Sipera: As UC/VoIP Grows So Do Security Threats and Need For Solutions

Security Featured Article


October 01, 2009

By Brendan B. Read, Senior Contributing Editor


It is a truism that it doesn’t take long for great innovations to be attacked and manipulated to nefarious ends. Unified communications, or “UC,” and VoIP unfortunately are no different. That reality has kept Sipera Systems busy. It makes solutions for VoIP security and UC security that enable enterprises to deploy teleworkers, distributed call centers, business continuity, secure SIP trunks, toll fraud prevention and media forking for logging and archiving.

 
TMCnet caught up with Adam Boone, Sipera’s vice president of marketing.
 
See their full exchange below.
 
TMC: Could you outline the severity of the data security (deliberate: i.e. ID/other theft, accidental: i.e. losing laptops) problem and trendlines?
 
AB: Our company is focused on VoIP and UC security, which has some fundamental differences from data security.  The primary differences are: 
 
  1. VoIP and UC security deals with real-time applications in motion (i.e. highly time sensitive) whereas data security often focuses on data storage and the security of systems processing data, in addition to classic data security components such as firewalls.
 
  2. VoIP and UC security utilize new and different end-point devices which open new attack vectors (i.e. phones, soft-phones, mobile smart-phones, video devices).
 
  3. Data that must be protected by statute, mandate or industry standard will traverse VoIP and UC networks just as it will a classic data network. However, the data may take a different form, such as a person relating health information verbally in a VoIP call, or inputting their credit card number with touch-tones on a VoIP line. Application layer information contained in these communications will not be protected by network-focused or end-point focused security, but must involve application-layer security.
 
VoIP and UC deployments have reached a critical mass in the security sense. Basically, this means that there are enough of these systems deployed and in production that their security architectures are now being tested in the wild. Several of our customers have deployed VoIP and UC to conduct distributed contact center functions, permitting agents to be located anywhere and conducting proficiency-based routing of inbound calls, for example. These innovations present certain unique security challenges, such as access control and threat mitigation at the application layer.
 
TMC: How are contact centers and staff vulnerable to deliberate and accidental data loss? Has Sipera seen for example a step-up in attacks from outside and inside contact centers? Compare contact centers with retail and other environments as data risk points.
 
AB: Contact centers are as vulnerable as any other communication mechanism to potential data loss unless the appropriate security precautions and security architecture are put in place. Several Sipera customers operate distributed contact centers, where agents may be working out of their homes or remote offices, and the objective is to securely extend fully featured unified communications – VoIP, IM, web collaboration applications, video – to their remote location.
 
And yes, attacks are increasing against this new infrastructure.  We have an enterprise customer, for example, that uses our solution to provide a secure UC connection to their contact center representatives via VoIP and SIP trunks.  Our security appliance terminates the SIP trunk on the enterprise customer’s side and then provides continuous scanning of all signaling and media to look for threats and attacks.  Within only two hours of being installed, our appliance detected and blocked a reconnaissance attack which was a precursor to a potential denial of service attack.  Had the attack been successful, this retail-oriented company could have had their contact center go entirely off-line, and the contact center is a primary mode of interaction with the company’s clients.  This is an anecdotal example, but it is consistent with the trend we are seeing. 
 
TMC: Where are the risk points in contact centers? Discuss UC, wireless networks, VoIP and IP networks to remote offices/home agents, employee relations/culture, nearshoring/offshoring and home agents.
 
AB: Primary threats against contact centers using VoIP and UC include:
 
  • Reconnaissance attacks, which probe for security gaps that may lead to exploits that result in data theft or interception
 
  • Denial of Service, which can completely disrupt contact center operations without adequate real-time security architecture
 
  • Targeted Denial of Service, which can narrowly target a specific application or even a specific user.  Because the traffic involved does not trip the threshold trigger of legacy data security devices, these can disrupt the call center’s VoIP operation without being detected or blocked
 
  • Eavesdropping: tools for capturing voice or video communications are widely available and our company has experience with helping companies recover from corporate espionage cases that involved eavesdropping in their voice systems
 
  • Access violations: because the distributed contact centers are located outside of the traditional enterprise DMZ, the mechanism for accessing the enterprise and its systems can be exploited by attackers
 
  • Toll fraud: although not directly affecting the contact center itself, attackers have learned how to exploit security gaps in the VoIP infrastructure that is used for centers in order to make long distance calls at no charge
 
The primary benefit of VoIP and extended UC in the contact center context is that you can take advantage of very low cost transport of public networks like the Internet and you can access talented call center representatives anywhere in the world. But the drawback is that these networks are non-secure and untrusted.
 
