Kill IM -- or at least control it
- 03 May, 2007 13:39
Give them an expense account, and you know part of that money goes toward buying dinner for their significant others. Get them a company car, and there's no way that's not being driven for personal use at least some of the time.
It's the same with open instant messaging. Simply allowing any employee to install and use open instant messaging means that personal chats are happening -- no doubt. But worse, some of those chats will be with strangers, and some of those guys will be passing on malware, phishing, viruses, and other kinds of bad bits.
Obvious response: Kill instant messaging. Stop it at the desktop via security and group policies. Stop it at the gateway. Stop it at the firewall. Death to IM. My opinion: This is the best way to go if you can get away with it. If you're running e-mail and a working phone system in a general office environment, IM is a geek-toy luxury. Simple as that.
But there are plenty of sites that won't fit into my neat definition of "general office environment." These folks have latched onto IM for quick contact with telecommuters, remote site contact, and of course, insto-presto Web customer service. Now IM is on your menu, like it or not. What to do?
Well, for starters, we just described the business case for Microsoft's Office Communications Server (OCS)/Live Communications Server. It's not the only sophisticated instant messaging platform around, but it has all the goodies I want. For one, you can use OCS to manage IM traffic flows, talk to IM clients other than Windows Messenger, and track IM conversations for wrist-slapping or auditing.
But what I really like is that Windows admins who know what they're doing can use Active Directory and OCS to create what amounts to an IM VLAN. This lets admins allow external IM communication for certain users, but then screen that traffic from the rest of the network. So even if the messaging attracts malware, the bad bits are trapped in virtual limbo. Now that's sweet.
Using other technologies, you can also encrypt IM traffic, both to and fro. This is recommended if you're transmitting important data. But while encrypting that traffic would probably work, I can't think of a less attractive way to transmit "important data." For IM, I'd stick to managing, tracking, scanning, and segregating.
But an in-house deployment is a headache to set up and monitor. If you have a decent-sized Windows-savvy IT staff, then it's certainly the way I'd go. But if you're an SMB with limited staff that has a few dozen other things to fill up the working day, then consider dropping the headache into someone else's lap. Companies such as MessageLabs and Verizon, among others, offer secure, managed instant messaging as a hosted service.
This certainly provides many of the internal advantages: security scanning, traffic monitoring, auditing, and usually much better reporting. But you do have to watch out for client compatibility and other issues. Don't glom onto a hosted service that restricts your users to only one client when your customers might be using any kind of client, for example. There are ways around this, so discuss them with the hosting provider before dropping any moola.
Overall, I'm still a big proponent of the "just say no" approach to IM. If you don't need it, don't allow it. But because more and more folks do need it, your best options are something such as OCS in-house or MessageLabs out-of-house, so weigh the benefits of each. But you can't ignore it. Ignoring it just makes it worse tomorrow.