Instant Messaging - Productivity, Security, or both?
I caught a couple of light commentaries pointing to this article and I feel compelled to comment because I land firmly on both ends of the spectrum on this issue, making it even more challenging.
Instant messaging and the security pro
Enterprise packages balance security, comm concerns
October 02, 2006 (Computerworld) -- Depending on your point of view, instant messaging (IM) is either the communications tool that saved your company or your career, or the bane of your existence. Users who depend on IM for communicating key business information with associates, business partners and personal contacts generally take the first position. The second is taken by those who worry about company security, compliance, and business productivity.
But whichever point of view you take, you have to agree that instant messaging is a big deal. According to a 2005 Radicati Group study, last year’s IM traffic averaged 13.9 billion instant messages per day, and that’s a big number. IM has a storied history in the business world that is not unlike that of personal computers, which more or less snuck up on IT departments when employees brought them into their business processes without first getting them sanctioned by their companies’ computing authorities.
First, let me say that like my friend Phoneboy, I'm a big fan of IM. I use it for many of the same things Dameon does, and he and I have had many an IM conversation (yet curiously, never met in person even though we live little more than an hour apart).
I use IM to talk to family, friends and colleagues. I talk to people I worked with five years ago. It's a way to keep in touch in real time - when the I in IM is instant. Therein lies one rub, and an inaccuracy in the article that the CSO side of my personality hates so much.
The article says -
Instant messaging is unique among computer-based messaging systems because it is not based on the sort of store-and-forward message handling mechanism used by e-mail. Rather, it operates in real time by sending a text message immediately to the intended recipient, sort of like a telephone conversation that is text-based rather than voice-based. That’s an advantage in today’s business environment which demands quick responses and fast action.
Are the alarms in your head going off yet? IM sounds instantaneous. It sometimes is. But what messaging service today doesn't allow for sending offline messages to your buddies? And if any still don't have that feature, aren't users beating them up for it? I don't care whether you're a fan of Skype's supernode approach or not: messages have to get stored somewhere for later delivery when the supernode says your buddy is online but they really aren't. Where do you think those messages go? MSN? Yahoo? They support sending offline messages that get stored somewhere on the Internet when you log off, then get delivered tomorrow when your friend logs on.
In business, the danger is that proprietary business intelligence information just got forwarded to the Internet. As a security manager, I don't trust the Internet. I don't trust MSN. I don't trust Yahoo. And I don't trust Skype. They're at zero risk for their role in carrying my business intelligence, and I cannot trust them. Period. Find me a CISO who says they trust them once they have these facts, and I'll buy you a cigar. A Cuban Monte Cristo. Internet service providers do not have an established trust relationship with corporate business. They represent a risk to corporate intellectual property.
Is there a way around that? Sure. Strong policies within the company that don't permit using these tools for transmitting sensitive business information. Policies are people-oriented, not system controls. Policies only work when the corporate culture of an organization creates a sense of ownership or stewardship for the security and protection of corporate data as an asset across the board, with every employee. Every employee from the CEO to the temp staff. A failure to spread this corporate culture anywhere is a failure everywhere. In other words, corporate cultures and policy enforcement work, but in some ways they're quite fragile. Security managers don't like fragile.
Enterprise solutions from Sametime to Jabber, and yes, now Live Communications Server, help by limiting IM to inside the corporate network. But back to the policy and culture issue: if Sametime, for example, doesn't let sales people communicate with customers, are those sales people going to install AIM so they can talk to customers? Or do you restrict admin rights for software installation?
The article goes on to explain how some enterprise tools are beginning to extend with presence and availability information. Great productivity tools. There's huge potential there for the future - if we do it right. And there's potential to create new vulnerabilities and invite new exploits. Microsoft's statement that "Live Communications Server 2005 is part of the Windows Server System, and adheres to the common engineering criteria described in this Windows Server overview" may comfort some. Others may fear the regular "patch Tuesday" ramifications this brings down the road.
Jabber represents an even bigger quandary for some organizations. Powerful, but with many unknowns for a majority of corporate entities.
Other products and minutiae are included. I think it's a pretty good article overall.
The most important thing to remember is that security is all about assessing the risk and making decisions. No security plan is perfect and no solution solves every problem. We each have to make decisions about how strict our security policies can be while still supporting the appropriate set of business functions. It's a balancing act every day for security managers who often live on the razor's edge.
Technorati Tags: IM, Instant Messaging, security, infosec, Sametime, Live Communications Server, IBM, Microsoft