Using ESBC\'s as A IAAS Cloud Platform for the SMB Space.

1. •
•BDPA DALLAS •May 24th Program
Meeting
•UC Security - Cloud
Computing
•Dean Jones, Engagement
Manager
•Infrastructure As A Service
(IAAS)

2. Discussion Topics
• Potential Security Breaches & Associated Cost
• Cloud Computing and Topology
• SIP – UC Cloud / IAAS Topology
• Case Studies

3. Potential Security Breaches

4. The Cost of Unsecured Hosted and Private UC Environments.
One Successful Toll
Fraud Attack $40,000

5. A crisis of complexity. The need for
progress is clear.
Global Annual Server Spending
(IDC)
300 Power and cooling costs
Management and admin costs
250
New system spend
200
Uncontrolled management
150
and energy costs
100
50
Steady CAPEX spend
$0B
To make progress, delivery organizations must address the server, storage
and network operating cost problem, not just CAPEX
Source: IBM Corporate Strategy analysis of IDC data
5 Cloud Computing

7. Reports: Security Pros Shift Attention
From External Hacks To Internal Threats
Majority of IT and security execs say insider vulnerabilities worry them most.
Mar 09, 2009 | 08:08 AM
By Tim Wilson
DarkReading
It's official: Today's security managers are more worried about insiders leaking sensitive
corporate data than they are about outsiders breaking in to steal it.
http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=215801195

8. Perimeter defense is essential –
But it doesn’t guard data against the human factor
Lost or  Intellectual property exposed to competitors
stolen  Sensitive customer data compromised
devices  Competitive information leaked to the
media
Exposed  Extracts pulled for processing and reporting
business  Circulating data across organizations
processes  Workarounds during system outages
Malicious  Malware deployed within the network
insiders  Intentional misuse of company information
 Identity theft and Industrial espionage
Careless use  Viruses unwittingly downloaded at home
of the  Unsecured archives or copies of data
corporate  Uncontrolled circulation of classified
documents or personal e-mail messages
network

9. Increased collaboration brings increased complexity
and increased risk.
Foes, Greml
ins, and
Banana
Peels
Coffee Shop
Hotels
Home
Business
Inadequate, disjointed Partners
Supply
technology management Chain

10. Many companies expend resources on the
network without achieving the expected results.
• A piecemeal approach to network security and updates leads to an overly complex infrastructure
– Time-consuming to pinpoint causes of performance
problems, especially for newly added voice and video applications that
impact traditional mission-critical applications
– Difficult to determine the best way to optimize costs and performance
– Hard to estimate future expenditures and justify current costs
– Almost impossible to predict capacity requirements accurately
• Through 2011, enterprises will waste $100 billion buying
the wrong networking technologies and services3
– Unnecessary technologies
– Excess bandwidth
– Unwarranted upgrades
3 Gartner, Gartner’s Top Predictions for IT Organizations
and Users, 2007 and Beyond, Daryl C. Plummer and others,
December 2006.

11. Ponemon Institute’s Security Breach Studies
• Ponemon Institute’s released two separate reports, ”The First Annual Cost of Cyber Crime
Study” (PDF), which was sponsored by ArcSight, “The Leaking Vault” (PDF) released today by
the Digital Forensics Association, both showing troubling findings for companies’ finances:
• a median cost of $3.8 million for an attack per year, including all costs, from detection,
investigation, containment, and recovery to any post-response operations.
• out of 2,807 publicly disclosed data breaches worldwide during the past five years, the cost
to the victim firms as well as those whose information was exposed reached $139 billion.
• nearly half of all of the reported breaches came from a laptop, which in 95 percent of the
cases is stolen
• hacks led to the most stolen records during 2005 to 2009, with 327 million of the 721.9
million covered in the report, although hacks represent only about 16 percent of the data
breaches
• Web-borne attacks, malicious code, and malicious insiders are the most costly types of
attacks, making up more than 90 percent of all cybercrime costs per organization per year
• A Web-based attack costs 143,209 USD; malicious code, 124,083 USD; and malicious insiders,
100,300 USD.

