
Network Security Worries Prompt Limits on Employee Web Access

Security Fears Prod Many Firms To Limit Staff Use of Web Services


Companies are clamping down on employees' workplace use of the expanding range of free Internet services, such as instant messaging and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps.

General Electric Co. has barred outside instant-messaging and file-sharing programs, as well as access to personal online email accounts like those offered by Yahoo Inc. Telecom company Global Crossing Ltd. also blocks outside instant messaging and online email accounts. J.P. Morgan Chase & Co. is one of many banks that blocks Internet services it can't track or monitor, including outside instant-messaging, phone and email programs.

Another big bank, ABN Amro Holdings NV of the Netherlands, also bans many consumer-communications technologies, including Skype, the Internet phone service owned by eBay Inc. "I'm not allowing Skype because I don't know what it does," says Bill Rocholl, global head of strategy and engineering for ABN Amro's telecommunications and network services.


Mr. Rocholl says that in making such decisions he weighs whether the resources he needs to study and disarm any potential risks from Skype or other free services would outweigh the time or money that might be saved by using them.

The corporate crackdown underscores an emerging challenge for the Web. As the spread of broadband technology makes it possible for millions of Americans to watch TV on the Web or make cheap phone calls, companies, government agencies and universities are concerned about the possible side effects -- including the threat of a worm or other bit of malicious code sneaking into their computer systems.

Some companies worry the new services will overwhelm their networks with unwanted traffic. Others are primarily concerned about security or their ability to track workplace communications, especially in industries like financial services, where regular monitoring is required by regulators. Instant messages from the outside, for example, often aren't logged and archived the way email is, creating a potential backdoor for illicit communications or breaches of client privacy.

Skype and other service providers say such concerns are overblown. They say their products are in many cases safer than email attachments, a common source of viruses that businesses nonetheless consider indispensable tools. They also say the popularity of their services in part reflects their success in weeding out spam, viruses and other nuisances.

Still, many companies are proceeding cautiously. Global Crossing says it cut off its employees' access to outside instant-messaging services earlier this year after detecting a worm. It now has an internal instant-messaging system from Microsoft Corp., but that system can't be used to reach people outside the company.

Global Crossing started blocking its employees' access to personal email accounts on sites like Yahoo and Time Warner Inc.'s America Online in 2003 after a virus used them to slip in.

"I used to think nothing of checking my Yahoo mail several times a day," says Global Crossing Chief Marketing Officer Anthony Christie. Now that he can't, his long workday makes it hard to avoid using his work email account for personal messages, he says.


At Britain's Cambridge University, some colleges and departments ban Skype, fearing their data networks could become giant hubs for Skype transmissions from all over Europe. Most companies have stringent safeguards to block outside users from tapping into their internal networks, but many universities fear their more open systems could attract excessive traffic.

Skype and some of the other services that worry private network managers employ a decentralized technology known as peer-to-peer networking, in which users connect directly with one another to swap conversation or data, instead of linking to a central computer. Skype's system relies in part on computers known as supernodes that help direct traffic. Since ordinary users' machines can function as supernodes, some universities fear they will become supernodes and be flooded.

"We have had some occasions where the amount of traffic has been noticeable and has caused some problem," says Chris Cheney, head of the network division at Cambridge's Computing Service. Other universities, including Oxford and the University of Minnesota, have policies requiring Skype users to take steps in setting up their service that would prevent them from becoming way stations for other callers.

Kurt Sauer, Skype's chief of security, says that the belief that Skype could flood a network is based on a misunderstanding of how the technology works. In fact, he says, the computers that act as supernodes in Skype's system function as directories that indicate which users are online; they don't actually transmit calls.

The resistance to free Internet-based services comes as some commercial-network operators in Canada, China and elsewhere are moving to exclude certain online programs or limit the toll they take on network capacity. More than a year ago, for example, Canada's Rogers Communications Inc. and Shaw Communications Inc. assigned a lower priority to traffic generated by video-swapping programs BitTorrent and eDonkey; both services are heavy users of bandwidth, or transmission capacity.

Some Internet users fear such moves could set a precedent for phone and cable companies, which own the pipelines that give most consumers access to the Internet, to take a more aggressive stance toward phone and video services they view as potential rivals, by blocking their access to the network or charging them higher fees.

About 56% of the nation's households have high-speed Internet connections, according to research firm TNS Telecoms, making it feasible for them to use Skype and other Internet services. Many of those users don't hesitate to use the same services at work. In a recent international poll of 300 workers, British Internet-security company SmoothWall Ltd. found that 23% used Skype at work and 41% used instant messaging. More than 60% tapped into outside personal email accounts. Fewer than 54% knew if their companies had policies forbidding such activity.

"You now have umpteen ways of breaching security or violating corporate policy," says Shailesh Shukla, vice president of marketing and partnerships at Juniper Networks Inc., whose company allows him to use instant messaging regularly to communicate with colleagues. Mr. Shukla says that the modern, always-connected mobile workplace makes it increasingly hard to define and police the boundaries of private networks.

Adding to the policing problem is the subtlety of some new technology. For example, the same encryption that keeps Skype conversations private makes it hard to distinguish Skype transmissions from other data moving in and out of networks. That makes it tough to block Skype with a firewall, says Brian NeSmith, chief executive of Blue Coat Systems Inc., a Sunnyvale, Calif., company that recently introduced a Skype-blocking system for corporate use.

Michael Jackson, Skype's vice president of operations, says that many technologies that are now crucial business tools were once greeted with fear and suspicion. "Many organizations were initially scared of the Internet and email," he said. "Now there's hardly a workplace on the planet that doesn't have an Internet connection."

Corporate attitudes toward the new services may be starting to make a similar shift, especially among high-tech companies. Sonus Networks Inc., a telecom-equipment maker based in Chelmsford, Mass., allows outside instant messaging and doesn't block access to Skype. "It's a productivity tool," says Chief Executive Hassan Ahmed, adding that Sonus is now able to archive instant message communications as effectively as it does email.