Best practices for instant messaging security
In this tip, Brien Posey details the steps you can take to protect your organisation from security problems when implementing an instant messaging system.
It never ceases to amaze me how popular instant messaging has become. Even if you decide that instant messaging has no place on your corporate network, chances are your users will take things into their own hands and install their own instant messaging software. The point is that instant messaging is not going to go away anytime soon.
When properly implemented, instant messaging can be a true asset to the business by making communications easier throughout the organisation. If instant messaging is carelessly implemented, though, it can cause problems with privacy and may expose the organisation to various forms of malware. There are techniques that you can employ to make sure that instant messaging is used in a secure manner in your organisation.
Establish a corporate instant messaging usage policy
If you are serious about instant messaging security, one of the most important things that you can do is to establish an instant messaging usage policy for your users. Such a policy explains to your users in detail how instant messaging should and should not be used.
Even with an instant messaging policy in place, though, it is naive to assume that every user will adhere to the policy that you've established. An instant messaging policy won't stop users from breaking the rules, but it will give you the authority to take action when the rules are broken.
Deploy your own instant messaging server if possible
Even though your instant messaging usage policy makes it clear how instant messaging is to be used, you have to assume for the sake of security that the policy will be completely ignored. With that in mind, my No. 1 recommendation for organisations that are serious about instant messaging security is to deploy your own instant messaging server.
The reason I say this is that the majority of commercial instant messaging applications out there are client/server based. This means that when a user sends an instant message to another user, the message is initially sent to an instant messaging server and is then sent to the recipient.
Now think about the client/server architecture from a corporate usage standpoint. If a user wanted to send a message to a user in the next cubicle, the message would first have to travel across the Internet, where it could potentially be read by anyone who happens to be eavesdropping. On the other hand, if you have your own instant messaging server, messages from one user to another would never leave your private network. Only messages to outside recipients would ever traverse the Internet.
Of course, although the basic principle of what I just told you is accurate, I have oversimplified things a bit. While the majority of the commercial instant messaging applications use a client/server architecture like the one that I described, there are as many different architectures as there are instant messaging products.
A few instant messaging products on the market use a peer-to-peer architecture, and some use a hybrid architecture. For example, one product that I know of initially uses a client/server architecture to locate the recipient but then uses a peer-to-peer architecture to communicate with the recipient once the recipient has been located. Other products use a client/server architecture for messaging but use a peer-to-peer architecture for file transfers.
My point is that having your own instant messaging server gives you the greatest control over instant messaging security. If deploying your own instant messaging server isn't an option, however, you can and should shop around for an instant messaging application that is built with security in mind. Unless the software uses a true peer-to-peer architecture that allows users in your organisation to communicate directly with one another without the messages having to traverse the Internet, encryption is a must-have feature for the application that you select.
Configure desktop lockdown software to block unauthorised instant messaging software
Whichever instant messaging application you choose, it is important that instant messaging software be controlled by the IT department and not by the end users. I have seen far too many situations over the years in which users' workstations were not locked down properly, and users installed their own instant messaging software.
There are many reasons why it is extremely important to make sure that users cannot install their own instant messaging applications. For starters, the company is responsible for having a license for every piece of software that is installed on its systems. Another reason it is important to prevent users from installing their own instant messaging applications is that some instant messaging clients have been designed to include adware or other types of Trojans. By installing an instant messaging application, a user could inadvertently expose sensitive information or risk introducing malware into the organisation.
Over the years, I've seen many organisations try to prevent users from using instant messaging applications by trying to block instant messaging at the perimeter firewall. In most cases, though, this technique tends to be ineffective.
Many instant messaging clients are designed to circumvent the corporate firewall. These applications may initially try to communicate with the instant messaging server using a designated port number, but if communications fail, most of these applications will attempt to circumvent the firewall by tunnelling instant messaging traffic through another port. Typically, TCP port 80 (or as I like to call it, the universal pass-through port) is the port number of choice. I have heard of some applications that tunnel instant messaging traffic through SMTP packets, however.
The only way of effectively using a perimeter firewall to block unwanted instant messaging traffic is to do some research and figure out all of the IP addresses used by the various commercial instant messaging applications and then block those addresses.
In addition, I recommend locking down the workstations. Ideally, the workstations should be secure enough that users cannot install unauthorised applications. A company named Bit9 makes an excellent application called Parity that does just that.
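The core idea behind a lockdown product of the kind mentioned above is an allowlist: IT records the approved binaries, and anything else is refused. The following added example (my illustration, not the article's code and not how any particular vendor's product is built) shows the simplest form of that check, a SHA-256 digest allowlist audited against a directory. It builds a temporary directory of constructed dummy "executables" so it runs offline; the file names, contents and the `.exe` suffix rule are all assumptions.

```python
"""Hash-based application allowlisting, as a minimal illustration of the
desktop lockdown the article recommends.

Added example, not the article's or any vendor's code. Assumes the approved
set is a collection of SHA-256 digests of executable files and audits what is
on disk against it; the sample files are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Record the digests of the IT-approved binaries (the known-good state)."""
    return {sha256_file(p) for p in approved_paths}


def audit_directory(directory, allowlist, suffixes=(".exe",)):
    """Return files under `directory` whose digest is not on the allowlist.

    A file is matched by content, not by name, so a renamed IM client or a
    tampered copy of an approved program is reported just the same.
    """
    unapproved = []
    for p in sorted(Path(directory).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes and sha256_file(p) not in allowlist:
            unapproved.append(str(p))
    return unapproved


def demo():
    """Constructed scenario: two approved binaries, then one is tampered with
    and a user drops an unapproved chat client next to them."""
    with tempfile.TemporaryDirectory() as d:
        approved = []
        for name, content in (("mail.exe", b"approved mail client"),
                              ("office.exe", b"approved office suite")):
            p = Path(d, name)
            p.write_bytes(content)
            approved.append(p)
        allowlist = build_allowlist(approved)

        # Same name as an approved program, different bytes: must be rejected.
        Path(d, "office.exe").write_bytes(b"approved office suite plus bundled adware")
        # User-installed IM client: not on the list at all.
        Path(d, "chat.exe").write_bytes(b"user-installed instant messenger")

        return [os.path.basename(x) for x in audit_directory(d, allowlist)]


if __name__ == "__main__":
    print("not approved:", demo())
```

A real lockdown agent does the same comparison at execution time, from inside the operating system, so that an unapproved binary never runs rather than merely being reported afterwards; the on-disk audit here is the offline equivalent, and the tampered `office.exe` case shows why the list has to key on content rather than on file name.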
Another defence against unwanted instant messaging applications is to use personal firewalls on the desktop machines. Some personal firewalls are able to work at the application layer and can block traffic on a per-application basis, not just by port, as a perimeter firewall does. One example of such a product is Symantec's Desktop Firewall.
Conclusion
As you can see, protecting your organisation against unauthorised instant messaging applications can be a bit tricky. Even so, taking the time to make sure that only approved instant messaging software is used is important if you want to maintain privacy and avoid exposure to malware.