ability to archive IM traffic through Symantec Enterprise Vault, the company’s email-archiving and -retention tool.

A host of rules and regulations govern electronic communications. IT managers and CIOs—especially at large enterprises— would be well advised to be on a first-name basis with corporate counsel and their finance executives. “All these regulations can require a lot of different things, including retaining the content of those messages. IM is an electronics communication medium, and the company that provides that service to its employees bears the liability,” says Montgomery. That liability can even extend to personal IM accounts that employees use at work. “The [IM provider] isn’t relevant, but the role of the person and the nature of the communication is.”

Montgomery points to a number of regulatory bodies—ranging from financial services (Financial Industry Regulatory Authority—FINRA), the energy industry (Federal Energy Regulatory Commission— FERC, North American Electric Reliability Corporation—NERC), and general oversight by the Securities and Exchange Commission (SEC) for large companies—that can affect the way you manage and archive instant messages. The moral of the story is clear: IM is a vital part of a communications infrastructure, and you must operate it in compliance with the same rules and regulations that govern other digital communications methods.

Vendors that can help you ensure that your IM channel complies with required regulations include Akonix (L7 Enterprise Suite), FaceTime Communications (IM Auditor), and Symantec (Symantec Mail Security, Information Foundation Bundle/Enterprise Vault, and Vontu Data Loss Prevention).

Confidential-data loss. What about securing IM from inadvertent data loss by careless employees? IM was primarily driven into the workplace by employees using their personal IM accounts, which often weren’t managed or secured by corporate IT departments. That situation has changed over the past few years, but ensuring that employees follow company guidelines can still be a significant challenge. “With IM, businesses have created another means for employees to communicate outside the company, which means you have another way to lose confidential information,” says Montgomery. “Many companies in technology industries compete in their respective markets on the strength of their patents and intellectual properties, so keeping that information secure is vitally important. It’s easy to send a video clip or detailed drawing of a new product via IM.”

Symantec makes several products that help keep tabs on vital company information, including Vontu Data Loss Prevention. It includes two modules: Network Monitor, which can track information within your organization, as well as who it’s sent to, and Vontu Network Prevent, a product that can prevent sensitive information from leaving an organization. Akonix provides its L7 Enterprise Suite, and FaceTime’s IM Auditor can help keep tabs on IM traffic.

Inappropriate usage. A final, often overlooked potential IM pain point for IT pros is employees’ inappropriate IM usage. Because some users believe IM traffic isn’t tracked or monitored as closely as email messages are, they often use IM for inappropriate purposes. “A recent study revealed that 31 percent of employees are harassed by other employees at work over IM,” says Montgomery. “When you consider that some IT researchers believe that some 50 million workplaces use IM, that translates into some 15 million lawsuits just waiting to happen. Again, the company provides the IM communication, so the company bears liability for the content of that IM communication.”

Content that should raise red flags includes hostile, offensive, and harassing content and the “seven words you can’t say on TV” (popularized by the late George Carlin), as well as other inappropriate material. Products that can help you screen your IM traffic for inappropriate usage include Akonix’ L7 Enterprise Suite and FaceTime Communications’ IM Auditor.

No More Headaches?
As IM becomes a more integral part of the enterprise communications infrastructure, some of these IM pain points will be alleviated. That said, new communications technologies will undoubtedly emerge, and the stalwart IT pro will be called upon to deploy, manage, and secure any new communications channel. But as this discussion has revealed, an IT pro armed with the right planning, a toolbox of good products, and a willingness to embrace change will be well positioned to face the challenge.