Some advices for boosting IM security

* Adopt a user policy for instant messaging. Your employees need to know whether you view instant messaging as an appropriate vehicle to communicate with customers or business partners. Any policy should contain at least general guidelines for its use. -- Julie Lancaster, director of marketing, Visualware Inc., Turlock, Calif.

* Integrate IM into your existing corporate directory. This is very important, as the corporate directory is the lifeblood of "who's who" in an enterprise. Requiring a third party to maintain a list of your employees creates an opportunity for a security breach. -- Brian White, senior product manager for presence and instant messaging, and Kevin McLellan, marketing manager for workplace collaboration products, IBM's Lotus Software Group, Cambridge, Mass.

* Integrate your IM application with the internal personnel system as a way to securely register IM names. This is an easy way to capture identities and manage changes in users' IM screen names while maintaining a record of their previous conversations under their old screen names. -- Tommy Wright, vice president and manager of information systems development, FTN Financial, Memphis

* An ounce of prevention is worth a pound of cure. Keep your IM client and server software patched. There is simply no substitute to maintaining the patch levels of your IM software and ensuring that you are protected against known vulnerabilities. -- Andre Yee, chief technology officer, NFR Security Inc., Rockville, Md.

* Be aware of virus infections and related security risks. Most IM services allow you to transfer files with your messages. IM file attachments carrying viruses penetrate firewalls more easily than e-mail attachments. Instant messages that carry viruses will run and dip into a firewall until they find an opening. If you collaborate on documents for your business, file transfer is important. It's wise to learn more about the quality of your own firewall protection to decide whether or not to restrict transferring files through IM.-- Julie Lancaster, Visualware

* Be your own host. Host your own IM server if possible. That will allow you to ensure that the server is secured, as opposed to using a general public server for which you have no control. -- Andre Yee, NFR Security

* To work in real time with those outside your own company, it is vital to connect to that company's secured users. The new SIP/SIMPLE standard for IM interoperability provides that capability without requiring both parties to leave their secure IM to jump onto an unsecured public network. -- Brian White and Kevin McLell, Lotus Software Group

* Be original. Avoid using the same password for IM as you would for other authenticated means of communication. This ensures that if the IM password is compromised, it doesn't lead to a breach of other communication mechanisms. -- Andre Yee, NFR Security

* Be aware that instant messages can be saved. You may think IM is great because you can let your guard down; make bold statements; chastise a boss, employee or co-worker; and have it all wiped away from the record when you are done. What's often forgotten is that one of the parties to your conversation can copy and paste the entire chat onto a notepad or Word document, and some IM services allow you to archive entire messages. -- Julie Lancaster, Visualware

* Handle with care. Reject content from unknown sources. As you would with e-mail, avoid opening files or accessing links sent to you from unknown contacts. -- Andre Yee, NFR Security

* Don't use instant messaging to communicate confidential or sensitive information. If your company is in the business of providing professional advice regarding stocks, finances, medicine or law, it's not smart to do so through instant messaging. IM is better suited to quick information about project status, meeting times or a person's whereabouts.-- Julie Lancaster, Visualware Inc.

* Mum's the word. Regard IM as a nonconfidential communication channel. Users should be strongly advised against communicating proprietary and sensitive information over IM.-- Andre Yee, NFR Security


Source: Computerworld