Whatever your stance is on IM, like most new technologies that don't have much initial buy-in, IM is here to stay. Instead of fighting the "us against them" battle, it is possible to implement enterprise-wide IM so your users' needs are met. This won't come easy, but if you can wrap your head around what I believe are four critical elements for achieving IM success, you can make it happen.
Ingredient #1: View IM as a business enabler
It seems like new stats come out every day on how IM is encroaching into our workday, but IM is considered a novelty to most of my customers and colleagues. Sure, some of the desktop-caliber IM programs are cool and entertaining -- for home users. With pop-up ads and the latest celebrity hoo-hah aside, the enterprise-caliber IM systems are enabling organizations to improve employee communications, enhance group collaboration and even help reduce long-distance charges and travel costs. These are benefits your executives can't afford to ignore.
Ingredient #2: Treat IM like it's a big deal (it is)
A side effect of the "we don't support that here" stance is just ignoring IM altogether. I can hardly go a week without coming across IT professionals who don't believe IM matters or doesn't really apply to their organization. The problem is that these are the same networks where my network analyzer often shows a significant portion of non-enterprise IM traffic coming from AOL Instant Messenger, Yahoo Messenger and more. People want IM .
You need to educate upper management on IM (the pros and the cons) and see what their stance is. Once they realize what it can be used for, you may just get some money to purchase and implement a neat new technology.
Ingredient #3: Standardize on an enterprise-caliber IM system
I know, an enterprise IM system is yet another thing to support, but it beats the futility of telling everyone they can't use AOL. There are several great IM systems you can deploy, including Jabber, Lotus Sametime, WiredRed, PGPicq and OmniPod. These integrate well with network operating systems and other standards to make them easier to manage and more secure.
If you deploy one of these systems, chances are people will use it and appreciate that you've given them an IM that is actually supported.
Ingredient #4: Use technologies to secure it
Even if you deploy an enterprise IM system, you've still got to worry about other users who don't care about your "policies" and continue to use their own personal IM software. Many of us (including myself) have tried to block those programs at the network perimeter via firewalls and routers as a way of keeping it out. I've yet to see that done effectively and efficiently. The IM software is simply too smart and will do whatever it takes to break through to the other side. You also have to worry about patches, hardening the configurations and more.
The bottom line: You can have all the policies in the world to keep IM under wraps, but if you don't have the right technologies to enforce those policies, it's all for nothing. The only true way to secure IM is to use desktop- or network-based IM security controls, such as those from Akonix Systems, FaceTime Communications and IMLogic.
If you continue to allow desktop-caliber IM software, be sure to push out patches to protect against new vulnerabilities; just don't believe that patches are going to keep that software completely secure. You've also got to somehow, some way, make sure your users have not configured the programs to share local or network drives so that any intellectual property leaving the organization is protected and you are also protected against malware.
Looking at IM from a business perspective, it's hard to deny the benefits it can introduce. Just don't forget to put on your IT hat when it comes time to make the purchasing, implementation and management decisions that come along with it.
Kevin Beaver is founder and principal consultant of Principle Logic LLC, which specializes in information security. He is the co-author of the new book, Hacking For Dummies. He can be reached at email@example.com.