You only need to type “voice over IP security” into Google and find the millions of results to realise the depth of the fear. Malicious damage to your business through business interruption, virus or denial of service (DoS) attacks, criminal activity, telephony fraud or theft of information are all genuine concerns.
However, IT managers should question what has changed in terms of threats: we are all concerned over information and its security, but what dimensions does voice over (VoIP) add?
Mindset is all. The key drivers for VoIP adoption are the ability to have more sophisticated, flexible services, and cost savings. The latter can be the downfall of many security strategies.
Perceived security risks increase dramatically when VoIP is used for cost eradication only, rather than cost control. There is a cost associated with good VoIP application, for example the access systems (SIP trunks) or delivery (minute termination). If the people setting the strategy have the wrong mindset, the risks in deploying VoIP increase.
Today there are two different methodologies for deploying VoIP. First, open systems where applications use the internet as the backbone to deliver a voice call. These calls suffer from the standard insecurities of the internet. There are new standards for encrypting such traffic, but these calls are still at a greater risk of attack than through a closed system, which is the second option.
It costs more, but poses no greater security problems than traditional public telephony. For these solutions, a company would run VoIP through a secure wide area network and hand calls directly to the voice carrier, which would run them through its secure backbone until local breakout to the telephone network.
So in what way can a closed system be insecure? The risk comes from the outposts, the edge devices which can leave holes in a company’s security.
More companies are providing home broadband connections directly connected to the company network for home workers and company executives. These people often have little IT knowledge, yet could be responsible for a wireless router, giving direct access to a corporate network.
Denial of service and especially spam over internet telephony (Spit) is being raised as a major concern: imagine receiving 20 voicemail messages every morning for Viagra or the promise of £10,000,000 from the Nigerian lottery. This could be potentially crippling to a company that needs inbound voice communication.
With the perception that VoIP is free, Spit is a major concern, added to which is the introduction of Enums. An Enum is the method of making VoIP free between different VoIP vendors or applications through the association with an IP address rather than a telephone number.
Consider how many spam emails you would receive if it cost the sender 2p per email, or would your financial director mind how many were received if your company were given 1p for every spam email?
Currently Spit has an associated cost, so the solution is simple: do not use Enums. It is better to stick to non-geographic numbers with a charge of 2p per minute.
Security is a risk with any form of IT, but cost control – rather than eradication – is the smart thinking that will allow businesses to manage VoIP security threats more effectively.
reader comments