Plug IM's Security Gaps

When you say the words instant messaging and security to many IT executives, you might as well be referring to oil and water. Some CIOs have simply banned the use of this collaboration tool in their companies, citing it as a gaping hole through which viruses, hackers and corporate spies can enter and out of which company secrets, libelous statements and unaudited communications can flow.

These naysayers have a point -- Gartner Inc. in Stamford, Conn., has identified IM as one of the top 11 security issues for 2003. "IM, by its very nature, punches a hole in the firewall, and that opens up the possibility of inviting in a dangerous worm," says Douglas Schweitzer, a Gartner analyst.

The problem is, IM originated as a free download for consumers and wasn't designed with corporate security in mind. Instant messages bypass virus scanners, and users can inadvertently download files containing malicious code. And because of IM's casual nature, users may be less than professional in their communications. Meanwhile, these messages go uncaptured by any corporate database, making them unauditable.

But officially sanctioned or not, IM use is nearly unstoppable -- and in some instances, it's a critical business tool. Last year, there were 80 million IM users in the U.S., and 25 million of those were business users, according to The Yankee Group in Boston. Fortunately, there are ways to plug many IM security gaps. Here are some tips on how to tame the wild world of IM:

  • Keep IM within the firewall. Some companies, such as Terra Nova Trading LLC in Chicago, want their employees to have IM -- just not over the public network. So Kevin Ott, vice president of technology at the brokerage, installed an IM system called E/pop from WiredRed Software Corp. in San Diego.

    E/pop and similar systems, such as IBM Lotus Software Group's Sametime, Jabber Inc.'s Messenger and even America Online Inc.'s Enterprise AIM, route instant messages locally, so they never traverse the public network.

    These systems also offer audit and reporting capabilities, as well as features such as virus scanning, directory integration with other e-mail systems, message encryption and user authentication. "It's a completely closed system, and we can audit the transcripts and put them in a database," Ott says.

  • Install a gateway product. Other companies, such as brokerage firm Craig-Hallum Capital Group LLC in Minneapolis, rely on IM to communicate with business partners. That's why it turned to an IM gateway product from FaceTime Communications Inc. in Foster City, Calif. Other gateway vendors include Akonix Systems Inc., IMlogic Inc. and AOL.

    These systems can either route instant messages on the internal corporate network for employee-to-employee communications or interface with consumer IM clients to send messages to outside parties over the Internet.

    In either case, a proxy server sits between the IM clients on both sides of the firewall and scans for viruses, filters content, periodically attaches disclaimers to messages and sends all messages to a database for archiving.

    These systems also allow IT to block file transfers, authenticate users and control who's allowed to use IM. Some gateway products allow IM conversations to be monitored in real time and even interrupt those that break corporate policies. More common, however, is after-the-fact monitoring. "We do a postreview, because IM conversations are supposed to happen in real time," says John Threadgill, managing director of IT at Morgan Keegan & Co. in Memphis. "The system checks for keywords, and if one appears, the IM is flagged and a manager is notified."

  • Filter content for sensitive keywords. Health care companies might block or flag messages with sensitive patient information, whereas financial firms look for phrases like "guaranteed return." All companies might disallow certain number patterns, such as those of Social Security numbers.

  • Encrypt messages. Even with a gateway product, there is still a vulnerability: "What happens to the message when it's out on the Internet?" asks IDC analyst Robert Mahowald. Consumer IM systems store instant messages on their servers in clear text, which anyone, including hackers, can read.

    Encryption is one way to bridge this security gap, although very few companies actually use it because of its complexity and the fact that many products work only if both parties use the same encryption software. Another approach, offered by AOL and VeriSign Inc., is to certify instant messages sent to partners. However, Mahowald says, "it's a payment level on top of paying for the IM client and server."

  • Hammer home your IM policy. After closing what gaps you can with technology, the best safety net is to educate users on IM's security holes. One way to do this with an IM gateway is to have the system send periodic reminders of IM policies.

    At The Weather Channel Interactive Inc. in Atlanta, which uses Akonix's L7 system, salespeople who use consumer IM systems get a daily pop-up reminder, says John Penrod, a network architect there. "We want them to keep in mind that we're not preventing them from putting a dollar mark into an IM but that it would be preferable for them to think about whether that communication should be done in a more secure way," he says.

Here are a few more common practices that companies with IM gateway products employ to batten down the IM hatches:

  • Block file transfers. Many companies, such as Craig-Hallum Capital Group and Morgan Keegan, block all file-sharing capabilities for users of consumer IM. At The Weather Channel, "we haven't decided yet," says John Penrod, network architect. "We might restrict it completely, but we might virus-scan them and check them for exploits." Even if you don't use an IM gateway, says Douglas Schweitzer, an Internet security specialist, you can turn off the file-sharing option on AOL's consumer AIM. "File sharing should never be used in a corporate setting," Schweitzer says.

  • Control who can use IM and who can talk to whom. "Not everyone has a business need to use IM," Penrod says. The company's system from San Diego-based Akonix blocks IM messages sent by unauthorized users. At Morgan Keegan, "all IM traffic goes through the FaceTime server, and if we haven't set somebody up in the server, the message won't go through," says John Threadgill, managing director. Threadgill also restricts who within the company can IM with whom to meet U.S. Securities and Exchange Commission regulations.

  • Put a lock on your PCs. Many people leave their IM sessions running all day long. At Morgan Keegan, PCs log off automatically after 30 minutes, which ensures that this doesn't happen.
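The gateway controls described above (keyword flagging with after-the-fact review, blocking Social Security number patterns, blocking file transfers, and refusing messages from users who have not been set up on the server) combine into one policy check per message. The following is an added illustration in Python, not code from FaceTime, Akonix, IMlogic or any other product named in the article; the `Policy`, `Message`, `Gateway` names, the keyword list and the example addresses are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple


# Policy the hypothetical gateway enforces (constructed values, not any vendor's defaults).
@dataclass(frozen=True)
class Policy:
    flag_keywords: Tuple[str, ...] = ("guaranteed return",)
    authorized_senders: frozenset = frozenset({"alice@example.com", "bob@example.com"})
    block_file_transfers: bool = True


# Shape of a U.S. Social Security number: ###-##-#### with dash or space separators.
SSN_RE = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b")


@dataclass
class Message:
    sender: str
    recipient: str
    text: str
    file_transfer: bool = False


@dataclass
class Verdict:
    action: str                           # "deliver" or "block"
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # Delivered, but queued for a manager's after-the-fact review.
        return self.action == "deliver" and bool(self.reasons)


class Gateway:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.archive: List[Tuple[Message, Verdict]] = []  # every message, for audit
        self.review_queue: List[Message] = []             # flagged messages for a manager

    def evaluate(self, msg: Message) -> Verdict:
        p = self.policy
        # Users not provisioned on the server cannot send at all.
        if msg.sender not in p.authorized_senders:
            return Verdict("block", ["sender not provisioned for IM"])
        # File transfers are disabled outright.
        if msg.file_transfer and p.block_file_transfers:
            return Verdict("block", ["file transfers disabled"])
        # Disallowed number patterns stop the message.
        if SSN_RE.search(msg.text):
            return Verdict("block", ["SSN-shaped number pattern"])
        # Sensitive phrases let the message through but flag it for review.
        reasons = [f"keyword: {kw}" for kw in p.flag_keywords if kw in msg.text.lower()]
        return Verdict("deliver", reasons)

    def process(self, msg: Message) -> Verdict:
        verdict = self.evaluate(msg)
        self.archive.append((msg, verdict))
        if verdict.flagged:
            self.review_queue.append(msg)
        return verdict


# Constructed sample traffic, one message per policy branch.
SAMPLE_MESSAGES = [
    Message("alice@example.com", "bob@example.com", "Lunch at noon?"),
    Message("alice@example.com", "carol@partner.example", "This fund has a Guaranteed Return of 12%"),
    Message("bob@example.com", "alice@example.com", "Patient Jane Doe, SSN 123-45-6789, is cleared"),
    Message("mallory@example.com", "alice@example.com", "hi there"),
    Message("alice@example.com", "bob@example.com", "sending report.xls", file_transfer=True),
]


def run_samples() -> Tuple[Gateway, List[Verdict]]:
    gw = Gateway(Policy())
    verdicts = [gw.process(m) for m in SAMPLE_MESSAGES]
    return gw, verdicts


if __name__ == "__main__":
    gw, _ = run_samples()
    for msg, v in gw.archive:
        print(f"{msg.sender} -> {msg.recipient}: {v.action} {v.reasons}")
    print(f"{len(gw.review_queue)} message(s) waiting for manager review")
```

The order of checks matters: authorization and file-transfer rules are evaluated before content is inspected, so a blocked message never reaches the keyword stage, while every message, delivered or not, lands in the archive for the audit trail the article describes.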

Brandel is a Computerworld contributing writer in Grand Rapids, Mich. Contact her at

Special Report

Tips From Security Experts

Copyright © 2003 IDG Communications, Inc.
