Skype still beats on the enterprise door with regularity. Brandon Knight talks about Skype in the enterprise over at infosecisland. I’ve talked about it before and before and before and before and before…
I like Brandon’s take on the potential eavesdropability risk with Skype (which is almost certainly real, since China allows its use and they certainly never would if it were truly private):
For example, how are you communicating today in your organization? If you are making calls which route across a PSTN (Public Switched Telephone Network) then you are already putting your conversations into the hands of service providers, governments, and whoever else may have physical access to the lines.
Fair enough argument. But this only applies to people who understand that Skype isn’t a private network. I’ve had plenty of discussions where users argue that Skype *is* private. You can’t make that assumption; you’re using someone else’s app, over someone else’s lines, and through someone else’s proxy/login/servers.
This also applies only to the instances given. If I want to eavesdrop on John’s Skype conversations, I can do some network tomfoolery to reroute traffic. Doing that on a PSTN or something else is a whole different game. The name of the game in the digital world is efficiency, which blows away any comparable example in the analog world (just ask the MPAA or RIAA…).
Brandon’s article is an excellent companion to any discussion about Skype in the enterprise, and he brings up decent points about public information disclosure, desktop maintenance, network security visibility (data exfiltration), and even side-channel delivery of content such as the ads accompanying the app.
There are even other considerations, such as how you handle people’s personal accounts upon termination (and contact lists and client/customer contact habits), automatic updates, logging, etc.