Skype in a Windows domain? Think again
Thanks to Dan York for calling attention to Skype security once again. It's an issue I've been very outspoken about. Very. Dan points out both the open post from Skype CSO Kurt Sauer, and Irwin Lazar's cogent comments.
I've been outspoken enough about Skype's utter lack of mindfulness to enterprise security concerns, that regular readers can easily anticipate my reaction, but let's take a quick look anyway. This from Sauer:
Deploying Skype in a Windows domain
One of our goals for 2006 was to make it easier for companies to deploy and manage Skype for Windows in a managed environment. I’m happy to say that by the end of 2006, we’d rolled out a native Microsoft Installer (msi) format installer for Skype (you can download it from the Skype for Business website). This should make it far easier to deploy Skype in a Windows domain than using the native Skype installer.
I won't quote any more than that. You go read for yourself. What Sauer says is that Skype wants to make it easier for your employees to implement peer-to-peer technologies on your networks. Doh! Are we surprised? I hope not. They want to make it easier than ever for Skype to penetrate your network with port hopping, firewall evasion and undocumented, proprietary encryption.
Sorry Kurt, three strikes. You're out. Out of any network I manage. Count on it!
Irwin raises very sound business concerns that he's hearing - CDR centralization for management, policy enforcement for calls, centralized account management, and support for security proxies. I find I agree with Irwin on almost every issue we both choose to write about, but in this case I have to go a step farther. Ok, perhaps a couple of steps.
Before any of those matter, Skype has to become network trustworthy in the business enterprise. Period. Port hopping evasion techniques to get around corporate firewalls are not trustworthy. Undocumented encryption protocols that don't adhere to standards are not trustworthy. And in the enterprise network, peer-to-peer technology is not trustworthy.
Listen up Kurt - Skype has made numerous efforts to shortcut enterprise controls and penetrate the corporate environment. If you really want to win in the business market, you need to address the enterprise concerns. I don't think you really do. I think Skype's making minimal efforts to ingratiate itself in the smaller business segment. I think Skype's dangerous. It will be forbidden by policy and by technology in any network I manage until Skype starts addressing real and tangible concerns... the ones they don't even acknowledge.
Yes, I know many of you will want to comment and tell me how awesome Skype is and why it works great. Don't bother, please. I'm a fan and I use Skype almost daily. If you want to tell me how great it is, please, go spend a year as the security officer in an enterprise network first. Then if you still think Skype is a panacea for telephony and VoIP you want to implement, we can talk. I'll still convince you it's a danger unless Skype makes some major changes during that year.
On the other hand, if you're an enterprise CSO in a Fortune 1000, and you've adopted Skype and think it adds more value than risk, I'd like to hear your story. I don't think you exist, but if you do, please drop me an email. We'll chat. Maybe even do a podcast about it, protecting your identity in whatever way makes you comfortable.
Technorati Tags: Skype, enterprise networks, VoIP security, infosec

Comments
Ken,
Thanks for the mention and the note... my take was a bit different. I think the main point of the MSI installer is that enterprises can now manage the actual deployment of Skype using automated tools, etc. However, the main security element they introduced was the Windows registry settings that you can lock down and enforce via Group Policies. These allow you to do things like prohibit file sharing via Skype or disable the client-side API (so people can't use add-ons with Skype). When enforced via AD Group Policy Objects, it seems to me that this makes Skype a whole lot safer to have in the enterprise environment than it is today.
I think there are other issues with realistically using Skype in most enterprises, but I'd be curious for your take on how effective you think the new registry and GPO enforcement will be with regard to security... any thoughts?
Dan
Posted by: Dan York | January 15, 2007 6:56 AM
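As an added illustration of the GPO-enforced lockdown Dan describes (this is example code, not from the post, from Dan, or from Skype), the script below audits a domain workstation for the machine-wide Skype policy values. The registry path `HKLM:\SOFTWARE\Policies\Skype\Phone` and the value names `DisableFileTransfer` and `DisableApi` are assumptions taken from Skype's IT administrator documentation of that era; check them against the guide for your client version before relying on the result.

```powershell
# Added example: audit whether a Group Policy Skype lockdown has actually applied
# to this machine. Key path and value names are assumptions (see lead-in).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Skype\Phone'

# Value name -> the DWORD a locked-down enterprise deployment is expected to carry.
$Expected = @{
    'DisableFileTransfer' = 1   # block file sharing over Skype
    'DisableApi'          = 1   # block third-party add-ons via the client-side API
}

function Test-SkypePolicy {
    param([string]$Key = $PolicyKey, [hashtable]$Wanted = $Expected)
    $results = foreach ($name in $Wanted.Keys) {
        $actual = $null
        if (Test-Path $Key) {
            # Missing value -> $null, which is reported as non-compliant below.
            $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Wanted[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Wanted[$name])
        }
    }
    return $results
}

# Values under HKLM\Software\Policies are written by Group Policy processing; if the
# key is absent, no GPO carrying a Skype lockdown has applied to this machine.
$report = Test-SkypePolicy
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'Skype lockdown incomplete: one or more policy values are missing or not enforced.'
}
```

Run it on a sample of domain-joined workstations (for example via `Invoke-Command`) to confirm the GPO is actually reaching clients rather than only existing in the domain's policy store.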