Security Analyses for Enterprise Instant Messaging (EIM) Systems
Authors
Abstract
Consumer instant messaging (CIM) services (aka public IM) such as AOL Messenger, Yahoo! Messenger, and MSN Messenger have achieved critical mass appeal and usage as a convenient and informal method of communication supporting real-time messaging and presence awareness.1,2 Unfortunately, these services are highly vulnerable from a security standpoint. Some of these security problems include threats from viruses and worms, Trojan horses, identity theft, impersonation, eavesdropping, data loss, and denial-of-service attacks. The increasing use of instant messaging in the workplace has increased concerns about security related to its use. Recently, AOL and Yahoo! announced that they will be pulling back from their EIM (enterprise instant messaging) businesses because of the concerns that enterprise IT managers have about IM management, including security vulnerabilities.3,4 Additional requirements of corporate instant messaging include protection of internally communicated information from unauthorized disclosure, protection from corporate espionage, government-mandated logging requirements, etc. To service these additional requirements, many companies have developed enterprise-grade instant messaging software solutions that promise more secure instant messaging environments. These solutions, collectively known as enterprise instant messaging (EIM) solutions, increase security by enabling greater local centralized control and by supporting additional security features such as encryption or digital certificates. This article focuses on security issues related to instant messaging, first examining the threats and available countermeasures present in existing CIM services. These include viruses and worms, Trojan horses, identity theft, impersonation, eavesdropping, data loss, and denial-of-service attacks. This article then examines the variety of EIM solutions available.
At present, four architectural models exist for EIM: (1) Gateway Policy Enforcement, (2) Internally Deployed EIM, (3) a Hybrid Solution, and (4) Managed Centralized EIM. Following this market analysis, the article considers these four classes of solutions in terms of their access control, authentication, messaging sessions supported, message routing, encryption, client software, interoperability with CIM, performance, and points of
COMMUNICATIONS, NETWORK, AND INTERNET SECURITY
Similar resources
Highlighting the Gaps in Enterprise Systems Models by Interoperating CGs and FCA
Enterprises arise from creative human endeavours, articulated through business concepts encoded in enterprise information systems through a modular Enterprise Information Model (EIM). The EIM thus brings the productivity of computers to bear. Essentially, the EIM represents conceptual structures, which align the computer’s structured way of working with the human’s conceptual way of thinking. U...
Research and Implementation of dynamic DNS-based Enterprise Instant Messaging System
Instant messaging (IM) has infiltrated the enterprise in a big way. It is a fast and inexpensive way to communicate with people who are located elsewhere in the enterprise. There are two dominant standards (SIP/SIMPLE and Jabber/XMPP) and various proprietary IM solutions (MSN, Yahoo, AOL, etc). In this paper the existing standards and peripheral protocols are introduced and studied, and then sp...
Managing enterprise information: meeting performance and conformance objectives in a changing information environment
This paper presents the findings of an in-depth survey to examine the current status of enterprise information management (EIM) in organizations. The survey explores five key areas: drivers and capabilities of EIM; current status of EIM strategies; EIM content and technologies; EIM and compliance; and the changing role of the information professional. The survey reveals that the drivers for EIM...
Sprint Enterprise Instant Messaging Security
Instant Messaging is today’s killer application. Millions of consumer users are exploring the implications of real-time text messaging and finding that it is a perfect supplement to and, in some cases, substitute for voice communications. The enterprise market has only recently begun considering applications to business collaboration, and has found that consumer products are not generally suita...
A posteriori error bounds for the empirical interpolation method
We present rigorous a posteriori error bounds for the Empirical Interpolation Method (EIM). The essential ingredients are (i) analytical upper bounds for the parametric derivatives of the function to be approximated, (ii) the EIM “Lebesgue constant,” and (iii) information concerning the EIM approximation error at a finite set of points in parameter space. The bound is computed “offline” and is ...
Journal title:
- Information Systems Security
Volume 14, Issue
Pages -
Publication date 2005