Toolbox
How to Evaluate and Use Enterprise Instant Messaging Security Tools
As popular as instant messaging has become, most enterprises have neither policy nor technology in place for securing IM. Here's expert advice for getting the message.
By Mary Brandel
Authorization. Since many organizations don't allow all users to access IM networks, the ability to detect IM traffic and allow only authorized users and groups to communicate on approved IM clients and networks is needed, Firstbrook says.
Compliance. A key requirement for early adopters is the workflow and reporting capabilities necessary for compliance with regulations, according to Firstbrook.
Security. A core capability is threat filtering and implementation of security-driven policy. Leading vendors also provide a central repository of information about IM vulnerabilities, current exploits and the overall threat environment.
Manageability. IM security vendors provide a centralized point of management, consolidating policy, monitoring and reporting for disparate IM networks and clients, Firstbrook says. For instance, many companies disable file attachments and neuter embedded URLs.
Key Strategies
It's important to focus on the threats posed by phishing, malware and blended attacks, since IM is particularly susceptible to social engineering tricks. IM users are not as suspicious about embedded URLs and file attachments as their e-mail brethren, especially because attackers can infiltrate IM buddy lists, making it appear as though the fraudulent message originated from an IM contact. In addition, IM's real-time nature causes malware to spread rapidly.
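The capability list above (authorization, threat filtering, disabled attachments, neutered URLs, compliance logging) and the URL/attachment threat just described can be seen together in one small gateway policy check. This is an added illustration, not code from the article or from any vendor named in it; the user-to-network authorization table and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed authorization table (assumption, not from the article):
# user -> set of approved IM networks that user may use.
AUTHORIZED = {"alice": {"corp-xmpp"}, "bob": {"corp-xmpp", "aim"}}
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)

@dataclass
class IMEvent:
    user: str
    network: str
    text: str = ""
    attachment: Optional[str] = None   # file name if the message carries a transfer

@dataclass
class Decision:
    action: str      # "deliver" or "block"
    reason: str
    text: str = ""   # message text as it will be delivered (URLs neutered)

def neuter_urls(text: str) -> str:
    """Rewrite http -> hxxp and '.' -> '[.]' inside URLs so clients do not render links."""
    return URL_RE.sub(lambda m: m.group(0).replace("http", "hxxp", 1).replace(".", "[.]"), text)

def evaluate(ev: IMEvent, audit_log: List[dict]) -> Decision:
    """Apply authorization, attachment and URL policy; every event is logged for compliance."""
    if ev.network not in AUTHORIZED.get(ev.user, set()):
        decision = Decision("block", "user not authorized for this IM network")
    elif ev.attachment is not None:
        decision = Decision("block", "file transfers are disabled by policy")
    else:
        cleaned = neuter_urls(ev.text)
        reason = "embedded URL neutered" if cleaned != ev.text else "ok"
        decision = Decision("deliver", reason, cleaned)
    # Compliance record: who, where, what happened (original text retained for discovery).
    audit_log.append({"user": ev.user, "network": ev.network, "original": ev.text,
                      "attachment": ev.attachment, "action": decision.action,
                      "reason": decision.reason})
    return decision

if __name__ == "__main__":
    log: List[dict] = []
    for ev in (IMEvent("alice", "corp-xmpp", "see http://example.com/x.html"),
               IMEvent("carol", "aim", "hi"),
               IMEvent("bob", "aim", "invoice", attachment="invoice.exe")):
        d = evaluate(ev, log)
        print(ev.user, d.action, d.reason, d.text)
```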
However, a growing number of companies are also interested in finding a tool that tracks, audits and even blocks certain IM conversations, to avoid leakage of intellectual property, enforce acceptable-use policies and comply with regulations and legal restrictions. This became a larger issue in December 2006 when the Federal Rules of Civil Procedure made IMs discoverable evidence in court.
At the Screen Actors Guild Producers Pension and Health Plans division, for instance, assistant CIO Kevin Donnellan worries about protecting the private health information of the organization's membership, which includes some high-profile actors. Three years ago, however, he had no idea who was using IM within the organization, let alone what types of information they were sending around. To comply with HIPAA regulations, Donnellan implemented IMlogic [before it was acquired by Symantec] and used the granular controls to authorize IM use only to users who could prove they had a business need for it. "Maybe we're a little old-school, but we don't give IM to every staff member who comes on board," Donnellan says. "We have a regulatory responsibility to protect patient information."
Appliance or Hosted Service?
Companies can choose between implementing server-based software, an appliance-based solution, a hosted platform or a hybrid approach. According to IDC (a sister company to CSO's publisher), the messaging security market will more than double from $2 billion in 2006 to $4.8 billion in 2011. Among the components of the market—software, appliance and hosted services—IDC predicts hosted services will be the fastest-growing.