Instant Messaging Headaches

Keeping tabs on a modern workforce’s diverse communication tools can be a daunting task. Most enterprises struggle not only with email and voice messaging but also with managing faxes, e-faxes, and file attachments. And now instant messaging (IM)—and to a lesser extent, mobile-device texting—is becoming yet another communications medium for IT pros to manage.

IM can be a powerful productivity tool. A 2004 study by the Radicati Group—a technology research firm based in Palo Alto, California—suggested that IM use in the enterprise would increase dramatically from 2004 to 2008, estimating that 45.8 billion instant messages would be exchanged on a daily basis by 2008. A more recent 2007 IM study from Gartner predicted that “by the end of 2011, IM will be the de facto tool for voice, video, and text chat, with 95 percent of workers in leading global organizations using it as their primary interface for real-time communications by 2013.” The Gartner report continued, “The worldwide market for enterprise IM is forecast to grow from $267 million in 2005 to $688 million in 2010.”

All this growth translates to more work for IT pros. But with a good understanding of the risk factors and pain points associated with deploying and managing IM solutions—and a few good products to help with the workload—you can avoid most IM headaches.

Lay the Foundation
As with most complex projects, spending plenty of time in the planning and policy-creation phase can help you avoid painful migraines and career-crippling cost overruns. “You really need to get a handle on the human aspect of [your IM environment] first,” says Don Montgomery, vice president of marketing at Akonix, a provider of email and IM management and security products. “IM can be a productivityenhancing communications medium, but you need to enact—and enforce—policies that will make the system work efficiently. Almost every organization has corporate policies with regards to email usage, and many of those policies are transferable to IM communications.”

Montgomery also suggests that IT pros think carefully about how they plan to integrate IM communications within their infrastructures. “There are companies that have started implementing IM with the assumption that they could automatically use existing firewalls and intrustion detection system (IDS)/ intrustion prevention system (IPS) products to secure their IM channel, but that assumption is incorrect,” says Montgomery. “You might need purpose-specific devices that are created to manage IM in your environment. You can’t assume that an existing email security solution will also cover your IM channel.”

Finally, Montgomery stresses that you should look at IM holistically, as an important part of a communications infrastructure that includes email, e-faxes, digital voice, and potentially VoIP and other technologies. “IM shouldn’t be treated as an island. It should be treated as a vital part of your messaging infrastructure but should also integrate and coexist efficiently with your existing solutions.”

Howard Lev, Symantec’s group product manager for compliance and security management, agrees that getting various groups within an organization to think about IM can sometimes be a challenge. “Sometimes there’s a separation of responsibility that can create problems when it comes to creating an effective IM communications policy,” says Lev. “You have email people, then security people, and then the legal team. All these individuals might be focused on solving tasks in their own areas, but for a digital communications policy to be effective, those people need to break out of their silos, pull the blinders off, and work together.”

The Four IM Pain Points
Montgomery suggests that IT pros keep four potential problem areas in mind when dealing with IM deployment: security, compliance, confidential-data loss, and inappropriate usage. You’ll find vulnerabilities in each of these areas, and you must approach each with the same level of attention that your traditional communication channels receive.

Security. One of the biggest challenges with an IM infrastructure is simply keeping the channel secure. Although email receives the lion’s share of spam, viruses, malware, phishing attempts, and other threats, IM gets its share. “IM is yet another conduit or attack vector for hackers to deliver malicious code [into the enterprise],” says Montgomery. “Many hackers use social engineering to increase the odds that their attacks will be successful.” Attackers can send a user an instant message that appears as if it’s coming from a friend, coworker, or other trusted source, and that message might contain a spoofed link—what Montgomery refers to as a “poison URL”—that can download malicious content to a client PC.

According to Montgomery, the growth of IM security threats has gone through numerous stages, similar to how problems emerged with email. Most initial threats were nuisance threats, or what Montgomery calls “hacker glory”—that is, attacks primarily designed to make the attacker look cool to his or her peers, essentially the digital equivalent of subway graffiti. Over time, those attacks have become more sophisticated and malevolent, presenting an increasing threat to IT pros.

A number of vendors provide IM security solutions designed to protect the IM channel from malicious attacks, including Akonix (A-series appliances), Barracuda Networks (Barracuda IM Firewall), FaceTime Communications (IM Auditor), Sunbelt Software (Counterspy Enterprise), and Symantec (IM Manager and Symantec Mail Security). For a more in-depth list of IM security vendors, check out the sidebar “IM Security Vendors,” and for another vendor’s unique solution to IM security, read the sidebar “Maxwell Smart? Your IM Is Ready.”

Compliance. Most federal and state laws consider instant messages to be electronic communications, so IT pros must ensure that their IM deployments fully comply with all those laws. Many large companies need to produce IM messages in response to legal e-discovery requests, so the ability to archive and quickly recover specific messages is a must.

Continued on page 2