Security Basics mailing list archives

Re: Skype readies for Enterprise?


From: krymson () gmail com
Date: 20 May 2008 18:12:14 -0000

You may not get too many list-wide replies because this topic seems to come up now and then. We had a thread last year 
that got to be quite extensive (I can't find it now). In fact, it came up just a few months ago as well (I swear this 
one was older, but it's been a long couple of months I guess) [1][2]. I wish I could find more, but I've always been 
unsuccessful with SF's search feature.

A Google search [3] will help find some articles. I know technology seems to often change at a blistering pace, but it 
also changes slowly. Don't discredit issues from 2005 in a product just because it is 2008 now. Skype has not 
fundamentally changed in concept since then. It is still a consumer product.

Skype has gotten better, which has reduced some of this discussion to simple personality differences. For instance, 
Skype has gotten better to manage, but it has not gotten terribly easy. [4] Your ability to accept that is up to you.

Skype will not necessarily gobble up your bandwidth. You'll want to monitor this firsthand, honestly, since only you 
know your bandwidth and how much your users may abuse it. But if you do any sort of netflow or connection analysis, 
Skype will frustrate you since it makes many, many connections out to places all over the world; places that would 
raise eyebrows otherwise. At any rate, install Skype, make a call, and monitor how much bandwidth it uses. Multiply 
that by your users and you have an idea, at least.

Check the second link below for a fairly up-to-date listing of issues I have with Skype. I'll just touch on a few here.

a) Are you bound by any regulations that require you to see inside or monitor communications made by employees to the 
outside world? If so, you can't use Skype.

b) Do you have any sensitivity to the possibility that someone may be transmitting confidential data out of your 
organization using Skype? If so, Skype is not your man. While I know data can be sent out by someone malicious, this 
also includes asking yourself if you trust the Skype encryption. You need to ask yourself that, because your encrypted 
data will be sent to random supernodes, i.e. other users. If Skype's encryption is ever widely or secretly broken, 
those nodes can eavesdrop and you can't do anything about it. If you're Boeing, you laugh at Skype.

c) Skype has a paradigm problem in that it does not act like a trusted enterprise application. It attempts to use 
unnecessary ports if it can't get out through default ports, piggy-backing like so much unwanted software through port 
80. That is the behavior of a user-experience-enhancing consumer product, not an enterprise product. If you use this to 
connect remote users who may not be behind routers/NAT devices, it will still attempt to act as a supernode. Annoying.

You'll also get a lot less discussion about Skype because the situation does change. If you are a large corporation, 
chances are Skype is not for you. If you are a small start-up, Skype may offer good value. If you are an SMB, you could 
go either way, and likely will do so unless you have the above concerns.

On a security mailing list like this, you'll likely find we use Skype at home, but we're wary of it in the enterprise 
(see, well, me!). Are there any obvious silver bullets you can throw on the table to convince your business users that 
Skype is potentially bad? Not really. Not any more than you can convince someone that HTML in email is bad, or web 
filtering is necessary, or you need to move from IE to Firefox enterprise-wide. If they want to use it, they want to use 
it, rational or not.



[1] http://www.securityfocus.com/archive/105/408735/30/0/threaded

[2] http://www.securityfocus.com/archive/105/487937

[3] http://www.google.com/search?hl=en&q=manage+skype+in+the+enterprise

[4] http://www.networkcomputing.com/article/printFullArticle.jhtml?articleID=191502447


<- snip ->
Thanks for all your replies. But most of the publications are a bit old, e.g. 2005. Are they still reflecting the truth 
of the current version of Skype (v3)?

When I compare to other VC products, Skype basically has most of the functions, e.g. encryption. Somehow it is hard to 
resist....

I am not saying Skype is good for corporations. From an IT standpoint, they don't want to have it because of lack of 
control and audit trails, vendor support, unknown encryption details etc. But these technical issues are hard to get 
business users to understand. So what I am now thinking is whether Skype will eat up a huge amount of bandwidth. If yes, then 
I can put this into $$ value and business users can understand. Does anyone have any experience with this?

Thanks so much,

Wang
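The netflow/connection analysis krymson mentions above (a P2P client fanning out to many peers in many networks, falling back to port 80/443) can be turned into a simple per-host fan-out report. This is an added example, not code from the thread or from Skype; the flow records, the internal address space and the thresholds are constructed assumptions.

```python
"""Fan-out heuristic over flow records: a P2P overlay client talks to many
distinct external peers across many networks (often on 80/443 when other ports
are blocked); a browser or enterprise client hits a few servers repeatedly.
Sample data and thresholds are constructed assumptions, not real Skype traffic."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample, one flow per line: "src dst dport bytes".  10.0.0.0/8 is the
# assumed internal space; external peers use RFC 5737 documentation addresses.
SAMPLE_FLOWS = """\
10.0.1.5 203.0.113.7 443 12000
10.0.1.5 203.0.113.40 80 3100
10.0.1.5 198.51.100.21 80 4100
10.0.1.5 198.51.100.77 40012 900
10.0.1.5 192.0.2.66 443 2200
10.0.1.5 192.0.2.130 33434 700
10.0.1.5 10.0.2.15 445 50000
10.0.1.9 203.0.113.7 443 90000
10.0.1.9 203.0.113.7 443 50000
10.0.1.9 198.51.100.21 80 8000
10.0.1.3 10.0.2.15 445 120000
"""
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(text):
    """Return (src, dst, dport, bytes) tuples; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            src, dst, dport, nbytes = line.split()
            flows.append((src, dst, int(dport), int(nbytes)))
    return flows

def fanout_report(flows, peer_threshold=5, net_threshold=3, web_ports=(80, 443)):
    """Per internal source: distinct external peers, distinct /24 networks, peers
    reached on web ports, total bytes, and a suspect flag when both thresholds hit."""
    peers, nets, web, total = defaultdict(set), defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if any(ip_address(dst) in net for net in INTERNAL):
            continue  # internal-to-internal flows are not part of the fan-out
        peers[src].add(dst)
        nets[src].add(str(ip_network(f"{dst}/24", strict=False)))
        if dport in web_ports:
            web[src].add(dst)
        total[src] += nbytes
    return {src: {"peers": len(peers[src]), "networks": len(nets[src]),
                  "web_peers": len(web[src]), "bytes": total[src],
                  "suspect": len(peers[src]) >= peer_threshold
                             and len(nets[src]) >= net_threshold}
            for src in peers}
```

The per-host byte totals also give the measured-per-user figure the bandwidth estimate in the thread asks for, once the records cover a representative call.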
