
From its beginnings in the early 1990s, instant messaging
(IM) has developed into a powerful business tool, giving internet
users access to a simple presence facility, as well as acting as a
linchpin for online conferencing, whiteboarding and other powerful
IP-based communications, writes Rolf von Roessing,
international vice-president at ISACA and
senior external advisor at KPMG Germany.
Whilst extensible data and the latest Web 2.0 technologies at
the heart of today's IM-based applications are viewed by many as a
security risk, the importance of IM in terms of business efficiency
and the ability to harness real-time communications for the benefit
of the staff concerned must never be overlooked.
This places IM technology firmly in the must-have IT category,
right up there with traditional voice communications.
Any security technology that is developed for IM applications
must, therefore, be easy to use and, ideally, be as unobtrusive as
possible.
Technologies such as a group policy certificate - issued by an
IM public key infrastructure policy system - as well as a local IM
secure PKI proxy technology can be added to the messaging mix.
By including data that defines the group members, references to
other groups, security controls and relevant data such as allowed
algorithms, IT managers can create a secure underlay, across which
an IM system can operate in a highly secure manner.
Risk analysis as a mindset
Before a security underlay for a secure IM system can be
constructed, there is a need for careful planning.
Careful planning of IT security solutions - especially with
must-have technologies such as IM - is all about conducting an
effective risk analysis.
When conducting the risk analysis, care should be taken not to
affect in any way the user-friendliness and business efficiency of
the IM technology being planned.
There are a large number of client-side security systems that
can be used to create an effective security underlay for IM usage
in an organisation, allowing staff to reach full IM efficiency
without their being constrained by the technology in any way.
Creating an efficient set of IM security guidelines
IT staff should also work with staff to develop a flexible set
of guidelines and best practice rules for the use of IM.
Great care should be taken to balance the security needs of the
organisation with the business efficiencies that IM can
engender.
It is simply not appropriate to create a rigid set of rules
within which IM usage is "allowed".
All types of IM communications should be permitted and then the
underlying IT security required to support the communications
system should be developed.