Educause Security Discussion mailing list archives

Re: IM Security?? - Anyone written policies, selected products, got some lessons learned / war stories


From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 27 Jan 2004 15:09:58 -0500

While IM is, like email, a "right" which is reasonably expected by
members of the university community, IMO (IANAL) it's also possible to
treat it as we do email, and thus leverage extant policies governing
that form of messaging.

Policies governing messaging must focus on, among other aspects,
defending users from the risks created by the potential carelessness
or errors of others, where possible/practical.

To that end, many of us already filter viruses from email (analogous to
"public safety"), and may be agnostic as to content (preservation of
openness/freedom).  So it could stand to reason that it's therefore
prudent, and culturally tolerable, to filter malware/agents from IM as
well.

Another policy aspect (someone may have already mentioned this) is
that with currently-popular products (e.g. AIM) university messages
(do they, like email, count as university data/property on your
campus?) are being handled by an uncontracted-with third party.

Policies, extant, covering disclosure of certain university data to
third-parties may apply here, depending on your campus' rigor in
stipulation of internal-data disclosure.  (e.g. sending a comment
containing an individual's salary/SSN between two persons in HR, over
AIM, could transfer those data through external systems)


Matthew Keller wrote:

We are currently exploring the use of an in-house Jabber server
(http://www.jabber.org/ for general Jabber information, or
http://jabberd.jabberstudio.org/2/ for the server itself) for use by
students/staff/faculty. Jabberd is an OpenSource Jabber server, and the
Jabber protocols themselves are open standards. Jabber servers can also
be installed with gateways so you could allow users on your Jabber
servers to still talk to AOL/MSN/Yahoo/etc. users through your
environment, if you wanted to turn off general IM access.

Please note that we have _no_ plans to turn off general IM access and
are looking at ways of allowing our community members to build their own
groups and communicate securely with others in the community without
going to outside services.

On Tue, 2004-01-27 at 12:09, Dewitt Latimer wrote:

Nothing other than we're contemplating the same questions and looking into
the feasibility of in-house IM service to complement base-line e-mail, web,
calendaring, etc.

Some concern as to whether the user community would use an in-house IM
service vs. an open AIM, MSN, Yahoo type service (Big Brother phenomenon).
And if so, would we take extraordinary steps to block said services from
traversing our net or accept the notion there is a role for them in an open
learning community.

-d

---------------------------------
Dewitt Latimer, Ph.D.
Deputy CIO and Chief Technology Officer
The University of Notre Dame
dewitt () nd edu

----- Original Message -----
From: "Jim Moore" <jhmfa () RIT EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, January 27, 2004 12:03 PM
Subject: [SECURITY] IM Security?? - Anyone written policies, selected
products, got some lessons learned / war stories


We have usage of Instant Messaging at several campus locations.  Looking
into IM and IM security.  Anything people are willing to share?

Jim

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Fax: 585-475-7950

"In cases of defence 'tis best to weigh the enemy more mighty than he
seems" - William Shakespeare (Henry V, Act 2, Scene 4)

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

--
Matthew Keller
Enterprise Systems Analyst
Computing & Technology Services
State University of New York @ Potsdam
Potsdam, NY USA
http://mattwork.potsdam.edu/

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------
  "Mind the gap..."
