For a moment let’s suppose I am the CEO of a multi-million dollar corporation and I send an Instant Message to my General Counsel. He sends me information that should never be seen by the outside world. As vetted peers, my General Counsel and I can chat in encrypted real time. The communications are neatly logged on my removable USB fob (assume I’m traveling) and on the General Counsel’s laptop hard drive. We have met critical criteria with this exchange. Our IM is encrypted and therefore cannot be read if intercepted, and we are compliant with both the National Association of Securities Dealers Inc. (NASD) and the Securities and Exchange Commission (SEC), which, to paraphrase the rulings, state that Instant Messaging communications must be logged and authenticated, and that the logs must be unalterable.
“Government compliance” quickly became the fashionable phrase when Sarbanes-Oxley started holding court over industry. However, for financial institutions and large companies with a presence on the NASDAQ, the realities of NASD Rule 3110, coupled with the SEC’s Rule 17a-4(b)(4), are of intimate concern. With encrypted IM, a unique session key between the sender and the recipient ensures the authenticity of the exchange while providing the log data required by these rulings.
The Secure Instant Messenger (SIM), a product of Ottawa-based Validian Corporation, is poised to change how IM is handled at the enterprise level. The SIM, in conjunction with Validian’s Application Security Infrastructure (ASI), provides a level of security currently unavailable in the usual “over-the-counter” IM. ASI delivers messages and files to the target destination encrypted, so they cannot be read if intercepted at any point in transit. Bilateral and multilateral exchanges can take place between numerous individuals while, at the same time, secured files of varying sizes are transferred. Logging of IM sessions takes place at the sender’s and recipient’s points of contact, whether PC-to-PC or PC-to-portable-USB-fob. As an extra measure of security, a mobile user using a removable USB device for IM leaves no trace of the session or communications once the USB device is removed from the host computer. While this feature may appear anti-forensic in nature, the IM session is logged on both the USB device and on the receiver’s computer, making it ultimately traceable.
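The compliance requirement above (every session logged at both endpoints, and the logs unalterable) can be illustrated with a small tamper-evident transcript. This is an added example written for this article, not Validian’s code or its log format; it assumes a per-session key shared by the two peers (here a constructed value) and keys each entry with HMAC-SHA256 over a hash chain, so that editing, reordering or truncating one side’s log is caught either by that log’s own verification or by cross-checking it against the other endpoint’s copy.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry


class SessionLog:
    """Append-only IM transcript kept at one endpoint. Each entry is bound to
    its sequence number and to the previous entry's tag, then authenticated
    with the session key, so any later edit or deletion is detectable."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.entries = []  # dicts with seq, sender, text, prev, tag

    def _body(self, seq: int, sender: str, text: str, prev: str) -> bytes:
        # Canonical encoding: sorted keys so both peers compute identical tags
        return json.dumps({"seq": seq, "sender": sender, "text": text,
                           "prev": prev}, sort_keys=True).encode()

    def append(self, sender: str, text: str) -> dict:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        body = self._body(len(self.entries), sender, text, prev)
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        entry = json.loads(body)
        entry["tag"] = tag
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = self._body(i, e["sender"], e["text"], prev)
            expect = hmac.new(self.key, body, hashlib.sha256).hexdigest()
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expect, e["tag"]):
                return False
            prev = e["tag"]
        return True


def logs_agree(a: SessionLog, b: SessionLog) -> bool:
    """Both endpoints hold a copy (USB fob and laptop in the article); a
    truncated log still verifies alone, so the copies are compared tag for tag."""
    return a.verify() and b.verify() and \
        [e["tag"] for e in a.entries] == [e["tag"] for e in b.entries]


def demo() -> tuple:
    key = hashlib.sha256(b"constructed per-session key").digest()  # constructed
    ceo, counsel = SessionLog(key), SessionLog(key)
    for sender, text in [("ceo", "Can we discuss the filing?"),
                         ("counsel", "Yes, draft attached.")]:
        ceo.append(sender, text)
        counsel.append(sender, text)
    intact = logs_agree(ceo, counsel)
    counsel.entries[1]["text"] = "No, nothing to discuss."  # after-the-fact edit
    return intact, counsel.verify(), logs_agree(ceo, counsel)
```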
Does the world need secure Instant Messaging? The evidence points to “yes”. As Dr. Andre Maisonneuve, President and CEO of Validian, explains, “We created our product in reaction to the changes we are seeing in the IM environment. At this point in time everyone is mobile, and therefore the IM system needs to reach people wherever they happen to be. Corporate networks are growing in complexity and security is increasingly important. To add to this, IT has realized that their efforts to block the use of IM aren’t materializing. In the same sense, IT needs to gain control over the IM technology, preventing open IM systems from allowing viruses and worms into the corporate network. A major change in the IM environment is the requirement for end-user authentication. People want to talk securely and they need to exchange images, documents and files securely. These are the requirements that corporate security professionals are asking of the IM world.”
Public IM systems are notorious for leaving the door open to malevolent actions. Instant Messaging, though well-loved by many for its ease of use, has had a hard time finding favor with those in charge of network security.
“IT wants to be able to implement their own corporate namespace within the IM system. Anyone can call themselves ‘Blackcrow555’ and it’s not very conducive to a professional namespace. There is a need to have some control over who can send and receive messages via IM, but an even bigger need to encrypt the files that are being sent. File transfers often involve corporate intellectual property, so these files must be encrypted on the interchange.”
There is a need for an IM system that is easy to implement, as it’s apparent that IT does not have time to oversee all the keys and authorizations as well as authentication. Validian’s SIM system is entirely self-managed with automatic key exchange; the keys are self-contained, so there is no need for a third-party authentication authority even though the system is certificate-based.
“All of the requirements put together make for a very complex IM system that can be installed by a single user in a matter of minutes and in an entire organization in less than half a day,” says Maisonneuve.
Users are authenticated either through Validian’s Domain Controller or a private corporate Domain Controller, depending on the situation. Through the linkage of the Domain Controller with corporate user databases, IT administrators can oversee the approved user lists and file transfer privileges. However, there is no central server that messages travel through; communication takes place only via peer-to-peer transactions. Before two parties can communicate, the sender must be accepted by the message recipient. This is done through the use of an “Allow or Deny” pop-up window. Once users have authenticated themselves and agreed to communicate with one another, their status is stored on each other’s contact lists for future use.
The SIM client can be downloaded from Validian’s website. Should colleagues at different organizations need to Instant Message one another, they can do so if IT has authorized both Domain Controllers to converse with one another. Permissions can be narrowed further so that only specific individuals at different organizations are allowed to send secure IM. For example, two CFOs may communicate with one another if both parties use the Validian environment.
To meet the needs of the mobile IM user, Validian was the first to incorporate security and authentication into a removable USB device that provides an immediate, secure Instant Messaging system. The SIM provides multi-layer security through strong user authentication unique to each customer.
Should that fortified security not meet your needs, Validian has also partnered with Sony to produce its Flash Communicator, an implementation of its SIM that works on compact flash media devices and provides three-factor authentication: your fingerprint, your password, and the serial number of both the device and the software. Flash Communicator™ works on USB flash memory drives, digital camera memory sticks and other compact flash media. It transforms these storage media into secure, interactive communication devices, allowing rich text communication, message exchanges, image and content distribution and file transfer when connected to the Internet.
Validian defines its main focus as the corporate customer whose available resources are in short supply and who needs to minimize the oversight of complex systems.
“An ideal customer for Validian is a company sensitive to security, one that is well distributed, and who employs mobile users. Virtual corporations, companies with a large, multinational sales force, users that need to have meetings within meetings to discuss strategy; all of these are models of who would use Secure Instant Messaging,” states Maisonneuve.
The SIM also acts as a gatekeeper in that it prevents users from using IM to communicate with unauthorized users outside of the corporation. This can prevent the exchange and transfer of sensitive corporate information with parties who should not have it. Case in point: Instant Messaging was used as a continued source of communication in planning the Enron crimes, as it was relatively anonymous, lacked session logging and didn’t archive data.
For corporations using lack of interoperability as their argument for sticking to an open IM system, Maisonneuve counters, “If you want to have an insecure system, you can use just about any one you prefer. For the corporation that wants to have the capability for their CFO to talk to their CEO without the risk of interception, Secure IM is a necessity. By definition, it cannot be interoperable with private, insecure systems, just as Yahoo IM and MSN IM cannot communicate without the use of third-party hardware. There is no compatibility in open IM systems and it isn’t foreseeable in the near future. A company can choose to have secure IM communications or insecure, but not both. A secure IM environment is a gated community. There really is no other way.”
Melisa LaBancz-Bleasdale is a freelance technology writer busily deleting spam while living in the San Francisco Bay Area.