Skype Security Risks for the Enterprise, Part 1
Recently, I have had a number of questions from clients about the use of Skype in the Enterprise and the security risks that it presents. While Skype is not new, I believe this represents exactly the type of question that IT security will be increasingly asked: How to say yes to the use of applications that are consumer-oriented, distributed and, frankly, difficult to secure.
I know, most of you are picturing yourself hands on hips in the Superman pose, saying in a loud, clear, steady voice, "Skype? Not on my network!" I foresee a couple of problems with this position: first, these users are not necessarily on your network. Many are probably toting laptops, traveling and connecting up in a hotel or WiFi hotspot. Second, it's really not your network: it's the business'. And if end users with enough business justification (or political clout) need it, you're probably going to have to live with it. Third, probably no one actually asked you anything. More likely, you just found out the CEO is already using Skype while she travels to talk to her kids via video conference. Now what, Superman? You better have a good argument for shutting down family hour or... figure out how to say yes and do it as safely as possible.
To try to help answer that question, we will cover Skype use in a three-part series. The first part, which you're reading now, introduces the topic and outlines the approach. Next, we'll review the specific concerns and risks that Skype presents. The last part will provide fairly detailed recommendations and even a few procedures.
Skype is a peer-to-peer (P2P) application whose features include Voice over IP (VoIP) communication, video conferencing, screen sharing, file transfer and instant messaging (IM). Skype is purposely built to easily traverse firewalls and NAT devices. As it is a P2P application, no central gateway is required for Skype to work: endpoints communicate directly with each other. All Skype session traffic is encrypted from endpoint to endpoint.
The benefits of using Skype are pretty easy to understand: it's free (mostly), widely adopted, and easy to use. However, the combination of features built into Skype, its network behavior, and its ability to tunnel (encrypt) all of its session data present real security risks for organizations.
For organizations that require strict control or auditing of communications going in and out of the organization, Skype should be banned. This is easier said than done; we'll cover how to identify and block Skype later in the series. For everyone else, a careful evaluation of the benefits and risks that Skype presents to the organization is more appropriate. If the benefits to the organization are strong enough, the first task for the IT organization is to identify all the risks and requirements for running Skype (relatively) safely in the environment.
- Policies governing the use of Skype should be identified or created.
- Appropriate controls and administrative procedures should then be put into place.
- End user awareness and training will also need to be addressed.
- Adherence to policy and procedure, as well as Skype usage itself, should be monitored on an ongoing basis.
In the next part of this series, we'll review the specific risks that Skype presents to the Enterprise.
August 2, 2010