4. The Cost of Unsecured Hosted and Private UC Environments.
One Successful Toll Fraud Attack: $40,000
5. A crisis of complexity. The need for progress is clear.
[Chart: Global Annual Server Spending (IDC), y-axis $0B to $300B, three series: Power and cooling costs, Management and admin costs, New system spend. Annotations: "Uncontrolled management and energy costs" over the first two series, "Steady CAPEX spend" over new system spend.]
To make progress, delivery organizations must address the server, storage and network operating cost problem, not just CAPEX.
Source: IBM Corporate Strategy analysis of IDC data
5 Cloud Computing
7. Reports: Security Pros Shift Attention From External Hacks To Internal Threats
Majority of IT and security execs say insider vulnerabilities worry them most.
Mar 09, 2009 | 08:08 AM
By Tim Wilson
DarkReading
It's official: Today's security managers are more worried about insiders leaking sensitive
corporate data than they are about outsiders breaking in to steal it.
http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=215801195
8. Perimeter defense is essential – but it doesn’t guard data against the human factor
Lost or stolen devices
  – Intellectual property exposed to competitors
  – Sensitive customer data compromised
  – Competitive information leaked to the media
Exposed business processes
  – Extracts pulled for processing and reporting
  – Circulating data across organizations
  – Workarounds during system outages
Malicious insiders
  – Malware deployed within the network
  – Intentional misuse of company information
  – Identity theft and industrial espionage
Careless use of the corporate network
  – Viruses unwittingly downloaded at home
  – Unsecured archives or copies of data
  – Uncontrolled circulation of classified documents or personal e-mail messages
9. Increased collaboration brings increased complexity and increased risk.
[Diagram, "Foes, Gremlins, and Banana Peels": the extended network now reaches Coffee Shop, Hotels, Home, Business Partners and the Supply Chain; the underlying weakness is inadequate, disjointed technology management.]
10. Many companies expend resources on the network without achieving the expected results.
• A piecemeal approach to network security and updates leads to an overly complex infrastructure
  – Time-consuming to pinpoint causes of performance problems, especially for newly added voice and video applications that impact traditional mission-critical applications
  – Difficult to determine the best way to optimize costs and performance
  – Hard to estimate future expenditures and justify current costs
  – Almost impossible to predict capacity requirements accurately
• Through 2011, enterprises will waste $100 billion buying the wrong networking technologies and services³
  – Unnecessary technologies
  – Excess bandwidth
  – Unwarranted upgrades
³ Gartner, Gartner’s Top Predictions for IT Organizations and Users, 2007 and Beyond, Daryl C. Plummer and others, December 2006.
11. Ponemon Institute’s Security Breach Studies
• Ponemon Institute released two separate reports, ”The First Annual Cost of Cyber Crime Study” (PDF), which was sponsored by ArcSight, and “The Leaking Vault” (PDF), released today by the Digital Forensics Association, both showing troubling findings for companies’ finances:
• a median cost of $3.8 million for an attack per year, including all costs, from detection, investigation, containment, and recovery to any post-response operations.
• out of 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as those whose information was exposed reached $139 billion.
• nearly half of all of the reported breaches came from a laptop, which in 95 percent of the cases is stolen
• hacks led to the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, although hacks represent only about 16 percent of the data breaches
• Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks, making up more than 90 percent of all cybercrime costs per organization per year
• A Web-based attack costs 143,209 USD; malicious code, 124,083 USD; and malicious insiders, 100,300 USD.
13. Cloud Security Breach Examples
• Google Doc allowed shared permission without user knowledge
  – http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en
• Salesforce.com phishing attack led to leak of a customer list; subsequent attacks
  – http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html
• Vasrev.com Webhost hack wipes out data for 100,000 sites
  – http://www.theregister.co.uk/2009/06/08/webhost_attack/
• Twitter company files leaked in Cloud Computing security failure
  – http://www.infosecurity-us.com/view/2554/twitter-company-files-leaked-in-cloud-computing-security-failure/
• DDoS attack that downed Twitter also hit Facebook
  – http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_2009-08-07
15. Cloud: Consumption & Delivery Models Optimized by Workload
“Cloud” is:
• A new consumption and delivery model inspired by consumer Internet services.
“Cloud” represents:
• The Industrialization of Delivery for IT supported Services
Cloud enables:
• Self-service
• Sourcing options
• Economies-of-scale
Multiple Types of Clouds will co-exist:
• Private, Public and Hybrid
• Workload and/or Programming Model Specific
[Diagram: Cloud Services delivered on top of the Cloud Computing Model]
16. Is cloud computing really new? Yes, and No.
Cloud computing is a new consumption and delivery model inspired by consumer Internet services. Cloud computing exhibits the following 5 key characteristics:
• On-demand self-service
• Ubiquitous network access
• Location independent resource pooling
• Rapid elasticity
• Pay per use
While the technology is not new, the end user focus of self-service, self-management leveraging these technologies is new.
[Diagram: the enabling technologies are Usage Tracking, Web 2.0, End User Focused Service, Virtualization, and Automation & SOA.]
17. Today there are three primary delivery models that companies are implementing for cloud
[Diagram: Traditional Enterprise IT → Private Clouds → Hybrid Cloud → Enterprise Public Cloud]
Private Cloud
IT activities/functions are provided “as a service,” over an intranet, within the enterprise and behind the firewall.
Key features include:
– Scalability
– Automatic/rapid provisioning
– Chargeback ability
– Widespread virtualization
Hybrid Cloud
Internal and external service delivery methods are integrated, with activities/functions allocated based on security requirements, criticality, architecture and other established policies.
Public Cloud
IT activities/functions are provided “as a service,” over the Internet.
Key features:
– Scalability
– Automatic/rapid provisioning
– Standardized offerings
– Consumption-based pricing
– Multi-tenancy
Source: IBM Market Insights, Cloud Computing Research, July 2009.
20. Cost savings and faster time to value are the leading reasons why companies consider cloud
To what degree would each of these factors induce you to acquire public cloud services?
Reduce costs (77%)
• Pay only for what we use
• Hardware savings
• Software licenses savings
• Lower labor and IT support costs
• Lower outside maintenance costs
Faster time to value (72%)
• Take advantage of latest functionality
• Simplify updating/upgrading
• Speed deployment
• Scale IT resources to meet needs
Improve reliability (50%)
• Improve system reliability
• Improve system availability
Respondents could rate multiple driver items
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
21. Managing Cloud Adoption
• Cloud economics can be compelling
– Small companies will adopt as reliable, easy-to-use services are available
– Scale economics are within reach of many enterprises
• Client migration will be work load driven
– Trade-off is value vs. risk of migration
– Workload characteristics are critical
– New workloads will emerge as cloud makes them affordable (e.g. pervasive analytics, Smart Healthcare)
22. Elements that Drive Cloud Efficiency and Economics
Leverage Infrastructure
• Virtualization of Hardware – Drives lower capital requirements
• Utilization of Infrastructure – Virtualized environments only get benefits of scale if they are highly utilized
Leverage Labor
• Self Service – Clients who can “serve themselves” require less support and get services
• Automation of Management – Take repeatable tasks and automate
• Standardization of Workloads – More complexity = less automation possible = people needed
23. Enterprise Benefits from Cloud Computing
Cloud accelerates business value across a wide variety of domains.
Capability                        From (Legacy environments)   To (Cloud enabled enterprise)
Server/Storage Utilization        10-20%                       70-90%
Self service                      None                         Unlimited
Test Provisioning                 Weeks                        Minutes
Change Management                 Months                       Days/Hours
Release Management                Weeks                        Minutes
Metering/Billing                  Fixed cost model             Granular
Standardization                   Complex                      Self-Service
Payback period for new services   Years                        Months
24. Clients told us their implementation strategies — public or private Cloud, present or future — for 25 specific workloads
Analytics
• Data mining, text mining, or other analytics
• Data warehouses or data marts
• Transactional databases
Development and Test
• Development environment
• Test environment
Business Services
• CRM or Sales Force Automation
• e-mail
• ERP applications
• Industry-specific applications
Collaboration
• Audio/video/web conferencing
• Unified communications
• VoIP infrastructure
Desktop and Devices
• Desktop
• Service/help desk
Infrastructure
• Application servers
• Application streaming
• Business continuity/disaster recovery
• Data archiving
• Data backup
• Data center network capacity
• Security
• Servers
• Storage
• Training infrastructure
• WAN capacity
Source: IBM Market Insights, Cloud Computing Research, July 2009.
25. Clients cite "push factors" for and "barriers" against cloud adoption for each workload type
Push factors (higher propensity for cloud)
• Fluctuating demand
• Highly standardized applications
• Modular, independent applications
• Unacceptably high costs
Barriers (lower propensity for cloud)
• Data privacy or regulatory and compliance issues
• High level of internal control required
• Accessibility and reliability are a concern
• Cost is not a concern
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
26. IT needs to become smarter about…
… delivering “services” and service management
Standardized processes
Service management systems provide visibility, control and automation
Lower operational costs and higher productivity
… optimizing workloads
Rate and degree of standardization of IT and business services
Complex transaction and information management processes
Rapid return-on-investment and productivity gains
… deployment choices
New models are emerging for the enterprise
Self-service, economies-of-scale, and flexible sourcing options
New choices of deployment – define these new models
Workload types: Analytics, Collaboration, Development and Test, Desktop and Devices, Infrastructure, Business Services
27. Focus on Managing Services
End to End Service Management: Architectural and process level integration that delivers business aligned Visibility, Control and Automation of all Data Center Elements
[Diagram: Workload A and Workload B each run on a Modular, Self-contained, Scalable Workload Delivery Platform with its own Service Management; Workload C is a Legacy Environment (NON-IBM Solutions) requiring workload connectivity, also under Service Management. All three sit on the Mobility, Facilities, Production, Technology and Communications Infrastructure.]
28. 3 options to deploy workloads – providing you the choice to meet your business needs!
Smart Business Services – cloud services delivered.
1. Standardized services on the cloud – Public Cloud.
2. Private cloud services, built and/or run by Private Cloud.
Smart Business Systems – purpose-built infrastructure.
3. Integrated Service Delivery Platform
Workload types: Analytics, Collaboration, Development and Test, Desktop and Devices, Infrastructure, Business Services
30. What do we mean by Unified Communications and Collaboration?
Web Conferencing, Messaging, Video Conferencing, Voice, Mobile, Instant Messaging, E-Mail, Calendaring, Call Management, Communities
Unified Communications + Collaboration = UC², with the added power of mobility
31. Renovate & Innovate
• How do we address the immediate pressure to cut costs, reduce risk and complexity?
• How do we Innovate to take advantage of new opportunities?
How can we do both at the same time?
• We focus on delivering services in new ways - lowering cost while increasing speed and flexibility!
32. Benefits of Unified Communications
• UC benefits come from extending the UC network
• New modes of collaboration
  – Extended workforce
  – Suppliers
  – Partners
  – Clients
• Corporate policies
  – Business continuity
  – Privacy compliance, auditing
  – Green initiatives
• Cost reduction
  – Converged infrastructure
  – SIP trunks
[Diagram: Enterprise UC Assets (IP-PBX, Internal Phones, SIP Trunks) serve Employees and Departments, and are extended over SIP Trunks and Remote Phones to the Extended Workforce, Suppliers, Partners and Clients.]
33. Challenges of Extending UC
• IP PBX & phone protection
• Policy and compliance enforcement
• Device and user authentication
• Signaling and media privacy
• Deployment
  – Phone configuration and management
  – Corporate firewall configuration
  – Remote firewall traversal
[Diagram: the same extended UC network as slide 32, now reached across the Internet by a Hacker, an Infected PC, a Rogue Employee and a Spammer.]
34. Additional Security Concerns
• The significant security concerns for this type of deployment are mainly SIP/SCCP/H.323 call control and application level attacks along with:
  – Attacks originating from a peering network
  – End user Spam attacks
  – Border control and traversal issues
  – Handling of domain policies
35. High-level Cloud Security concerns
Less Control
Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
Data Security
Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
Reliability
High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
Compliance
Complying with SOX, HIPAA, PCI DSS, FERPA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
Security Management
Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
36. Industry, Government, Risk & Corporate Compliance
Numerous mandates for privacy apply to UC deployments as well as data protection
• FDIC VoIP Guidelines
• FERPA: Family Educational Rights and Privacy Act
• GLBA: Gramm-Leach-Bliley Act – consumer data protection
• FTC Safeguards for consumer protection, enforcing GLBA
• HIPAA: The Health Insurance Portability and Accountability Act
• PCI DSS: The Payment Card Industry Data Security Standard
38. Cloud Security 101: Simple Example
TODAY                              TOMORROW
We Have Control                    Who Has Control?
It’s located at X.                 Where is it located?
It’s stored in servers Y, Z.       Where is it stored?
We have backups in place.          Who backs it up?
Our admins control access.         Who has access?
Our uptime is sufficient.          How resilient is it?
The auditors are happy.            How do auditors observe?
Our security team is engaged.      How does our security team engage?
Lesson Learned: We have responded to these questions before… clouds demand fast, responsive, agile answers.
39. What is a SIP Trunk?
Definition:
• SIP Trunk is a service offered by an ITSP (Internet Telephony Service Provider) that connects a company's IP-PBX to the telephone system (PSTN) via Internet using the SIP VoIP standard. (Source: wikipedia.org)
[Diagram: Enterprise LAN with PBX and IPCS, connected through the ISP and Internet by a SIP Trunk to the ITSP, whose MGW connects to the PSTN.]
Extending VoIP:
• With IP-PBX enterprises have converged data and Voice over LAN; SIP trunk allows enterprises to do the same over WAN/Internet
40. SIP Trunk Requirements
Threat protection
• What about toll fraud, Spam, DoS
• Who has access to my PBX
• Monitoring of security incidents
Policy enforcement
• Need to change firewall policy?
• Control services and features
Access control
• Who, from where, when
Privacy
• Who has access to my private communication
Deployment issues
• Will it work
• Change, upgrades
• Voice Quality
• Visibility QoS/SLA
[Diagram: Enterprise LAN with PBX and IPCS, SIP Trunk across the Internet to the ITSP and PSTN.]
46. Return on Security Investment
• Return on Security Investment factors
– Single Loss Expectancy (SLE)
• Dollar amount assigned to event
– Annualized Rate of Occurrence (ARO)
• Estimated frequency of event
– Annualized Loss Expectancy (ALE)
• SLE x ARO = ALE
47. Theft of Service Assumptions
• Large Enterprise with 500 SIP trunks
  – 50% average utilization
• Without SIP trunk security
  – Billing rate 2¢ / min
  – Event forces theft of 20% of average utilized trunks
  – SLE = 20% x 250 x 2¢ = $1/min
  – ARO = 365 days x 24 hours x 60 min = 525,600 events/year
  – ALE = 525,600 x $1 = $525,600
• With UC Security-protected SIP Trunk
  – VOIP Vulnerability Assessment
  – Best practices
  – Comprehensive UC security
48. Theft of Service Business Case
Unprotected SIP Trunk
  Capital Cost (list price): none                          Total Capital Cost: $0
  Monthly Service Theft Cost:
    Theft   30*24*60 = 43,200 min   $1/min   $43,200       Total Monthly Theft Cost: $43,200
Protected SIP Trunk
  Capital Cost (list price):
    Item             Qty         Unit Cost   Total Cost
    VOIP Sec Asses   2 weeks     $10,000     $20,000
    UC-Sec 2000 HA   1 pair      $65,950     $65,950
    UC-SEC EMS       1           $7,495      $7,495
    Installation     1           $3,000      $3,000
    Total Capital Cost                       $96,445
  Monthly Maintenance Cost:
    Item             Qty         Unit Cost   Total Cost
    UC-Sec Maint.    1 yr / 12   $13,190     $1,099
    EMS Maint.       1 yr / 12   $1,499      $125
    Total Monthly Maintenance Cost           $1,224
Pay Back Period: 3 months and IRR > 75%
With No VoIP/UC Security In place, Annualized Loss Expectancy = $525,600
49. Loss of Service Assumptions
• Large enterprise
– 25,000 users
– 20% using softphones
• Assets
– 5 Avaya SES SIP servers
– 25,000 IP Phones
– 5,000 Softphones
– Softphone laptops carry company confidential data
50. Threat Level Assumptions
• Threat level or probability of exploit
  – 37 Vulnerabilities discovered
  – 7 high threats with exploit probability >70% per month
  – 5 medium threats with exploit probability >50% per month
  – 26 low threats with exploit probability <50% per month
• SIP Servers
  – Integrity
    • 1 medium: Spoof Call Server
  – Availability
    • 2 high: Denial of Service
    • 1 medium: Service degradation
• IP Phones, Softphones
  – Confidentiality
    • 1 medium: Unencrypted snoop
  – Integrity
    • 2 medium: Spoofing / hijacking
  – Availability
    • 2 high: Denial of Service, fuzzing
    • 1 medium: QoS degradation
• Softphones only
  – Confidentiality and availability
    • 2 high: Fuzzing with execute shell code
  – Integrity (no high/medium)
51. Loss of Service ALE Calculation
No.  Vulnerability Type            Probability of Exploit   Assets Affected        $ Loss on single occurrence   Annualized rate of occurrence   Annualized Loss Expectancy
1    DoS                           High                     Server                 15 mins, $50,000              7                               350,000
2    DoS                           High                     Server                 15 mins, $50,000              7                               350,000
3    Degradation                   Medium                   Server                 15 mins, $25,000              5                               125,000
4    Spoofing                      Medium                   Server                 15 mins, $35,000              5                               175,000
5    DoS                           High                     IP Phone, Softphone    1 hr, $50                     35                              1,750
6    DoS                           High                     IP Phone, Softphone    1 hr, $50                     35                              1,750
7    Degradation                   Medium                   IP Phone, Softphone    1 hr, $25                     25                              625
8    Spoofing                      Medium                   IP Phone, Softphone    1 hr, $500                    25                              6,250
9    Hijack                        Medium                   IP Phone, Softphone    1 hr, $500                    25                              6,250
10   Sniffing                      Medium                   IP Phone, Softphone    1 hr, $500                    25                              6,250
11   Buffer overflow, Shell-code   High                     Softphone              Company, $3000                35                              105,000
12   Buffer overflow, Shell-code   High                     Softphone              Company, $3000                35                              105,000
Total: 12 vulnerabilities (7 High, 5 medium), ~ $1.2 million
52. Loss of Service Business Case
Unprotected IP-PBX
  Capital Cost (list price): none                      Total Capital Cost: $0
  Monthly Service Loss Cost:
    Loss   1   $100,000   $100,000                      Total Monthly Loss Cost: $100,000
Sipera-protected IP-PBX
  Capital Cost (list price):
    Item             Qty         Unit Cost   Total Cost
    VIPER Asses      2 weeks     $10,000     $20,000
    UC-Sec 50k HA    1 pair      $229,850    $229,850
    UC-SEC EMS       1           $7,495      $7,495
    Installation     1           $3,000      $3,000
    Total Capital Cost                       $260,345
  Monthly Maintenance Cost:
    Item             Qty         Unit Cost   Total Cost
    UC-Sec Maint.    1 yr / 12   $30,000     $2,500
    EMS Maint.       1 yr / 12   $1,499      $125
    Total Monthly Maintenance Cost           $2,625
Pay Back Period: 3 months and IRR > 60%
With No VoIP/UC Security In place, Annualized Loss Expectancy = $1,200,000
53. Other Downtime Effects
• Impact on stock price
• Cost of fixing / replacing equipment
• Cost of fixing / replacing software
• Salaries paid to staff unable to undertake productive work
• Salaries paid to staff to recover work backlog and maintain deadlines
• Cost of re-creation and recovery of lost data
• Loss of customers (lifetime value of each) and market share
• Loss of product
• Product recall costs
• Loss of cash flow from debtors
• Interest value on deferred billings
• Penalty clauses invoked for late delivery and failure to meet Service Levels
• Loss of profits
• Additional cost of credit through reduced credit rating
• Fines and penalties for non-compliance
• Liability claims
• Additional cost of advertising, PR and marketing to reassure customers and prospects to retain market share
• Additional cost of working; administrative costs; travel and subsistence etc.
Companies implementing VoIP technologies in an effort to cut communication costs and extend corporate voice services to a distributed workforce face security risks associated with the convergence of voice and data networks. UC Cloud Computing security and network integrity are an essential part of any UC Cloud Computing deployment. Two major barriers to cloud adoption for the 1,500 enterprises surveyed by IDG Enterprise Cloud Computing Research, Nov 2010 were:
• Security—67 percent cited it as a concern, including risk of unauthorized access, being able to maintain data integrity, and data protection
• Access to information—41 percent were concerned about being able to preserve a uniform set of access privileges across cloud apps.
The same security threats that plague data networks today are inherited by VoIP, but the addition of VoIP as an application on the network makes those threats even more dangerous. By adding VoIP components to your network, you're also adding new security requirements. VoIP encompasses a number of complex standards that leave the door open for bugs and vulnerabilities within the software implementation. The same types of bugs and vulnerabilities that hamper every operating system and application available today also apply to VoIP equipment. Many of today's VoIP call servers and gateway devices are built on vulnerable Windows and Linux operating systems.
On a global basis the total cost of Toll Fraud is now about $80bn, with $15bn of this accounted for by compromised PBX voicemail systems and around $10bn by hacking of IP based PBX solutions. The problem is growing despite all of the attempts of the industry to address it over the past few years; it is estimated that Toll Fraud is growing at a rate of around 10-15% per annum.
Industry reports show that DDoS attacks are more frequent, with growth assessments as high as 45%. Most industry experts agree that a major culprit is low-cost, freely distributed DDoS attack technologies. Industry experts find the bulk of attacks still stem from other sources, namely extortionists, cut-throat competitors and others who strike for profit. Industry experts agree that many of these attacks go unreported. After all, no one wants to go public when their systems have been assaulted. Customers flee, sales drop and stock prices follow suit. Perhaps most media-reported attacks are the work of hacktivists. But those who take aim at your bottom line—in the form of a ransom note threatening your website or a competitor lunging for market share—are still launching the majority of overall attacks.
Traditional Methods are Inadequate
Traditional methods such as using a static firewall are not equipped to support real-time communications requirements such as VoIP or multimedia services. These traditional security systems simply do not provide an acceptable level of protection against the robust attacks and unauthorized access attempts that are common in today’s real-time, peer-to-peer communications environment. This situation creates a multi-fold problem. First, firewalls that block unsolicited traffic across IP boundaries will not work with dynamically assigned port ranges. Secondly, policy management changes that affect RTP and RTCP pin-hole configurations will be too great for a traditional firewall. And finally, inbound calls do not have visibility to the private address of the phone they are attempting to reach. As a result, the phone will not even ring, and work-arounds that attempt to address this problem risk compromising network integrity.
“Information theft was still the highest consequence — the type of information [stolen] ranged from a data breach of people’s [information] to intellectual property and source code,” says Larry Ponemon, CEO of the Ponemon Institute. “We found that detection and discovery are the most expensive [elements].”
A recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Kark said the majority of organizations will incur a wide array of associated costs, sometimes significant enough to even put them out of business. Kark reported that discovery, response, and notification costs can be substantial. He averaged them out to be about $50 per lost record. These costs generally include outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers. "Forrester has seen a slight increase in this cost due to the increasing number of jurisdictions and circumstances to which breach disclosure applies, but we estimate this cost to be somewhere in this ballpark in the next few years," Kark added. Lost employee productivity also is a significant cost. When employees are diverted from their normal duties, or contractors are hired to respond to data breaches, the company incurs additional expenses, according to Kark, who noted that the Ponemon Institute calculated that this cost had increased 100% in 2006, going from $15 per record in 2005 to $30 per record in 2006.
The above is a clear indication that companies are getting complacent about their IT security. 12% of businesses blame it on senior management and 20% spend less than 1% of their IT budget on information security. The chief cause is that it is hard to measure the business benefits from spending money on security defenses. Unfortunately, only 20% of big firms analyze return on investment on their security expenditure.
Unified Communication benefits come from extending communications outside of the enterprise:
• Connecting with suppliers, partners, clients, and others via SIP trunks to the PSTN or other companies
• Enabling remote and teleworkers, executive work-at-home programs
• Deploying UC solutions to the enterprise including softphones, IM clients, and presence
Corporate policies drive UC features and security needs:
• Voice routing at the logical SIP layer allows for simpler business continuity and disaster recovery
• Enabling green initiatives such as work-at-home programs
Cost reduction was always one of the primary goals of VoIP and UC:
• Converged voice and data infrastructure saves on maintenance, power, and capital
• SIP trunks are often cheaper than similar TDM solutions, allowing sharing of voice and data trunks
Sipera UC-Sec appliances simply and securely enable unified communications.
With the extension of Unified Communications comes connections to untrusted, high risk networks:
• As in the data world years ago, router-based access control lists and data firewalls addressed trust and risk
• More complex UC attacks can circumvent data security measures
• Enterprise UC assets including the IP-PBX and phones must be protected
Business policies must also be enforced and compliance monitored:
• As an example, allow encrypted VoIP on the network, but disallow unencrypted VoIP and IM traffic
• As an example, blacklist SPAM phone calls, but whitelist emergency calls
Authenticating users and devices ensures resources are used properly, preventing toll fraud:
• Providing two-factor authentication with RSA tokens (similar to data VPNs) assures proper usage
• As an example, strong authentication helps protect against man-in-the-middle and spoofing attacks
Encryption is key to ensuring privacy:
• Proper privacy implements key exchange standards, TLS signaling encryption, and SRTP media encryption
• Offloading encryption from UC assets like Cisco Call Managers ensures call capacity is unaffected
Deployment of VoIP / UC presents many challenges:
• Configuring and managing remote phones
• Creating pin-holes and managing complex deep packet inspection rules on data firewalls
• Automatically traversing remote (home) firewalls and NAT systems for plug-and-play teleworker configuration
The Issue of Security
The reality is that, in tandem with all the benefits and flexibility SIP trunking provides, it has distinct and more intensive security requirements than TDM. A TDM PSTN gateway provides an explicit demarcation point between the enterprise network and the service provider, combined with ingrained security features. When SIP trunks are implemented, security concerns arise. It is extremely difficult for a malicious external user to traverse the network interconnection and access the enterprise network through a traditional TDM trunk, while it is fairly easy to do so when the interconnect point is IP. Because SIP trunks offer direct IP connectivity to the enterprise network, they are inherently less secure than TDM trunks. At the same time, one TDM trunk carries one call while a one-megabit link could carry thousands of SIP calls, which increases the risk of a denial of service attack and the damage that may be caused. These kinds of problems can be solved by implementing an E-SBC (enterprise session border controller), something interoperable with all variations of SIP and with sufficient intelligence to facilitate the secure interactions of the various devices. Such an E-SBC could, for example, solve deployment issues, prevent attacks and deliver value to the enterprise in the process. Such a mediating device would essentially ensure that the requirements of enablement, control, protection, demarcation and ROI are met.
Key point: Some concerns are more relevant to the UC Cloud than others; these are the most frequently discussed.
Less control: Uncomfortable with the idea of their information on systems they do not own in-house. Cloud computing changes some of the basic expectations and relationships that influence how we assess security and perceive risk. In the cloud, it’s difficult to physically locate where data is stored. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user. While the intent of security remains the same - to ensure the confidentiality, integrity, and availability of information - cloud computing shifts control over data and operations. This forces us to think about security in terms of the cloud provider, the custodian of our information, and how they ultimately implement, deploy, and manage security on our behalf.
Data Security: A shared, multi-tenant infrastructure increases the potential for unauthorized exposure, especially in the case of public-facing clouds. Data will be:
• Stored in multi-tenant environments, spanning multiple layers in the cloud stack
• Accessed by various parties of different trust levels (users, tenants, privileged cloud admins)
• Located in various geographies
• Enforced by various contractual obligations and SLAs
• Governed by various regulations and industry best practices
• Secured by multiple technologies and services
Reliability: They are worried about service disruptions affecting the business.
Compliance: Regulations may prohibit the use of clouds for certain workloads and data.
Security Management: How will today’s enterprise security controls be represented in the cloud?
Public clouds maximize concerns. Hybrid & private clouds resonate with clients in demand of higher assurance.
NAT (network address translation) traversal. NAT traversal is the process by which IP address information is modified inside IP header messages, and because IP traffic is routed by headers, devices need to be able to look into packets and read the embedded NAT addressing information. Yet traditional firewalls cannot do this. Consequently, to permit external traffic to enter the network, service providers often require the enterprise to "open up" the firewall in ways that compromise security, reduce network control at the application layer, and prevent the effective implementation of routing policies for SIP-based traffic. Given the plethora of threats facing networks today, such openness is unacceptable. Changes to the firewall open holes for attacks from external sources such as hackers, malicious users and spammers.

According to the Communication Fraud Control Association (CFCA), the body that monitors communication fraud, the crime of "phreaking" (hacking into a PBX and using it to route calls) costs UK businesses $2 billion to $2.4 billion per year. Authorities estimate that telecoms fraud caused by security gaps costs businesses nearly $80 billion per year. Other common attacks include Denial of Service (DoS)/Distributed Denial of Service (DDoS) message floods and fuzzing, stealth DoS, and spoofing attacks. A DoS attack on a VoIP system, to give an example, floods a phone with spoofed requests that overwhelm the phone's protocol stack and disable the device. A low-volume variation on this kind of attack can cause VoIP phones to ring continuously.
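To make the NAT-traversal point concrete, here is an added example (written for this page; not code from the original presentation or from any E-SBC vendor) that parses a SIP INVITE and lists the addresses embedded inside the message body and headers: the Via and Contact headers and the SDP o=/c= lines that tell the provider where to send responses and RTP media. A packet filter translates only the IP header, so these literals still name the private LAN address; the rewrite function shows the payload-level fix-up a SIP-aware border device performs instead. The message, the 192.168.1.20 phone address and the 203.0.113.10 public address are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: an INVITE from an IP phone on a private LAN
# (192.168.1.20, placeholder) heading out to a SIP trunk provider.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@enterprise.example>;tag=1928301774\r\n"
    "To: <sip:+15551234567@trunk.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

# Headers whose address literals the far end uses to route replies.
# Call-ID also carries the LAN address, but it is an opaque dialog
# identifier and must NOT be rewritten, or dialog matching breaks.
ROUTING_HEADERS = ("via", "contact", "record-route", "route")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private (RFC 1918) addresses the provider cannot route to."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def parse_sip(raw):
    """Split a SIP message into (start line, {lower-case name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def embedded_addresses(raw):
    """Map each routing-relevant location to the IPv4 literal it carries.
    These live in the SIP payload, not the IP header, so a firewall that
    only translates the header never sees or changes them."""
    _, headers, body = parse_sip(raw)
    found = {}
    for name in ROUTING_HEADERS:
        for i, value in enumerate(headers.get(name, [])):
            for addr in IPV4.findall(value):
                found[f"{name}[{i}]"] = addr
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):   # SDP origin and connection lines
            for addr in IPV4.findall(line):
                found[line[:2]] = addr
    return found


def needs_rewrite(raw):
    """Embedded literals a NAT-traversal function must rewrite before the
    message leaves the enterprise: anything the provider cannot reach."""
    return {loc: addr for loc, addr in embedded_addresses(raw).items()
            if is_rfc1918(addr)}


def rewrite_for_nat(raw, public_ip):
    """Rewrite private literals in routing headers and SDP to the public
    address presented by the NAT, and recompute Content-Length because the
    body may change size. The IP header itself is left to the NAT."""
    def swap(m):
        return public_ip if is_rfc1918(m.group(1)) else m.group(1)

    head, _, body = raw.partition("\r\n\r\n")
    new_body = "\r\n".join(IPV4.sub(swap, l) if l.startswith(("o=", "c=")) else l
                           for l in body.split("\r\n"))
    new_head = []
    for line in head.split("\r\n"):
        name = line.partition(":")[0].strip().lower()
        if name in ROUTING_HEADERS:
            line = IPV4.sub(swap, line)
        elif name == "content-length":
            line = f"Content-Length: {len(new_body)}"
        new_head.append(line)
    return "\r\n".join(new_head) + "\r\n\r\n" + new_body
```

Run `needs_rewrite(SAMPLE_INVITE)` to see the four locations (Via, Contact, o=, c=) that a header-only NAT leaves pointing at the LAN; after `rewrite_for_nat(SAMPLE_INVITE, "203.0.113.10")` the same check returns nothing, while Call-ID is deliberately untouched.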
Key message: Security doesn't change when you move to the cloud, but the way in which we integrate, deploy, and manage security does.

Point 1) Cloud is about not knowing the details. We don't care about the underlying infrastructure; we care about the business services running on top of the cloud. Physical machines, networking gear, and in some cases operating systems, middleware and applications are irrelevant to the customer. However, security is about knowing all the details (patch levels, networking protocols, application code, etc.). Cloud providers must offer customers the ability to see what's behind the curtain and give information about what security tools are in place.

Point 2) Nothing here is new. We've dealt with many of these problems before in strategic outsourcing, SOA, etc. Security remains the same: it is about providing confidentiality, integrity, and availability. In most cases, security technologies and the products built from them will remain the same when applied to cloud environments (encryption, access control, intrusion prevention, isolation, etc.). However, the speed with which cloud services can be assembled and terminated (often without the security admin's knowledge or permission) presents new challenges for security vendors and cloud providers alike.
The SIP trunk E-SBC security device should provide all of the following to ensure the four requirements of enablement, control, protection and demarcation are met:
• VoIP threat prevention: comprehensive SIP and media protection
• VoIP policy compliance: fine-grained policy enforcement
• Secure access: firewall/NAT traversal and an encrypted signaling and media proxy (TLS and SRTP)
• Demarcation: a clear line of defense and termination point for SIP trunks within the enterprise

This VoIP security device deploys at the edge of the enterprise network within the DMZ, between the network's internal and external firewalls, to ensure complete protection. The device performs border control functions such as firewall/NAT traversal, access management and control based on unified communications policies, and intrusion prevention functionality to defend against denial of service, spoofing, stealth attacks and voice spam.

The E-SBC is the safe SIP trunk choice for the enterprise. The E-SBC:
• Serves as the demarcation point for the enterprise VoIP and UC network and enforces fine-grained security policies.
• Protects against SIP and RTP threats by blocking them at the enterprise perimeter.
• Is proven in SIP trunk deployments involving all major VoIP and UC manufacturers and across all verticals.
• Performs firewall/NAT traversal to simplify the deployment of SIP trunks.
• Is upgradable to support advanced UC security functionality: safe VoIP and UC to any device over any network.
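As an added illustration of the policy-enforcement and intrusion-prevention functions listed above (example code written for this page, not the UC-Sec product's own implementation), the following policy engine takes the fields a SIP front end has already parsed (source address, method, timestamp) and applies three checks an E-SBC makes at the trunk demarcation point: only provisioned provider addresses may signal on the trunk, so spoofed or unsolicited sources are dropped; only the methods a trunk legitimately needs are accepted; and a per-source sliding-window rate limit flags request floods, even from a trusted peer. The trunk address range, the thresholds and the event sequence are constructed placeholders.

```python
import ipaddress
from collections import deque

# Constructed placeholders: the provider's trunk signalling range as it would
# be provisioned on the E-SBC, and the methods a trunk legitimately carries.
# REGISTER, SUBSCRIBE and similar requests arriving from outside on a trunk
# have no business purpose and are dropped before they reach the IP-PBX.
TRUSTED_TRUNK_PEERS = ("203.0.113.0/28",)
TRUNK_METHODS = frozenset({"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS"})


class TrunkPolicy:
    """Per-request admission decisions at the SIP trunk demarcation point."""

    def __init__(self, trusted_peers=TRUSTED_TRUNK_PEERS, methods=TRUNK_METHODS,
                 max_requests=20, window_s=5.0):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_peers]
        self.methods = methods
        self.max_requests = max_requests
        self.window_s = window_s
        self.windows = {}   # source ip -> deque of recent request timestamps

    def decide(self, src_ip, method, ts):
        """Return (verdict, reason); verdict is 'allow', 'drop' or 'rate-limit'."""
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.trusted):
            # Not a provisioned peer: spoofed or unsolicited trunk traffic.
            return "drop", f"{src_ip} is not a provisioned trunk peer"
        if method not in self.methods:
            return "drop", f"{method} is not permitted on a trunk"
        # Sliding-window count per source. A trusted peer is limited too:
        # a compromised or mis-configured peer can still flood the PBX.
        q = self.windows.setdefault(src_ip, deque())
        q.append(ts)
        while q and q[0] <= ts - self.window_s:
            q.popleft()
        if len(q) > self.max_requests:
            return "rate-limit", f"{len(q)} requests in {self.window_s}s from {src_ip}"
        return "allow", ""


# Constructed event stream: (timestamp in seconds, source address, method).
SAMPLE_EVENTS = (
    [(0.00, "203.0.113.5", "INVITE"),        # normal trunk call
     (0.10, "198.51.100.7", "INVITE"),       # not a provisioned peer
     (0.20, "203.0.113.5", "REGISTER")]      # wrong method for a trunk
    + [(1.0 + i * 0.01, "203.0.113.5", "INVITE") for i in range(30)]  # burst
)


def run_sample(events=SAMPLE_EVENTS):
    """Apply the policy to the event stream and return the verdicts in order."""
    policy = TrunkPolicy()
    return [policy.decide(src, method, ts)[0] for ts, src, method in events]


if __name__ == "__main__":
    for (ts, src, method), verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{ts:5.2f} {src:>14} {method:<8} -> {verdict}")
```

With the default threshold of 20 requests per 5 seconds, the burst of 30 INVITEs from the trunk peer is allowed up to the limit and then rate-limited for the remainder, while the unsolicited source and the REGISTER are dropped outright; in a real deployment the rate-limit verdict is what feeds a DoS alert.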
UC-Sec appliances offer comprehensive security for voice over IP (VoIP) and unified communications, enabling enterprises to take full advantage of the cost savings and productivity opportunities VoIP and UC offer, over any network to any device. With UC-Sec, enterprises can safely deploy new UC applications, including:
• Softphones, Wi-Fi, and dual-mode smartphones
• E-mail, voice, video, and instant messaging integration

Enterprises are also able to simply and easily extend rich communications to home and remote work configurations, including teleworkers, mobile workers with remote IP phones, partners, the supply chain, and customers with SIP trunks. Most importantly, businesses are now empowered to focus on managing their primary core competencies.
• Cost savings: operational and capital
• Allows for consolidation: to one ISP/ITSP, one data center
• Simplicity: works with installed IP-PBX and telephones
• Efficiency: efficient use of bandwidth