Managing the message
- By Maggie Biggs
- Jun 02, 2003
Instant messaging technology is both a boon and a bane for agencies. On the plus side of the ledger, IM provides "presence awareness" that can rapidly link internal and external participants. Dynamic, multiparticipant meetings can be held via IM — and so can one-on-one conversations between employees, customers and business partners. Documents and desktop applications can be shared and files transferred. In short, IM can boost productivity and enhance an agency's collaboration and problem-solving capabilities.
On the negative side of the ledger, IM introduces security risks and the potential for a reduction in productivity. Users can spend working hours carrying on personal conversations. Security leaks can occur when sensitive information is revealed in the course of a chat session or via collaboration or file transfers. IM platforms are also capable of transmitting computer viruses.
Because of the number and seriousness of factors on the negative side of the ledger, many agencies and businesses have chosen either not to implement IM at all or to implement vendor-specific IM solutions, such as IBM Corp.'s Lotus Sametime, for internal use only. However, the benefits of IM are too great to arbitrarily limit its use or simply ban it outright. The question agencies need to answer is, "How can I implement IM in a way that meets regulatory and security requirements?"
A new breed of enterprise IM solutions that can help agencies control and secure messaging is beginning to arrive in the marketplace. These products include security measures, auditing and logging of all activity and, frequently, integration with directory services.
On the server side, some of these enterprise IM solutions have platform and technology limitations, so careful evaluation is needed. However, on the client side, most of these solutions will work with existing IM clients that you may have on hand or can easily obtain, such as America Online Inc.'s Instant Messenger.
Although enterprise IM solutions are maturing to the point where controlled, secure deployments are possible, the issue of IM protocol interoperability remains a major sticking point that can affect agency rollout plans. Suppose your supplier uses Microsoft Corp.'s Microsoft Network (MSN) IM client, your customers use Jabber (an open-source IM platform), and you have settled on AOL's Instant Messenger. In some cases, one IM client can talk to another, while in other cases, such as between MSN and AOL clients, communication is not currently possible.
The Internet Engineering Task Force has formed two working groups to address the issue of IM client interoperability. The first, the Session Initiation Protocol working group, is defining standards for chat sessions between clients on different types of servers. The second working group, the Extensible Messaging and Presence Protocol task force, is creating an open IM interoperability standard that is based on Jabber, an open-source IM protocol based on Extensible Markup Language.
Until IM client interoperability issues are addressed, agencies will need to plan carefully and poll business partners and customers to ensure that the enterprise IM solution the agency chooses will allow all authorized parties to communicate, regardless of their client software.
In this comparison, we examine two enterprise IM solutions: Akonix Systems Inc.'s L7 Enterprise 2.0 and FaceTime Communications Inc.'s IM Auditor Enterprise 3.0. The market for solutions that manage and secure IM is expanding; agencies will want to evaluate several of these emerging tools to select the solution that best fits their existing infrastructure and compliance and security policy needs.
For information on more options to consider, see "Tooling up for managed, secure IM" on Page 30.
Both Akonix's L7 and FaceTime's IM Auditor worked as advertised. Once implemented, these IM gateways will allow agencies to closely monitor, secure and control IM activity — both internally and with external participants.
The only real drawback we found is that both of the solutions are limited to the Windows platform and require Microsoft's SQL Server to operate successfully. However, those limitations are not an issue for Windows-centric agencies.
Agencies that have standardized server-side processing on other platforms, such as Unix, and use enterprise databases, such as Oracle Corp.'s 9i or IBM's DB2, will need to purchase Windows and SQL Server licenses. In those cases, the additional licensing may be enough of a drawback that agencies should examine other enterprise IM solutions.
We installed the Akonix L7 solution in under an hour and encountered no difficulties along the way. The software offers two interfaces administrators can use to interact with L7. The first, L7 Enterprise Manager — a Microsoft Management Console plug-in — provides easy access to administrative tools. The second, L7 Enterprise Reporter, enables administrators to quickly generate reports using either built-in templates or custom parameters.
We used L7 Enterprise Manager to establish a number of policy settings. For example, we chose to enable only AOL and ICQ clients, because we needed those to support our test clients, and disabled all the others, including MSN and Yahoo Inc.'s Messenger. We then changed the default policy action to block all communications except those defined by policies.
Setting up new policies was straightforward, thanks to the new policy wizard that allowed us to create a number of rules in short order. We could flag activity or block it and apply policies to everyone or just certain groups, users or IP addresses. We created policies to limit access to some external IM clients and others to check content during certain hours.
