The move to convergence of voice and data is undeniable, and it is commonly acknowledged that within ten years IP telephony will be the norm. This is borne out by the fact that two-thirds of Global 2000 enterprises are expected to implement VoIP technology by 2006, according to Deloitte Services LP analysts, and by Insight Research, which predicts that by 2007 the global market for VoIP will be US$196.5 billion.
However, as with the board game, for every ladder there is a snake. In this case, for every new technology, there are corresponding security threats. For every forward-thinking company wanting to embrace the digital networked economy, there is a hacker waiting to exploit any vulnerabilities – and the more technology advances, the more sophisticated the attacks become.
Benefits and Threats
There is no denying the benefits of voice and data integration – cost reduction, bandwidth efficiency, enhanced scalability and improved productivity to name but a few. In addition, the indirect benefits of convergence are that companies can run not just voice and data, but a wide range of applications such as unified messaging, video conferencing or flexible remote access, all over one network.
Clearly the potential hardware savings are substantial, and convergence eliminates the need to negotiate separate maintenance contracts.
In parallel, however, the convergence migration process opens networks and applications to new threats, and is one of the primary forces driving the increased IT security spending that we have seen over recent years. IDC, for example, estimates that the Western European security software market reached almost $2.5 billion in 2003.
The reason why running voice over your IT network causes more security problems isn’t immediately obvious, but it lies in the significant changes that are made to the infrastructure. Traditionally the technology in a TDM-based environment was mainly circuit-based and proprietary – and as such was difficult to infiltrate or corrupt. This gave companies complete confidence in their telephone systems, and security was simply something that never had to be considered.
Unfortunately, however, in the new IP-based communications environment, PBX and associated application functionality reside on standard computing platforms. This means that they are vulnerable to the same risks that affect the whole data environment, including the propagation of viruses, worms and Trojans.
These threats only increase as IP networks extend outside the enterprise, particularly with a global internet-connected population and the rise of home working. Each remote connection or access point is just another place that has to be secured, which makes the company more and more vulnerable.
Failure is not an Option
However, there is a reason that VoIP security is so important – call quality and reliability. There is no point having the most technologically advanced VoIP network in the world if the customer can’t understand what you are saying on the phone, or your CEO can’t get a dial tone.
This is where the big industry players have a problem – voice availability is a given. Traditional systems simply didn’t fail, or failed so rarely that people would be shocked. With IT / data networks, people are in many ways used to the occasional downtime, but this simply isn’t the case with voice. With email, most of the time it makes no difference if a message takes five minutes to come through – but if a phone call takes that long the user will be on the phone to the helpdesk. Failure to get a dialling tone or to connect a call to its destination is simply unacceptable.
Security, consequently, is critical. Any failure of service (even a short interruption) can have disastrous consequences.
Take the example of a global bank that will be conducting transactions continually. If somebody infiltrates the network and initiates a successful denial-of-service attack, the potential implications extend far beyond lost revenue from the actual downtime itself. One obvious example is that of negative press coverage – which can quickly and easily increase the market awareness of the problem, and in turn damage the brand. This could then result in a loss not only of the trust of existing customers but also of potential new business opportunities.
There are even more serious potential problems if you take the example of the healthcare sector. Imagine a major hospital’s intensive care unit. Via the drug company’s 24-hour contact centre helpline, it needs to check availability of a drug which (with one administration) will save a life. In this context, loss of voice service and inability to check crucial details might lead to loss of life and, for the drug company, potential litigation, adverse publicity and a negative impact on its brand.
As a result of these types of threats, there is increasing awareness of how important it is to ensure the resilience of voice solutions and that this functionality must be built into voice applications from the start. Consequently, many former data solutions giants are investing strongly in marketing voice security and exploiting it as a point of differentiation. Clearly security is only one aspect of maintaining VoIP integrity, but others such as network management and quality of infrastructure tend to be easier to control – security is affected by outside influences.
Strategy and the CSO
So how can companies tackle the current and possible future threats to voice integrity? A good first step is to put in place appropriate security policies and procedures – to make sure that as far as possible users know what to do and how to use the system, to help prevent any security breaches being caused by internal mistakes.