Skype voice and video has tended to trigger IT security angst, and now that Microsoft has bought Skype, some observers are voicing hope that the service will be improved to help it be better managed in an enterprise setting.
“For the enterprise and the government, the default posture is to block Skype,” says Mike Lee, senior product marketing manager at Websense, alluding to what’s been the longstanding effort to keep it out. However, that’s not necessarily easy to do because Skype is designed to aggressively search out random ports to get through in any way it can.
“It’s sneaky, it’s an intelligent application that searches for routes out of a network through a wide range of random ports for any port that’s open,” Lee notes. Skype has been a huge challenge for the security industry to try to corral, and one of the best things Microsoft could do for the enterprise is to change Skype “to go out Web ports consistently and reliably,” Lee suggests.
Microsoft should build management tools to make configuring and managing Skype a more tenable prospect, he notes. Another aspect of Skype, its encryption, also poses challenges for enterprises.
“Skype is very secure from the perspective it encrypts everything,” Lee points out. But for data-loss prevention, “it’s very difficult to analyze what’s going out the door.”
While this can be said to be true of other communications using encryption, Skype tends to be worse than most when it comes to controlled measures for decrypting traffic, inspecting it and encrypting it again. Lee says Websense has worked with some customers to set up what he calls “an enterprise-controlled man-in-the-middle attack” in which the Websense Web Security Gateway basically is “pretending to be a terminating point” for Skype.
“You can force Skype to go out over the Web at port 80 and we can establish the connection to decrypt it on the client side, inspect and then re-encrypt,” Lee explains. But he acknowledges it’s hardly an optimum approach, especially as it does introduce a little latency that’s unwanted in a video and voice application. Nonetheless, Skype is a security concern if only because it represents a “channel that could be used to carry data out of the enterprise.”
Others also expressed some wariness about Skype in the enterprise.
“Look, I love Skype, it’s a wonderful tool,” says Matt McKinley, U.S. director of product management at StoneSoft. But in an enterprise setting, Skype raises a multitude of concerns, he notes. It’s not only “very, very hard to block,” but the protocols used in Skype are “proprietary and not subject to peer review.” There has been a huge amount of mystery about what Skype really is at its core, something its European software developers have kept a tight secret. That has led to suspicion and speculation about Skype over the years from many quarters.
“There are open questions about what Skype is capable of doing or not,” says McKinley. These include whether Skype has a backdoor for eavesdropping, an idea bolstered three years ago by reports out of Europe that claimed unnamed Austrian officials were listening in on Skype conversations. (But most of the time, governments around the world are heard to complain that Skype is stymieing their surveillance efforts, as last month the Russian security service FSB did by asking that Skype — as well as Gmail and Hotmail — be banned from Russia.)
McKinley said corporate customers and the industry would benefit if Skype became more open and standardized, which would help give security vendors and enterprise customers a better chance at ensuring it’s used appropriately. Skype itself has had security issues, such as a need for patching, as any other application might.
Microsoft isn’t divulging its full plans for Skype, but earlier this week Microsoft CEO Steve Ballmer said Skype, which has 170 million users, will be tightly integrated into Office, Xbox and Windows Phone in the future, and will continue to be offered to non-Microsoft devices and platforms. He said he expected to see more business users connecting via Skype calls in the future.