Most organisations have a handle on their email, regarding it as an essential component of doing business and monitoring it closely for security issues. However, email has dominated discussions around the security of enterprise communications to such an extent that newer forms of electronic communication, instant messaging (IM) in particular, have fallen through the cracks.
Nick Sears, vice president of IM security company FaceTime, believes IM applications represent a gaping hole in enterprise security when installed by users and allowed to run rogue through the business, spreading malware, leaking data and slowing vital systems.
“The IM world has proliferated over the last few years,” he says. “There are over 1,000 apps in this space; proprietary real-time communication apps with their own protocols, providing file-transfer capability, IP telephony apps, even desktop-sharing through your firewall.”
According to Sears, users are introducing a wide variety of these into the enterprise environment in an effort to circumvent existing blocking policies.
“It’s a much wider issue than people realise,” warns Sears. “A lot of companies think it’s under control. They have a firewall, a proxy… people expect these solutions to provide protection. But it’s absolutely true that right now your users are using IM or peer-to-peer networks to send information out of the company – information that would be stopped by email.”
In a recent survey by FaceTime, 50% of users admitted that they use real-time communications applications to send information out of the company that wouldn’t go through email channels.
Sears describes a company with several thousand users and a senior security director who was confident no such applications were running on his turf.
“We ran our monitoring appliance for three weeks and found 25,000 IM conversations with external sources, and 20GB of peer-to-peer traffic that used BitTorrent [peer-to-peer file sharing], Skype [Internet telephony] and apps like Tor and Hopster that are used to bypass proxies. We also found someone whose PC had been remote-controlled 11 times by GoToMyPC without their knowledge. They had a web proxy platform, firewall, and security platform from leading vendors, and the traffic got through all that infrastructure.”
Securing that landscape is challenging, because – unlike email – IM programs have no standard protocol. “Email has a pretty well-designed standard in SMTP. You don’t have to think about what email program the other person is using. But there’s no ‘IMTP’, which means it’s very difficult for vendors to provide consistent controls and security policy across such a wide range of apps.” The security implications of such an environment are considerable, especially for markets such as finance, health and government that deal in hyper-sensitive data. But every company has to consider the ramifications a poorly conceived IM strategy has on compliance.
“The younger generation is growing up with real-time communications,” he says, “and some organisations are realising that you’ve got to have real-time communication apps if you want to attract the best talent. That’s an absolute fact.”