Let's Chat

Secure instant messaging programs make their way into the public sector.

September 2, 2004
Popular instant messaging programs have quietly sneaked into business and government environments as more people use AOL Instant Messenger, Yahoo Messenger or MSN Messenger to talk with friends and co-workers. These programs are great for communication, but typically lack sufficient security.

This is changing, however, as instant messaging programs with high levels of security are making their way into the government enterprise.

Florida, for instance, is trying the technology for a few reasons. State agencies want to increase work productivity, and the State Technology Office is seeking new ways to communicate securely among security staff, such as information security officers and managers, CIOs and Computer Security Incident Response Teams, according to Mike Russo, Florida's chief information security officer.

The state will use MyFlorida Instant Messaging Solution, an Omnipod product customized for use in Florida. The State Technology Office concluded a pilot to gauge the software's potential for statewide use and is implementing the application in all state agencies.

Previously Florida didn't have a system that efficiently tied its 33 state agencies together, said Omnipod CEO Gideon Stein.

"There was e-mail, there were phone networks, but people didn't know people's e-mail addresses, didn't know their phone numbers," he said. "They needed a system that would tie together those agencies and create a better system for interagency communication."

Stein also said Florida wanted a tool for homeland security alerting -- a secure platform it could use to send alerts across the state about a threat level change or disaster.

All Layers Secure
"Any new technology poses additional challenges to the information security community," Florida's Russo said. "IM security seems to be one of the least known areas."

But Stein said all information that goes from the Professional Online Desktop (POD) client to the data center, and then to anyone else's POD client software, is encrypted.

"That includes user names, passwords, all IM traffic, and to the extent it's being used by some states, file transfers -- everything is encrypted," he said.

That's just one layer of security.

For a second security layer, only people designated by the state administrator use the application.

"Unlike consumer platforms where anybody can download anything -- anybody can download AIM, start a network and start talking to each other -- with Omnipod, only those loaded in the system and designated as users by the centralized administrator can use the system," Stein said.

The third security layer involves access to different users on the system, which uses a domain and subdomain infrastructure to create a hierarchical framework of how people can communicate, Stein said.

"In a state environment, the governor's office might want to use the product on a daily basis, but they don't want rank-and-file employees from the department of transportation or department of health to IM the governor," he said. "Who can see whom online is very important in creating a workable framework for efficient communications."

Interoperability among various instant messaging programs is provided with Omnipod, but Stein said for the most part, state agencies disable the feature for yet another level of security. Administrators decide which features their users, or users in a subdomain, can access.

The MyFlorida Solution
The State Technology Office and the Executive Office of the Governor tested the product during the last few months, and the Department of Education just completed a pilot of its own, Russo said, adding that the state is spending $1 per user per month for the instant messaging software.

The next phase of deployment will encompass agency information security managers and officers, CIOs, and the Computer Security Incident Response Teams for communication of security-related incidents.

This additional form of communication gives immediate access to individuals and information, Russo said, which can be helpful in emergency situations the state may face.

"Another benefit is the ability to simulate a verbal conversation more accurately than even e-mail," he said. "This is particularly true in situations where short messages are exchanged between recipients. In addition, the SMS [short message service] blast -- text message to a cell phone -- capabilities are important for contacting staff in the event of a security incident."

Where there are benefits to instant messaging, there are also drawbacks. In Florida's case, the two main drawbacks are that enhanced user training may be needed to achieve a higher ROI, and implementations of instant messaging software tend to increase system administrators' workloads.

On the Alert
Federal agencies are also taking advantage of certain aspects of instant messaging programs.

After about a week of implementation time in October 2003, the U.S. Department of Health and Human Services' Administration for Children and Families was up and running with WiredRed's e/pop Alert software.

"[It's] a crippled version of their standard enterprise instant messaging program," said the administration's IT Specialist Kevin Fine.

Implementation was easy and costs were minimal -- about $5 per user, or $9,000 for the agency's 1,800 employees, Fine said. Thirty licenses of the full-blown product, which gives chat functionality, were also purchased because the chat feature allows certain administrators to send alerts to the entire agency.

"The Alert product is one-way -- [recipients] can actually respond to the message, but they can't originate anything," he said. "They don't even know they have it, because it's hidden in the background on each of our machines. They have no idea it's even running."

E/pop Alert was installed through the network so the IT department didn't have to visit every machine. In addition, Fine said it was set up so that if it installs on a machine and the user currently logged in has never used it before, it automatically creates an account.

"We didn't have to do any account creation. The product had an installation builder, so we just ran it and it installed itself," he said.

For chatting with co-workers, Fine said employees use Yahoo or AOL's instant messenger programs, and e/pop Alert gives the Administration for Children and Families what it needs.

"We bought it for emergency-type messages," he said. "With it, we can instantly broadcast a message to all our PCs. Think of it as an electronic PA system."

Thus far, it's been used for fire drills to blast an alert message to users' PCs.

"Last time we did it, we actually indicated it was a drill," Fine said. "We also included a map to our assembly area. The product plays a sound, and the messages are rich text -- they can include graphics [and] colors."

E/pop Alert can also prevent the alert messages from being turned off -- during the first fire drill, some users continued working rather than following the alert's instructions, Fine said, and the next drill will lock all users out of their computers by keeping the message on the screen for a specific amount of time.

"We can set it to time out after 'x' amount of minutes, so when users return to their computers, the alert is gone."

Messages can be sent to specific people or groups of people based on the administration's Active Directory, but the one drawback Fine noted was that blasts couldn't be sent based on user location.

"We don't know on what floors people are, but that's a limitation of our structure, not a limitation of the program," he said.

The Administration for Children and Families occupies a leased building that lacks a PA system, so Fine expects the e/pop Alert program will be used to send informational messages as well.

"A neighboring building had a security scare," he said. "We can see that building from our windows and can hear their PA system. They had a bomb scare on one side of the building, so they were telling people to move away from that part of the building.

"We didn't have the product at that time," he said. "But if we had, we could have sent a message that would have popped up on [our employees'] screens and said, 'Don't worry about this. We're in contact with them. We know what's going on.'"

Jessica Jones, Managing Editor