Comments on: Lawrence Orans on Containing the Risk of Using Skype http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/ A member of the Gartner Blog Network Thu, 19 Nov 2009 18:00:12 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Guest Blogger: Lawrence Orans With an Update On Managing Risks of Skype Use http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/comment-page-1/#comment-1166 Guest Blogger: Lawrence Orans With an Update On Managing Risks of Skype Use Mon, 06 Jul 2009 11:27:28 +0000 http://blogs.gartner.com/john_pescatore/?p=303#comment-1166 [...] a blog posting earlier this year I commented on how the recession is causing enterprises to consider Skype as an [...] [...] a blog posting earlier this year I commented on how the recession is causing enterprises to consider Skype as an [...]

]]> By: Lawrence Orans http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/comment-page-1/#comment-1074 Lawrence Orans Tue, 02 Jun 2009 15:51:36 +0000 http://blogs.gartner.com/john_pescatore/?p=303#comment-1074 The “impersonation issue” is a risk with Skype and any other public IM service. Anyone can register with any user name – the public services don’t check user registration. You’ve proposed a solution for mitigating the impersonation risk, but I don’t know of any solutions that would allow you to enforce a policy that says “only allow Skype chat sessions to employees within my corporate directory”. With enterprise IM solutions like Microsoft Office Communicator, IBM’s Lotus Sametime and others, you should be able to limit communications to users within the corporate directory. With Skype, even though you do have the risk of impersonation, you do have some control over how employees use Skype. For example, you could disable the file transfer function for all Skype clients (this feature is available with the Skype for Business 3.0 and later releases). So, users could chat with someone outside the organization, but could not send them valuable info via a file transfer. The “impersonation issue” is a risk with Skype and any other public IM service. Anyone can register with any user name – the public services don’t check user registration. You’ve proposed a solution for mitigating the impersonation risk, but I don’t know of any solutions that would allow you to enforce a policy that says “only allow Skype chat sessions to employees within my corporate directory”. With enterprise IM solutions like Microsoft Office Communicator, IBM’s Lotus Sametime and others, you should be able to limit communications to users within the corporate directory.

With Skype, even though you do have the risk of impersonation, you do have some control over how employees use Skype. For example, you could disable the file transfer function for all Skype clients (this feature is available with the Skype for Business 3.0 and later releases). So, users could chat with someone outside the organization, but could not send them valuable info via a file transfer.

]]> By: Doug http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/comment-page-1/#comment-1072 Doug Mon, 01 Jun 2009 15:19:03 +0000 http://blogs.gartner.com/john_pescatore/?p=303#comment-1072 The main concern I have with allowing any IM outside the corporate network is there is no way to truly validate who you're chatting with. You have to trust Skype's directory, which I don't. Are there ways to only allow users who have authenticated against our corporate directory? The main concern I have with allowing any IM outside the corporate network is there is no way to truly validate who you’re chatting with. You have to trust Skype’s directory, which I don’t. Are there ways to only allow users who have authenticated against our corporate directory?

]]> By: Lawrence Orans http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/comment-page-1/#comment-457 Lawrence Orans Thu, 08 Jan 2009 22:54:02 +0000 http://blogs.gartner.com/john_pescatore/?p=303#comment-457 Thanks for your comments ,Michael. I agree - supernodes are not an issue in a normal enterprise environment with good firewall protection. I can't recall speaking with a commercial enterprise that has had issues with supernodes. Some university environments present different challenges, since many have less restrictive firewall rules. Thanks for your comments ,Michael. I agree – supernodes are not an issue in a normal enterprise environment with good firewall protection. I can’t recall speaking with a commercial enterprise that has had issues with supernodes. Some university environments present different challenges, since many have less restrictive firewall rules.

