Instant Messaging in the Enterprise… Security Threat, Privacy Threat or Useful Tool?
In the last of 6 episodes in the podcast series at “Security Round Table”, there was a great discussion on Instant Messaging security issues. One of the most interesting aspects of the discussion was whether enterprises would try to completely lock down IM facilities so that people couldn’t use them for personal “unproductive” chatting. The consensus in the panel seemed to be that it would not really be possible, given that, unlike most other technologies that are so expensive that they originate in the enterprise and migrate to the public masses (e.g. cell phones and pagers), IM started out in the public domain, and is migrating into enterprises. Basically, “It’s much harder to deny a technology to someone who never had it in the first place, than to take it away once they have it.”
There are, of course, security issues aplenty with IM tools, such as Availability (consumption of corporate network bandwidth), Confidentiality (leaking of corporate Intellectual Property), and Integrity (known vulnerabilities that provide vectors for malicious code).
On a personal note (privacy mostly), I used to work in a place where my boss expected people to use AOL Instant Messenger, and to be logged in at all times when they were working…so he could keep an eye on who was at their desk! I have yet to come across anyone else who has seen it used in that way. I saw it as an invasion of privacy, since being logged in and online did not necessarily correspond with a worker’s actively productive times. Mysteriously, my laptop never liked AIM, and often crashed. So, happily, I wasn’t able to keep it installed. When he asked me why I wasn’t using AIM I told him that it crashed my machine. I never really knew if he believed me, or if it affected his opinion of how productive I was. In any event, I think it’s a strange way to keep a leash on your team members.
Anybody care to comment?