The best practices of VoIP and UC security in the distributed call center and extended enterprise environment call for these functions:
 
  • Privacy via Encryption
 
It seems obvious that encryption should be used across all communications traversing untrusted networks such as the Internet. But much business activity in the typical enterprise takes place using unauthorized applications that are not adequately encrypted. 
 
Perhaps more to the point is the fact that internal encryption is used sporadically, and security experts urge companies to encrypt all traffic, end-to-end, including internally, especially when patient data, credit card data, student data, consumer data or other protected information may use those applications. At the same time, compliance rules for contact centers often require communications to be monitored and archived, so the encryption scheme must enable that archiving compliance process to operate without restriction.
 
  • Access Control
 
This function focuses on controlling the registration and authentication of users and their devices. Some customers, especially in the financial services sector, carry this to the level of requiring 2-factor authentication. In that architecture, a user must enter a PIN and a changing random number code from a token in order to use the VoIP or other UC system.
 
  • Policy Enforcement
 
An enterprise must define security rules to dictate which users and applications may engage with which resources and when. Then it must establish security control points to enforce the policies.
 
  • Threat Mitigation
 
Attackers have learned to exploit vulnerabilities in both signaling and media traffic of VoIP and UC applications. A best practice is to conduct continuous monitoring of traffic in real-time to detect signatures of attacks and halt them.
 
TMC: Discuss Sipera’s solutions including new and upcoming releases and how these are addressing/will address these issues.
 
AB: Sipera has three primary offerings:
 
  1. A plug-and-play appliance called the UC-Sec that provides real-time security functionality for the application layer, covering all unified communications applications including VoIP, IP video, instant messaging, presence applications and collaboration tools
 
  2. A managed service offering that enables an enterprise to install the appliance and then have Sipera and our partners manage it
 
  3. Security assessments and penetration tests, which are provided by our VIPER Lab team of VoIP and UC security experts
 
Our appliance conducts deep packet inspection and comprehensive security with no performance degradation of the UC traffic. These solutions are used by our enterprise and service provider customers in these ways:
 
  • Remote workers and distributed contact centers
 
Our solution is deployed in the DMZ and provides fully secure unified communications to employees outside the DMZ.  Because of our security features, our customers can extend these communications to external employees while keeping compliant with privacy requirements for HIPAA (healthcare), FERPA (student records), PCI DSS (credit card data) and GLBA (consumer data).  No special device is needed in the employee’s location other than their phone or PC.
 
  • SIP trunks
 
Termination and security of SIP trunks are used to replace traditional TDM PSTN trunks.  SIP trunks are a low cost way of connecting to the public telephony network and many of our customers, including those supporting call centers, use our appliance to terminate SIP trunks and provide application layer security on them.
 
  • Core security
 
Effective VoIP security practices call for the separation and maintenance of logical sub-networks – VLANs, or virtual local area networks – that segregate voice and data traffic. Our appliance can maintain and enforce these VLANs while providing threat detection and mitigation to protect the PBX and call servers.
 
  • Toll Fraud prevention
 
Our appliance is deployed to detect and block common toll fraud exploits while adding in authentication controls that further reduce toll fraud risk.
 
  • Operations Continuity, Business Continuity, Pandemic Planning, Disaster Recovery
 
Our appliances permit an enterprise to instantly and securely extend to any location the mission-critical communications that are needed to sustain operations in the event of a disaster or emergency.  Numerous financial services clients use our solution as the communications backbone of their business continuity plans.
 
  • Compliance
 
Our solution enables enterprises to comply with privacy mandates, keeping sensitive or protected information secure, but it also enables our customers to conduct archiving compliance.  The appliance will monitor the UC communications stream and push particular communication traffic to a recording or archiving device to comply with quality control rules or government mandates.
 
 

Brendan B. Read is TMCnet’s Senior Contributing Editor. To read more of Brendan’s articles, please visit his columnist page.

Edited by Kelly McGuire

