Hello everyone, I wanted to see what members thought about companies allowing the free version of Skype on their corporate network. I have been asked about this many times and have seen this as well. There seems to be many different opinions on this.
After reviewing a couple of studies and reading many security articles related to free Skype on a corporate network, there have been vulnerabilities, and there will be more in the future, but many of these are no different from the vulnerabilities we have with our browsers, Adobe, Flash and Java. As long as versions are kept current, those risks should be low.
The main disadvantage of allowing free Skype on our network is lack of control and loss of information. Then again, is this really any different from allowing users to access social media or personal webmail?
I usually suggest free Skype is a bad idea on a corporate network but my latest research has me questioning myself.
I think that you need to go through the motions of a risk assessment. The way that you referred to using other Internet applications on organization resources makes me think that this was trivialized in the past.
Allowing each individual application in a vacuum may seem insignificant. As you permit access you are making actual changes to your security posture that may be imperceptible to you, but not necessarily to an adversary (inside or outside). The aggregate of all vulnerabilities in your enterprise may make you considerably more at risk than you think.
Software development is how I got into IT so I'll put that hat on...
Always the #1 question to ask -- what are your requirements? If there is a business need to use a Skype-like product, then explore that some more in the context of requirements, drivers, enablers, etc. If not, then there is your answer.
You have concerns about Skype on your systems but the post didn't cover why someone wants to load Skype on your systems.
If you have a need for a Skype-like product, then have you done any internal trade studies on what meets the org's requirements best? Skype isn't the only provider out there. How does your org know Skype is what it wants?
Implementation before design is rarely a good thing.
Here's the fun technical part. How have you prototyped/tested any of the potential/candidate solutions? Have you monitored network traffic while testing it to see all the things which are hitting your infrastructure? If you're worried about vulnerabilities, have you researched that? Like going out to something like exploit-db and others and seeing what can be done to Skype?
If you've done this work, great. If not, how does one make a recommendation one way or another? Wouldn't someone along the way in the decision making process eventually look for facts?
To use your example of Skype, it may be worth implementing in an organization that doesn't prioritize security but has a need for continuous easy communication between users' systems, but not in an organization where communication is to be tightly controlled & security is a major concern.
Nothing is free, remember that. What are you giving up by using this "free" tool? Does it send info about your network out, etc.?
Also make sure to read the EULA (End User License Agreement) to make sure it can legally be used on a corporate network. It used to be that free software was designed to be used by non-business customers, and the EULAs clearly stated that it was not for use on corporate, business, or government networks. That may have changed, but I always like to check. You may want to have your legal department (if you have one) take a look at it. Look to see what data it collects and transmits.
Maintenance has already been mentioned but make sure you have the people to support it.
That's a good point. I assumed Bill (@bspicer) was talking about letting folks just have access to their personal Skype accounts so they can coordinate their grocery shopping and the like with their spouse. But, if it's for commercial use there's a liability there for unauthorized use.