Application
In full bloom: Enterprise Instant Messaging
The need for control, accompanied by security concerns and
compliance issues, has driven the evolution of Instant Messaging into Enterprise
Instant Messaging. Kumar Dawada reports on this emerging communication
medium.
Instant messaging (IM) is poised to undergo a transformation. From personal software,
it is fast becoming a rival to e-mail for corporate communication. We examine
the security and compliance issues faced by companies that have or plan to deploy
IM, the protocol issues hampering its standardisation, and the reasons why it
is popular.
The case for IM
Two factors have contributed to the immense popularity of
IM. The first, as the term itself suggests, is instant communication. Second,
compared to typing which necessitates effort, IM encourages short, sweet and
to-the-point communication, the norm for business communications.
That said, even a phone enables instant communication. So why use IM? Telephony
has been around for ages, and lends a personal touch to any communication. From
the tone of the voice, users can gauge the mood of the person at the other end
and steer the conversation accordingly. Sceptics argue that conversing through
IM takes effort. Also, like e-mail, it removes the need for face-to-face interaction
between people, so in the long run contributes to isolating the user.
IM permits conferencing. Today, audio conferencing via phone is common. Where
IM clients score is that you can share files through them. The distinctive feature
of IM is the "presence status" of the user. When a user logs into
the IM server through a PC or cell phone, he becomes available. He can reflect
his willingness to communicate through IM settings like "away", "do
not disturb", "occupied" or "be right back". The presence
aspect of IM allows a user to effectively control his availability for communication.
Mirabilis, a company founded by four Israeli programmers, gets the credit for
pioneering instant messaging. In November 1996 it introduced ICQ (I seek you),
a free instant messaging utility that anyone could download and use. The client
software resides on the user's computer. It communicates with an ICQ server
whenever the client software is running and the user is online. Anyone having
the client software could instantly communicate with other users on the ICQ
network.
In 1997, AOL introduced AIM (AOL Instant Messenger). It allowed the AOL members
to talk to non-members as well. It soon replaced ICQ as the leading IM software.
In 1998, AOL bought Mirabilis and became the dominant player in IM.
In the early IM software, each word typed was immediately echoed at the
recipient's end. The action of deleting a word or editing a spelling mistake
could be seen. In modern IM software, the user receives messages one line or
paragraph at a time. As the popularity of IM grew, major vendors entered the
market with products such as Microsoft MSN Messenger, Yahoo Messenger and
Google Talk. MSN Messenger is the fastest-growing IM now because the MSN
Messenger client is part of the Windows XP operating system. Yahoo Messenger
also has a large user base.
Public IM is risky
Meta Group, an industry analyst, anticipates that IM users in the enterprise
will increase from the 20 million of 2003 to 95 million by 2007. IDC, another
industry analyst, expects the enterprise instant messaging (EIM) market to grow
from $315 million in 2005 to $736 million in 2009.
However, the majority of corporates and organisations are still using public
IM services and networks such as AIM, MSN Messenger, Yahoo Messenger and Google
Talk. The use of public IM networks can result in security, management and compliance
issues for large organisations. The lack of effective management and control
mechanisms makes these enterprises vulnerable to threats like viruses, worms,
spyware, leakage of confidential information, violations of policy or regulations,
eavesdropping and identity theft.
This scenario can be prevented or rectified in two ways. The first is to take
the drastic step of blocking all public IM applications. The second (and preferred)
method is to control and manage the use of IM.
Controlling IM

"EIM gives us better control over what files are being exchanged,
who is speaking to whom, and who is a part of the network"
- Unni Krishnan T M
CTO
Solution and Technology team Shoppers Stop
IM can be controlled in two ways. Companies relying on public
IM can implement an IM management application from the likes of IMlogic, FaceTime
and Akonix. They manage and control the use of public IM by providing administration,
directory mapping, logging, archiving, anti-virus, anti-spam and other features.
The alternative lies in a company using an EIM. Unni Krishnan T M, CTO, Solution
and Technology team, Shoppers Stop, feels that corporates will opt for
EIM on security grounds. "It gives us better control over what files are
being exchanged, who is speaking to whom, and who is a part of the network,"
he says.
The shift to EIM is also taking place on account of compliance issues. Kalyan
Sridhar, Lotus Software Group, IBM India, feels that unauthorised access to
conversations, no encryption, lack of information audit trails and historical
records of important business conversations are the major security and compliance
issues.
Today, most verticals have to comply with regulations in some form or the
other. This is especially true of organisations in the BFSI and healthcare verticals;
all their correspondence, including electronic communications like e-mail and
IM, has to be recorded and stored for auditing purposes for several years.
These regulations are defined in legal instruments such as the Securities and
Exchange Commission (SEC) 17a-3, 17a-4, Sarbanes-Oxley Act (SOX), National Association
of Securities Dealers (NASD) 3010 and 3110, Gramm-Leach-Bliley Act and Health
Insurance Portability and Accountability Act (HIPAA).
EIM software provides for IM archival wherein information exchanged during an
instant messaging session, conference or poll is captured. Unni Krishnan feels
that the need for IM archival will be strongly felt in the BPO sector where
companies are catering to US-based clients.
What EIM brings
EIM is hosted on servers that belong to an organisation and are within its network.
They therefore permit secure communication and discussion. Data like sales figures
and contact details of employees don't go beyond the corporate network.
The technology provides for varied levels of control, management and logging.
Centralised management, identity authentication, integration with directory
services, session logging and archiving, detection reports, usage reports as
well as compatibility with third-party products like anti-virus and anti-IM
spam software are common features on EIM systems.
