IM still not secure
The safest way to exchange instant messages (IMs) is to stay within the enterprise, never exchanging unencrypted messages outside the firewall. But public IM programs are already being used to send plenty of business traffic beyond corporate walls. Most of that traffic is unfiltered, and almost never encrypted.
Granted, there are programs that allow trading of encrypted messages among different corporate sites if you have a VPN (WiredRed Software's e/pop and Jabber's Messenger, for example). Your users can also chat securely with people at sites that use messaging products based on SIP (Session Initiation Protocol) and SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions), such as IBM Lotus Sametime. But either way, you still haven't made it safe for users to exchange instant messages with AOL, MSN, or Yahoo, which do not use encryption at their end.
No matter how secure your internal IM, letting users talk to the unencrypted public networks means messages are being sent over the Internet and can be intercepted, read, and exploited. Most end users are unaware that seemingly benign business information can put their companies at risk, whether the information is as innocent as the name of the janitor or the type of mail server running, both of which can lead to attack by social engineering. Yet instant messages between your employees and outsiders may contain material with much more obvious liabilities, especially when employees believe their communications are secure.
If you want to know how many of your employees are already using unencrypted IM networks, download Akonix Rogue Aware, and see for yourself. The free monitoring tool exposes hidden IM traffic and shows usage statistics, but to enforce your policy, your IT department will need IM-Policy Manager, which can restrict employees from using public messengers.
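As an added illustration (this is not Akonix's code nor the article's), the script below approximates the simplest thing such a monitoring tool does: it classifies outbound connections in a constructed firewall log by the well-known client ports of the public networks named above, tallies which users reached them, and separates those from traffic to an internal Jabber server. The log format, the `user=` field and the addresses are assumptions made for the example.

```python
import re

# Well-known client ports of the IM networks the article names (AIM/OSCAR, MSNP,
# YMSG) plus an internal Jabber/XMPP server. A production tool must also inspect
# payloads, because these clients can tunnel over HTTP when their port is blocked.
IM_PORTS = {
    5190: ("AOL Instant Messenger", True),   # public network, no encryption
    1863: ("MSN Messenger", True),           # public network, no encryption
    5050: ("Yahoo Messenger", True),         # public network, no encryption
    5222: ("Jabber/XMPP", False),            # internal server, inside the firewall
}

# Constructed sample firewall log (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2003-06-02T09:14:03 ALLOW src=10.1.4.22 user=alice dst=192.0.2.10:5190 proto=tcp
2003-06-02T09:14:10 ALLOW src=10.1.4.22 user=alice dst=192.0.2.10:5190 proto=tcp
2003-06-02T09:15:41 ALLOW src=10.1.7.9 user=bob dst=198.51.100.20:1863 proto=tcp
2003-06-02T09:16:02 ALLOW src=10.1.7.9 user=bob dst=203.0.113.3:5050 proto=tcp
2003-06-02T09:17:30 ALLOW src=10.1.2.5 user=carol dst=10.1.0.15:5222 proto=tcp
2003-06-02T09:18:00 ALLOW src=10.1.3.8 user=dave dst=198.51.100.7:443 proto=tcp
"""
LINE_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)")

def im_usage(log_text):
    """Per IM network: distinct users, connection count, and whether it is public."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("port")) not in IM_PORTS:
            continue                      # not a port we recognise as IM
        name, public = IM_PORTS[int(m.group("port"))]
        entry = stats.setdefault(name, {"users": set(), "connections": 0, "public": public})
        entry["users"].add(m.group("user"))
        entry["connections"] += 1
    return stats

def public_im_users(log_text):
    """Users who reached at least one public (unencrypted) IM network."""
    return {u for e in im_usage(log_text).values() if e["public"] for u in e["users"]}

if __name__ == "__main__":
    for name, e in sorted(im_usage(SAMPLE_LOG).items()):
        print(f"{name:22} users={len(e['users'])} connections={e['connections']} "
              f"{'PUBLIC (unencrypted)' if e['public'] else 'internal'}")
    print("Policy violations:", sorted(public_im_users(SAMPLE_LOG)))
```

Port-based classification undercounts, since the public clients can fall back to HTTP proxies on port 80; treat the result as a lower bound on rogue IM use, not a complete inventory.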
If you choose to keep all your IMs within the corporate firewall, you need to decide whether to encrypt at the desktop or at the server, or both. The argument stems from whether it's more dangerous to send clear text to the server, or to have employees playing with encryption schemes in the client. Companies in regulated industries have to decrypt their messages at some point in order to keep records of them in plain text. As such, encryption may be necessary before and after the recording step.
Jabber is a good solution. Not only is it an open standard, but you can also find many open source and even commercial solutions.
See: http://www.jabber.org.au/