13. Cloud Security Breach Examples
• Google Doc allowed shared permission without user
knowledge
– http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en
• Salesforce.com phishing attack led to leak of a customer list;
subsequent attacks
– http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html
• Vasrev.com Webhost hack wipes out data for 100,000 sites
– http://www.theregister.co.uk/2009/06/08/webhost_attack/
• Twitter company files leaked in Cloud Computing security
failure
– /
http://www.infosecurity-us.com/view/2554/twitter-company-files-leaked-in-cloud-computing-security-failure
• DDoS attack that downed Twitter also hit Facebook
– http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_
2009-08-07

14. UC Cloud Computing and Topology

15. Cloud: Consumption & Delivery Models Optimized
by Workload
“Cloud” is: Cloud enables:
• A new consumption  Self-service
and delivery model
inspired by consumer  Sourcing options
Internet services.  Economies-of-scale
Cloud Services
Cloud Computing Model
“Cloud” represents: Multiple Types of Clouds
will co-exist:
 The Industrialization of  Private, Public and Hybrid
Delivery for IT  Workload and/or
supported Services Programming Model Specific
15 Cloud Computing

16. Is cloud computing really new? Yes, and No.
Cloud computing is a new consumption
and delivery model inspired by consumer
Internet services. Cloud computing exhibits Usage
Tracking Web 2.0
the following 5 key characteristics:
•On-demand self-service
•Ubiquitous network access End User Focused
•Location independent resource pooling Service
Virtualization
•Rapid elasticity Automation
& SOA
•Pay per use
While the technology is not new, the end
user focus of self-service, self-management
leveraging these technologies is new.
Cloud Computing

17. Today there are three primary delivery models that
companies are implementing for cloud
Enterprise
Public
Traditional Private Clouds
Enterprise IT Cloud Hybrid
Cloud
Private Cloud Hybrid Cloud Public Cloud
IT activities/functions are provided “as Internal and external IT activities/functions are provided
a service,” over an intranet, within the service delivery “as a service,” over the Internet
enterprise and behind the firewall methods are
integrated, with  Key features:
 Key features include: activities/functions – Scalability
– Scalability allocated to based on – Automatic/rapid provisioning
– Automatic/rapid provisioning security – Standardized offerings
– Chargeback ability requirements, criticality, – Consumption-based pricing.
– Widespread virtualization architecture and other – Multi-tenancy
established policies.
Source: IBM Market Insights, Cloud Computing Research, July 2009.
Cloud Computing

18. Security Implications of the Delivery
Models

20. Cost savings and faster time to value are the
leading reasons why companies consider cloud
To what degree would each of these factors induce you to
acquire public cloud services?
Pay only for what we use • Hardware savings
Reduce
costs
Software licenses savings • Lower labor and IT 77%
support costs • Lower outside maintenance costs
Take advantage of latest functionality •
Faster time to
value
Simplify updating/upgrading • Speed deployment 72%
• Scale IT resources to meet needs
Improve Improve system reliability •
reliability Improve system availability 50%
Respondents could rate multiple drivers items
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
UC Cloud Computing

21. Managing Cloud Adoption
• Cloud economics can be compelling
– Small companies will adopt as reliable, easy-to-use services are available
– Scale economics are within reach of many enterprises
• Client migration will be work load driven
– Trade-off is value vs. risk of migration
– Workload characteristics are critical
– New workloads will emerge as cloud makes them affordable (e.g. pervasive
analytics, Smart Healthcare)
21 Cloud Computing

22. Elements that Drive Cloud Efficiency and
Infrastructure
Economics
Virtualization of Drives lower capital
Leverage
Hardware requirements
Utilization of Virtualized environments
Infrastructure only get benefits of scale
if they are highly utilized
Clients who can “serve
Self Service themselves” require less
support and get services
Leverage
Labor
Automation of Take repeatable tasks and
Management automate
Standardization of More complexity =
Workloads less automation possible
= people needed

