Gartner Blog Network

Lawrence Orans on Containing the Risk of Using Skype

by John Pescatore  |  January 7, 2009  |  9 Comments

Today we have a guest blogger, Lawrence Orans of Gartner:

With the recession in full force, I am getting more questions from Gartner clients about the security risks associated with Skype.  Business executives view Skype as being “free” — they see it as a way to cut communications charges, but most are blind to the security risks.   Gartner has highlighted these risks in our research (see Q&A: Securing Skype in the Enterprise), namely the fact that Skype’s proprietary signaling protocol makes it hard to secure, the challenge of managing vulnerabilities in the Skype clients, and the threat from the IM features of Skype.  Because of these issues, our position has been that most organizations should block access to Skype, and if that is not possible, that they should take precautions to make Skype more enterprise friendly and secure.  

Pressure on IT executives to allow Skype is growing, so it is becoming increasingly difficult (politically) to say no and just block Skype.  Since there has not been a widespread, high-profile attack against Skype (save for a 2-day outage in August 2007 that was the result of a bug in the Skype system), it is difficult for IT execs to persuade business execs (many of whom are already using Skype) that Skype introduces security risks to the organization.  The politically smart choice for many IT execs is to allow Skype, albeit with the appropriate precautions.

Skype Version 3.8 (business version) provides some enterprise-friendly features that enable organizations to run the application more securely.  For example, IT managers can implement version control of the Skype client (so that all users are running the same version).  Version control is a huge problem with Skype.  One network manager recently told me that he counted 11 different versions of the Skype client amongst their 6500 desktops!  The business version of Skype also enables centralized policy configuration and control for the Skype clients.  So, most organizations should be able to mitigate Skype’s risks enough to allow it in their environment.  But, the process of mitigating these risks involves operational and support costs, so Skype should not be considered “free”.  

Lawrence Orans
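The two controls the post names for the business client, version control and centrally configured policy, are both things an administrator can verify rather than assume. The script below is an added example, not code from the Gartner post or from Skype: it inventories the Skype.exe build on a list of Windows desktops, flags drift from an approved version (the "11 versions on 6500 desktops" problem as a table), and optionally checks that the machine-wide policy disabling file transfer is applied. It assumes the desktops are reachable over the C$ admin share and WinRM, that Skype sits at its default path under Program Files, and that the policy is the DWORD `DisableFileTransfer` under `HKLM\SOFTWARE\Policies\Skype\Phone`, which is the key and value name from Skype's administrative template of that era as recalled here, not something stated on the page; adjust both to whatever your deployed template actually sets.

```powershell
<#
Added example (not from the Gartner post or from Skype): inventory the Skype client
build on each desktop, flag drift from the approved version, and optionally confirm
that the machine-wide "disable file transfer" policy is in place.

Assumptions (hypothetical, not stated on the page):
  * desktops are reachable over the C$ admin share and WinRM with an account that can read them;
  * Skype is installed at its default path under Program Files;
  * the policy is HKLM\SOFTWARE\Policies\Skype\Phone\DisableFileTransfer = 1 (DWORD),
    as recalled from Skype's administrative template; adjust to your deployed template.
#>
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [Parameter(Mandatory)] [string]   $ApprovedVersion,
    [string] $SkypeRelativePath = 'Program Files\Skype\Phone\Skype.exe',
    [switch] $CheckPolicy
)

function Get-SkypeClientState {
    param([string] $Computer)

    $shareRoot = '\\{0}\C$' -f $Computer
    $exe       = Join-Path $shareRoot $SkypeRelativePath
    $state     = [ordered]@{ Computer = $Computer; Version = $null; Status = $null; FileTransferDisabled = $null }

    if (-not (Test-Path -LiteralPath $shareRoot)) {
        $state.Status = 'UNREACHABLE'          # host down, share disabled, or no rights
    }
    elseif (-not (Test-Path -LiteralPath $exe)) {
        $state.Status = 'NOT-INSTALLED'        # or installed somewhere other than the assumed path
    }
    else {
        # FileVersion is what the user actually runs, regardless of what the deployment tool believes
        $state.Version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $state.Status  = if ($state.Version -eq $ApprovedVersion) { 'OK' } else { 'DRIFT' }
    }

    if ($CheckPolicy -and $state.Status -in 'OK', 'DRIFT') {
        try {
            $state.FileTransferDisabled = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
                $policyKey = 'HKLM:\SOFTWARE\Policies\Skype\Phone'   # assumed policy key (see header)
                $value = (Get-ItemProperty -Path $policyKey -Name DisableFileTransfer -ErrorAction SilentlyContinue).DisableFileTransfer
                $value -eq 1
            }
        }
        catch {
            $state.FileTransferDisabled = 'unknown'   # WinRM not available; policy state could not be read
        }
    }

    [pscustomobject]$state
}

$results = $ComputerName | ForEach-Object { Get-SkypeClientState -Computer $_ }

# Spread of builds across the estate: one row per distinct version, most common first.
$results | Where-Object Version | Group-Object Version | Sort-Object Count -Descending |
    Select-Object @{ n = 'Version'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Everything that needs attention: wrong build, unreachable, not installed, or policy not applied.
$results | Where-Object { $_.Status -ne 'OK' -or $_.FileTransferDisabled -eq $false } | Format-Table -AutoSize
```

Run it from a management workstation as, for example, `.\Get-SkypeInventory.ps1 -ComputerName (Get-Content hosts.txt) -ApprovedVersion '3.8.0.0' -CheckPolicy`, where the script name, host list and version string are placeholders. Reading the file version from the admin share rather than trusting the software-distribution database is deliberate: the version-sprawl problem the post describes is exactly the gap between what the deployment tool thinks is installed and what is on disk.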


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems… Read Full Bio

Thoughts on Lawrence Orans on Containing the Risk of Using Skype

  1. Stiennon says:

    Good info on Skype for business Lawrence.

    Don’t Next-gen firewalls give you control over Skype usage?


  2. Lawrence Orans says:

    Yes, thanks for pointing this out Richard. Next-gen firewalls can enable organizations to build policies around Skype usage. For example, by integrating with a directory, they could allow some users to use Skype and block others. Several firewall vendors and secure web gateway (SWG) vendors (including proxy vendors) have Skype signatures that allow them to build these policies. I have heard of some universities that are proxying Skype traffic, mainly so that they can have a “shut off valve” if they need it (if Skype traffic becomes too heavy, which may happen if there are a lot of Skype supernodes). But, it’s not common today to use a firewall or SWG to control Skype in commercial enterprises. Unfortunately, the most common practice today is to ignore Skype, which is not a good idea. We recommend that network managers take a stand – either block it outright, or allow it but with the controls in place to make it enterprise-friendly and secure.

  3. […] couple things to think about regarding Skype in the enterprise. Lawrence Orans on Containing the Risk of Using Skype Tags: ( general skype […]

  4. michael says:

    It’s worth noting that in a normal enterprise environment, the issue of supernodes does not occur. In an environment with local DHCP, and where desktops do not have publicly accessible IP addresses open for inbound connections, Skype clients can never become ‘supernodes’.

    This is the most prevalent enterprise setup.

    If in fact an enterprise has desktops with publicly accessible IP addresses, open for inbound connections, it incurs other risks that eclipse the possibility of minimal third-party traffic simply transiting the network. This traffic is arguably a simple ‘cost’ rather than a security risk.

  5. Lawrence Orans says:

    Thanks for your comments, Michael. I agree – supernodes are not an issue in a normal enterprise environment with good firewall protection. I can’t recall speaking with a commercial enterprise that has had issues with supernodes. Some university environments present different challenges, since many have less restrictive firewall rules.

  6. Doug says:

    The main concern I have with allowing any IM outside the corporate network is there is no way to truly validate who you’re chatting with. You have to trust Skype’s directory, which I don’t. Are there ways to only allow users who have authenticated against our corporate directory?

  7. Lawrence Orans says:

    The “impersonation issue” is a risk with Skype and any other public IM service. Anyone can register with any user name – the public services don’t check user registration. You’ve proposed a solution for mitigating the impersonation risk, but I don’t know of any solutions that would allow you to enforce a policy that says “only allow Skype chat sessions to employees within my corporate directory”. With enterprise IM solutions like Microsoft Office Communicator, IBM’s Lotus Sametime and others, you should be able to limit communications to users within the corporate directory.

    With Skype, even though you do have the risk of impersonation, you do have some control over how employees use Skype. For example, you could disable the file transfer function for all Skype clients (this feature is available with the Skype for Business 3.0 and later releases). So, users could chat with someone outside the organization, but could not send them valuable info via a file transfer.

  8. […] a blog posting earlier this year I commented on how the recession is causing enterprises to consider Skype as an […]

  9. Hello! I just wanted to ask if you ever have any problems with hackers? My last blog (wordpress) was hacked and I ended up losing several weeks of hard work due to no backup. Do you have any methods to protect against hackers?


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.