
IM ban lifting at financial companies

Many financial services firms block IM, but there are practical ways to secure the popular, real-time communication.

When instant messaging burst onto the scene in the mid-'90s, it wasn't long before workers in the financial services sector embraced the freely available, real-time digital communication applications. Faster than email and telephone service, instant message (IM) windows from AOL, Yahoo and MSN began popping up on desktops in many leading financial institutions, especially brokerages.

Regulatory compliance enforcement, coupled with the reality that these lightning-fast exchanges left no paper trail to defend against insider trading allegations, brought about a swift crackdown. Many organizations banned the use of IM applications outright, while others limited use to specific employees, platforms, content, etc.

However, Stamford, Conn.-based Gartner Inc. predicts that by 2010, companies will be rolling out unified communications platforms just as they have deployed email servers in the past. "That's increasing the bar for security and compliance officers inside financial services organizations," said Kailash Ambwani, president and CEO of FaceTime Communications, a Belmont, Calif.-based IM security provider.

IM has gone through its share of growing pains while transitioning from the consumer to enterprise realm. Some practical approaches to enabling secure real-time communication have emerged as IM has matured into a widely accepted form of communication, including professional solutions, new protocols and improved policies.

Professional solutions
A variety of commercial and open source IM products have become widely available over the last decade, including best-of-breed solutions such as Akonix, FaceTime and Jabber; IM integration into unified communications platforms from Microsoft (OCS) and IBM (Lotus Sametime); and security-based appliances and applications, such as firewalls and antivirus from vendors like Symantec and Barracuda Networks, that monitor and regulate network traffic.

The IM market has generated a number of flexible products that range from adding IM authentication into users' network identities to managing publicly available IM clients on private networks.

Compliance-related capabilities involving message retention, archival and discovery have been integrated to meet the increasingly detailed requirements for existing and emerging regulations.

Sadly, virus and hacker attacks now routinely use IM to bypass perimeter security and deliver malicious payloads. Fortunately, commercial IM suppliers as well as security product vendors have responded with adequate enterprise-class protection.

New protocols
Early IM applications like AOL, MSN and Yahoo were all built on SIP (Session Initiation Protocol). Compared with SIP, the Extensible Messaging and Presence Protocol (XMPP) is more interoperable, secure, persistent and archivable, which meets the rigorous demands of the financial services industry.

Geof Lambert, vice president of business development for Conversant, a Boulder, Colo.-based universal communications company, sees XMPP as another stepping stone to a viable solution. "The trend is to privatize IM behind the firewall. So Goldman Sachs can go buy an XMPP server, meaning their XMPP server can talk to another with different levels of authentication, security and archiving," he said.

Better policies
Implementing strong policies is another way financial services firms can control IM use and ensure it doesn't run afoul of regulators.

"If a company can show that they've taken reasonable means to address their policy, monitoring and archives, then they're in the clear," said Ambwani, who related an incident in which a broker from a trading company used IM to trade ahead of market events.

"The company came under SEC scrutiny and a subsequent investigation, but they were able to produce their corporate policy regarding IM as well as transcripts of the conversation. As a result, the individual lost their license, but the company suffered no penalties," he said.

Lambert said he believes the financial services sector is getting a better handle on IM than anyone else, but Ambwani is looking to the future.

"Currently, we have the capacity to control, archive and secure today's IM, but we are thinking about the next set of capabilities, including Web conferencing and VoIP," he said.

About the author:
Sandra Kay Miller is a technical editor for Information Security magazine with 15 years of experience in developing and deploying leading-edge technologies throughout the petroleum, manufacturing, luxury resort and software industries, and has been an analyst covering enterprise-class products for 10 years.
