GOVERNMENT TECHNOLOGY/Instant messaging

Once the province of the teen and college set, Instant Messaging (IM) has transitioned from “cool tool” to business essential. More than 20 million people worldwide use IM for work-related tasks, according to Framingham, Mass.-based International Data.

In the government sector, the Federal Emergency Management Agency uses IM to bridge communications gaps among federal, state and local emergency relief workers. And the Washington, D.C.-based Police Executive Research Forum (PERF), an organization of police executives from the largest city, county and state law enforcement agencies, has installed IM throughout its nationwide network.

In many cases, however, IM use has been driven by end users and not by managers. Only about 26 percent of organizations use enterprise-grade IM systems. In contrast, 74 percent rely on consumer products or have allowed users to download IM software and operate it from within a firewall. That can create security problems because viruses can gain entry to a network through the IM system, bypassing authentication systems.

Most IM systems on the market use peer-to-peer (P2P) technology. Once conversations start, discussions are conducted directly between users. Such a client-centric architecture eliminates an administrator’s ability to control conversations in process and to capture the history of the conversation as it takes place. Anyone with an IM address, therefore, has the potential to share sensitive data and bypass any audit capabilities of the organization.

Instant messaging carries a high liability potential, particularly in heavily regulated industries such as government and health care. The Health Insurance Portability and Accountability Act (HIPAA), for example, is a particular menace to the uncontrolled use of IM. Undocumented communications regarding a patient could occur without the health care organization’s knowledge, leading to a breach of HIPAA’s access requirements. Such violations could invoke heavy fines.

User authentication is another common weakness. Public IM systems do not validate the authenticity of users. Also, attention must be paid to archiving. Public IM systems do not capture the transcripts of conversations. That could have serious repercussions in law enforcement, security, health care and other organizations that communicate sensitive information.

Additionally, the file sharing features of most IM systems expose internal systems to attack. Virtually all IM software allows for file transfers that bypass virus-checking software. That exposes networks to serious threats.

Government agencies should establish policies for IM use and adopt systems that are designed for government use. While cost and functionality are important concerns, security should be the paramount consideration.

During the selection, IT managers should be aware that not every system is as secure as vendors might say. The best approach is to specify a server-based system and avoid tools that are client-based. That narrows down the field to Sametime, Yahoo Corporate Messenger, Collabrix and Hub Communicator by Wired Red. For best results, evaluate IM products against the criteria mentioned earlier based on the security that exists within the organization.

The author is a Los Angeles-based freelance writer.