IM boom brings security concerns

Instant messaging (IM) has made significant inroads into the enterprise, but using public IM applications may open up security holes in the network.

By 2007, it will be considered strange if a company is not using some form of instant messaging (IM) technology.

That's a far cry from a few years back, when IM was still somewhat mysterious and many enterprises did not allow its use for fear of plummeting productivity and information leaks. But as 2006 marks the year IM breaks into the workplace, network managers have new security concerns, such as worms, viruses and leaks of sensitive information. Many products are now on the market, however, that curb IM-related threats, allowing network managers and operators to quell IM hassles before they start.

According to Nemertes Research principal analyst and program director Irwin Lazar, a recent study found that between 2005 and 2006, IM use in the enterprise has "exploded."

In a 2005 survey, Nemertes found that 76% of medium and large companies use some form of IM. Gartner Inc., in a similar study, found that 65% of employees use IM in the workplace. Gartner also suggests that public IM usage in the enterprise will be ubiquitous by 2008.

"This number will clearly rise as the IM-savvy next generation enters the workforce," Gartner analyst Peter Firstbrook wrote in a report. "IM is recognized as a fast way to get co-workers' attention, rapidly resolve issues/questions, and save telecommunications costs. However, uncontrolled IM usage, as with uncontrolled email, is a recipe for disaster for organizations."

But Firstbrook's report cautions that IM, like email, is becoming a channel for viruses and other malicious software. IM lacks encryption for sensitive information and bypasses corporate email-oriented content inspection filters. Also, the lack of a permanent record of communications is a compliance risk and productivity hazard.

And a large number of enterprise IM users are still relying on public IM applications such as AIM, MSN, Google and Yahoo, instead of using enterprise-class IM such as Jabber, Microsoft's Live Communications Server, or IBM's Sametime.

Lazar said using public IM can be a security threat. It can introduce worms, viruses and other malware into the network. On the other side of the coin, IT has very little control over public IM usage, meaning it is highly probable that an end user could send out sensitive data or corporate information via an IM session and never be caught.

"That's been a real fear because there's no control over the application," he said. "You don't know what [users] are sending."

Michael Osterman, president of Black Diamond, Wash.-based Osterman Research, said that between 2004 and 2005 the number of viruses, worms and other malware associated with IM grew between 1,600% and 2,200%.

The spreading of a worm or virus is a major concern, but Osterman contends that IT managers should not be so worried about what's coming in as about what's going out. He said consumer IM clients aren't encrypted and sessions are not conducted behind a firewall. There is no auditing or logging, and public IM lacks "name space control," meaning that when someone leaves a company, he can retain his IM name, giving the appearance that he's still associated with that company.

Osterman said that many IT managers understand IM-related issues, but securing IM is not a top priority just yet.

"IM today is where email was around 1995," he said. "A lot of IT departments haven't flagged it as a concern. If you don't control IM use … there's a potential for loss of IP."

The 2005 Nemertes survey found that 58% of corporate IM users are using an enterprise-class model, while the rest use consumer or public services. Of all IM users polled, however, 62% said they find that security is absolutely critical, while 26% considered security important.

Recently, though, the market has been flooded with IM hygiene products to help manage and secure IM sessions, both on public and enterprise-class IM applications.

Lazar said some products can make IM sessions go through a proxy where they can be logged and monitored. Some even block users from attaching and sending files.

Products from Akonix Systems, Blue Coat Systems, CipherTrust, FaceTime Communications, IM-Age Software, IMlogic and Microsoft are designed to protect overall IM hygiene and ensure security.

Frank Cabri, vice president of marketing for FaceTime, also noted the clear trend in enterprise IM adoption. FaceTime, which makes IMAuditor, an IM security tool, has methods to protect both the use of public IM and the use of enterprise IM applications.

"Security concerns extend into both the enterprise and public IM worlds," Cabri said, noting that recent research found that the use of public IM increased 2,000% between 2004 and 2005. With more than 40 public IM clients available, that can create an interesting challenge for IT.

"It's complex," Cabri said. "It's not just worms and viruses anymore, it's spyware, rootkits and keyloggers getting in through public IM."

And as IM becomes as commonplace as email, enterprises need to be concerned and to regain some control over the IM clients that end users select. Public IM is easy to download and unsanctioned, but it also has a solid business use, according to Cabri. Enterprises must now weigh the potential security threats against the business case.

"It's not any one thing that's going to solve the problem," he said.

Cabri suggests that IT set up some kind of acceptable-use policy outlining IM behaviors, and though that written policy is necessary, it may not be sufficient.

FaceTime, which last week rolled out the latest version of IMAuditor, 8.0, helps enforce those policies, Cabri said. By scanning IM sessions in real time for keywords or file attachments, it can display a pop-up warning when an end user is breaking the acceptable-use policy, helping to ensure that nothing sensitive gets out.

IMAuditor also protects against inbound IM threats based on behavior. For example, if it notices more than three messages sent by a single user's IM client in one second, that user is quarantined, because a worm or virus could be propagating. IT can also restrict use to approved IM clients, log sessions, and perform various other security and monitoring functions.
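The three controls the last two paragraphs describe (real-time keyword and attachment scanning, an allowlist of approved clients, and quarantining a sender whose client emits more than three messages in one second) are simple enough to show end to end. The following is an added example written for this article; it is not IMAuditor or any vendor's code, and the event format, the `corp-jabber`/`public-aim` client names, the keyword list and the sample messages are all constructed here for illustration.

```python
"""Toy IM policy monitor (added example; not IMAuditor or any vendor's code).

Events are assumed to have already been normalized by an IM proxy into
(timestamp, user, client, text, attachment) records; the proxy itself is
out of scope here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    ts: float                      # seconds since some epoch
    user: str                      # sender's IM name
    client: str                    # client that produced the message
    text: str
    attachment: Optional[str] = None


# Hypothetical policy parameters (assumed values, not from the article).
ALLOWED_CLIENTS = {"corp-jabber"}            # only sanctioned clients pass
BLOCKED_KEYWORDS = {"confidential", "roadmap"}
BURST_LIMIT = 3                              # more than this many messages...
BURST_WINDOW = 1.0                           # ...within this many seconds => quarantine


class IMPolicyMonitor:
    def __init__(self):
        self.recent = defaultdict(deque)     # user -> timestamps inside the window
        self.quarantined = set()
        self.log = []                        # (ts, user, verdicts) audit trail

    def process(self, ev: Event):
        """Return the list of policy verdicts for one message."""
        if ev.user in self.quarantined:
            return ["quarantined"]           # sender already cut off
        verdicts = []

        if ev.client not in ALLOWED_CLIENTS:
            verdicts.append("blocked-client")

        # Sliding-window rate check: keep only timestamps within BURST_WINDOW
        # of this message, then test whether the sender exceeded BURST_LIMIT.
        window = self.recent[ev.user]
        window.append(ev.ts)
        while window and ev.ts - window[0] >= BURST_WINDOW:
            window.popleft()
        if len(window) > BURST_LIMIT:
            self.quarantined.add(ev.user)
            verdicts.append("quarantine")

        # Outbound content check: keywords and any file attachment.
        lowered = ev.text.lower()
        hits = sorted(k for k in BLOCKED_KEYWORDS if k in lowered)
        if hits:
            verdicts.append("keyword:" + ",".join(hits))
        if ev.attachment:
            verdicts.append("attachment:" + ev.attachment)

        if not verdicts:
            verdicts.append("ok")
        self.log.append((ev.ts, ev.user, verdicts))
        return verdicts


# Constructed sample traffic: a normal user, an unsanctioned client,
# and a client that bursts messages the way a propagating worm would.
SAMPLE_EVENTS = [
    Event(0.0, "alice", "corp-jabber", "lunch?"),
    Event(0.5, "alice", "corp-jabber", "the Q3 roadmap is attached", "roadmap.pdf"),
    Event(0.9, "alice", "corp-jabber", "sorry, wrong window"),
    Event(1.2, "alice", "corp-jabber", "ignore that"),      # 0.0 has aged out
    Event(2.0, "bob", "public-aim", "hi"),
    Event(10.0, "carol", "corp-jabber", "check this out"),
    Event(10.2, "carol", "corp-jabber", "check this out"),
    Event(10.4, "carol", "corp-jabber", "check this out"),
    Event(10.6, "carol", "corp-jabber", "check this out"),  # 4th in 0.6 s
    Event(10.8, "carol", "corp-jabber", "check this out"),
]


def run_sample():
    """Feed the constructed events through a fresh monitor."""
    monitor = IMPolicyMonitor()
    return [monitor.process(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ev.ts:5.1f} {ev.user:6} {ev.client:12} {verdict}")
```

Note that the sliding window is evaluated per sender, so alice's fourth message at 1.2 s is not flagged because her first message has fallen out of the one-second window, while carol's fourth message within 0.6 s trips the threshold and every later message from her is dropped. The keyword check is a plain substring match, which is the same trade-off real products make between false positives and coverage.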

Chris Berry, information security manager at Lam Research, a Fremont, Calif.-based semiconductor company, said he deployed IMAuditor about a year ago as part of a directory services and messaging platform upgrade. Berry said that the deployment, though still in the testing phase, helps keep internal IM communications on the up-and-up.

"We wanted to make sure we had a monitoring and prevention system," Berry said, in order to keep tabs on IM sessions and make sure that users follow corporate acceptable-use and communications policies.

Lam Research is looking at using internal IM to enhance mobility and communications. Still, Berry said, he doesn't plan on allowing IM sessions outside corporate walls any time soon. He said Lam Research has a policy against end users downloading public or consumer IM clients and monitors at the gateway to ensure it is not being used.

"We are concerned with it, but we have that risk mitigated," he said, adding that Lam Research's IM deployment is part of a staggered rollout plan.

Osterman suggests that companies that are concerned with IM use first install some sort of free sniffer software to get a better idea of how frequently IM is being used within company walls. Then, the company must determine how it wants to use IM -- whether it wants IM sessions to remain internal or reach outside office walls. That will help guide whether employees should continue using public IM or whether an enterprise-class solution would be preferable.

Osterman's most recent IM tracking survey found that roughly 93% of North American organizations use IM in some capacity, and roughly 34% of corporate email users use IM. But by 2009, he said, nearly 100% of North American companies will have employees who use IM.

"IM is definitely here to stay," Osterman said. "It's showing growth that's fairly significant."

This article originally appeared on