How to secure enterprise instant messaging

According to a 2008 IDC survey, instant messaging is set to overtake email as the preferred form of enterprise communication. IM, however, can be extremely difficult to control if you don't know these security tips.

According to a 2008 survey carried out by IDC Corp., instant messaging (IM) is set to overtake email as the preferred form of business communication by the second half of 2010. The real-time nature of IM makes it a fast and efficient means of collaborating and exchanging documents. Many feel using IM for work leads to more effective and efficient communications, reducing the overhead of telephone or face-to-face meetings when only a brief response is required.

Instant messaging, however, can be disruptive, and the security of IM communications often doesn't keep pace with its adoption, leaving many enterprises vulnerable to attacks and exploits. Although most organisations now have email security products in place, far fewer actively protect themselves from IM-borne threats, let alone control instant messaging use with proper logging, auditing and archiving, or have established formal policies to ensure appropriate activity.

As one of the most widely deployed applications on the Internet, IM has increasingly become a target for attackers, with threats ranging from IM-borne viruses, worms and malware to spam over IM (SPIM) and phishing attacks. Instant messaging is also very difficult to block using conventional security methods such as port-blocking firewalls, because IM clients use port crawling to find and exploit any open port on the firewall, such as HTTP port 80 or FTP port 21.

Also, most IM clients can automatically adjust their settings to connect to the IM server, even if direct access to it is blocked, embedding traffic data within an HTTP request and thereby circumventing any protocol analysis firewall. It can be a struggle to keep firewalls and proxies updated with the constantly evolving proprietary IM protocols, while network performance often suffers as most are not designed to inspect and analyze real-time communication traffic.

Taking control: Enterprise instant messaging systems
Allowing employees to use public IM services means you're essentially outsourcing your instant messaging to a third-party system with which your company has no contract, no guarantee of service and no real control. This is why I favour using enterprise IM systems instead.

With an enterprise IM system, you can control accounts more easily and set policies to govern who can use it, control what the account naming policy will be, which departments can talk to other departments or to people outside the corporate network, and which users or job categories can transfer files. You can also implement end-to-end encryption, strong user authentication, as well as configurable content and URL filters.

Enterprise instant messaging is a growing market, and there are lots of different services and products to choose from depending on your organization's size and requirements. Microsoft's Office Live Communications Server, IBM Lotus Sametime and Jabber Inc.'s XCP are leading EIM platforms. FaceTime Communications Inc. and Akonix Systems Inc. also provide enterprise IM products.

These platforms include encryption as well as filtering features to stop malware entering the internal network and sensitive data leaving it. Disclaimers can be added into conversations, notifying the user that their messages are being monitored. Employees can also be blocked from visiting known problem sites when clicking on links provided during chat sessions. Many products can also integrate access control into an operating system's authentication mechanism like Active Directory.

When considering an IM product, check that it supports the XMPP protocol. Unlike most instant messaging protocols, XMPP is an open standard, and its gateways (transports) let users reach networks that run other protocols. It has become the official IM standard of the U.S. Department of Defense and many large financial institutions. Google adopted XMPP as the basis of its Google Talk service, and most other major instant messaging providers are building bridges to interface with XMPP networks.

Because nearly all IM-enabled attacks currently spread via user interaction, an acceptable usage policy and an active security awareness program are particularly important and valuable. As with any policy, it is important to keep an eye on the needs of the business when drafting it. The best approach is one that accounts for employees conducting legitimate business-related communication while ensuring any legal and regulatory objectives are met. By all means, base your IM security policy on your email policy, as acceptable usage restrictions will be very similar. There will be additional areas, however, that need to be included. For example, you should address:

  • The sole IM client that the organization will use.
  • Naming conventions for accounts so employees cannot impersonate other staff members.
  • Listings of individual contact information.
  • Who is allowed to use IM (not everyone will need access based on business needs).
  • Whom users are allowed to communicate with.
  • Presence messages.
  • Guidelines covering approved and prohibited IM activities to prevent actions that might compromise security, such as how file transfers are initiated.

It is technically difficult, however, to enforce a policy covering IM without the use of an instant messaging firewall or server. This is why I am in favour of hosting the entire infrastructure within the organisation. An enterprise IM server can help you enforce most of your IM policies and regulatory requirements through traffic analysis and reporting, keyword searches and message archiving.
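As an added example (not the article's code, nor that of any IM vendor named above), this is the kind of relay-time policy check an enterprise IM server or IM firewall applies to the controls discussed in the last few sections: department-to-department rules, external contacts, file-transfer rights, and keyword and URL filters. The directory, rule tables and messages are constructed, and the check works on simplified bare-JID addresses rather than full XMPP stanzas.

```python
# Added example: a minimal enterprise-IM policy check applied before a message is
# relayed. Directory, rules and messages are constructed for illustration.
import re
from dataclasses import dataclass

# Constructed user directory: account -> department (stands in for an AD lookup).
DIRECTORY = {"alice.smith": "finance", "bob.jones": "engineering", "carol.wu": "hr"}
CORP_DOMAIN = "example.com"

# Policy item "whom users are allowed to communicate with": department -> allowed peers.
ALLOWED_PEERS = {
    "finance": {"finance", "hr", "engineering"},
    "engineering": {"engineering", "finance"},
    "hr": {"finance", "hr", "engineering"},
}
EXTERNAL_OK = {"hr"}             # departments allowed to message outside the corporate domain
FILE_TRANSFER_OK = {"engineering"}  # departments allowed to initiate file transfers

# Content filter (sensitive data leaving) and URL filter (known problem sites), both constructed.
KEYWORDS = re.compile(r"\b(confidential|account number|\d{3}-\d{2}-\d{4})\b", re.I)
URL_BLOCKLIST = {"bad.example.net"}
URL_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Message:
    sender: str        # bare JID, e.g. alice.smith@example.com
    recipient: str
    body: str
    file_transfer: bool = False


def check_message(msg: Message) -> list:
    """Return the list of policy violations; an empty list means relay and archive."""
    violations = []
    s_user, s_dom = msg.sender.split("@", 1)
    r_user, r_dom = msg.recipient.split("@", 1)
    dept = DIRECTORY.get(s_user) if s_dom == CORP_DOMAIN else None
    if dept is None:  # naming policy: only known corporate accounts may send
        return ["sender not in directory"]
    if r_dom != CORP_DOMAIN:
        if dept not in EXTERNAL_OK:
            violations.append("external contact not permitted")
    elif DIRECTORY.get(r_user) not in ALLOWED_PEERS[dept]:
        violations.append("department-to-department contact not permitted")
    if msg.file_transfer and dept not in FILE_TRANSFER_OK:
        violations.append("file transfer not permitted")
    if KEYWORDS.search(msg.body):
        violations.append("sensitive keyword")
    for host in URL_RE.findall(msg.body):
        if host.lower() in URL_BLOCKLIST:
            violations.append("blocked URL")
    return violations
```

Every message that passes with an empty list is the one to archive; a message with violations is the one to log and report, which is the traffic-analysis side of the same policy.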

Looking ahead, many organisations are starting to include mobile phone interoperability in their IM requirements. Mobile instant messaging (MIM) is quickly becoming the most used feature for many smartphone users, and in my next article, I will be looking at some of the issues involved in keeping smartphones secure.

Sidebar: Is Blocking IM an Option?
Because it's so difficult to control the use of instant messaging without installing some sort of IM firewall or bringing the service in-house, you might decide to ban the use of instant messaging altogether. Messages and files can be sent quickly and securely between employees at different locations using email. They can be signed and encrypted, and if you have your own mail servers, complete copies of all messages can be kept for an essential audit trail.

Taking this approach would mean your corporate policy would need to be updated and communicated to employees to make them aware of the consequences of installing and using banned IM software. Otherwise, rogue IM users would present a major security risk, as your organization would not have any controls in place to protect against IM threats.

Banning instant messaging completely, however, means you lose out on its undoubted business benefits. Even managers and IT personnel, who are aware of the risks posed by IM, appear to be in favour of its use, noting that the added business performance more than offsets the potential risks.

About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
