Instant Messaging Is Here to Stay: Deal With It!

Talking Points

  • Most businesses have found that IM is too useful and pervasive to stop. Some see it as the entry point for implementing a new era of collaboration tools.
  • But you must manage IM, especially if your company must comply with a growing list of regulations and records-retention mandates.
  • Businesses are using consumer and enterprise IM offerings. But the industry needs to resolve the issue of Enter city or point of interest...interoperability among the various products.

Like the first wave of PCs in the 1980s, instant messaging arrived in the dead of night. IT departments woke up one day and realized something had changed. And that change has sometimes been wrenching, with enterprises going through denial, anger, depression, bargaining, and finally acceptance.

Not long ago, almost all his IM client calls centered on how to stop it, says Gartner analyst Lou Latham. Slowly, enterprises realized employees weren't using IM just to talk to their friends and families and, in fact, there really was some business benefit in the technology, Latham says. That inaugurated what he calls the "era of benign neglect."

IT grudgingly accepted the presence of IM and tried, briefly, to ignore that IM left a gaping hole in the corporate firewall, was an entry point for viruses and other forms of malware, and was a conduit for performance-robbing audio, video and image files. "IT began to try to find ways to shut down IM or to control it without shutting it down, and they found that the tools they needed to do one or the other were identical," Latham says.

However, IM must be managed, particularly given the records-retention mandates imposed by a growing list of regulations. Today, multiple flavors of (usually) mutually incompatible public IM services compete with each other, as enterprise IM products, all of which often end up operating side by side in unconnected islands. Meanwhile, other vendors have introduced tools such as IM gateways to secure and manage public IM while ensuring archiving and retention requirements. Examples of IM gateways include Akonix's L7 Enterprise, IMlogic's IM Director, and FaceTime's IM Auditor.

Bullet-proofing IM
Tools to manage IM have been the salvation of Beth Cannon, chief technology officer at Thomas Weisel Partners LLC, a San Francisco-based merchant bank. Like many others, Cannon says, her company tried for a while to ban IM. Subsequently, after it installed IM Auditor in the summer of 2001 to provide logging and archiving, Weisel adopted a "live and let live" policy, she says.

Today, the company's employees use IM from MSN, Yahoo!, AOL, and Instant Bloomberg. "We allow it because we have...customers who request we communicate with them via IM versus phone or e-mail for certain activities," she explains. "FaceTime allows us to log and monitor IM communications to comply with regulatory rules." FaceTime also lets Cannon turn off file-sharing. FaceTime's new RTShield (an appliance) will allow Weisel to turn off unauthorized IM and peer-to-peer activities, further reducing risks to security and compliance.

Cannon says her primary compliance threshold is provided by SEC 17a4, and NASD 3110. "The IM auditor, along with RTShield, allows us to use IM and log and archive the communications," she says. FaceTime sends all conversations to Weisel's e-mail archive system to be kept on WORM media for at least three years. In addition, Cannon says her company is looking at OmniPod--an IM-related collaboration tool--for persistent chat, and Microsoft's LCS Live Communication Server may be used internally in the future.

A key capability gateway products such as FaceTime offer is routing messages between employees on the internal corporate network (peer-to-peer), which enhances security, rather than via a public IM server. A proxy server, which stands between the IM clients on both sides of the firewall, scans for viruses and filters content.

Gartner's Latham says gateway products focus on these three things:

Security. Although they can block everything, the trick with IM is that "while the fancy IM functions use high-numbered ports, the basic text usually goes through port 80, which you can't really control, so you have to identify data types."

Thus, he says, "these products are basically sniffers." That way, they can provide policy management and content filtering. For example, they can block profanity or monitor and control the use of trademarks or the exposure of trade secrets.

Identity management. "One of the most annoying things about IM is that there is no easy way to find out who surferdood124 really is," Latham notes. However, IM management tools can hook into LDAP databases and provide a meaningful e-mail ID so you have some idea of whom you are talking to.