23. Enterprise Benefits from Cloud Computing
Capability From To
Server/Storage
10-20% Cloud accelerates 70-90%
Utilization
business value
Self service None across a wide Unlimited
variety of
Test Provisioning Weeks domains. Minutes
Change
Months Days/Hours
Management
Release
Weeks Minutes
Management
Fixed cost
Metering/Billing Granular
model
Standardization Complex Self-Service
Payback period
Years Months
for new services
Legacy environments Cloud enabled enterprise
Cloud Computing

24. Clients told us their implementation strategies —
public or private Cloud, present or future — for 25
specific workloads
Analytics
• Data mining, text mining, or other analytics
• Data warehouses or data marts Development and testing
• Transactional databases • Development environment
Analytics
• Test environment
Development
Business Services and Test
• CRM or Sales Force Automation
• e-mail
• ERP applications
Business • Industry-specific applications Infrastructure
Services • Application servers
• Application streaming
Collaboration • Business continuity/disaster recovery
Infrastructure
• Audio/video/web conferencing • Data archiving
• Unified communications • Data backup
• VoIP infrastructure • Data center network capacity
Collaboration
• Security
Desktop and devices • Servers
• Desktop
• Storage
• Service/help desk
• Training infrastructure
• WAN capacity
Desktop and
Devices
Source: IBM Market Insights, Cloud Computing Research, July 2009.

25. Clients cite "push factors" for and "barriers" against
cloud adoption for each workload type
Barriers
Higher propensity Data privacy or
regulatory and
for cloud compliance issues
Fluctuating demand
High level of Internal
Highly standardized control required
applications
Accessibility and
Modular, reliability are a
independent concern
applications
Cost is not a concern
Unacceptably Lower propensity
high costs
for cloud
Push factors
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090

26. IT needs to become smarter about…
… delivering “services” and service management
 Standardized processes
 Service management systems provide visibility, control and automation
 Lower operational costs and higher productivity
… optimizing workloads
 Rate and degree of standardization of IT and business services
 Complex transaction and information management processes
 Rapid return-on-investment and productivity gains
… deployment choices
 New models are emerging for the enterprise
 Self-service, economies-of-scale, and flexible sourcing options
 New choices of deployment – define these new models
Analytics Collaboration Development Desktop and Infrastructure Business
and Test Devices Services

27. Focus on Managing Services
End to End Service Management
Architectural and process level integration that
delivers business aligned Visibility, Control and
Automation of all Data Center Elements
Modular, Self-
Modular, Self- Legacy Environment :
contained, Scalable NON – IBM Solutions
contained, Scalable Workload Delivery Requiring workload
Workload Delivery Platform connectivity
Platform
Service Service Service
Management Management Management
WORKLOAD A WORKLOAD B WORKLOAD C
+ + + +
Mobility Facilities Production Technology Communications
Infrastructure Infrastructure Infrastructure Infrastructure Infrastructure

28. 3 options to deploy workloads – providing you
the choice to meet your business needs!
Smart Business Services – cloud services delivered.
1. Standardized services on the cloud – Public Cloud.
2. Private cloud services, built and/or run by Private Cloud.
Smart Business Systems – purpose-built infrastructure.
3. Integrated Service Delivery Platform
Analytics Collaboration Development Desktop and Infrastructure Business
and Test Devices Services

29. SIP – UC Cloud / IAAS Topology

30. What do we mean by Unified
Communications and Collaboration?
Web Conferencing
Messaging Video
Conferencing
Voice
Mobile
Instant
E-Mail
Messaging
Calendaring
Call Management Communities
Unified Communications + Collaboration = UC²
with the added power of mobility

31. Renovate & Innovate
• How do we address the immediate pressure to cut costs, reduce risk and
complexity?
• How do we Innovate to take advantage of new opportunities?
How can we do both at the same time?
• We focus on delivering services in new ways - lowering cost while increasing
speed and flexibility!