]]> By: michael http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/comment-page-1/#comment-453 michael Thu, 08 Jan 2009 08:20:28 +0000 http://blogs.gartner.com/john_pescatore/?p=303#comment-453 It's worth noting that in a normal enterprise environment, the issue of supernodes does not occur. In an environment with local DHCP, and where desktops do not publicly accessible IP addresses, open for inbound connections, then Skype clients can never become 'supernodes'. This is the most prevalent enterprise setup. If in fact, an enterprise that has desktops with publicly accessible IP addresses, open for inbound connection, incurs other risks that eclipse the possibility of minimal third party traffic simply transiting the network. This traffic is arguably a simple 'cost' rather than a security risk. It’s worth noting that in a normal enterprise environment, the issue of supernodes does not occur. In an environment with local DHCP, and where desktops do not publicly accessible IP addresses, open for inbound connections, then Skype clients can never become ’supernodes’.

This is the most prevalent enterprise setup.

If in fact, an enterprise that has desktops with publicly accessible IP addresses, open for inbound connection, incurs other risks that eclipse the possibility of minimal third party traffic simply transiting the network. This traffic is arguably a simple ‘cost’ rather than a security risk.

]]> By: Interesting Information Security Bits for 01/07/2009 at Infosec Ramblings http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/comment-page-1/#comment-451 Interesting Information Security Bits for 01/07/2009 at Infosec Ramblings Wed, 07 Jan 2009 18:43:06 +0000 http://blogs.gartner.com/john_pescatore/?p=303#comment-451 [...] couple things to think about regarding Skype in the enterprise. Lawrence Orans on Containing the Risk of Using Skype Tags: ( general skype [...] [...] couple things to think about regarding Skype in the enterprise. Lawrence Orans on Containing the Risk of Using Skype Tags: ( general skype [...]

]]> By: Lawrence Orans http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/comment-page-1/#comment-450 Lawrence Orans Wed, 07 Jan 2009 17:27:19 +0000 http://blogs.gartner.com/john_pescatore/?p=303#comment-450 Yes, thanks for pointing this out Richard. Next-gen firewalls can enable organizations to build policies around Skype usage. For example, by integrating with a directory, they could allow some users to use Skype and block others. Several firewall vendors and secure web gateway (SWG) vendors (including proxy vendors) have Skype signatures that allow them to build these policies. I have heard of some universities that are proxying Skype traffic, mainly so that they can have a "shut off valve" if they need it (if Skype traffic becomes too heavy, which may happen if there are a lot of Skype supernodes). But, it's not common today to use a firewall or SWG to control Skype in commercial enterprises. Unfortunately, the most common practice today is to ignore Skype, which is not a good idea. We recommend that network managers take a stand - either block it outright, or allow it but with the controls in place to make it enterprise-friendly and secure. Yes, thanks for pointing this out Richard. Next-gen firewalls can enable organizations to build policies around Skype usage. For example, by integrating with a directory, they could allow some users to use Skype and block others. Several firewall vendors and secure web gateway (SWG) vendors (including proxy vendors) have Skype signatures that allow them to build these policies. I have heard of some universities that are proxying Skype traffic, mainly so that they can have a “shut off valve” if they need it (if Skype traffic becomes too heavy, which may happen if there are a lot of Skype supernodes). But, it’s not common today to use a firewall or SWG to control Skype in commercial enterprises. Unfortunately, the most common practice today is to ignore Skype, which is not a good idea. We recommend that network managers take a stand – either block it outright, or allow it but with the controls in place to make it enterprise-friendly and secure.

]]> By: Stiennon http://blogs.gartner.com/john_pescatore/2009/01/07/lawrence-orans-on-containing-the-risk-of-using-skype/comment-page-1/#comment-448 Stiennon Wed, 07 Jan 2009 15:36:00 +0000 http://blogs.gartner.com/john_pescatore/?p=303#comment-448 Good info on Skype for business Lawrence. Don't Next-gen firewalls give you control over Skype usage? -Stiennon Good info on Skype for business Lawrence.

Don’t Next-gen firewalls give you control over Skype usage?

-Stiennon

]]>