: Security, Control And Compliance

Melanie Turek

IM vendors are refining their solutions for protecting companies' networks and meeting regulatory requirements.

Melanie Turek, Nemertes senior vice president and founding partner, covers collaboration and virtual workplace tools for Nemertes.

There's no doubt about it: Instant messaging (IM) is a fact of life in the enterprise. More than three-quarters of IT executives report that employees in their companies use IM on the job, and countless vendors—from small start-ups to large enterprise stalwarts—are making it easier for companies to deploy a single IM client or service across the organization.

Instant messaging has the potential to change the way people work, especially in this increasingly virtual workplace. With more than 90 percent of employees working away from headquarters, and up to two-thirds working in a location separate from their managers', employees need a way to get in touch quickly and easily—right when they need to. The presence capability that powers instant messaging assures users that they can contact their co-workers or partners whenever those people are available, speeding information delivery and ultimately boosting productivity (no more phone tag, no more endless email threads).

What's more, vendors are branching out with their IM clients, enabling industry- and job-specific capabilities (such as trade orders or contact center support), as well as productivity enhancements (for instance, Microsoft embedding its Communicator IM client into the rest of its Office applications, for one-click messaging capabilities within a Word or Excel document).

But IM is also a potentially risky technology, opening up enterprises to threats from viruses, spam and other malware, much the way email does today. It also requires that rules and policies be set and maintained to ensure compliance with regulations.

The big difference is that while most IT executives are not only aware of the risks posed by email, but also take action against them, too few are protecting their networks from IM-borne threats, or their companies from IM-related compliance breaches. Indeed, only about one third of companies report using secure, manageable enterprise IM (EIM), and among those, two-thirds still allow their employees to also use (unprotected) public IM (PIM) services such as AOL's AIM and Microsoft's MSN.

On the other hand, some IT executives are so worried about the risks of IM, they ban it altogether—indeed, Nemertes saw the use of IM in the enterprise decrease between 2004 and 2005, as more companies clamped down on the threats by disallowing the use of instant messaging, period. It's hardly an effective strategy—throwing the baby out with the bathwater—especially these days, as more and more knowledge workers expect to be able to message not just co-workers, but partners, customers and suppliers, too.

Instead, companies should develop a clear IM strategy that includes deploying a secure enterprise IM client; applying the necessary security and management controls for compliance purposes; and enabling interoperability with other EIM and PIM services.

Security: Start Here

The first order of business is security—protecting enterprise networks and infrastructure from viruses, and end users from spam, spyware and other malware that comes along with unprotected IM. Several vendors, from small startups (Antepo, Bantu, Omnipod, WiredRed, and others) to large enterprise players (Microsoft, IBM Lotus), have deployed a variety of security tools and features as part of their enterprise IM products. These closed systems may not be a threat if you keep them behind the firewall and use them only with your employees. But many companies are wary even of their EIM systems—users don't have to be intentionally malicious to cause havoc—and want to protect them from threat.

Even more important, of course, is protecting any public IM services in use in the enterprise, as it's on these consumer-oriented, completely open systems that most threats arise. Some EIM vendors extend a basic level of security to PIMs, but for the best protection many companies deploy

32 BUSINESS COMMUNICATIONS REVIEW / JUNE 2006 Use BCR's Acronym Directory at www.bcr.com/bcrmag

software from one of the three so-called IM gateway players, which have traditionally enabled enterprises to add security and control to public and private IM: Akonix, FaceTime and IMlogic (now owned by Symantec).

Interestingly, much of the news in recent months has centered on product trends also emerging in the email world: appliances, real-time monitoring and all-in-one solutions.

For instance, Akonix recently released a pair of IM security and compliance hardware appliances, all-in-one solutions optimized for instant messaging security and management for up to tens of thousands of users. The appliances are Akonix L7 Enterprise v5.1 and Akonix L7 Enforcer v5.1 (the latter product is designed to detect and block the unauthorized use of IM and peer-to-peer file sharing applications). The appliances are powered by AkOS, a hardened operating system developed by Akonix for real-time messaging environments.

Akonix also recently announced its new L7 IM Sentry application, which can be added to each user's buddy list upon login. When the IM Sentry receives a message containing an unknown URL, it alerts the IT administrator and puts the URL on a list of disallowed Web addresses, preventing any further propagation of the message. Any future IM traffic containing the URL is then automatically blocked.

Another trend is the real-time monitoring of viruses and other threats. IMlogic's Real-Time Threat Protection System (RTTPS) was developed to predict and combat "zero-day" attacks on IM networks. Integrated with IMlogic IM Manager and the IMlogic Threat Center, RTTPS creates a global, networked community to exchange threat detection information and block IM security attacks, before anti-virus signature file updates are available. RTTPS automatically detects and quarantines suspicious or dangerous enterprise IM traffic. Similarly, the Akonix Security Center provides the latest information about worms, viruses and other vulnerabilities that are targeting IM and P2P networks.

Finally, general security vendors are getting into the IM game. For instance, early this year Symantec acquired IMlogic. Symantec and IMlogic partnered in the past: Enterprise Vault, Symantec's email and content archiving product, has been integrated with IMlogic's IM Manager since 2002. Now the companies will expand on that relationship, integrating IMlogic's threat detection and remediation capabilities into Symantec's early warning and response system, and ultimately delivering a product that works with email and IM. This trend is especially good news for IT executives, who want integrated messaging-management solutions for which they can set universal policies and controls.

Compliance: Messaging Matters

Another key issue for IT executives when it comes to IM is compliance. Just as more companies are archiving email for compliance purposes, many will need to do the same with IMs—whether because those, too, are regulated, or because they see doing so as part of a larger best-practices effort or hedge against legal discovery requests.

Many IT executives say they aren't sure how the regulations by which they're governed affect messaging—very often, they're waiting for the case law to define the parameters of the issue. Indeed, it can be difficult to assess whether certain rules apply to email and IM, and to what extent. Sarbanes-Oxley (SOX), for instance, doesn't mention messaging. But SEC rule 17a-4 requires financial companies to retain, monitor and analyze electronic communications. HIPAA (the Health Insurance Portability and Accountability Act) allows doctors and other health care providers to communicate with patients via email so long as they use reasonable and appropriate safeguards to "ensure the confidentiality, integrity and availability" of any health information transmitted electronically, and "protect against any reasonably anticipated threats" to the security of such data. And government agencies tasked with sharing information with the public are often required to keep email messages (and other official correspondence) seemingly forever.

When asked, 90 percent of IT executives say they consider email and IM messages to be corporate information. On the other hand, only 50 percent of companies include messaging as part of their compliance efforts—and then, very often, they only include email and not IM.

What's more, many IT executives say they purposely don't "officially" deploy IM so that they aren't legally responsible for managing it. "By matter of policy we consider email to be corporate data, because we provide that system," said the director of IT at a mid-size consulting firm. "We have been required to produce email information, but we don't officially use IM, and policy is, it isn't supposed to be used for corporate information."
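The unknown-URL policy described for the IM Sentry in the security section above (alert the administrator on first sight, deny-list the address, block every later message carrying it) can be sketched as a small gateway filter. This is an added illustration, not Akonix's code; the ImSentry class, host_of helper, allow list and sample conversation are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical gateway policy mirroring the behaviour the article attributes
# to Akonix's L7 IM Sentry. All names and sample data here are constructed.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def host_of(url: str) -> str:
    """Normalise a URL to its lower-cased host so trivial variants match."""
    u = url.lower()
    u = re.sub(r"^https?://", "", u)
    u = u.split("/", 1)[0].split(":", 1)[0]
    return u[4:] if u.startswith("www.") else u


@dataclass
class ImSentry:
    known_hosts: set                          # hosts the administrator trusts
    blocked: set = field(default_factory=set)  # deny list built at run time
    alerts: list = field(default_factory=list)

    def inspect(self, sender: str, text: str) -> str:
        """Return 'deliver', 'alert' or 'block' for one message."""
        hosts = {host_of(u) for u in URL_RE.findall(text)}
        if hosts & self.blocked:
            return "block"                    # already on the deny list
        unknown = hosts - self.known_hosts
        if not unknown:
            return "deliver"
        # First sighting: notify the administrator and deny further spread.
        self.blocked |= unknown
        self.alerts.append(f"{sender}: unknown URL host(s) {sorted(unknown)}")
        return "alert"


def run_sample() -> list:
    """Replay a constructed conversation through the policy."""
    sentry = ImSentry(known_hosts={"intranet.example.com"})
    messages = [
        ("alice", "minutes are at http://intranet.example.com/notes"),
        ("bob",   "lol check this www.Free-Smileys.example/pic.exe"),
        ("carol", "did you see https://free-smileys.example/pic.exe ?"),
        ("dave",  "lunch at noon?"),
    ]
    return [sentry.inspect(s, t) for s, t in messages]
```

The third message is blocked without a second alert because normalising on host makes the https and www variants of the same address match.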

We stress that if they aren't already, companies should include messaging—email and IM—in any compliance discussions and policies they have. At the very least, any company regulated by HIPAA or SEC rule 17a-4 should use a third-party archiving tool for email (available from vendors such as C2C, Orchestria and Symantec, through its Veritas/KVS acquisition) and IM (such as those available from Akonix, FaceTime or IMlogic), or an enterprise-class IM system that can provide those capabilities.

Interoperability: Gateway To The Future

One of the biggest drawbacks of real-time communications today is the fact that the different technologies can't interact with one another out of the box. That doesn't sit well with IT executives who want to extend IM to users outside their organizations. "Having them talk to each other is essential—not being able to talk to others because of the business decision [vendors] make is crazy," said one CEO who extends his professional-services company's IM service to clients.

Today, standards exist to make such open architectures a reality, but they don't measure up—many vendors base their tools on standards they then tweak for maximum performance. And the partnerships and deals in place to enable interoperability, while a good start, require too much forethought on the part of IT executives—as well as more money to pay for it.

The most common standards for real-time communications are Session Initiation Protocol (SIP) and SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE). Most major telephony and applications vendors, including Microsoft, back SIP and SIMPLE. XMPP is a more open protocol that drives the Jabber IM client and which is supported by many in the open-source community, who consider it better, more mature and easier to work with. Some applications vendors, such as Oracle, have backed XMPP; others, such as IBM, are openly supporting it even as they build their own technology on SIP, SIMPLE and/or proprietary standards.

One of the biggest goals for vendors going forward should be to solve this problem. In an ideal world, presence would work the way the telephone and email do today. Any given presence server or service could pull presence from a variety of sources, aggregate and clean it, and then send it out to the desired applications, as well as other presence servers inside and outside the firewall. The applications themselves should be built on open standards, so that they can tap that same presence information, as well as offer IT managers relatively easy integration on the back end.

Why is this important? Because IT executives say it is. When we asked participants to tell us the most important issue or feature for collaboration vendors to focus on in the next 12 months, "interoperability" was critical; 70 percent of IT executives placed it at the top of their lists. And when asked to rate the importance of interoperability on a scale of 1 to 5, with 1 being unimportant and 5 being vital, 83 percent of IT executives said it's "vital" and the remaining 17 percent considered it "very important."

"We have had, for some time, basic interoperability requirements in all our RFPs," said one local government CIO. "We are somewhat in a federated enterprise, because we extend interactions to other organizations in the state government and the federal government."

Many vendors, including IBM Lotus and Microsoft, are delivering interoperability with the public IM services from AOL, Microsoft and Yahoo—as well as federated IM between select EIM vendors—via business partnerships. This allows users who pay for the service to message contacts on other IM systems and services, but only if they opt for the capability—and not all features associated with their IM products will also extend to the other systems.

Other companies have turned to hosted services to help them with their interoperability needs. "If we have a client and want to put a secure IM on their system we give them a license and they can talk to us through IM securely," said the CEO of a small professional services firm using Omnipod's hosted IM service. "Clients love it."

Conclusion

Instant messaging is already changing the way employees communicate—but it's also changing the way IT executives design and protect their networks. Ignoring the new technology, while tempting for some, isn't a solution. Instead, companies should look for an enterprise IM product that will deliver the security, control and interoperability they need to make the most out of this presence-driven communications tool.

Companies Mentioned In This Article

Akonix (www.akonix.com)
Antepo (www.antepo.com)
AOL (www.aol.com)
Bantu (www.bantu.com)
C2C (www.c2c.com)
FaceTime (www..com)
IBM Lotus (www.lotus.com)
IMlogic (www.imlogic.com)
Microsoft (www.microsoft.com)
Omnipod (www.omnipod.com)
Orchestria (www.orchestria.com)
Symantec (www.symantec.com)
WiredRed (www.wiredred.com)
Yahoo (www.yahoo.com)
