May 13, 2011, 11:52 AM — Skype voice and video has tended to trigger IT security angst, and now that Microsoft has bought Skype, some observers are voicing hope that the service will be improved so that it can be better managed in an enterprise setting.
"For the enterprise and the government, the default posture is to block Skype," says Mike Lee, senior product marketing manager at Websense, alluding to what's been the longstanding effort to keep it out. However, that's not necessarily easy to do because Skype is designed to aggressively search out random ports to get through in any way it can.
"It's sneaky, it's an intelligent application that searches for routes out of a network through a wide range of random ports for any port that's open," Lee notes. Skype has been a huge challenge for the security industry to try to corral, and one of the best things Microsoft could do for the enterprise is to change Skype "to go out Web ports consistently and reliably," Lee suggests.
Microsoft should build management tools to make configuring and managing Skype a more tenable prospect, he notes. Skype's encryption is another aspect that poses challenges for enterprises.
"Skype is very secure from the perspective it encrypts everything," Lee points out. But for data-loss prevention, "it's very difficult to analyze what's going out the door."
While the same can be said of other communications that use encryption, Skype tends to be worse than most when it comes to controlled measures for decrypting traffic, inspecting it and encrypting it again. Lee says Websense has worked with some customers to set up what he calls "an enterprise-controlled man-in-the-middle attack" in which the Websense Web Security Gateway basically is "pretending to be a terminating point" for Skype.
"You can force Skype to go out over the Web at port 80 and we can establish the connection to decrypt it on the client side, inspect and then re-encrypt," Lee explains. But he acknowledges it's hardly an optimum approach, especially as it introduces a little latency that's unwanted in a video and voice application. Nonetheless, Skype is a security concern if only because it represents a "channel that could be used to carry data out of the enterprise."
Others also expressed some wariness about Skype in the enterprise.