Instant messaging may pose security risk

Corporations that permit employees to use consumer instant messaging (IM) technologies could be opening up their networks to malicious attacks, users and security experts warn.

Many of the consumer-oriented IM software products that are widely used within corporate networks, such as Dulles, Va.-based America Online Inc.’s AOL Instant Messenger and Microsoft Corp.’s MSN Messenger, weren’t designed for enterprise settings. None of them, for example, has enterprise-class security features such as virus scanning or encryption built in, say users and analysts.

Most consumer IM systems are designed with a default feature that continuously broadcasts a user’s presence to others outside the corporate network. They also allow unsecured peer-to-peer file downloads. Sensitive information exchanged during an IM session is often stored in unsecured systems.

And every IM window that pops up opens a port in the company’s firewall, meaning some large enterprises have thousands of holes in their firewall every day.

Such issues can seriously undermine a company’s otherwise secure practices, said Josh Turiel, a network administrator at Holyoke Mutual Insurance Co. in Salem, Mass.

This is especially true because, unlike e-mail and other forms of corporate communications, there are few policies that govern the installation or use of IM technologies, said Robert Mahowald, an analyst at International Data Corp. in Framingham, Mass.

“Any hole you open up in your security better be for a darned good reason,” said Turiel. “IM is not a darned good reason.” Turiel has instituted strict policies banning the use of IM within the corporate network at Holyoke Mutual.

Concerns about the security implications of IM technologies are nothing new. But the growing use of consumer IM on corporate networks, both sanctioned and unofficial, has dramatically heightened the need to address the security issues, Mahowald said.

More than 70 per cent of U.S. corporations today have employees who use consumer IM technologies on corporate networks, according to IDC.

“IM has grown and penetrated the workplace so rapidly, the lack of knowledge and data on its use is alarming,” said Ben Trowbridge, CEO of United Messaging Inc., a West Chester, Pa.-based provider of messaging services that last week launched a new secure IM service targeted at corporate users.

“Few CIOs fully understand the security risk and the maverick nature of IM and how it has taken hold in their organizations,” said Trowbridge.

Other vendors, including Bantu Inc. in Washington, Jabber Inc. in Denver and 2Way Corp. in Seattle, offer enterprise IM products that support message encryption, digital certificates, logging and compliance mechanisms, and storage of message histories. And others, including Microsoft and Sun Microsystems Inc., with its iPlanet venture, have begun offering enterprise-class IM technology as part of their broader messaging and collaboration portfolios.

There are already more than 18.5 million users of such enterprise IM technologies, representing a 180 per cent growth over last year, according to IDC.