Greynet Apps Are Worth Watching
How many pirated movies are being downloaded over your corporate T3 while you read this? Employees are not usually allowed to use file sharing applications like BitTorrent at work, but policies laid down by managers or the IT department have a way of being ignored if they get in the way of how users want to use "their" office computers. The rules may have been put in place for legal, security or compliance purposes, but as far as many users are concerned, they are seen as inconvenient but easy to side step.
There is some evidence to back this up. A survey carried out for FaceTime, a CA-based supplier of solutions to combat this type of network abuse, found that work use of what the company refers to as greynet applications — instant messaging, peer to peer file sharing and other programs which the IT department is not aware of and has not officially sanctioned— rose from 78 percent in 2005 to 83 percent in 2006.
Peer to peer software is a real menace for many organizations because it can use up spectacularly large amounts of bandwidth, and, due to the way peer to peer systems work, employees who are downloading a film may also be unwittingly uploading it elsewhere. Not only are employees using corporate resources to infringe copyright, but by uploading it they are also making it available for others: a potentially much graver offense. Since all of this could conceivably be traced back to the corporate IP address block, this is very bad news indeed from a legal standpoint.
But even in a company where employees are not spending there time downloading illegal copies of Shrek or Pirates of the Caribbean, there are usually other seemingly innocuous greynet applications in use. The most common of these are instant messaging (IM) clients.
To the employee, downloading a Yahoo!, MSN or AIM IM client onto a PC is not such a big deal: most home PCs come with at least one pre-installed anyway, and if it helps improve productivity by making it easier to speak to colleagues, customers or clients, then surely so much the better.
Of course the reality is not quite so simple. IM clients are potential vectors for viruses and worms, and if they are part of the greynet and the IT department does not know they are in use, then incoming IMs are unlikely to be scanned for malware. Besides, in many industries all IMs need to be archived for compliance purposes – an employee talking to a client over AIM, for example, could completely escape all monitoring and breach compliance procedures and Sarbanes-Oxley measures.
To combat this an increasing number of (usually larger) organizations are installing enterprise based instant messaging systems such as Microsoft's Live Communications Sever, IBM's Lotus Sametime or an open source solution based on the Jabber protocol. These usually have a logging and archiving system built in, and can be set up to enable IMing with colleagues on the same corporate network only, or with a limited number of client or customer networks as wel.
The big question then, is this: does having an enterprise IM system and providing all employees with enterprise IM capabilities make your organization any more secure and less likely to breach compliance regulations? The answer, unfortunately, is a resounding "no."
That's because people are used to using their favorite public IM client, with their own buddy list, to talk with certain groups of people – perhaps friends or family – and the provision of an enterprise based IM system doesn't change that. In fact FaceTime's survey found that in organizations running their own enterprise IM system, the vast majority of users also used a public IM network such as AIM or MSN as well. "Having an enterprise IM system doesn't really change anything – you still need to block "rogue" IM clients," says Peter Firstbrook, a research director at Gartner. "Even if you only allow IM for internal use, you still need some sort of edge appliance."
Firstbrook is referring to IM security and hygiene appliances such as those supplied by FaceTime and CA-based security vendor Akonix, which detect and scan all incoming and outgoing IM messages, as well as detecting and preventing unauthorized peer to peer applications. He argues that for many businesses, the best strategy is to buy an IM appliance for security, archiving and so on, and then adopt a public IM network such as Yahoo! as the corporate IM service. This has the advantage of being a much cheaper solution because public IM network usage and clients are free and the only cost is the IM appliance, which you would need to buy if you implemented an expensive corporate IM solution anyway.
Public IM systems can even be used exclusively for internal corporate use: appliances like Akonix's can be set up so that they intercept IMs and block those bound for outside the corporate network. IMs sent to colleagues within the same enterprise are forwarded by the appliance to their destination so they never leave the corporate network.
What's the point of a corporate IM system at all then? It's a good question, and the answer is by itself, not a lot. It's more expensive than using the public IM networks, and, as we have seen, no more secure. Arguably it's more convenient to use in a corporate context as it can be integrated with internal directories, making it easy to look up the appropriate colleague to talk to, but that in itself hardly justifies the cost.
In fact enterprise IM systems only really come in to their own when they are implemented as part of a larger collaboration suite. Microsoft's Live Communication Server and Communicator client not only enables instant messaging, but integrates with Outlook and the corporate telephony system, so that what starts with an IM to a colleague can be escalated to a phone conversation, then a shared workspace, and even a conference call, all from the Communicator client.
So enterprise IM systems are all about functionality, but not about security. If you are serious about IM security – which you should be – then you need some sort of edge appliance to detect, control and cleanse IM usage, both authorized and unauthorized, and prevent other greynet applications. This remains true regardless of whether you have an enterprise IM system in place. If you want extra productivity features, look at a corporate system, but if you want a cheap way for your users to take advantage of IM without compromising security or compliance regulation, use one of the public networks.
But whatever you decide, don't forget that unless you take specific measures to guard against it, the chances are your users will be IMing their friends behind your back, and probably visiting the Pirate Bay to download the latest movie blockbuster as well.