Secure IM software proliferates

The market for secure, business-grade instant messaging software is picking up steam, with several start-ups now offering packages that automatically encrypt real-time chat sessions between users. However, these packages do not yet offer secure communications with users of popular consumer-oriented IM systems from AOL Time Warner Inc., Microsoft Corp. and others.

Among the new entrants into the corporate IM software market is JabCast, which in December shipped the JabCast Secure Realtime Communications client/server software suite to trial customers including several law firms. JabCast SRC provides end-to-end encryption of instant messages without a noticeable time lag, company officials say.

JabCast faces a slew of rivals including Bantu, divine Software, Ikimbo and Jabber that are all angling for a share of the rapidly growing corporate IM market.

The number of corporate IM users will increase tenfold in the next four years, according to International Data Corp. IDC pegs the number of global corporate IM users at 18.4 million this year and predicts that figure will grow to 229.2 million in 2005. IDC asserts that the amount of money companies pay for IM will grow from US$133 million to US$1.1 billion over the same time frame.

“We’re very bullish on corporate IM,” says Robert Mahowald, senior analyst for IDC’s Collaborative Computing group. “About 70 per cent of companies have employees that use consumer IM services, and (network executives) are becoming much more aware of the challenges of consumer IM services including security.”

Mahowald says consumer IM services create well-documented security problems in corporate networks, including the ability for an intruder to drop a worm behind a firewall. He also says the use of consumer IM services in the workplace prevents the capture of important information into knowledge management systems. By migrating to business-grade IM systems, companies can solve these problems and take advantage of the integration of IM and presence information into other applications, such as CRM, ERP and voice over IP.

“We’re seeing more (network executives) saying they’re going to go ahead and spend the money especially as IM gets linked via presence detection to other networks,” he says.

Interest in a secure IM system from one of its corporate customers is what prompted biometric ID card manufacturer SyntheSys Secure Technologies Inc. to create JabCast and launch a new company to market it. The customer asked SyntheSys to migrate the Jabber open source IM technology from Linux to Windows and to beef up its security.

“Our customer had a problem where somebody from their IT department was snooping on instant messages between the personnel department and CEO of the company about layoffs,” says William Tabor, a principal technologist at JabCast. “They came to us and asked if we could make the technology secure.”

The end result – JabCast SRC – runs on Linux, Unix, Windows NT/2000 and Compaq OpenVMS. JabCast is a client/server software system that encrypts messages at the client. The server software maintains a database of messages for administrative purposes, but the messages are encrypted there to prevent unauthorized access.

“The keys are generated at the server and given to the client, so the end user doesn’t even know they’re doing encryption,” Tabor says.

With JabCast, users can send unencrypted instant messages to users of AOL, MSN, Yahoo Inc. and ICQ Inc. IM systems.

Pricing for JabCast starts at US$5,000 for a server and 100-user license.

Rival Bantu is further along with its corporate sales, having shipped secure IM systems to the U.S. Army, Science Applications International Corp. and Johns Hopkins University, among others.

Bantu uses a lightweight Java applet to perform encryption using its own patent-pending technology, but it also supports Secure Sockets Layer.

“All the functionality and all the security is on that applet,” explains Larry Schlang, Bantu’s president and CEO. “That means there is no client software to install, maintain or upgrade. And it works across different devices, including Windows, Mac, Linux, Unix and wireless.”

With Bantu, users can send unencrypted instant messages to users of MSN, Yahoo and ICQ IM systems. Bantu also can be integrated into existing corporate directory, authentication and logon platforms.

Available as either enterprise software or a hosted service, Bantu costs less than US$5 per user per month.

Bantu’s applet approach was attractive to Johns Hopkins University, which needed an IM system that would work on different kinds of desktop systems without requiring much technical support.

“We were looking for central management,” says Ross McKenzie, director of information systems at Johns Hopkins University. “We wanted to have one IM product that everybody could be trained on and understand.”

McKenzie says Bantu’s IM service is the most popular feature of the university’s Web portal, which launched in August. About 1,500 people use Bantu’s service, racking up about 60,000 IM minutes per month. Most of these users don’t realize that their chat sessions are encrypted, McKenzie says.

“We were looking for central management over security but that was before 9/11,” McKenzie says. “Since then, everybody in higher-ed has gotten incredibly security conscious. Who would have thought that public health researchers had to worry about things like anthrax? We’ve got Bantu’s encryption turned on end-to-end.”