Popular instant messaging programs have quietly sneaked into business and government environments as more people use AOL Instant Messenger, Yahoo Messenger or MSN Messenger to talk with friends and co-workers. These programs are great for communication, but typically lack sufficient security.
This is changing, however, as instant messaging programs with high levels of security are making their way into the government enterprise.
Florida, for instance, is trying the technology for a few reasons. State agencies want to increase work productivity, and the State Technology Office is seeking new ways to communicate securely among security staff, such as information security officers and managers, CIOs and Computer Security Incident Response Teams, according to Mike Russo, Florida's chief information security officer.
The state will use MyFlorida Instant Messaging Solution, an Omnipod product customized for use in Florida. The State Technology Office concluded a pilot to gauge the software's potential for statewide use and is implementing the application in all state agencies.
Previously Florida didn't have a system that efficiently tied its 33 state agencies together, said Omnipod CEO Gideon Stein.
"There was e-mail, there were phone networks, but people didn't know people's e-mail addresses, didn't know their phone numbers," he said. "They needed a system that would tie together those agencies and create a better system for interagency communication."
Stein also said Florida wanted a tool for homeland security alerting -- a secure platform it could use to send alerts across the state about a threat level change or disaster.
All Layers Secure
"Any new technology poses additional challenges to the information security community," Florida's Russo said. "IM security seems to be one of the least known areas."
But Stein said all information that goes from the Professional Online Desktop (POD) client to the data center, and then to anyone else's POD client software is encrypted.
"That includes user names, passwords, all IM traffic, and to the extent it's being used by some states, file transfers -- everything is encrypted," he said.
That's just one layer of security.
For a second security layer, only people designated by the state administrator use the application.
"Unlike consumer platforms where anybody can download anything -- anybody can download AIM, start a network and start talking to each other -- with Omnipod, only those loaded in the system and designated as users by the centralized administrator can use the system," Stein said.
The third security layer involves access to different users on the system, which uses a domain and subdomain infrastructure to create a hierarchal framework of how people can communicate, Stein said.
"In a state environment, the governor's office might want to use the product on a daily basis, but they don't want rank-and-file employees from the department of transportation or department of health to IM the governor," he said. "Who can see whom online is very important in creating a workable framework for efficient communications."
Interoperability among various instant messaging programs is provided with Omnipod, but Stein said for the most part, state agencies disable the feature for yet another level of security. Administrators decide which features their users, or users in a subdomain, can access.
The MyFlorida Solution
The State Technology Office and the Executive Office of the Governor tested the product during the last few months, and the Department of Education just completed a pilot of its own, Russo said, adding that the state is spending $1 per user per month for the instant messaging software.
The next phase of deployment will encompass agency information security managers and officers, CIOs, and the Computer Security Incident Response Teams for communication of security-related incidents.
This additional form of communication gives immediate access to