32. Benefits of Unified Communications
• UC benefits come from
extending the UC network Extended Workforce Suppliers, Partners
• New modes of collaboration
– Extended workforce
– Suppliers Remote Phones SIP Trunks
– Partners
Enterprise
– Clients
• Corporate policies
IP-PBX
– Business continuity UC Assets
– Privacy compliance, auditing
– Green initiatives Internal Phones SIP Trunks
• Cost reduction
Employees, Departments Clients
– Converged infrastructure
– SIP trunks

33. Challenges of Extending UC
• IP PBX & phone protection Extended Workforce Suppliers, Partners
• Policy and compliance
Internet Hacker Infected PC
enforcement
• Device and user authentication
Remote Phones SIP Trunks
• Signaling and media privacy
• Deployment Enterprise
– Phone configuration and
management IP-PBX
– Corporate firewall configuration UC Assets
– Remote firewall traversal
Internal Phones SIP Trunks
Employees, Departments Clients
Rogue Employee Spammer

34. Additional Security Concerns
• The significant security concerns for this type
of deployment are mainly SIP/SCCP/H.323 call
control and application level attacks along
with:
• Attacks originating from a peering network
• End user Spam attacks
• Border control and traversal issues
• Handling of domain policies

35. High-level Cloud Security concerns
Data Security
Less Control Migrating workloads to a
Many companies and governments shared network and
are uncomfortable with the idea of compute infrastructure
their information located on increases the potential for
systems they do not control.
Providers must offer a high degree
unauthorized exposure.
of security transparency to help Authentication and access
put customers at ease. technologies become
Reliability increasingly important.
High availability will be a key concern.
IT departments will worry about a loss
of service should outages occur.
Mission critical applications may not
run in the cloud without strong
availability guarantees.
Compliance
Complying with SOX, HIPPA,
PCI DSS, FERPA
Security Management
Providers must supply easy,
and other regulations may
visual controls to manage
prohibit the use of clouds
firewall and security
for some applications.
settings for applications and
Comprehensive auditing
runtime environments in the
capabilities are essential.
cloud.

36. Industry, Government, Risk & Corporate
Compliance
Numerous mandates for privacy apply to UC deployments as well as data protection
• FDIC VoIP Guidelines
• FERPA: Family Educational Rights and Privacy Act
• GLBA: Gramm-Leach-Bliley Act – consumer data protection
• FTC Safeguards for consumer protection, enforcing GLBA
• HIPAA: The Health Insurance Portability and Accountability Act
• PCI DSS: The Payment Card Industry Data Security Standard

37. Inherent Technology Threats

38. Cloud Security 101: Simple Example
TODAY TOMORROW
? ?
?
? ?
We Have Control ? Who Has Control?
It’s located at X. Where is it located?
It’s stored in server’s Y, Z. Where is it stored?
We have backups in place. Who backs it up?
Our admins control access. Who has access?
Our uptime is sufficient. How resilient is it?
The auditors are happy. How do auditors observe?
Our security team is engaged. How does our security
team engage?
Lesson Learned: We have responded to these questions before…
clouds demand fast, responsive, agile answers.

39. What is a SIP Trunk?
 Definition:
• SIP Trunk is a service offered by Enterprise
PSTN
an ITSP (Internet Telephony
Service Provider) that connects
a company's IP-PBX to the MGW
telephone system (PSTN) via PBX
Internet using the SIP VoIP
standard. IPCS
SIP Trunk ITSP
ISP
(Source: wikipedia.org)
LAN
 Extending VoIP: Internet
• With IP-PBX enterprise’s have
converged data and Voice over
LAN, SIP trunk allows
enterprises to do the same
over WAN/Internet

