
FROM: Jason Snyder, Chief Technology Officer, Commonwealth of Massachusetts

DATE: 10-6-2011

RE: Advisory Memorandum – Skype


The Commonwealth Chief Technology Officer is issuing this Advisory Memorandum in response to questions raised about the use of the “Skype” communication application for Secretariat/Agency deployment.  At this time, the use of “Skype” should be limited to use within networks that effectively segment high sensitivity data and systems from medium to low sensitivity data and systems. In such cases, “Skype for Business” can be used after a thorough review and acceptance of the risks that are introduced.  In instances where Secretariats and their Agencies choose to use “Skype for Business”, it should only be done in security zones that are used for systems and data with lower security classifications.

Based on preliminary testing, current industry practices, Commonwealth Secretariat/Agency feedback, and business owner feedback, it is advised that Secretariats/Agencies take into consideration the following key points when evaluating whether or not to deploy “Skype”.

“Skype for Business” Version:

“Skype” offers a business version of their software that is enterprise based and addresses many of the security concerns relevant to business use of such tools.

  • Secretariats/Agencies that maintain a segmented network security approach that require the use of such video chat based tools may use “Skype for Business” if it’s deemed the appropriate solution for their organizational needs.

Key features include the following:

    • “Skype for Business” offers an active directory based Group Policy which can control many settings on the “Skype for Business” clients including the ability to turn off “supernodes” and file transfers.
    • “Skype for Business” can force its clients to leverage HTTP and HTTPS proxy servers in order to maintain control of bandwidth used by Skype.  This also allows for the ability to “Shut Down” all Skype traffic in the case of an emergency.
  • When using “Skype for Business”, Agencies should ensure that the use of “Skype” is implemented in a way that does not pose a risk to data and systems that are classified as having high sensitivity.  Due to the highly sensitive nature of data and systems that are hosted within MAGNet, “Skype for Business” is not allowed on MAGNet at this time.
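The proxy requirement described above only helps if someone is watching the proxy. The following is an added Python example, not code from the Commonwealth, ITD or Skype, that reads a constructed proxy log (the line format, the user names and the host name `skype.example` are all assumptions) to total the bytes each user sends to Skype hosts, flag users over a bandwidth quota, and list Skype connections the proxy still passed after an emergency “shut down” time.

```python
"""Bandwidth accounting for proxied Skype traffic (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample log; not real proxy output. Field layout (an assumption):
#   <epoch> <client_ip> <user> <method> <host:port> <bytes>
SAMPLE_LOG = """\
1317888000 10.1.5.23 jdoe CONNECT skype.example:443 1843200
1317888030 10.1.5.23 jdoe CONNECT skype.example:443 52428800
1317888060 10.1.5.44 asmith CONNECT skype.example:443 307200
1317888090 10.1.5.44 asmith GET intranet.example:80 4096
1317888120 10.1.5.61 bkim CONNECT skype.example:443 120000000
"""

# Hosts the Skype client is assumed to reach through the proxy (placeholder name;
# take the real list from the proxy's own logs for the deployment being reviewed).
SKYPE_HOSTS = {"skype.example"}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) ([A-Z]+) ([^:\s]+):(\d+) (\d+)$")


def parse_line(line):
    """Return a record dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    epoch, ip, user, method, host, port, nbytes = m.groups()
    return {"epoch": int(epoch), "ip": ip, "user": user, "method": method,
            "host": host, "port": int(port), "bytes": int(nbytes)}


def skype_bytes_per_user(log_text, skype_hosts=SKYPE_HOSTS):
    """Total bytes per user for connections to the Skype hosts; other hosts are ignored."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in skype_hosts:
            totals[rec["user"]] += rec["bytes"]
    return dict(totals)


def over_quota(totals, quota_bytes):
    """Users whose Skype traffic exceeds the quota, sorted by name."""
    return sorted(user for user, total in totals.items() if total > quota_bytes)


def connections_after_shutdown(log_text, shutdown_epoch, skype_hosts=SKYPE_HOSTS):
    """Skype connections the proxy still allowed at or after an emergency block time.

    A non-empty result means the block rule is not in effect on this proxy.
    """
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and rec["host"] in skype_hosts and rec["epoch"] >= shutdown_epoch]


if __name__ == "__main__":
    totals = skype_bytes_per_user(SAMPLE_LOG)
    for user, total in sorted(totals.items()):
        print(f"{user}: {total / (1024 * 1024):.1f} MiB to Skype hosts")
    print("over 100 MiB quota:", over_quota(totals, 100 * 1024 * 1024))
    leaked = connections_after_shutdown(SAMPLE_LOG, shutdown_epoch=1317888100)
    print("Skype connections after shutdown:", [r["user"] for r in leaked])
```

The quota and shutdown checks are deliberately separate functions so the same parsed log can feed a scheduled bandwidth report and a one-off verification that an emergency block actually took hold.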

“Skype for Facebook” Version:

“Skype” recently combined their efforts with the social media website “Facebook” to collectively offer a Skype-connected Video/Audio communication feature within the Facebook web page. 

  1. “Skype for Facebook” (leveraging https) may be considered for use on mobile computers when they are NOT plugged into a MAGNet connected network. 
  2. Key points include the following:
    • “Skype for Facebook” is a browser plug-in that does not install a full client on a user’s desktop, but instead integrates directly into Facebook functionality.  This plug-in updates itself, which eases concerns about potentially vulnerable older versions being used.
    • “Skype for Facebook” does not directly leverage peer to peer technology, but instead connects directly through http or https (user choice) to the Facebook data center, and then to a new “Skype” data center which then proxies the chat into Skype’s full peer to peer network.
    • “Skype for Facebook” does not include any file transfer capabilities.
    • “Skype for Facebook” contains no risk of a user’s computer becoming a “supernode”.
  3. Social Media implications
    • As of January 2011, Facebook’s terms changed in ways that no longer clash with the Commonwealth’s use legally.
    • As with any Commonwealth use of any form of Social Media, there are legal considerations which are addressed in the Commonwealth Social Media Legal Guidance Toolkit.
    • While the Commonwealth has made great strides to create specific social media toolkits for various forms of social media, there is not yet a specific toolkit addressing “Facebook”.  It is advised that state entities consult the Social Media Guidance and Best Practices web page for information surrounding use of Facebook or any other social media.

As with any technology deployment, we recommend secretariats/agencies conduct thorough testing of their own internal critical systems with “Skype for Business” or “Skype for Facebook” before considering implementing either as a communications solution. 

Skype Consumer-Based Version:

  1. After review by both the technology and security offices in ITD, it has been determined that the “Skype” consumer-based version violates enterprise policy due to its inherent peer-to-peer nature and cannot be used on MAGNet. 

Use of “Skype” on MAGNet introduces the following known risks:

    • “Skype” file transfers which are encrypted using Skype’s proprietary encryption may expose the MAGNet network to viruses, spyware or other malicious code without detection.
    • “Skype” file transfers which are encrypted using Skype’s proprietary encryption may also expose Secretariats/Agencies to the risk of confidential information being leaked to outside parties without detection.
    • As video data is bandwidth-intensive, “Skype” users can consume a sizeable amount of bandwidth on the MAGNet network without a way to control it.
    • A “Skype” client can sometimes cause a computer to become a “supernode”.  In a peer to peer network, “supernodes” act like a server, multiplying the amount of risk incurred.
    • Due to hacker exploitation and weaknesses in Skype’s file transfer feature, computers with “Skype” installed can be susceptible to botnet, denial-of-service and other attacks.
    • “Skype” can be downloaded at will, creating the potential of various client versions of the software installed across the Enterprise that could have known vulnerabilities, some of which even “Skype” might rate as "critical".
  2. Entities that require the use of this type of communication tool and do not have access to a segmented network are advised to contact ITD Unified Communications by emailing Brad.Steele@state.ma.us to look at possible policy compliant alternatives to “Skype”, or to establish a separate broadband connection and isolate any computers that may need to access “Skype” from MAGNet.

In summary, ITD does not allow use of the consumer-based, the business version, or the Facebook version of “Skype” over MAGNet at this time.  ITD does however encourage careful evaluation of the impact to your Secretariat/Agency’s critical business systems before considering implementing “Skype for Business” on a Non-MAGNet network.  With due diligence paid to the Commonwealth social media considerations, “Skype for Facebook” (leveraging https) may be considered for use on mobile computers when they are NOT plugged into a MAGNet connected network.  Use of consumer-based “Skype” is generally discouraged on a Non-MAGNet network. 


Concerns regarding this advisory can be sent to: standards@state.ma.us