Corporate IM Security: Are You A Sitting Duck?Corporate IM Security: Are You A Sitting Duck?

Two trends are converging on the IM scene to make instant messaging an increasingly risky—and at the same time, increasingly useful—proposition: IT executives have more and more options for federation, and malware is growing in prevalence and sophistication almost daily. What's worse, the very fact of federation promises to increase the amount of malware running over those newly open networks. It's a Catch-22: We want to be able to message people without their having to participate in our companies' closed, proprietary networks. But we also don't want to turn IM into the next e-mail—a valuable communications tool that is slowly but surely falling prey to spammers, hackers, and other online criminals, causing some (though not me—more on that later) to question its usefulness.

On the same day this month, two news items hit the wires that show why instant messaging is getting both more and less useable. On the one hand, AOL announced the launch of its IM Federation Partner Program, which promises to make IM federation more of a reality for more enterprises. On the other hand, a variant of the W32/Kelvir worm shut down the Reuters IM network; it was just the most recent in a spate of IM threats including other worms and viruses, phishing scams and even SpIM (spam on IM—yeah, it has its own name).

Some people believe that federation is the death of IM. Haven't we learned our lesson from e-mail, they ask? These naysayers insist that instant messaging will only remain viable in the enterprise if it's always exchanged on a closed, private, enterprise-controlled network. That will theoretically prevent malware from ever entering the system, and so ensure that instant messaging remains a useable, reliable and safe communications tool.

Trouble is, they're wrong, on two counts. First, no communications tool will go very far if it doesn't let people communicate. The world is an increasingly global place, with more companies opening up their business—and their business information—to partners, customers and suppliers. It's hardly reasonable to suggest that allowing employees to IM only other employees makes sense—in doing so, you're intentionally excluding a large percentage of the people employees need to IM. Federation is not an option, it's a requirement. Indeed, Nemertes' research shows that 70% of IT executives want vendors to focus on interoperability in the near future.

Second, locking down an IM network certainly reduces risk, but it doesn't eliminate it entirely. For one thing, not all employees are innocent IMers—some will inadvertently pass along viruses and worms downloaded from other sources, such as the Web or e-mail. So companies still need to protect against the transfer of malware via IM, as well as protect their intellectual property, and make sure their employees' IM conversations meet all regulatory compliance rules. What's more, not allowing employees to message outsiders may force them to covertly use (unprotected) public systems where they can—and that, of course, increases the risks.

Furthermore, unprotected "private" IM networks would appeal to hackers, who, if they could crack the system, would have virtually unfettered access to users' information and PCs (as no one would be expecting or preventing their presence). Indeed, this is an inherent vulnerability in public IM services right now; naïve users reasonably assume their buddies' screen names are really coming from their buddies, and they are willing to accept messages from new contacts that "appear" to be people they know.

All of which means that companies must secure the IM traffic on their networks, or risk the consequences. Too many IT executives cast a blind eye to the use of instant messaging in their enterprises, hoping that if they ignore it, the problem will go away (or perhaps never even begin). They're wrong, especially as more once-private networks federate with the public services and other enterprise IM systems.

AOL's Enterprise Federation Program, announced last week, is good news for companies that want their employees to be able to message customers, partners and suppliers. It's available to any IM vendors that want to participate (and pay AOL the necessary royalty). For now, four privately-held enterprise IM vendors—Antepo, Jabber, Omnipod, and Parlano—are giving their enterprise customers certificate-based, encrypted access to the AIM and ICQ IM services, via the AOL Federation Gateway. The Gateway works as a translation engine between SIP/SIMPLE, XMPP and AOL's proprietary messaging system. Enterprise users can communicate with people outside their organizations on AOL without having to use an AOL screen name, and without giving up the security and management controls that come with their enterprise IM system. Tests are also in the works to allow independent IM vendors to federate with one another, so that an Antepo user can message a Jabber user, for example.

