Columns

Energy company puts juice into monitoring IM

Is your company's use of instant messaging secure? Does it meet regulatory requirements?

That's what Kansas' largest electric utility Westar Energy wanted to know. Although many employees sent and received IM, the company had no official policies regarding its use. Given the threat from outside attacks, spam sent over IM (SPIM), and the need to monitor energy-trading transactions for regulatory reasons, however, Westar began to evaluate IM monitoring tools.

Experts say more orgs now employ such technology, especially in regulated industries. Lack of an IM policy can produce problems during a legal-discovery process. For example, what if an executive logs IM conversations locally, yet the company at large doesn't? Abusiness can put itself at risk by not having an authoritative record of IM communications. Even so, many orgs still turn a blind eye to IM.

Lack of IM controls opens orgs to technical as well as legal liabilities. A study by the American Management Association and the ePolicy Institute, which surveyed 840 companies, found 2 out of 3 employees used IM. How IM was used may fall afoul of most orgs' security or human resources groups. The study found 19 percent of respondents said they used IM to send attachments; 9 percent admitted to swapping some kind of confidential information over IM; and 6 percent used it to send sexual, romantic or pornographic content.

Policing IM
To implement IM monitoring, experts recommend a three-step approach: understand who uses IM, develop and publicize policies for acceptable use, then implement technology to track, monitor and enforce acceptable use.

With this advice in mind, Randy Meinholdt, the IBM WebSphere administrator for Westar, studied how employees used IM. Instant messaging was used within Westar, and it was used externally by energy traders. In addition, he found a total of four IM clients in use: AOL IM, Yahoo, MSN Messenger and Lotus Sametime.

IM use hadn't been prohibited. So before Westar would decide whether to monitor it, Meinholdt turned to peers for advice. "I spoke with three other energy companies during my [product] evaluation," he recalls. "They all had implemented IM monitoring products." As a result, Westar began moving toward adopting an IM monitoring product.

Eventually, Meinholdt's short list included products from Akonix, FaceTime and IMlogic. Comparing the three, he says, "IMlogic seemed to be very similar to Akonix." Face- Time used an external appliance, but Westar didn't want to go the appliance route. The energy company was most impressed with the Akonix Enforcer, especially the supplier's responses to their queries.

"We began using Akonix as a demonstration product on a single server," recalls Meinholdt."The basic install was very easy," he adds. Overall the company is happy with the product.

"There have been issues from time to time on configuration, but Akonix has been very responsive to our needs," he says. "[We] had a bit of trouble implementing a second backup server at another location." Akonix helped solve the problem.

Although the Enforcer offers extensive security features, Meinholdt says, "We are still learning as we go." What he especially likes about the product are the automatic updates for SPIM and malware. In addition to monitoring outside threats, Westar uses Enforcer to block any unsafe peer-to-peer activity inside the company.

Westar has standardized on the four IM clients its employees already use. For the future, Meinhardt has one major product request. "We would like to see Akonix make the product available on Linux servers," he says.

ILLUSTRATION BY COLIN JOHNSON