IM still not secure

The safest way to exchange instant messages (IMs) is to stay within the enterprise, never exchanging unencrypted messages outside the firewall. But public IM programs are already being used to send plenty of business traffic beyond corporate walls. Most of that traffic is unfiltered, and almost never encrypted.

Granted, there are programs that allow trading of encrypted messages among different corporate sites if you have a VPN (WiredRed Software's e/pop and Jabber's Messenger, for example). Your users can also chat securely with people at sites that use messaging products based on SIP (Session Initiation Protocol) and SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions), such as IBM Lotus Sametime. But either way, you still haven't made it safe for users to exchange instant messages with AOL, MSN, or Yahoo, which do not use encryption at their end.

No matter how secure your internal IM, letting users talk to the unencrypted public networks means messages are being sent over the Internet and can be intercepted, read, and exploited. Most end users are unaware that seemingly benign business information can put their companies at risk, whether the information is as "innocent" as the name of the janitor or the type of mail server running, both of which can lead to attack by social engineering. Yet instant messages between your employees and outsiders may contain material with much more obvious liabilities -- especially when employees believe their communications are secure.

The public IM networks have plans to encrypt their traffic, but none has delivered as yet. Even the first version of AOL's AIM Enterprise Gateway doesn't have end-to-end encryption. Only one product we've come across has a partial solution for encrypting conversations over the public networks: IM-Age Software's IM-Policy Manager, which adds a management layer to public IM clients. Outgoing IMs request that public IM users download and install a small application to enable encryption at both ends. If the outside party declines, the insider can continue or discontinue the conversation as a matter of choice, policy, or IT enforcement.

If you want to know how many of your employees are already using unencrypted IM networks, download Akonix Rogue Aware, and see for yourself. The free monitoring tool exposes hidden IM traffic and shows usage statistics, but to enforce your policy, your IT department will need IM-Policy Manager, which can restrict employees from using public messengers.
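As an added illustration of the kind of check such a monitoring tool performs (this is example code, not Akonix's or any vendor's), the script below flags public-IM sessions in constructed firewall connection logs by the default ports of the AOL (5190), MSN (1863) and Yahoo (5050) protocols of the time, and totals usage per employee; the log format, usernames and addresses are all constructed for the example.

```python
"""Flag public-IM sessions in constructed firewall connection logs.

Added example, not part of the original article or any product.
The port map uses the well-known default ports of the public IM protocols
(AOL OSCAR 5190, MSN MSNP 1863, Yahoo YMSG 5050). The log layout, users and
addresses (RFC 5737 documentation ranges) are constructed for the example.
"""
from collections import Counter, defaultdict

PUBLIC_IM_PORTS = {5190: "AOL/AIM", 1863: "MSN", 5050: "Yahoo"}

# Constructed sample lines: "<time> <user> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
09:01:12 alice 10.0.0.12 -> 192.0.2.10:5190 tcp
09:01:40 bob 10.0.0.20 -> 198.51.100.20:1863 tcp
09:02:05 alice 10.0.0.12 -> 10.0.0.5:5222 tcp
09:02:33 carol 10.0.0.31 -> 203.0.113.7:5050 tcp
09:03:10 bob 10.0.0.20 -> 198.51.100.20:1863 tcp
09:04:00 dave 10.0.0.40 -> 192.0.2.8:443 tcp
"""


def parse_line(line):
    """Split one constructed log line into its fields; port becomes an int."""
    time, user, src, _arrow, dst, proto = line.split()
    ip, port = dst.rsplit(":", 1)
    return {"time": time, "user": user, "src": src,
            "dst": ip, "port": int(port), "proto": proto}


def find_public_im(log_text):
    """Return records whose destination port belongs to a public IM network.

    Port matching only catches clients on their default ports; a client
    tunnelling over 80/443 needs protocol-aware inspection instead.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        network = PUBLIC_IM_PORTS.get(rec["port"])
        if network:
            rec["network"] = network
            hits.append(rec)
    return hits


def usage_stats(hits):
    """Count flagged sessions per user and per public network."""
    by_user = defaultdict(Counter)
    for hit in hits:
        by_user[hit["user"]][hit["network"]] += 1
    return {user: dict(counts) for user, counts in by_user.items()}
```

The internal Jabber session on port 5222 and the HTTPS connection are left alone, which is the point: the report shows only traffic leaving for the unencrypted public networks.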

Most companies have rogue public IM clients all over the place, whether they know it or not. While there are good reasons for employees to talk to customers and business partners over public networks, companies shouldn't have unsupervised communications flying around. This may already be required by regulation, in the case of the healthcare and finance industries, but even if it isn't, it's corporate suicide to make privileged information so vulnerable.

Audit trail vs. real security

Of all the supposedly secure solutions for messaging with AOL, MSN, and Yahoo, most of them only address audit trail compliance--not real security. If the product logs all messages and does everything necessary for SEC or HIPAA compliance, the company calls its product secure. In the real world, that won't cut it.

Of the IM security products listed in our chart, only one, IM-Policy Manager, encrypts traffic with the public networks from end to end. But so many enterprises want IM that even stalwart IBM Lotus has a contract with AOL to connect the Lotus client to the AIM network. Users can see who's available on both networks, but the traffic from each is kept separate. Bottom line, employees are still sending unencrypted messages to the world at large--a high risk for leaking information. But if you insist on taking your chances by cobbling together public IM networks, you might try Akonix L7, which offers extremely granular controls for granting permissions and filtering content.

Like IBM Lotus, FaceTime has a contract with AOL. While many third-party vendors are in talks with the public IMs, FaceTime, which built the core technology of AOL's AIM Enterprise Gateway, has agreements to connect enterprises with both the AOL and MSN networks. FaceTime says its agreements protect it against the possibility of the public networks pulling the plug on third-party services. It's rumored that one of the big three networks has already changed its protocol since publishing its specs. If a public network adds encryption, unlicensed client-side solutions could stop working. But licensed or not, even FaceTime won't have end-to-end encryption with AOL until AOL releases its enterprise client with encryption in the first quarter of 2003. In the meantime, products such as Bantu's Messenger, FaceTime, and IM-Age's IM-Policy Manager warn users that they are in an unsecured session.

The encryption question

If you choose to keep all your IMs within the corporate firewall, you need to decide whether to encrypt at the desktop or at the server, or both. The argument stems from whether it's more dangerous to send clear text to the server, or to have employees playing with encryption schemes in the client. Companies in regulated industries have to decrypt their messages at some point in order to keep records of them in plain text. As such, encryption may be necessary before and after the recording step. Enterprise Instant Messenger (EIM) from e-Vantage Solutions encrypts at both the desktop and the server, as does WiredRed's e/pop. Breaking the mold, Bantu's encryption for its internal network happens at the desktop, but the client is any browser with a Java Virtual Machine. The applet never downloads to the client machine, but runs in a Java sandbox, where it can't reach local controls and doesn't leave code residue, which could be used to defeat the encryption.

Of all 10 products in our chart, perhaps the most exciting is Ikimbo's Agenda, which alerts groups of people to problems, and offers helpful information. For example, if a plant runs out of cocoa for its cakes, a pre-selected group--including the cocoa vendor--are brought together by the same IM window containing relevant documents and procedures. Having a plan for a potential crisis may not be unique, but instantly delivering relevant information to the concerned parties is.

To make sure such a crisis remains confidential, Agenda works on top of existing enterprise IMs such as Sametime or Jabber.

And the program won't send your company's cake recipe to the users' buddy lists.

Talkback 8 comments

    Check out Sonork. www.sonork.c ...Anonymous -- 23/12/02

    Check out Sonork. www.sonork.com it is designed for prof. IM.

    Australia has a Instant Messag ...Anonymous -- 06/01/03

    Australia has an Instant Messaging company that by its mere existence challenges the assertions of this well-written article.

    http://www.jabcast.com

    This firm also has automated IM technology that can utilize AI Instant Messaging for connected devices.

    Also, this too but so much more:

    "For example, if a plant runs out of cocoa for its cakes, a pre-selected group--including the cocoa vendor--are brought together by the same IM window containing relevant documents and procedures"

    JabCast is based on Jabber. JabCast provides IM Server technology for Windows2000, LINUX, UNIX and VMS.

    JabCast also provides a web-based administrator console that enables remote maintenance of any chat server from any web browser anywhere in the world.

    Go Australia Go!

    Is Sonork just for business pe ...Anonymous -- 23/07/04

    Is Sonork just for business people, or can anyone install it?

    im ydilberth huvalla -- 27/01/09

    I can send IM, but why is it not displayed on Windows Live Messenger?

    sidebars Anonymous -- 27/01/09

    Can't reinstall my sidebars; if I want to, only a window with an X sign on it. Why?
