IM and presence: Achieving mission critical status in the enterprise

Jack Gold

Instant messaging and presence are two technologies that are rapidly making inroads into the corporate setting. Yet very few companies have adequately planned for and/or deployed the technology. In fact, most IM installations are ad-hoc in nature, driven not by company strategy, but by user demand. This is a very risky situation, as companies face increasing security threats all around and must set and enforce policies that will provide a level of protection against data breaches and regulatory compliance failures. Further, a widening array of clients, particularly mobile IM clients, will cause increasing stress on an IT infrastructure that is already overburdened.

Enterprises must consider the role of IM and presence and make decisions regarding what they should and should not do in providing IM capability to their end users. To accomplish this, they must first explore the key components of IM and presence, evaluate what they deliver and then determine what to deploy and when to deploy it.

Major trends in IM, presence and collaboration

The growth and popularity of IM and presence are primarily about immediacy, especially in a world increasingly interested in instant communication - when email with its delayed response of minutes or hours is not adequate. It is estimated that over 80% of enterprises currently have users employing IM through user-installed applications. As a result, most companies have no clue as to who is using what or what kind of message traffic is taking place.

With the increasing awareness of security and compliance issues, and the need to meet a growing number of more stringent governmental regulations, the majority of companies will migrate from ad-hoc to formalised installations of IM within three years. Enterprise-class IM (e.g., Microsoft Office Live Communications Server, Lotus Sametime, Jabber) is expected to capture 75+% of the enterprise market. Policy-based access control will become mainstream, including monitoring of traffic, encryption of transmission, logging of content and recording and transcripts of individual sessions. Indeed, most corporate-grade email and collaboration suites have already implemented such capabilities as part of the need for companies to meet the requirements of information discovery and retention regulations.

Furthermore, although most corporate systems are geared toward desktop and notebook PC platforms, increasingly available and cost effective smart phone devices will make rapid inroads as corporate IM clients. It is therefore critical that companies start planning today for mobile IM and presence capabilities in order to adequately meet the needs of users and corporate systems.

Why enterprises will adopt IM and presence

Most enterprises are expected to adopt IM and presence for the following reasons:

  • The need for immediacy
    The critical need for instant communications that simply cannot be adequately met by email with its asynchronous communications model.
  • The need to determine whether someone is available
    Presence also provides the controller the ability to instantly see if the primary person that needs to take the action is available. Presence provides a significant increase in value to the IM system that IM alone could not provide.
  • The need to provide increased levels of collaboration
    Availability and instant access can provide a way to optimise communication and to provide a streamlined and more efficient operation.
  • The need to extend the real time organisation
    Running a business in real time, with the ability to rapidly communicate and take action, is a fundamental requirement of modern organisations.
  • The cost of entry will drop substantially
    The individual cost of adding IM and presence per user will drop substantially over the next two or three years, well below US$50 per user in volume.
  • New applications will be created that take maximum advantage of the technologies
    Increasingly IM systems will be integrated into other corporate back office systems (e.g., ERP, CRM, SFA, dispatching, trouble ticketing).
  • Mission-critical systems
    Email in particular will be extended to include IM and presence.
  • Security, management and compliance will be integrated into IM systems
    IM and presence will be managed and controlled in parallel with policies and procedures used for a variety of other back-office applications.

Although there will likely be many "specialty" needs for companies within various vertical industries, the overwhelming majority will discover the above requirements as a common base from which to start. Most systems will offer APIs to allow customised applications and connections, which will make specialised needs possible to implement in a relatively easy fashion.

Enterprise class IM vs. publicly available systems

There are some very specific differences between freely available IM systems on the Internet and enterprise-class systems. Some of the primary differences include:

  • Server and directory services behind the corporate firewall
  • Policy enforcement of who can use the system, when, how and with whom they can communicate
  • Logging and archiving of all message traffic for regulatory compliance
  • Secure, encrypted transmission of all message traffic to prevent interception
  • APIs and integration points to allow connection to other corporate systems

Most enterprises should not freely allow use of publicly available, unsecured and uncontrolled IM and presence systems. Most enterprise class systems will provide standards-based approaches to communicating with public and other enterprise class systems, but do it through the corporate server, which can enforce any needed policy. It may not be possible to enforce encryption and security policies with public IM systems.

While enterprise class IM systems are attempting to provide connectivity and/or gateways to the wide variety of the IM systems available, the lack of true industry standards has made this difficult. While some IM systems adhere to industry standard interconnectivity (e.g., SIP/SIMPLE, XMPP, IMPS), many proprietary schemas still exist. However, much like the early days of email, proprietary schemas will eventually be rationalised as user demands increase.

Securing and managing mobile collaboration

There is no question that many companies have an unrealised problem with the exploding numbers of user-deployed IM clients, and that failure to deal with the unauthorised IM clients can lead to potential disaster in the form of escaping confidential information, malicious activities (e.g., spam, viruses, malware) and possible non-compliance with industry regulations. Companies must closely examine and regulate what their users have deployed, and take any needed corrective actions through the use of enterprise-class, industrial quality, secure and manageable IM systems, rather than allowing the chaotic system of user-selected and deployed IM clients to prevail.

An unmanaged IM system is a disaster waiting to happen. Data leakage, malware and other risks are a common occurrence on IM systems. The ability to manage users (e.g., directory information, policies, limiting types of data shared, logging of contacts) is a critical requirement in nearly all companies, but especially those that have to meet specific industry regulations (e.g., financial services, medical, life sciences, retail). Further, the need for users to move from their fixed IM system to their mobile deployment, seamlessly and effortlessly, requires that a company provide a managed IM environment not easily available for public systems. The ability to set and enforce policies for all users on each of their devices is a key component of any enterprise-class IM system. All companies should strive to have a fully protected and managed environment for their IM users to prevent information compromise and the serious ramifications that would bring. Measures to take include:

  • Because all company data is discoverable through legal actions and for specific compliance requirements (e.g., SOX, HIPAA), utilise enterprise-class IM systems to log, record and archive all email and IM communication for a specified period of time, so that there is a complete record of all information sent.
  • Set and enforce a policy of not allowing file transfers.
  • Control access to public IM systems to limit malware. Enterprise-class IM systems offer tools to help with limiting access and blocking messages, and may incorporate an ability to add filtering and/or blocking technology from third party providers.

There is no doubt that enterprise-level control systems must be put in place if IM is to be controlled. Policy-driven enforcement is a prerequisite for nearly all company systems, and IM should be no exception. Further, end-user education on the proper use of IM and the consequences of disregarding company policy should be a major initiative of all companies as a way to improve and accelerate security and data protection mechanisms.

Conclusions

IM and presence have an important role to play in the enterprise, but they must be carefully deployed and managed if the greatest value for the least risk is to be achieved. Companies should treat IM and presence as a mission-critical system and provide the proper technologies to deploy enterprise-class applications for internal uses, while offering secure bridges to publicly available systems that supplement and enhance their limited protections and consequent potentially high risks. Companies that do not treat IM and presence as strategic, mission-critical systems will quickly find that they have taken on undesirable risks and have not properly taken advantage of an important tool in the battle to improve efficiency and remain competitive.