Chapter 16: Instant Messaging Security

Overview

It is the responsibility of the sender to make sure the receiver understands the message.

—Joseph Batten

When the telephone was first introduced, it didn’t take long for pundits of the age to weigh in on its potential for disrupting home and business life. As it turns out, the utility of the telephone and its descendants generally outweighs the interruptions they cause (except when telemarketers call during dinner). Real-time conferencing and collaboration systems pose the same disruptive potential, although paradoxically they can be less intrusive than the telephone. Instant messaging (IM) and real-time collaboration (RTC) have blossomed in popularity over recent years, and continued growth is expected.

However, IM and RTC technologies are much newer than e-mail; accordingly, the products that implement them are less mature, and less attention has been paid to providing the security and assurance features that are often required. In one common example, financial services firms are generally required to archive customer communications, but most IM products (including the Microsoft Exchange 2000 Instant Messaging service) don’t provide any direct way to do this. This shouldn’t stop you from implementing these technologies; in this chapter, I explain the security implications of deploying the Exchange 2000 IM service and the associated clients. Because many organizations use multiple IM systems, I also discuss the process of controlling and monitoring traffic on other IM systems, including those from Yahoo!, America Online (AOL), and MSN.