EIM's RoI is intangible. It can increase staff productivity, provide better
control and management of corporate communication, and follow security and compliance-related
policies. It prevents unauthorised IM connections with the outside world, and
creates a standardised profile of IM use within an enterprise by providing insights
into bandwidth abuse, source and destination IP addresses, and port abuse.
EIM solutions on the scene today include those provided by heavyweight vendors: IBM
Lotus Domino, Microsoft Live Communication Server 2005, Novell Groupwise 7,
and Sun Java System Instant Messaging.
| Authentication | A common mechanism is to check the user ID against directory services such as Microsoft’s Active Directory or Novell’s Directory Services. Here a user supplies the same username and password that he uses to access the network for EIM. |
| Security | Secure sign-on, digital signatures and encryption. Anti-virus, anti-IM spam and anti-spyware detection software. |
| Comprehensive logging | Centralised logging to a database that can be queried using SQL is desirable. Even text log files help. |
| Features | Centralised administration of user lists, the ability to send messages to entire groups of users at a time, advanced scheduling and notification capabilities, Web conferencing including video conferencing and VoIP, drag and drop file transfer. |
| Alerts | Inform users of important messages and information on other devices based on customisable rules. |
| Polling | Surveys or polls via IM. |
| IM archiving | While public IM clients let you save conversations on a PC’s hard disk, that’s not much use in a large enterprise with hundreds or thousands of desktops. It’s necessary to have centralised capture and archival of IM conversations on the server, with support for keyword search and retrieval of message transcripts and integration with third-party archiving applications. |
| News channels | Users should be able to access company announcements, project updates, event notices, Web links and attached files. |
| System requirements | A dedicated server is needed to support the EIM application. Broadly look at having specs that are similar to those of your corporate e-mail server(s). |
The snags in the protocol
Yet IM has a long way to go. A significant drawback is the lack of a single
standard protocol. There have been attempts to create a standard for IM. The
standards used currently include IETF's (Internet Engineering Task Force)
SIP (Session Initiation Protocol) and its subset called SIMPLE (SIP for IM and
Presence Leverage), PRIM (Presence and IM protocol) and the open XML-based XMPP
(Extensible Messaging and Presence Protocol), commonly known as Jabber.
Numerous attempts to create a single standard by public IM providers (such as
AOL, Microsoft and Yahoo) have failed as each vendor has opted to use its own
proprietary protocol so as to prevent poaching of its substantial user base.
In June 2004, AOL and Yahoo announced that they were backing out of the EIM
market. AOL decided to end the sale of AIM Enterprise Gateway, while Yahoo announced
that it was stopping the sales of its Business Manager IM service. In July 2004,
Microsoft stated that its Live Communication Server 2005 would include gateway
connectivity to AOL and Yahoo's IM networks.
In October 2005, Microsoft and Yahoo announced an inter-operability pact which
allowed their IM users to talk to one another using the SIP/SIMPLE standard.
Then in December, AOL and Google announced a strategic partnership deal whereby
Google Talk users will be able to talk with AIM and ICQ users if they have an
identity at AOL.
| Product | Features | Price |
| IBM Lotus Domino | Instant messaging, calendaring and scheduling capabilities. Monitors domain, presents probable causes, offers possible solutions and displays correlated events. Predictive analysis tools help administrators predict growth and sizing requirements. Policy-based administration, security APIs and anti-spam features help ensure compliance and security. | Messaging Express $96 per user (up to 1,000 users), Collaboration Express $133 per user (up to 1,000 users), Utility Server Express $2,500 per CPU (up to 4 CPUs) |
| Microsoft Live Communication Server (LCS) 2005 | EIM and integrated presence solution featuring peer-to-peer audio, video, application-sharing and data collaboration, connectivity to MSN, AOL and Yahoo public IM service providers, integration with Microsoft Office programs, application sharing, desktop sharing (remote assistance), and point-to-point file transfer. | LCS 2005 Client Access Licence $31 per device or per user, LCS 2005 Standard Edition $787 per server, LCS 2005 Enterprise Edition $3,154 per server |
| Novell Groupwise 7 | E-mail with status and retraction; rules-based messaging and handling; IM task, content and document management. Multi-level spam filtering, remote synchronising, mailbox backup and archival. | Full product with 1-user e-licence $130 |
| Sun Java System Instant Messaging 6.1 | Real-time communication and collaboration application. Features include presence information, instant messaging, conferences, alerts, news, polls, file transfers, secure archiving, monitoring, retrieval and analysis applications for instant messaging content. | $20 per user for 10,000 to 49,999 users |
Threats on IM radar
As IM's popularity in corporate circles goes up, the technology faces new
threats in the form of malware. Financial motives rather than a quest for fame
drive today's blackhat hackers; their usual targets are corporate sites.
Take the case of the worm IM.Treba.AIM that sends a malicious link to known
users listed on an infected machine's IM application's buddy list.
It identifies buddies who are online and sends them a message with a note to
look at the content displayed at a particular URL. If the targeted victim clicks
on the link, his system is compromised. The hacker can now attack it, steal
classified data and make the infected system reboot continuously. Such instances
of assaults on instant messaging clients are growing steadily as malware authors
attempt to exploit the vulnerabilities of public and enterprise IM.
Like any technology, IM has its pros and cons. Any enterprise wanting to adopt
it must carefully consider all competing products and conduct a test run before
deploying the product. It must consider unresolved technology issues such as
security, standards and lack of inter-operability between the vendors. It must
review the company's infrastructure and industry requirements including
security and compliance. All this will go a long way in ensuring that the EIM
fulfils the company's needs.
kumard@networkmagazineindia.com