Thursday, October 27, 2005

Security concerns with corporate IM use

This isn't a blogging issue, but it's still an interesting enough question. What are the security implications of using "instant messaging" in a corporate setting?

There's a meta-question which ties it to blogging ... there's a range of technology being developed out on the Internet that is now being transitioned to corporate use. When it's out in public it carries one set of expectations ... e.g. instant messaging is about people cruising for sex partners ... or blogging is about people writing diaries of their observations and experiences. But what's really happened is that some capabilities were embedded in software, and those capabilities can be used for other (job-related) activities.

For example ... here's an interesting use of instant messaging: collab.netbeans.org. The idea is that software development is a collaborative activity. So why not build a chatroom into the IDE? And if you're going to build a chatroom oriented to software developers, why not make it deal properly with source code?

Anyway, back to security of corporate instant messaging ...

In my job we (the whole company) were just exposed to corporate training concerning protecting confidential information. Clearly corporations have confidential information that provides a competitive edge. Protecting that edge is important.

So, how might instant messaging be used in a corporate setting?

What if ... first, everybody on the team keeps an IM client open on their desktop all day long. Anybody with a question can pop it out to the rest of the team. Anybody with a hairball brainstormy idea can pop it out to the team. Anybody wanting to unload frustration over the meeting they just left might ... er ... well, maybe they wouldn't pop that out to their team. Anyway, you get the idea.

The thing is, those uses are frequently going to involve corporate-confidential information. And chat transcripts could become very important pieces of documentation, so they should be preserved somewhere ... which means that wherever they are preserved (the server, or the clients) is now storing confidential information too.

But, given that corporate instant messaging is going to carry company-confidential information, whose instant messaging server are you going to use? And is there a chance that your instant messaging conversations will be tapped by outsiders? Company-confidential information is supposed to remain confidential, which means considering the security of the communication lines you use for those discussions.

e.g. It may be very convenient to use the existing public instant messaging services (MSN, Yahoo, AOL, etc.) and just have everybody install the appropriate client program. But can you trust those services with confidential material? Every message is relayed through the service operator's servers, so whatever isn't encrypted before it leaves the client is readable by whoever runs (or has broken into) those servers. And is the protocol between client and server secure against eavesdropping on the network in between? Or, by using the existing service, would you be revealing your secrets to anybody who knows where to look?

Hence it would be sensible for the company to run its own instant messaging server. At least then the server is under the company's control, and the conversations aren't passing through somebody else's hands. That still leaves two assumptions to check: that the server itself is secure (including whatever transcripts it stores, and who can read them), and that the communications between client and server are encrypted so they can't be tapped along the way.
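To make the "whose server" question concrete, here is an added example (mine, not code from this post or from any IM product) that models an IM relay server and records what its operator can see. The users alice and bob, the shared team key and the sample message are constructed for the illustration. The "cipher" is a stand-in built from HMAC-SHA256 so the script runs on the Python standard library alone; it takes the place of the TLS or vetted messaging protocol you would actually use, and is not a recommendation.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Added illustration for the post above, not code from it. The "cipher" is a
# stand-in (HMAC-SHA256 counter-mode keystream, encrypt-then-MAC) chosen only so
# this runs with the standard library; real deployments use TLS and a vetted protocol.
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the shared team key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """The plaintext, or None if the blob is truncated, tampered with, or for another key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Envelope:
    sender: str
    recipient: str
    payload: bytes  # the message body exactly as the relay receives it


class Relay:
    """The IM server. Whoever operates it (a public service, or the company) keeps this log."""

    def __init__(self) -> None:
        self.log: list[Envelope] = []

    def deliver(self, env: Envelope) -> None:
        self.log.append(env)

    def operator_view(self) -> list[dict]:
        """Per message: sender, recipient and size always; the body only if it reads as text."""
        view = []
        for e in self.log:
            try:
                body: Optional[str] = e.payload.decode("utf-8")
            except UnicodeDecodeError:
                body = None
            view.append({"from": e.sender, "to": e.recipient, "bytes": len(e.payload), "body": body})
        return view


def scenario(team_key: Optional[bytes] = None) -> dict[str, bool]:
    """Send one confidential message twice: as a plain IM client would, then sealed by the client."""
    team_key = secrets.token_bytes(32) if team_key is None else team_key
    secret = "Draft pricing for the Acme bid is $4.2M, do not forward"  # constructed sample message
    relay = Relay()
    relay.deliver(Envelope("alice", "bob", secret.encode()))
    relay.deliver(Envelope("alice", "bob", seal(team_key, secret.encode())))
    view = relay.operator_view()

    sealed = relay.log[1].payload
    tampered = bytearray(sealed)
    tampered[NONCE_LEN] ^= 0x01  # someone on the relay flips one ciphertext bit
    return {
        "operator_reads_plain_body": view[0]["body"] == secret,
        "operator_reads_sealed_body": view[1]["body"] is not None and secret in view[1]["body"],
        "operator_still_sees_who_talks_to_whom": (view[1]["from"], view[1]["to"]) == ("alice", "bob"),
        "recipient_with_key_decrypts": unseal(team_key, sealed) == secret.encode(),
        "tampered_message_rejected": unseal(team_key, bytes(tampered)) is None,
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

Running it shows three things the post's questions turn on: a plain IM client hands the message body to whoever runs the relay (a public service and a compromised company server are equivalent here); sealing the body on the client hides the content but not the metadata, since the relay still sees who is talking to whom and how much; and a message altered on the relay fails to open at the recipient. The metadata point is what a self-hosted server actually changes: the company, rather than a third party, is the one who gets to see who is talking to whom.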