The subject of Skype came up again. We’ve taken a pretty hard line against the use of this software on the corporate network, and for good reason too, in my opinion. Questions around fundamentals such as confidentiality, issues around protocols, and risks from malware have led to a policy banning its use. However, use of Skype is becoming quite common within an increasing number of businesses, and inevitably the policy gets questioned when customers and vendors request to have Skype-based conversations.
I’ve not softened my stance against using the software within the corporate network (we offer plenty of alternative messaging and VOIP services) but have allowed it to be installed on laptops on a per-need basis so long as its use is strictly off-piste, that desktop anti-malware controls are in place, and that users are made aware of relevant risks.
Of course, that still leaves the potential risk of a malware-infected laptop being plugged back into the network. One of my colleagues stated that he would not allow the machines used to be brought back onto the network even with AV. I think the risk is manageable so long as there’s close supervision, but it has become an emotive subject of discussion and I know that some believe my opinion on the matter to be rather too flippant.
It comes down to business requirements. We need to be a business enabler and not a block. There is a request to make use of some banned software for a good business reason and I’ve prescribed what I believe to be suitable controls that allow that to happen whilst also ensuring that stakeholders are aware of what the risks are.
I’ll be interested to find out what others are doing.
There are a couple of blogs and articles that I found interesting on the subject of Skype and general VOIP security:
From Skype: http://share.skype.com/sites/security/
A VOIP security blog: http://voipsecurityblog.typepad.com/marks_voip_security_blog/
Recently discovered Skype security glitch: http://nanocrew.net/2007/01/19/skype-security-fud/
Last word from Bruce Schneier’s blog: http://www.schneier.com/blog/archives/2006/08/skype_call_trac.html