Mission Critical Messaging – Do you have a policy



In today’s multi-connected world, each method of communicating is underpinned by particular technologies. I am going to look at these technologies and offer some suggestions on managing these responsibly through good policy development and adherence. First I’ll look at where we tend to get it right, and then highlight messaging services which may be more easily overlooked or harder to manage.

Characteristics of Mission Critical Applications
Mission critical means that the availability, reliability, maintainability, safety and integrity of an application or data must be maintained or the business suffers. Addressing other mission critical areas like applications and data is fairly standard.

Deployments are configured for redundancy. On servers this means RAID for the hard drives, multiple power supplies and even duplicate servers. Mission critical data is stored centrally and backed up; it is kept off end user workstations.

Medium and enterprise businesses typically apply redundancy where it is needed in such cases, and they do this very well when it comes to email. Email isn’t stored locally. The mail storage facility is made always-on in the form of a redundant array of drives and is backed up regularly, with old email being archived. Email services are treated as application and data, along with other business services. The scramble to provide this level of integrity took place roughly 10 years ago, and we’ve become good at it.

And that’s where most of us stop. Where else are employees communicating with each other, and with our clients? What other forms of communication require our attention these days?

Other Means of Communication
CHAT
IM or instant messaging has become quite popular. The most popular IM services are the large internet-based services like Yahoo, Google, and Microsoft. Each requires that the user install an IM client on their local workstation. And each offers a way to configure the tool to record all chat dialogues. The default storage location for the sessions is the local workstation. This default setting means that these IM tools do not meet the minimal requirements for a mission critical application; namely, the sessions aren’t centrally stored or backed up.

IM tools are subject to other problems. Recall that I stated earlier that a mission critical application has to be protected with respect to safety, availability and integrity. And yet the content inside IM sessions is harder to manage securely: chats happen in real time, and while there are tools to manage and monitor IM chat sessions, they are rarely deployed.

IRC or Internet Relay Chat and ICQ or Internet Chat Query are the precursors to today’s popular IM applications and therefore share many of the same problems with regard to fulfilling the mission critical mandate. Some may consider these antiquated, but they are still functional and should therefore be guarded. It should be noted that IRC is currently seeing heavy use in the botnet world as the protocol used for command and control of infected machines used to send out spam.

Social Media
Social media sites, such as Facebook, LinkedIn or MySpace, are a feature-rich means of communication. These sites have messaging functionality that, for the end user, seems much like email or chat. However, the message content remains only on the proprietary site servers, and in many cases the messages are not owned or manageable by the content author, and certainly not by his or her employer.

Twitter combines the functions of social media and chat and suffers the same mission critical weaknesses of both.

The harsh conclusion is that, despite their ease of use and popularity, social media sites should not be used for mission critical communication at all, though non-critical uses can be considered.

Mobile Communication
Feature-rich mobile communication provides for yet another means of unrestricted and uncontrolled communication. While some companies manage their own mobile communications servers, many rely on the proprietary services of the providers. Much like social media, your communication logs and message content are not accessible and not recoverable.

The low-bandwidth alternatives, mobile SMS or texting and PIN-2-PIN, suffer similarly.

The ‘other’ problem - litigation
Though it is rarely considered at the time messages are created, organizations may be called upon by the court system to present stored communications as evidence. With so many places to retrieve data from, something may be forgotten or missed. Retrieving communications from end user computers, where they may or may not reside, is an arduous task at best. This situation compounds with each end machine added. And with much of the content stored only on inaccessible proprietary services, the situation can compound further.

The term e-discovery has been coined to describe the task of sifting through digital information. Being prepared for this process in advance means less panic at a time when calmness is critical.

Remediation
When instant messaging or IM type chat has been shown to improve business processes, you need to think through how to support it as mission critical. Consider changing the default message storage location to a network share, and then ensure all such files are added to the back-up process. Even so, doing this on each machine can become tedious. The deployment of enforcement tools or your own server needs to be considered as well.

Alternatively, an IM proxy can be installed. These come in two flavours: pass through or passive. The pass through version requires a configuration change on the client side, while the passive solution is effectively an intrusion detection system tailored to record chat conversations.

For SMS and other mobile communication, when the subject matter is critical to business, a follow up email is recommended as a means of ensuring the preservation of the conversation. This becomes a matter of company policy.

Conclusion
Including your position and requirements about managing instant messaging and social media in your Internet usage policy is an essential step towards educating all staff on the benefits and dangers of these types of communications. Your policy needs to be subjected to regular review to ensure it addresses the present day and the rapidly changing landscape. If the cost of supporting these applications as mission critical is outside of the budget, I advocate banning them altogether. And not just in your policy, but also at the firewall.


Originally published November, 2010

All content © eSubnet 2003-2017
ESUBNET ENTERPRISES INC. TORONTO CANADA