"I'm always intrigued by how people distinguish between business and consumer - we're all consumers, right? We all download instant messaging software," says Kailash Ambwani, president & CEO of instant messaging (IM) security developer FaceTime.

He argues that enterprise IM software such as Microsoft's Live Communication Server (LCS) and IBM's Lotus SameTime has its place, and is doing a good job in boosting awareness, but is unlikely to displace the public or consumer IM clients like the AOL, MSN and Yahoo Messengers, even within companies.

That's partly because the latter already own the market, but also for reasons of cost and compatibility - public IM is free to the user, and if your friends or colleagues are established on AIM or Yahoo say, that's where you must go to join them.

"It depends which analyst you talk to, but there's between 30 million and 50 million IM users within business, that number's growing rapidly and they're mostly on the public IM networks," Ambwani adds. "On the consumer side it's already happened - there's around 300 million users."

A public boost
Installing enterprise IM for internal use may even accelerate the uptake of public IM. He quotes an IBM/Gartner study as showing that people exposed to SameTime find it so useful that they want public IM too, so they can also talk to people outside the organisation.

The message for companies is therefore don't try to fight it - concentrate instead on making it safe. And don't assume that there is no IM usage in your organisation just because you've banned it or blocked a few ports. This stuff is port-agile and security-aware, and may even use encryption to go undetected.

FaceTime addresses this need with two security devices, Ambwani says. The first is an IM proxy that provides monitoring and logging, with anti-virus, anti-spam and content filtering, plus links to corporate directory services for identity management, while the second is a perimeter device that identifies protocols and can apply policies to them.

"We still run into a lot of corporates who think they have blocked IM, here in the UK as well as in the US," Ambwani adds. "We can set our appliance in non-blocking discovery mode and lend it to them, and sure enough they find they have thousands of IM sessions running."

Adding P2P to the mix
Once you include peer-to-peer protocols, it gets even worse. Most networks are designed on a core architecture, but if traffic never even passes through the core then how can it even be detected, much less managed and filtered?

"The whole security landscape is changing now," Ambwani says. "It was to build a wall around us and keep the bad guys out, but now there's a new generation of threats brought in by your employees, and once they're in they go out - and firewalls aren't designed for outbound traffic."

Nor is it a stationary target - he says FaceTime currently blocks over 40 protocol threats and has set up a team to identify more, which is averaging three new protocols a month. It also provides free vulnerability surveys, with tools to mimic P2P and test your security.

He argues though that IM and P2P are as much an opportunity as a threat, and says companies need to look at the potential benefits they could gain from emerging collaborative tools.

"I think that over time people will want to enable business use of P2P applications, although by their very nature those should be well behaved," he says. "Skype is a harbinger of things to come, it's a fusion of IM and P2P, and we will see more and more IM clients based on P2P.

"It's not just 'let people do it because they'll do it anyway,' it's 'let people do it because it has business value.' So don't block it, but do make sure it's safe."