The L7 Enterprise Manager also enables user account management and directory synchronization, tools we had no trouble using. We were also able to set authentication parameters, such as disabling anonymous access.
The system can alert administrators by e-mail if inappropriate activity is taking place. L7 can monitor, log and store both IM and peer-to-peer activity, including content. Sessions and conversations can be monitored in real time and blocked, if warranted.
This precise level of control opens the door to overmanagement of user activity. However, if IM policies are clearly and openly communicated to all participants, the likelihood of inappropriate usage and the potential for micromanagement are reduced.
Akonix has included integrated antivirus support in L7 using Network Associates Inc.'s McAfee engine. Whenever users send or receive files, the files are scanned for viruses. We tried using IM to send contaminated files, but L7 and McAfee did not let them through. The ability to keep virus definitions and the L7 product itself up-to-date is integrated into the console, and the update processes functioned just fine during our tests.
The L7 solution also includes something called Enforcer, which validates connections to make certain they are legitimate. If a user tries to get around L7, the Enforcer blocks the connection and the user is not able to connect.
The Akonix solution can support up to 20,000 concurrent IM conversations per gateway. Agencies with quite a bit of IM activity during the workday may need to factor in the costs of additional L7 gateways. L7 can also be integrated with Check Point Software Technologies Ltd.'s FireWall-1 and Microsoft's Internet Security and Acceleration Server.
Using the L7 Enterprise Reporter, we next created a series of reports to analyze the activity of our test users. The built-in report templates made it a snap to examine activity according to policy, user and IM service type, either as summaries or in more detailed form. We also found it easy to create our own report templates to generate custom reports.
FaceTime IM Auditor
Like the Akonix solution, FaceTime IM Auditor also proved easy to install and set up. Although IM Auditor requires Microsoft's SQL Server (as does Akonix), the FaceTime solution is implemented using Java technology that is deployed on the Apache Group's Jakarta platform.
FaceTime has done a good job of integrating Jakarta into IM Auditor — so good that administrators may not even realize that they are running a solution deployed on that platform.
With this type of setup, IM Auditor is easily accessible via a Web browser. We had no trouble accessing IM Auditor either on local systems or remotely. With browser-based access, roaming administrators can easily reach IM Auditor no matter where they are in the agency or enterprise. We also found that IM Auditor access worked flawlessly regardless of whether we were using Microsoft's Internet Explorer, Opera Software ASA's Opera, Mozilla or a number of other browsers.
Given IM Auditor's architecture, expansion to multiple platforms would seem straightforward as long as additional database options were supported.
Once logged onto IM Auditor, we found tools to administer the server, users and directory integration. We began by configuring a warning message that would advise users that their activity was being monitored. And we set up e-mail alerts so we could be notified of inappropriate activity right away.
We configured IM Auditor to support Lotus Sametime and AOL Instant Messenger clients within our test environment so that our internal Sametime clients could talk to external AOL clients. IM Auditor also supports MSN, Yahoo, Microsoft Exchange and Reuters IM clients.
IM Auditor easily integrated with our Lotus Domino Directory. The FaceTime solution also supports directory services integration with Sun Microsystems Inc.'s ONE Directory Server and with Microsoft's Active Directory.
Setting user- and group-level IM usage policies was easy. We could choose which users and groups we wished to audit and which would remain unmonitored. We prevented some groups from being able to IM each other and we disabled some users from being able to IM at all.
As with Akonix, we were able to view messaging activity in IM Auditor in real time. IM Auditor segments user activity by type of service, so we could quickly view the level of Sametime use as well as AOL client activity.
FaceTime supports the construction of roles within IM Auditor; we liked that supervisory users could search IM conversations if needed. Authorized users also have the ability to view reports about their own activity.
We were able to view a number of built-in reports in IM Auditor, too. We could quickly glance at the daily summary report or examine more detailed reports of conversations that included a particular staff member.
Creating the reports was straightforward and the documentation provided plenty of detail — administrators, managers and users alike will find the going easy.
Unlike with Akonix, we could not find a way to integrate virus protection within the IM Auditor interface. However, most IM clients do provide a virus scan option. When implementing IM Auditor, you should check that this virus scanning option is enabled to prevent virus outbreaks via IM file transfers.
Checking It Out
Both Akonix and FaceTime have done a good job of helping agencies implement IM in a controlled and secure manner. Akonix goes a little further in reporting capabilities than FaceTime, while FaceTime, with its browser-based deployment, is more easily accessible. Agencies investigating managed IM solutions will definitely want to take a look at both of these products.
Biggs is a software engineer and freelance writer based in Northern California. She has more than 15 years of business and IT experience.