Use of Skype

The subject of Skype came up again. We’ve taken a pretty hard line against the use of this software on the corporate network, and for good reason too in my opinion. Questions around fundamentals such as confidentiality, issues around protocols, and risks from malware have led to a policy banning its use. However, use of Skype is becoming quite common within an increasing number of businesses, and inevitably the policy gets questioned when customers and vendors request to have Skype-based conversations.

I’ve not softened my stance against using the software within the corporate network (we offer plenty of alternative messaging and VOIP services), but have allowed it to be installed on laptops on a per-need basis so long as its use is strictly off-piste, desktop anti-malware controls are in place, and users are made aware of the relevant risks.

Of course, that still leaves the potential risk of a malware-infected laptop being plugged back into the network. One of my colleagues stated that he would not allow the machines used to be brought back onto the network even with AV. I think the risk is manageable so long as there’s close supervision, but it has become an emotive subject of discussion and I know that some believe my opinion on the matter to be rather too flippant.

It comes down to business requirements. We need to be a business enabler and not a block. There is a request to make use of some banned software for a good business reason and I’ve prescribed, what I believe to be, suitable controls that allow that to happen whilst also ensuring that stakeholders are aware of what the risks are.

I’ll be interested to find out what others are doing.

There are a couple of blogs and articles that I found interesting on the subject of Skype and general VOIP security:

From Skype: http://share.skype.com/sites/security/

A VOIP security blog: http://voipsecurityblog.typepad.com/marks_voip_security_blog/

Recently discovered Skype security glitch: http://nanocrew.net/2007/01/19/skype-security-fud/

Skype based Trojan: http://securitywatch.eweek.com/exploits_and_attacks/trojan_spreading_via_skype.html

Last word from Bruce Schneier’s blog: http://www.schneier.com/blog/archives/2006/08/skype_call_trac.html

3 comments

One of the main reasons corporations should resist using Skype to perform business is the loss of control they have over that business relationship. As you create an online identity asset (good will), the asset does not belong to the organization or individual but rather Skype. The Skype terms of use are not "Corporate Friendly". What happens if that employee leaves the organization or becomes disgruntled? On the other hand, the most compelling business reason to use Skype is not cost savings but rather direct access to the Skype User community/cloud. I'm very surprised that Skype/eBay or some other vendor has not created a "Corporate Friendly" secure Skype messaging gateway. I have a napkin with marketecture design if anyone is interested ;)
Bryan - "As you create an online identity asset (good will), the asset does not belong to the organization or individual but rather Skype." Brilliant as always! Concerning risk and paranoia: Skype is somewhat different from other IMs, yes. To me, the biggest strike against corporate Skype use is the relative inability to prevent bandwidth utilization. But fundamentally, as a vector for malware, or an avenue for data leakage, I don't see Skype as any more "risky" than email or an Internet browser. But I have to agree with you, Stuart. Freaking out over "potential" risks isn't Risk Management.
"(we offer plenty of alternative messaging and VOIP services)" The problem with this as a response is that, if your contact, client or supplier group uses Skype as a primary means of communication, then all the alternative VoIP solutions in the world won't prevent you being excluded from the conversation. Now, if Skype would interoperate a little more freely with other protocols (like the Windows Live Messenger flavour of IP, or even the Jabber VoIP version) then you could pick and choose the client that made most sense for your security policy. Unfortunately, that's not the case, and Skype is swiftly becoming ubiquitous. Is there a case for corporates (such as Reed) approaching Skype directly to try and resolve the concerns?
