From its beginnings in the early 1990s, instant messaging (IM) has developed into a powerful business tool, giving internet users access to a simple presence facility, as well as acting as a linchpin for online conferencing, whiteboarding and other powerful IP-based communications, writes Rolf von Roessing, international vice-president at ISACA and senior external advisor at KPMG Germany.
Whilst extensible data and the latest Web 2.0 technologies at the heart of today's IM-based applications are viewed by many as a security risk, the importance of IM in terms of business efficiency, and the ability to harness real-time communications for the benefit of the staff concerned, must never be overlooked.
This places IM technology firmly in the must-have IT category, right up there with traditional voice communications.
Any security technology that is developed for IM applications must, therefore, be easy to use and, ideally, be as unobtrusive as possible.
Technologies such as a group policy certificate - issued by an IM public key infrastructure policy system - as well as a local IM secure PKI proxy technology can be added to the messaging mix.
By including data that defines the group members, references to other groups, security controls and relevant data such as allowed algorithms, IT managers can create a secure underlay, across which an IM system can operate in a highly secure manner.
Risk analysis as a mindset
Before a security underlay for a secure IM system can be constructed, there is a need for careful planning.
Careful planning of IT security solutions - especially with must-have technologies such as IM - is all about conducting an effective risk analysis.
When conducting the risk analysis, care should be taken not to affect in any way the user-friendliness and business efficiency of the IM technology being planned.
There are a large number of client-side security systems that can be used to create an effective security underlay for IM usage in an organisation, allowing staff to reach full IM efficiency without their being constrained by the technology in any way.
Creating an efficient set of IM security guidelines
IT staff should also work with staff to develop a flexible set of guidelines and best practice rules for the use of IM.
Great care should be taken to balance the security needs of the organisation with the business efficiencies that IM can engender.
It is simply not appropriate to create a rigid set of rules within which IM usage is "allowed".
All types of IM communications should be permitted and then the underlying IT security required to support the communications system should be developed.