Thursday, December 6, 2007

Monitor instant messaging in a regulated industry?

Q:
What are people doing to secure / monitor instant messaging in a regulated industry (healthcare to be specific)?


A:
Hi ....,

As you have stated, corporate IM is now recognized as an official productivity/collaboration tool, so it is no longer possible to "ban" IM traffic as in the past. This is no different from saying "don't use email". IM needs to be "controlled". For healthcare, public IM is no different from public web-based email services like Gmail/Yahoo/Hotmail. IM can be allowed like e-mail, and I think it is pretty straightforward to adapt the policies...

That being said, I think P2P applications should be banned unless stated otherwise or allowed by corp policies. For HIPAA, here are some links: http://www.akonix.com/assets/pdf/HIPAA_support_by_Akonix.pdf and http://www.facetime.com/solutions/regulatoryrequirements.aspx

The problem is with the way public IM works. Public IM networks and their clients transmit all critical information, including EPHI, PII, SSNs, etc., over the public network, as their name makes clear... usually in cleartext. So instead of banning its use, IT departments (including healthcare ones) enable IM while applying appropriate controls...

As long as IM is controlled it is no more dangerous than e-mail.


Here is a classic workflow:
1) Build a corporate (internal) IM environment. Corporate IM servers usually support all public IM network clients like MSN, Yahoo, GTalk, AIM, Jabber, etc., with a great add-on: corp IM servers
i. Enforce your policies on IM traffic
ii. Log all communication for regulatory/audit reasons
iii. Encrypt corp IM traffic
iv. Enforce authentication (usually via integration with local user repositories like LDAP, AD, etc.)
v. Generate reports for metrics, security, audit, and regulatory reasons
vi. Keep local traffic local. This is very helpful because public IM clients offer none of this; even data from one cubicle to another traverses the Internet on most public IM networks.
Big players are IBM Lotus Sametime, Microsoft Live Communications Server, Jabber XCP, and Novell GroupWise...

2) Once the corporate IM infrastructure is built, it is possible to "ban" public IM traffic. Users can still message all IM networks and will be visible to their peers on AIM, MSN, ICQ, etc., but they will be using the corp IM client. All business IM traffic can be encrypted/logged, etc. This requires banning illegitimate IM traffic, uninstalling public IM clients, and dropping the packets at network enforcement points. It is very difficult to stop all IM traffic, but it is possible. I can give more detailed information on blocking IM over HTTP/HTTPS connections if that is required.

3) Build an IM policy; make it public what is allowed and what is not. Are attachments allowed? Is content control enforced? Data leakage checks? Keyword rewrites? Make sure that your IM use policy is managed like any other security policy. For healthcare, follow the data classification policies on what can/cannot be transferred over IM networks.

4) With your policy and infrastructure in place, you can start shopping... There are a lot of vendors, as indicated above. The most well-known ones are Facetime and Akonix, but there are at least 20 vendors out there enforcing controls either on the network or on the desktop. Make sure that you address encrypted traffic and VoIP clients (Skype?) with network-based control options.

If you have a specific question, please let me know,
cheers,
- yinal
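The workflow above relies on step 2: once clients are supposed to reach public networks only through the corporate IM gateway, anything that still talks to MSN, AIM, Yahoo or a Jabber/GTalk server directly, or tunnels to those networks over HTTP/HTTPS, is a policy violation worth alerting on. The script below is an added example written for this post, not code from the original answer or from any of the vendors named in it. It runs the check over a few constructed connection-log records; the gateway and server addresses, the CSV layout, and the port/host signature tables are assumptions for illustration and should be verified against your own traffic before use.

```python
"""Spot public-IM connections that bypass a corporate IM gateway (added example).

Illustrative code written for this post, not the author's or any vendor's.
The log format, the addresses, and the port/host tables are constructed
assumptions; check the tables against your own captures before relying on them.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass

# --- assumed corporate layout (hypothetical addresses) -----------------------
CORP_IM_GATEWAY = ipaddress.ip_address("10.0.0.5")  # only host allowed to reach public IM networks
CORP_IM_SERVER = ipaddress.ip_address("10.0.0.6")   # internal IM server that clients must use
CORP_IM_PORT = 5222                                  # internal XMPP listener on that server

# --- signatures (constructed; verify before relying on them) -----------------
# Native client ports of the public networks named in the post.
NATIVE_PORTS = {1863: "MSN", 5190: "AIM/ICQ", 5050: "Yahoo", 5222: "XMPP/GTalk"}
# Public clients fall back to web ports when their native port is blocked, so a
# port filter alone is not enough: match the destination host on 80/443 as well.
TUNNEL_HOSTS = {
    "gateway.messenger.hotmail.com": "MSN over HTTP",
    "talk.google.com": "GTalk over 443",
}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    network: str
    reason: str


def classify(row: dict[str, str]) -> Finding | None:
    """Return a Finding for a connection that violates the IM policy, else None."""
    src = ipaddress.ip_address(row["src"])
    dst = ipaddress.ip_address(row["dst"])
    dport = int(row["dport"])
    host = row.get("host") or ""

    if src == CORP_IM_GATEWAY:
        return None  # gateway-to-public-network federation is the sanctioned path
    if dport == CORP_IM_PORT and dst == CORP_IM_SERVER:
        return None  # client to corporate IM server: allowed (and logged there)
    if dport in NATIVE_PORTS:
        return Finding(row["ts"], str(src), str(dst), NATIVE_PORTS[dport],
                       f"direct connection on native port {dport}")
    if dport in (80, 443) and host in TUNNEL_HOSTS:
        return Finding(row["ts"], str(src), str(dst), TUNNEL_HOSTS[host],
                       f"IM tunnelled over port {dport} to {host}")
    return None


def scan(log_text: str) -> list[Finding]:
    """Run classify() over CSV connection records with columns ts,src,dst,dport,host."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [f for row in reader if (f := classify(row)) is not None]


# Constructed sample log (not real traffic): one sanctioned internal session,
# two direct public-IM connections, one HTTP-tunnelled MSN session, one
# legitimate gateway federation connection, and ordinary web traffic.
SAMPLE_LOG = """ts,src,dst,dport,host
2007-12-06T09:00:01,10.10.4.21,10.0.0.6,5222,
2007-12-06T09:00:07,10.10.4.21,207.46.110.5,1863,messenger.hotmail.com
2007-12-06T09:01:12,10.10.7.8,64.12.161.153,5190,login.oscar.aol.com
2007-12-06T09:02:30,10.10.7.8,65.54.239.80,80,gateway.messenger.hotmail.com
2007-12-06T09:03:00,10.0.0.5,64.12.161.153,5190,login.oscar.aol.com
2007-12-06T09:03:45,10.10.9.2,72.14.207.99,443,www.google.com
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst} [{f.network}] {f.reason}")
```

Run against the sample it reports the two native-port connections and the HTTP-tunnelled one, and stays silent on the internal XMPP session and on the gateway's own federation traffic. The host column matters: without it the fourth record is indistinguishable from a normal web request, which is exactly why the post warns that network-based controls must deal with IM riding over HTTP/HTTPS.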