The news follows on the heels of AOL's recent announcement of a direct-federation option for users of FaceTime's IM gateway product, and of course last month's seismic news from Microsoft, which boasts better and deeper federation in Live Communications Server (see last month's "In the Loop" column). The AOL Gateway gives companies more alternatives to using Microsoft's LCS, which essentially provides the same benefits to users (of course, LCS has similar deals with Yahoo and MSN). It also puts another nail in the coffin of the IM gateway vendors (Akonix, FaceTime and IMlogic), whose differentiator has increasingly been the ability to offer interoperability; as that gap closes, so does their ability to add value.

But the news has one critical drawback: As more people swap IM over federated networks, more viruses and other malware will enter those networks—and rampantly infect users' systems. Just last week, a variant of the W32/Kelvir worm shut down the Reuters IM network—that's a private network. Just as open e-mail systems permit the free and open exchange of e-mail malware, so will open IM networks enable the spread of IM threats. (Although it is also true that if no single IM client dominates the landscape, hackers will have a more difficult time creating malware that threatens large populations; in this respect, federated IM could actually decrease the risks, at least from a macro point of view.)

Taking heed, many IM and security vendors are paying attention. Akonix, FaceTime and IMlogic all have their own "threat networks," designed to monitor and warn against impending threats. (Indeed IM security may be one area these vendors can play a long-term role.) Traditional anti-virus/anti-spam vendors are paying attention, too. And the IM services are getting into the act—the newest version of MSN, for instance, blocks certain know IM worms (although it's not foolproof, or ideally designed; recipients are never notified of blocked messages, for instance).

In the end, IM needs to be protected as e-mail is today. In some ways, that should be easier to do—IM is a real-time communications tool, which means that network administrators, whether they work for Joe Company or AOL, should be able to "see" when large numbers of the same IM message are sent or received at once. This could give IM a leg-up on e-mail, which is only now seeing administrators monitor the source of spam and viruses, rather than the recipients.

And while it's a bummer that we have to do this at all, it's hardly an insurmountable task. I, for one, am skeptical of the Chicken Littles who cry that e-mail is falling out of favor thanks to viruses and spam. I use a perfectly good, perfectly ordinary anti-spam filter that does an excellent job of keeping my inbox clean. It's a rare day when a malware message gets through. Sure, I have to eyeball my spam folder once or twice a day to check for legitimate mail accidentally branded as spam, but that's a small price to pay for all the benefits e-mail provides. I'd be happy to do the same on IM.

A bigger problem, frankly, is user education. I continue to be confounded by people who agree to "contribute" money to some local policeman's benevolent fund they've never heard of until they get that late-night phone call, or have their driveway repaved by a fly-by-night operator who shows up on their doorstep only to see cracks appear two days later. And I continue to be confounded by people who click on e-mail attachments from strangers, provide personal information to bogus Web sites, and forward infected messages to friends and family with a hearty click of the mouse.

Spam works because some people, somewhere, buy what the spammers are selling. E-mail viruses are propagated because some people, somewhere, continue to use poor messaging hygiene. Phishing scams work because some people, somewhere, actually give out personal information to complete strangers simply because they asked for it. And that's what needs to stop if IM—and its more mature sibling, e-mail—is to thrive as a corporate communications tools.

Still, companies can do only so much to educate their employees. Until they do (and I'm not holding my breath), they must protect themselves—and that's where IM security software comes in. By all means, take advantage of the federation AOL and Microsoft are increasingly providing; it will make your IM use even more productive. But protect your assets, too. If you don't, there's no complaining when a worm or virus hits.

Sr. Vice President and Founding Partner, Melanie Turek, is a reknowned expert in enterprise application integration software, collaboration technologies, and business intelligence at Nemertes Research. For the past 10 years, Ms. Turek has worked closely with hundreds of senior IT executives across a range of industries. She also has in-depth experience with business-process engineering, project management, and productivity and performance enhancement.