Can You Control Skype?

Submitted by Mike Rothman on Wed, 2006-03-22 10:06.

There is clearly a move to take back control of corporate networks. Which, to be clear, is a good thing. Ultimately corporate networks (and the devices that run on them) are the property of the corporation and should be treated as such. I'm as big an MP3 user as most, but that doesn't mean I should have 20GB of music on my work laptop. I have a jukebox that I carry with me, and that suits me just fine.

But what about Skype? Obviously a lot of small businesses are using Skype for business calls. So, controlling Skype is not high on the agenda given the cost savings it provides, especially for those global organizations. Yet it still begs the question for enterprises: should you allow Skype? If so, can you control it? If not, how can you stop it?

It seems that my friends over at the Burton Group have a strong opinion about the topic, as evidenced by this quote in an article called "Skype Dangers May Be Acceptable to Business" on March 7:

"If the risk is too high - ban Skype. If the reward outweighs the risk - consider Skype as part of your overall communications strategy," says Irwin Lazar, senior analyst for Burton.


Now that is taking a hard position. First let's weigh the actual risks of Skype. It uses a very innovative mechanism both to evade detection and to ensure connections go through unfettered, regardless of the security products put in place. It also uses its own encryption techniques to make sure the sessions (and files or conversations) cannot be snooped. NetworkWorld contracted with Ed Mier a while back to see what the real impact of Skype was on a network and whether it was a security risk. The article is at http://www.networkworld.com/reviews/2005/121205-skype-test.html. The answer was rather impressive in that Mier couldn't really find anything wrong with running Skype, from a security perspective.

Of course, that assumes that none of your devices is a Skype Supernode, their term for a call switching node. Kind of like a Class 4 switch for Skype calls. Have any of you seen a Class 4 switch? They are big, have lots of horsepower, and a ton of network connectivity. Your desktop is not that, so if you mysteriously have significant network congestion and your computer is inexplicably smoking, you should probably turn it off. Supernodes are bad for corporate network hygiene.

Now, from a policy perspective, it could present a big problem. Let's say you are in a regulated business and you need to have every call with a customer logged and in some cases recorded. You can't do that with Skype. You won't even know the call happened. Most of your diligent employees wouldn't be doing something below board like this, but you wouldn't know it even if they did. That's a problem. Same goes for environments with real sensitive intellectual property. Skype can transfer files too.

I'm pretty sure that the "extrusion prevention" tools like Vontu and Reconnex don't know what to do with Skype either. So it's not something that you can control if you let it in. Yes, free is a good price, so the cost savings can be compelling. But for those having to answer to Sen. Sarbanes or Rep. Oxley, you may want to think twice. It's hard to have strong controls on something that you can't control.

How do you stop it? As with most things, you can attack it at the network or at the endpoint. Skype was designed by the folks that did Kazaa, so they know a little bit about how to go into a network undetected. I saw an announcement from SurfControl (http://biz.yahoo.com/prnews/060321/sftu084.html?.v=52) that says they can stop Skype on the gateway, and maybe they can. For now. How long will it be before Skype changes the packet dynamics and connection mechanisms? I guess since they are owned by eBay now, they are less likely to act like hackers, but still. Part of their value is that it just works, so I suspect they'll spend some time making sure it still works, regardless of the "defenses" that security vendors put in place. That may not be a battle that SurfControl (or any other network solution) can win.

So that leaves the endpoint, which is where I think it should be controlled. You can deploy application control technology as a subset of endpoint security to basically define a list of acceptable applications that can run on the desktop. Skype wouldn't be on it. Thus, the executable will not run on the desktop and Skype is not a problem anymore.

Does that seem too simple? Maybe it is, but there is no prize for finding the hardest, most technically elegant solution to anything. Do what works, and application control will work to control this (and any other) unwanted application.
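
To make the allowlist idea above concrete, here is an added example (not from the original post and not any vendor's implementation): a default-deny check keyed on the SHA-256 of a file's contents, so a renamed copy of an unapproved client is still blocked. The class and function names, the byte strings standing in for executables, and the paths are all constructed for illustration.

```python
import hashlib
from typing import NamedTuple

class Decision(NamedTuple):
    allowed: bool
    reason: str

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

class AppAllowlist:
    """Default-deny application control keyed on file content, not file name."""
    def __init__(self):
        self._approved = {}  # sha256 hex digest -> human-readable label

    def approve(self, label: str, image: bytes) -> None:
        self._approved[sha256_hex(image)] = label

    def check(self, path: str, image: bytes) -> Decision:
        digest = sha256_hex(image)
        label = self._approved.get(digest)
        if label is None:  # anything not explicitly approved is blocked
            return Decision(False, f"DENY  {path} ({digest[:12]} not on allowlist)")
        return Decision(True, f"ALLOW {path} (approved as '{label}')")

# Constructed stand-ins for executable images; real use would hash the file on disk.
MAIL_CLIENT = b"MZ constructed sample: approved mail client"
VOIP_CLIENT = b"MZ constructed sample: unapproved VoIP client"
UNKNOWN_TOOL = b"MZ constructed sample: unknown download"

# Constructed launch attempts as (path, image bytes) pairs.
SAMPLE_LAUNCHES = [
    (r"C:\Program Files\Mail\mail.exe", MAIL_CLIENT),
    (r"C:\Program Files\Skype\Skype.exe", VOIP_CLIENT),
    (r"C:\Users\alice\Desktop\mail.exe", VOIP_CLIENT),  # renamed copy
    (r"C:\Users\alice\Downloads\tool.exe", UNKNOWN_TOOL),
]

def build_policy() -> AppAllowlist:
    policy = AppAllowlist()
    policy.approve("mail client", MAIL_CLIENT)
    return policy

def blocked_launches(policy, launches):
    """Return the paths the policy would refuse to run."""
    return [path for path, image in launches if not policy.check(path, image).allowed]

if __name__ == "__main__":
    policy = build_policy()
    for path, image in SAMPLE_LAUNCHES:
        print(policy.check(path, image).reason)
```

A hash-keyed list has to be updated every time an approved application is patched, which is the operational cost of this approach.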