40. SIP Trunk Requirements
 Threat protection
• What about toll fraud, Spam, DoS
• Who has access to my PBX Enterprise
PSTN
• Monitoring of security incidences
 Policy enforcement
• Need to change Fire Wall policy?
PBX
• Control services and features
 Access control SIP Trunk ITSP
IPCS
• Who, from where, when
LAN
 Privacy
Internet
• Who has access to my private
communication
 Deployment issues
• Will it work
• Change, upgrades
• Voice Quality
• Visibility QoS/SLA

41. SIP Trunk Requirements Cont’d

42. Key Benefits of UC Cloud Computing
Security

43. The UC Cloud Computing Security
Competitive Advantage
Security Services Security Research
• Asset Discovery • Vulnerability Discovery
• Security Posture Assessment • Threat Advisory
• Business Risk Assessment • Exploit Tools (Sipera LAVA)
• Security Recommendations • Security Signature Development
Threat Protection
• Block reconnaissance
• Block DoS floods Privacy
• Block DDoS floods • Encryption (TLS to TCP) signaling
• Block stealth DoS proxy
• Block fuzzing/malformed messages • Encryption (SRTP or ERTP to RTP)
• Block spoofing, masquerading, toll media proxy
fraud • Topology hiding (network privacy)
• Rogue media blocking • User and caller ID privacy (user
• Block and verify anomalous behavior privacy)
Policy Enforcement
• Domain and user level blacklist
Access Control
• Network, user, device, ToD-based
• SSL/TLS X.509 certificate-based
policy control
mutual authentication
• Application control
• Clientless two-factor (RSA SecurID)
• Signaling control
authentication
• Media control
• Local firewall/NAT traversal
• Security rules and profiles
• Secure channel NAT traversal
• Soft key control
• SIP digest authentication
• Device security profiles
• RADIUS AAA integration
• Web application control
• Call admission control

44. Case Studies

45. The Cost Benefits of a SIP Deployment

46. Return on Security Investment
• Return on Security Investment factors
– Single Loss Expectancy (SLE)
• Dollar amount assigned to event
– Annualized Rate of Occurrence (ARO)
• Estimated frequency of event
– Annualized Loss Expectancy (ALE)
• SLE x ARO = ALE

47. Theft of Service Assumptions
• Large Enterprise with 500 SIP trunks
– 50% average utilization
• Without SIP trunk security
– Billing rate 2¢ / min
– Event forces theft of 20% of average utilized trunks
– SLE = 20% x 250 x 2¢ = $ 1/min
– ARO = 365 days x 24 hours x 60 min = events/year
– ALE = 365 x 24 hours 60 min x $1 = $525,600
• With UC Security -protected SIP Trunk
– VOIP Vulnerability Assessment
– Best practices
– Comprehensive UC security

48. Theft of Service Business Case
Unprotected SIP Trunk Protected SIP Trunk
Item Qty Unit Cost Total Cost Item Qty Unit Cost Total Cost
Capital Cost (list price) Capital Cost (list price)
VOIP Sec Asses 2 weeks $10,000 $20,000
UC-Sec 2000 HA 1 pair $65,950 $65,950
UC-SEC EMS 1 $7,495 $7,495
Installation 1 $3,000 $3,000
Total Capital Cost $0 Total Capital Cost $96,445
Monthly Service Theft Cost Monthly Maintenance Cost
Theft 30*24*60 $1 $43,200 UC-Sec Maint. 1 yr / 12 $13,190 $1,099
= 43,200 EMS Maint. 1 yr / 12 $1,499 $125
Total Monthly Theft Cost $43,200 Total Monthly Maintenance Cost $1,224
Pay Back Period: 3 months and IRR > 75%
With No VoIP/UC Security In place Annualized Loss Expectancy = $525,600

49. Loss of Service Assumptions
• Large enterprise
– 25,000 users
– 20% using softphones
• Assets
– 5 Avaya SES SIP servers
– 25,000 IP Phones
– 5,000 Softphones
– Softphone laptops carry company confidential
data

