According to Stamford, Conn.-based Gartner Inc.'s "Marketscope for Instant Messaging Hygiene 2006" report, published in February, IM has become increasingly popular in business "as a fast way to get co-workers' attention, rapidly resolve issues/questions and save telecommunications costs." Controlling IM usage poses a major challenge for IT administrators, and yet "uncontrolled IM usage, as with uncontrolled email, is a recipe for disaster for organizations," the report states.
While few federal regulations spell out that email archiving requirements also apply to IM, companies should assume it, to be safe, according to Gartner analyst David Smith. The same goes for regulations that penalize companies for allowing sensitive financial or customer-related information to get out, intentionally or not. In recent years, several major investment firms paid fines totaling tens of millions of dollars for IM-related incidents.
Hackers are definitely zeroing in on IM of late. According to Gartner, reported IM malware threats increased 3,266% from 2004 to 2005. Indeed, IM has advantages over email as a malware vehicle: attackers can gain the trust of end users by inserting themselves onto a buddy list, and they can target people who are actively using their machines, so a worm or virus spreads faster.
SMBs are especially vulnerable to malware, according to Gartner, because few of them have installed enterprise-grade IM platforms, such as IBM's Sametime, Jabber Inc.'s Jabber or Microsoft's Live Communications Server. Such products have built-in encryption and other security mechanisms that most public IM services lack.
Instant messaging compliance products can effectively eliminate 90% of IM viruses by scanning incoming IMs and blocking those with identifiable virus signatures, embedded URL hyperlinks or executable file attachments, the Gartner report states.
IM hygiene platforms are priced around $25 per seat, per year, or $15 with volume licensing, plus the cost of a Unix or Windows server, according to Gartner. Gartner expects pricing to fall to approximately $10 per seat this year.
San Diego-based Akonix Systems Inc.'s A1000 IM security appliance starts at $4,995, for 100 seats. IM Manager, from Symantec Corp. acquisition IMlogic, is priced at $40 per seat.
IM archiving costs are minimal if you pick an IM compliance platform that integrates with your existing email archiving system. Email archiving systems start at around $10,000 for a plug-and-play appliance (see the SMB Buying Decisions guide on email archiving).
IM features keep proliferating. Some 40.8% of employees surveyed by Gartner used IM for file transfer; 46.1% for conferencing; 15.2% for picture sharing; 14.7% for voice. This complicates the task of securing and controlling IM-related communications -- as does the rapid proliferation of IM-based malware.
Leading IM hygiene vendors have been aggressively enhancing and expanding their offerings to deal with these challenges. Among recent and planned developments:
- Extension of hygiene platforms to other peer-to-peer media, such as Voice over Internet Protocol. (Most vendors are in the planning stages.)
- Secured links between private IM systems and public IM networks such as AOL Instant Messenger, Yahoo Messenger and MSN Messenger.
- Secured IM for remote clients. Akonix has introduced an agent that sits on off-site clients and directs all IM through the corporate IM security gateway.
- Plug-and-play IM hygiene appliances targeted at small and medium-sized businesses (SMBs). Products such as Alpharetta, Ga.-based CipherTrust Inc.'s IronIM and Akonix's A1000 are reasonably priced and easy to set up.
- Better hygiene: Akonix's L7 Enterprise includes a passive "sentry" that gets inserted into a user's buddy list, and watches for IMs containing unknown URLs. When it spots one, it immediately terminates the sender's IM session and places the URL on the disallow list.
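The scanning that Gartner credits to compliance products (signature matching, blocking embedded URLs and executable attachments) and the sentry behaviour in the last item, shown together as an added Python illustration; this is not Akonix's or any vendor's code. It generalizes the sentry from a buddy-list decoy to a gateway rule: any URL not on the allow list ends the sender's session and lands on the disallow list. The hostnames, lure phrase and sample messages are constructed.

```python
import os
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}

@dataclass(frozen=True)
class Message:  # one IM as the gateway sees it
    sender: str
    text: str
    attachments: tuple = ()

class IMHygieneFilter:
    """Block on lure-text signatures, executable attachments and URLs off the allow list;
    an unknown URL is handled like the sentry: terminate the sender, disallow the URL."""
    def __init__(self, signatures, allowed_urls):
        self.signatures = [s.lower() for s in signatures]
        self.allowed_urls = set(allowed_urls)
        self.disallowed_urls = set()
        self.terminated_senders = set()

    def inspect(self, msg):
        """Return the block reasons for msg; an empty list means deliver it."""
        reasons = []
        lowered = msg.text.lower()
        reasons += [f"signature:{s}" for s in self.signatures if s in lowered]
        for name in msg.attachments:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable-attachment:{name}")
        for url in URL_RE.findall(msg.text):
            if url in self.disallowed_urls:
                reasons.append(f"disallowed-url:{url}")
            elif url not in self.allowed_urls:
                self.disallowed_urls.add(url)            # block later copies outright
                self.terminated_senders.add(msg.sender)  # drop the sender's session
                reasons.append(f"unknown-url:{url}")
        return reasons

# Constructed sample traffic (hostnames and lure text are made up for this example).
SAMPLE_MESSAGES = [
    Message("alice", "see http://intranet.example/wiki for the agenda"),
    Message("bob", "Check out my pics http://pics.example/show.php", ("photo.exe",)),
    Message("carol", "lol http://pics.example/show.php"),
]

def run_sample():
    # Run the three sample IMs through one filter; return (verdicts, filter).
    f = IMHygieneFilter(["check out my pics"], {"http://intranet.example/wiki"})
    return [(m.sender, f.inspect(m)) for m in SAMPLE_MESSAGES], f
```

Carol's message is blocked only because Bob's earlier message already put the URL on the disallow list, which is the point of the sentry: the first sighting of a worm's link protects everyone after it.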
Tips and gotchas
Gartner lists the following must-have features for an IM hygiene platform:
- Archiving in a secure, searchable repository, or integration with leading third-party email archiving systems.
- Centralized management, including IM monitoring and enforcement of user authorization and other IM usage policies for both groups and individuals.
- Firewalls that identify and filter out known malware.
- Workflow and reporting capabilities for regulatory compliance.
- Content inspection, including filtering of incoming and outgoing IM for security and privacy breaches, and salacious content.
- Spam over instant messaging protection.
Gartner also recommends:
- IM client standardization. Many employees run multiple clients, making administration and control difficult.
- IM hygiene software should be only one component of an overall strategy that also includes educating end users in IM security practices (for example, not automatically trusting everybody on a buddy list), and regular precautions such as keeping client security software up to date, and deploying personal firewalls.
Expert viewpoint: Michael Osterman, president, Osterman Research
"SMBs definitely need to get serious with IM management. If you're not a hedge fund, or an investment advisor, you don't need to worry much about regulators knocking on your door and wanting all IMs between two employees over the last three years. But if you get sued, for wrongful termination for example, and the employee produces IM exchanges between executives (as evidence of harassment), the court could order discovery. If you can't produce the original IMs, you have no defense and are likely to lose the judgment.
"Totally blocking IM is unlikely to work. Consumer IMs can come in on a port with regular Web traffic. You can't block all ports without blocking viable Web traffic, and end users could use IM anyway.
"Decide what controls you want. For example, you may let employees do IM but not file transfer, which is another avenue for viruses, malware. Or you may allow enterprise-grade IM, but block all consumer IM.
"If you go with an enterprise-grade IM platform, you won't have much concern about hygiene with worms, viruses. Those mainly impact consumer clients. And some enterprise platforms come with archiving. They vary widely in price; $25 to $50 per seat is pretty common. Microsoft offers [Lotus Communications Server] free to Exchange Software Assurance customers."
Elisabeth Horwitt is a contributing writer based in Waban, Mass. Write to her at firstname.lastname@example.org.
This was first published in June 2006