Network Communications News (NCN) December 2016 - Page 29

IP security S P E C I A L F E AT U R E VoipSec’s Easy SBC platform can help deliver VoIP security. The voice security gap So here we are today. When it comes to voice applications, from a user perspective, we are increasingly moving away from having dedicated appliances delivering such services, to having servers installed in data centres running applications delivering not only voice, but video and presence services, all of which enable us to communicate more richly with our coworkers, partners and customers. Why then are voice applications so often deployed with no consideration of security? Or, deployments where security has been considered, have utilised encryption as a way of securing voice? Surely any security professional would call this into question immediately as it’s well known that encryption provides privacy of data, not security. Why have we not adopted the same model we use to secure our web and email applications? The reason is that the convergence of voice onto the data network has left a security gap. Security teams don’t really understand the threats associated with VoIP and take the lead from the team deploying the VoIP application. In short, history is repeating itself, but we are failing to learn from what we already know. The other aspect is that vendors and service providers are making statements around the security of an application or service being deployed, which insinuates that security is taken care of. Many of the SIP trunk providers today make these wild claims when in fact it’s a risk to both them and their customers. A customer would never trust a service provider delivering any other application, so why VoIP? The solution VoIP is an application that can be exploited in the very same way web and email can be exploited, so we need to use the tried and tested security architectures to deliver security in the same way. We also need to look at what these security vendors are delivering. Is it static security or does it work like a web proxy or email proxy in that the security policy can be defined, updates are regular and alerting is enabled. Are there additional features that allow specific threat vectors to be addressed and lastly, is it in the control of the security team or the network or application team? We have seen the rise of the Session Border Controller (SBC) as a VoIP security function, but this is a product that is fast showing its weaknesses when it comes to security. Having been originally created to solve interworking issues between carriers, we have latterly seen bolted on functionality that is positioned as security. Those who remember will recall that firewall vendors took this approach to solving the web and email security issues and experienced the same issues we are seeing with SBC’s and VoIP today. They failed and it was a new range of start-ups who addressed the issue differently that won the day. The conclusion With VoIP and UC we need to see the same mindset change occur. The security function has to adopt voice as just another application, around which they are building security policy and procedure that delivers a robust enterprise-wide security posture. Breach data is readily available; costs to the business are high. The difference with VoIP is that the typical breach does not only come with data leakage or downtime; it comes with a direct cost that has to be paid irrespective of where the fault lays. Customers should be looking at ways to secure their voice application with a dedicated security function that provides all the features we expect from our web and email security solutions. Anything less is leaving themselves wide open to costly breaches. 29 28-29 IP Security – VoipSec.indd 29 02/12/2016 11:07