Strategic antivirus, antispyware measures required to manage instant messaging vulnerabilities
by Ben Bradley
There’s no better way to elevate the priority of a communication and glean a quick “yes or no” response from an office colleague than instant messaging. However, convenience has its price. The explosive growth of instant messaging as a communication tool brings a new class of IT security challenges. For example, a quick chat with a coworker using popular consumer-grade instant messaging software could expose your staff and your organization to eavesdroppers, breaches of internal content security and malicious code.

Despite these additional headaches, a 2004 poll by the research firm META Group finds a variety of IM benefits, including faster response and problem resolution, instant customer support, reduced e-mail traffic, enhanced multitasking, better perception of coworker availability, improved collaboration and better communication with remote employees.
Research conducted by The Radicati Group, Inc., a technology and market research firm based in Palo Alto, Calif., and London, UK, shows that instant messaging (IM) is in use by approximately 30 percent of US organizations.
What’s more, a December 2005 Nielsen/NetRatings study of instant message utilization shows that nearly 39 percent of all U.S. IM traffic originates from the workplace.
Masha Khmartseva, a messaging analyst with the Radicati Group, believes in the majority of cases, "IM typically enters the workplace as a tool for personal communication. Workers use it to communicate with family and friends. Adoption is viral," she says. "Coworkers adopt IM to schedule lunch with each other, pass messages during conference calls or simply as a way to improve communication – especially on time sensitive issues." Growing consumer use of IM on cell phones, PDAs and other devices also drives workplace adoption of IM.
Khmartseva says these tools will accelerate workplace adoption by 26 percent each year for the next four years.
Security First
Yet, for all the obvious benefits, unsanctioned adoption of consumer-grade IM (CIM) creates very real security and compliance risks for IT departments. These risks are compounded when IT organizations do not secure their perimeters against the unique threats associated with instant messaging clients. Without the right IM security solution in place, organizations that spend hundreds of thousands of dollars protecting e-mail and information networks leave a back door open to a host of security threats, including:
• External Threats and Viruses: Unsecured instant messaging opens a direct channel for IM virus and worm attacks, Trojan horses, malware and IM spam.
• Internal Content Security and Intellectual Property Breaches: Insufficient IM security and policy controls expose organizations to increased IT risks such as data and network corruption, lost intellectual property and exposure of proprietary information.
According to the IMlogic Threat Center, a Symantec-owned but vendor-led consortium that provides global threat detection and protection for instant messaging, four of the top 10 most damaging Internet threats in 2004 used IM and P2P (peer-to-peer) as a vector for infection. As instant messaging adoption increases (both IT-sanctioned and non-sanctioned use), new worm and virus infections are most often sent via file transfers that bypass traditional antivirus security gateways. IM attacks push URLs to malicious code hosted on the Internet, which is then downloaded and executed on local machines. AOL, MSN and Yahoo have all announced flaws where buffer overflows or boundary condition errors have been exploited to spread viruses, worms or in some cases even distributed denial-of-service (DDoS) attacks.
Most IT organizations use traditional gateway antivirus to protect corporate networks from inbound e-mail attacks, but very few have adequate protection for defending against complex blended threats which propagate malicious code via IM. The rapid proliferation of IM threats makes it difficult for traditional reactive security approaches to keep pace. Increasingly destructive IM threats put even more pressure on the IT department and are all the more reason why specialized, proactive IM threat protections are needed.
The extent of the security threat from unsanctioned IM should not be underestimated. A January 2006 analysis by the IMlogic Threat Center showed that IM security threats increased by 826 percent in December 2005 versus December 2004. IM security challenges become even more complex when the organization is affected by HR, legal or regulatory compliance issues such as the Health Insurance Portability and Accountability Act (HIPAA).
CIM vs. EIM
When evaluating IM threat protections, it may seem the solution is simply to block IM usage altogether. In fact, that’s what 32 percent of organizations do. These organizations either block IM at the firewall or prohibit its use via policy, says Michael Osterman, founder of Osterman Research, a Seattle-based market research company focused on the messaging market. According to Osterman, the difficulty of the manual blocking approach is that it is hard to continually adjust firewall rules to adapt to the rapidly changing consumer-grade instant messaging (CIM) environment. For that reason, most IT managers understand the importance of settling on an enterprise-grade IM (EIM) standard. The reality, says Osterman, is that only 26 percent of organizations that use or allow IM have settled on one or more EIM products as a standard.
Yet, today’s enterprise IM products offer a lot of advantages over using a public IM network by itself. Some products manage the use of public IMs, while others offer a proprietary solution. Comparing CIM with EIM is similar to comparing consumer e-mail service, such as Microsoft’s Hotmail, and an enterprise e-mail service such as Microsoft’s Outlook. In contrast to CIM, secure EIM products are wholly the property of the organization and wholly under the control of the organization’s IT infrastructure.
Enterprise-grade IM products offer protections not found in CIM clients. For example, specialized EIM products from Microsoft (Live Communications Server), Barracuda Networks, Symantec’s IMlogic, Trend Micro and others eliminate the task of adjusting corporate firewall rules because the rules are constantly updated by the IM firewall. These protections remove soft spots from the perimeter and include safeguards that prevent the spread of malicious code. Other tools, such as PGP’s Secure Instant Messaging, automatically secure sessions between AOL Instant Messenger (AIM) users and provide total privacy for sensitive chat sessions. Additionally, some EIM solutions offer message archiving features.
Sanctioned IM Usage Increasing
According to Christopher Penner, product manager at Barracuda Networks, consumer-grade IM is persistent and “very good at finding unauthorized points of entry. It enables just about anyone to connect.” Penner believes the persistence and ease of use is a benefit for consumers but a bane for any organization concerned about security. Since CIM clients are so persistent, they are designed to make connecting easy for consumers. “Unfortunately easy means bypassing the firewall using any means possible,” said Penner. As an example, Penner says that if the default port is blocked at the corporate firewall, some CIM clients will look for other open ports such as 23 (telnet), 20 and 21 (FTP) and 80 (HTTP). “When you bypass normal authentication processes and allow consumer applications into your network without the proper security controls, you create soft spots in your perimeter – these soft points are quickly targeted by hackers, viruses and worms,” said Penner.
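Because a port-hopping client can show up on 23, 21 or 80, a defender cannot rely on port-based firewall rules to see it. The following added example (not code from the article or from Barracuda Networks) shows the alternative: fingerprint the first bytes each client sends and flag IM traffic regardless of destination port. The three signatures are simplified, constructed fingerprints of the AIM/OSCAR, MSN and Yahoo protocols, the sample flows are constructed, and the default ports are the networks’ well-known ones.

```python
"""
Port-independent detection of consumer IM client traffic.

Added example; not code from the article or from any vendor it names.
Assumptions: a network sensor hands us the first payload bytes of each
outbound TCP connection, and the three signatures below are simplified
fingerprints (constructed for illustration) of the AIM/OSCAR, MSN and
Yahoo wire protocols. Default ports are the networks' well-known ones.
"""
from dataclasses import dataclass
from typing import List, Optional

# Well-known default ports of the public IM networks the article discusses.
DEFAULT_PORTS = {"aim-oscar": 5190, "msn-msnp": 1863, "yahoo-ymsg": 5050}

# Simplified payload fingerprints (constructed): a protocol is recognised by
# what the client sends first, so the destination port is irrelevant.
def _is_oscar(p: bytes) -> bool:
    return len(p) >= 6 and p[0] == 0x2A            # FLAP frame start byte

def _is_msnp(p: bytes) -> bool:
    return p.startswith(b"VER ") and b"MSNP" in p  # version negotiation

def _is_ymsg(p: bytes) -> bool:
    return p.startswith(b"YMSG")                   # packet header magic

SIGNATURES = [("aim-oscar", _is_oscar), ("msn-msnp", _is_msnp), ("yahoo-ymsg", _is_ymsg)]

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes the client sent

@dataclass
class Finding:
    src: str
    dport: int
    family: str
    port_hopping: bool   # True when the client is not on its default port

def fingerprint(payload: bytes) -> Optional[str]:
    """Return the IM protocol family matching the payload, or None."""
    for family, match in SIGNATURES:
        if match(payload):
            return family
    return None

def inspect(flows: List[Flow]) -> List[Finding]:
    """Flag every flow that carries IM traffic, wherever it is headed."""
    findings = []
    for f in flows:
        family = fingerprint(f.payload)
        if family is None:
            continue
        hopping = f.dport != DEFAULT_PORTS[family]
        findings.append(Finding(f.src, f.dport, family, hopping))
    return findings

# Constructed sample flows: normal web and telnet traffic, an AIM login on
# its default port, and two clients that have fallen back to ports 80 and 23.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.0.0.6", "10.0.0.250", 23, b"\xff\xfd\x18\xff\xfd\x20"),
    Flow("10.0.0.7", "203.0.113.20", 5190, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    Flow("10.0.0.8", "203.0.113.30", 80, b"VER 1 MSNP8 CVR0\r\n"),
    Flow("10.0.0.9", "203.0.113.40", 23, b"YMSG\x00\x0b\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for hit in inspect(SAMPLE_FLOWS):
        print(hit)
```

Run against the constructed flows, the web request and the telnet negotiation produce nothing, the AIM login on 5190 is reported without the port-hopping flag, and the MSN and Yahoo clients on ports 80 and 23 are reported with it. The same idea is what an IM firewall that “constantly updates” its own rules is doing on the organisation’s behalf.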
Barracuda Networks’ IM Firewall specifically blocks CIM persistence by enabling the administrator to determine which CIM clients will be allowed within the organization. For instance, the administrator can shut off certain public IM clients such as AOL or Yahoo globally across the organization, or break it down by department or even user. The firewall also ensures that users who have a public IM account register their public screen name before allowing outbound communication. This protects against ID spoofing or unauthorized use of the allowed public IM and ensures that the message logs reflect the user’s real name and not their CIM screen name.
Trend Micro’s IM Security for Microsoft Office Live Communications Server (LCS) delivers advanced protection from malicious code and inappropriate IM content. The software product allows for central management and administration and runs with minimal performance impact to LCS. Incident based archives allow quick and easy searches along with instant notification through LCS and comprehensive real-time reporting.
Symantec’s IMlogic Inc., a leader in enterprise software for instant messaging, offers solutions designed to control and secure public and enterprise IM networks. The firm’s products offer solutions for enhanced security, regulatory compliance, management and control along with corporate governance of IM.
Beyond Viruses and Worms
Beyond viruses and worms, non-sanctioned IM activity creates soft spots in the perimeter – especially in the areas of human resources, legal or regulatory compliance, integration and monitoring. All of these soft spots are addressed by enterprise-grade products.
Monitoring: What happens if a staff member uses IM to sexually harass or threaten? IM can be your organization’s face to the world and it is important to protect your organization’s reputation. The enterprise applications listed earlier provide monitoring through keyword notification. This allows foul language to be flagged or blocked and, in some cases, the incident can be escalated to that person’s manager.
Compliance: IM conversations are business records that must be logged and archived. In regulated industries, if undocumented communications occur that include personally identifiable data, the organization can still be held liable for that breach – and with it the possibility of fines and other liability. Powerful rule-sets provide tremendous flexibility. For example, rules can be defined that prevent analysts from talking with traders. These features are limited only by the imagination of the people that control them.
Integration: Should “starchilddave@yahoo.com” be allowed to represent your organization to the press or to a customer? Or would you prefer that all instant messaging accounts be linked to your Active Directory? Using authentication to prevent anonymous IM screen names allows a policy to be defined that maps directory user identities to IM screen names, adding a further layer of accountability. Other feature sets include tools that automatically insert disclaimers at the beginning of each IM session. Disclaimers won’t solve HR, legal or regulatory compliance issues, but they do distance the views of the individual from the views of the organization.
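The controls described in this section and in the IM Firewall paragraph above (client allow-lists resolved globally, per department or per user; screen-name registration; keyword flagging with escalation to a manager; a rule keeping analysts and traders apart; session disclaimers; archiving under the real user name) all reduce to a policy check on each outbound message. The following is an added example of such a gateway, not the code of any product named in the article; the directory, policies, rules, names and flagged words are constructed.

```python
"""
Toy EIM policy gateway that applies the controls the article describes to
each outbound message: screen names must be registered to a directory
identity, public IM clients are allowed per organisation, department or
user, flagged keywords are escalated to the sender's manager, an ethical
wall keeps named departments apart, a disclaimer opens every session and
the archive records the directory user rather than the screen name.
Added example; not the code of any product named in the article. The
directory, policies, rules and words below are all constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed directory: registered screen name -> (user, department, manager).
DIRECTORY = {
    "aim:alice99":    ("alice", "research", "carol"),
    "msn:bob_trades": ("bob",   "trading",  "dave"),
    "aim:eve.sales":  ("eve",   "sales",    "frank"),
}

# Which public networks may be used; the most specific scope wins.
CLIENT_POLICY = {
    "global":     {"aim": True, "msn": False, "yahoo": False},
    "department": {"trading": {"msn": True}},   # traders may use MSN
    "user":       {"eve": {"aim": False}},       # but eve may not use AIM at all
}

# Departments that must not talk to each other (the article's analysts/traders rule).
ETHICAL_WALLS = {frozenset({"research", "trading"})}

FLAGGED_WORDS = {"damn", "confidential"}
DISCLAIMER = "[Views expressed are the sender's own, not those of Example Corp]"

@dataclass
class Message:
    screen_name: str   # sender's public account, "network:name"
    to: str            # recipient screen name
    text: str

@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None          # directory identity behind the screen name
    escalate_to: Optional[str] = None   # manager notified when keywords hit

def client_allowed(user: str, dept: str, network: str) -> bool:
    """Resolve the client allow-list with user > department > global precedence."""
    scopes = (CLIENT_POLICY["user"].get(user, {}),
              CLIENT_POLICY["department"].get(dept, {}),
              CLIENT_POLICY["global"])
    for scope in scopes:
        if network in scope:
            return scope[network]
    return False

class Gateway:
    def __init__(self) -> None:
        self.archive: List[Tuple[str, str, str, List[str]]] = []
        self.open_sessions = set()

    def process(self, msg: Message) -> Decision:
        entry = DIRECTORY.get(msg.screen_name)
        if entry is None:
            return Decision(False, "screen name not registered to a directory user")
        user, dept, manager = entry
        network = msg.screen_name.split(":", 1)[0]
        if not client_allowed(user, dept, network):
            return Decision(False, f"{network} client not permitted for {user}", user)
        peer = DIRECTORY.get(msg.to)
        if peer is not None and frozenset({dept, peer[1]}) in ETHICAL_WALLS:
            return Decision(False, f"ethical wall between {dept} and {peer[1]}", user)
        hits = sorted(w for w in FLAGGED_WORDS if w in msg.text.lower())
        text = msg.text
        session = (msg.screen_name, msg.to)
        if session not in self.open_sessions:            # first message of a session
            self.open_sessions.add(session)
            text = DISCLAIMER + "\n" + text
        self.archive.append((user, msg.to, text, hits))  # logged under the real name
        reason = "delivered" if not hits else "delivered, flagged: " + ", ".join(hits)
        return Decision(True, reason, user, manager if hits else None)

if __name__ == "__main__":
    gw = Gateway()
    for m in (Message("yahoo:starchilddave", "aim:alice99", "hi, press here"),
              Message("aim:alice99", "msn:bob_trades", "what are you buying?"),
              Message("msn:bob_trades", "aim:eve.sales", "this is confidential")):
        print(gw.process(m))
```

The unregistered Yahoo account is refused before anything else is checked, the research-to-trading message is stopped by the ethical wall, and the trader’s message is delivered with a disclaimer prepended, archived under “bob” rather than “msn:bob_trades”, and escalated to his manager because it contains a flagged word. The precedence order in `client_allowed` is what lets one global rule be overridden for a department or a single user, as the article describes.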
As IM matures and becomes more widely accepted, organizations are looking for ways to use the benefits of IM technology without risking proprietary data or exposing the organization to liability on consumer IM networks. Enterprise instant messaging solutions, coupled with firewalls and other security products, allow organizations to offer highly secure and highly available IM services to their users, partners and others.