50. Threat Level Assumptions
• Threat level or probability of exploit • IP Phones, Softphones
– 37 Vulnerabilities discovered – Confidentiality
– 7 high threats with exploit probability • 1 medium: Unencrypted snoop
>70% per month – Integrity
– 5 medium threats with exploit • 2 medium: Spoofing / hijacking
probability >50% per month – Availability
– 26 low threats with exploit probability • 2 high: Denial of Service, fuzzing
<50% per month
• 1 medium: QoS degradation
• SIP Servers
• Softphones only
– Integrity
– Confidentiality and availability
• 1 medium: Spoof Call Server
• 2 high: Fuzzing with execute shell
– Availability code
• 2 high: Denial of Service – Integrity (no high/medium)
• 1 medium: Service degradation

51. Loss of Service ALE Calculation
Number Vulnerability Type Probability of Assets Affected $Loss on single Annualized rate Annualized Loss
Exploit occurrence of occurrence Expectancy
1 DoS High Server 15 mins, $50,000 7 350,000
2 DoS High Server 15 mins, $50,000 7 350,000
3 Degradation Medium Server 15 mins, $25,000 5 125,000
4 Spoofing Medium Server 15 mins, $35,000 5 175,000
5 DoS High IP Phone, 1 hr, $50 35 1,750
Softphone
6 DoS High IP Phone, 1 hr, $50 35 1,750
Softphone
7 Degradation Medium IP Phone, 1 hr, $25 25 625
Softphone
8 Spoofing Medium IP Phone, 1 hr, $500 25 6,250
Softphone
9 Hijack Medium IP Phone, 1 hr, $500 25 6,250
Softphone
10 Sniffing Medium IP Phone, 1 hr, $500 25 6,250
Softphone
11 Buffer overflow, High Softphone Company, $3000, 35 105,000
Shell-code
12 Buffer overflow, High Softphone Company, $3000, 35 105,000
Shell-code
Total 12 7 High, 5 medium ~ $1.2 million

52. Loss of Service Business Case
Unprotected IP-PBX Sipera-protected IP-PBX
Item Qty Unit Cost Total Cost Item Qty Unit Cost Total Cost
Capital Cost (list price) Capital Cost (list price)
VIPER Asses 2 weeks $10,000 $20,000
UC-Sec 50k HA 1 pair $229,850 $229,850
UC-SEC EMS 1 $7,495 $7,495
Installation 1 $3,000 $3,000
Total Capital Cost $0 Total Capital Cost $260,345
Monthly Service Loss Cost Monthly Maintenance Cost
Loss 1 $100,000 $100,000 UC-Sec Maint. 1 yr / 12 $30,000 $2,500
EMS Maint. 1 yr / 12 $1,499 $125
Total Monthly Loss Cost $100,000 Total Monthly Maintenance Cost $2,625
Pay Back Period: 3 months and IRR > 60%
With No VoIP/UC Security In place Annualized Loss Expectancy = $1,200,000

53. Other Downtime Effects
• Impact on stock price • Interest value on deferred billings
• Cost of fixing / replacing equipment • Penalty clauses invoked for late delivery
• Cost of fixing / replacing software and failure to meet Service Levels
• Salaries paid to staff unable to undertake • Loss of profits
productive work • Additional cost of credit through reduced
• Salaries paid to staff to recover work credit rating
backlog and maintain deadlines • Fines and penalties for non-compliance
• Cost of re-creation and recovery of lost • Liability claims
data • Additional cost of advertising, PR and
• Loss of customers (lifetime value of each) marketing to reassure customers and
and market share prospects to retain market share
• Loss of product • Additional cost of working; administrative
• Product recall costs costs; travel and subsistence etc.
• Loss of cash flow from debtors

54. Hacking Tools - YouTube Movies
• http://youtu.be/89fXxmaca4E
• http://youtu.be/x56j2BRkUME
• http://youtu.be/DU8hg4FTm0g