Meeting legal requirements, such as Sarbanes-Oxley and SEC regulations, which tend to treat IM as a rough equivalent to e-mail and, therefore, subject to retention and archiving requirements. "Where you have a fiduciary responsibility, such as with a bank, if you are talking to customers with IM, you are going to have serious responsibilities for record retention," Latham says. The products archive everything, not just as an open register but the complete text of conversations. "To this day, Microsoft will admit that even with the latest versions of LCS, these proxy tools do a more rigorous records management job," Latham says.

For internal use only
The other part of the IM story is development of IM products with built-in enterprise functionality, known as enterprise instant messaging. The top three public IM vendors--AOL, MSN and Yahoo!--launched, then quietly killed, EIM products after an underwhelming market response. Typically, Latham says, these products would "federate your identity on their server so that you could use that identity for interactions through their service."

That went away because no one was buying, Latham notes. Buyers preferred to implement gateway tools rather than add the cost of an only slightly improved IM. Further, Latham adds, most organizations strongly prefer to keep IM within the internal corporate network. "That is where we are now. Most organizations aren't planning to converse with customers or conduct any kind of e-business. It is strictly an in-house tool," he says.

Using IM internally isn't new, of course. Latham points out that IBM's Sametime has been around for years and boasts 10 to 12 million licenses (though Latham believes only about half are being used). Sametime, along with offerings from Novell, Jabber, Oracle, and others, are getting renewed scrutiny from the enterprise market and are beginning to carve out a small but growing share of the IM universe.

IM Tower of Babel
The IM problem that has so far eluded a solution--in both the consumer and enterprise markets--is interoperability. Today, IM looks like a tower of babel. Consumer IM products generally don't talk with each other, and EIM products are often incompatible. "It's not a standards issue, per se," IDC analyst Robert Mahowald explains.

At issue are the protocols various EIM vendors have adopted, usually XMPP or SIMPLE (the IM version of SIP). "It's a huge problem," Mahowald says. "CIOs and large business users say they won't feel comfortable with large-scale EIM implementations without greater interoperability," he adds. Enterprise products can sometimes talk to each other; Sun and Oracle, for instance, are in the XMPP camp. But Microsoft and IBM are plugging for SIMPLE, while Netware uses neither.

For those determined to move ahead, Mahowald says, Jabber offers a gateway product that lets them talk to each other.

In the consumer market, on the other hand, the giants have jealously guarded their own customers by not allowing their network users to communicate with others. However, Mahowald says there have been a few glimmers of change. For instance, Microsoft has said that when it rolls out LCS for 2005, optional services will allow connections to AOL and Yahoo! users. Still, Mahowald admits, that's not quite the same thing as real network interoperability. Although it may help Microsoft users and customers, "it is bad for the overall market because it sets up a framework where Yahoo! and AOL are paid a fee for access to their service--and there is still no equivalent of SMTP," he says.

Reality is that IM is here
Still, for many organizations, waiting for things to get better isn't an option. IM is here, and they must craft policies and infrastructure that deal with that reality.

The good news is that there are enough options to allow for easy tailoring to fit any budget or desired level of sophistication.

Michael Osterman of Osterman Research, Black Diamond, Wash., says deciding whether to buy an EIM product "is not an either/or choice." EIM has three things that aren't available in consumer IM: secure encryption, namespace control and archival control.

However, Osterman adds, "If you already have a large group of users depending on AOL or Yahoo!, you may not want to cut them off." Instead, adding tools can provide the organization with enterprise-grade functionality on top.

What's more, he adds, it may make more sense for customer-facing businesses to work with consumer-grade IM since it gives users the easiest IM access to the outside."You can always roll out an EIM such as Microsoft LCS, and even then it might make sense to have both, especially if you have good tools to manage the consumer IM," Osterman says.

Sidebar: IM means immediate money for Australian economy
Sidebar: Spam, spam, viruses: over-hyped problems?
Sidebar: One option: The hosted network