VoIP and UC security - Is it important?

I've been involved in VoIP and UC security for a number of years now and lately, people have been asking me one simple question: "Why are VoIP and UC security not perceived as important as data network security?"

Good question!

Unfortunately, there is no simple answer. First, given their emerging nature, there is a lack of knowledge and understanding of VoIP and UC technologies. It is true that VoIP and UC are new technologies that combine the old communication mediums such as voice and video with the newer networking technologies such as IP and 3G networks. For many years these two different worlds co-existed, rarely crossing well-defined demarcation lines. Converged networks are changing all of this, but we know it is much easier to change technologies than it is to change people. The result is that we have IT folks who understand data networking and applications very well, but they are not really VoIP or UC experts. Then we have the telecommunications experts who could configure your entire PBX in no time, but their knowledge of IP networking and applications is fairly basic. Then we have the IT security professionals who know a great deal about how to secure data and IP networks, but securing a VoIP and UC network falls outside their area of expertise.

VoIP and UC security have yet to be widely addressed from a regulatory compliance perspective, and as a result, many organizations do not include guidance relating to their framework and processes. Most organizations have a strong framework and processes in place to deal with security issues for data networking and applications, but VoIP and UC are not yet part of this framework.

Risk assessment and risk management practitioners have just started to focus on VoIP and UC security, as demonstrated by the increasing number of firms including them as part of the risk assessment analysis they do for securing any IT infrastructure. There is recognition now that it is almost impossible to properly secure converged enterprise networks, including VoIP and UC, without a proper strategy that looks beyond the data-centric model used in the past.

Making the business case for VoIP and UC and coming up with an ROI is difficult. Adding requirements for proper security could make them unacceptable to business decision makers given the perceived extra costs. Also, VoIP and UC vendors are not interested in putting sales at risk, so they either avoid talking about security entirely or try to assure customers that their solutions are fully secure.

I would think that IT security groups should be proactively implementing VoIP and UC security infrastructures using well-known processes and methodologies developed and proven for data networks and applications. The reality, though, is that there are not very many VoIP or UC security incidents reported that have had a major impact on businesses besides a couple of toll fraud type attacks, PBX/voice mail hacking and a few SIP DoS attacks. A number of organizations, including my company, VoIPshield Systems, have published a number of VoIP and UC vulnerabilities that potentially could be used to attack the VoIP and UC infrastructure.

I should note that perhaps the bottom line here is that there is not a significant enough level of "pain" in the market to elevate the importance of VoIP and UC security to a level similar to something like bank card fraud, or email security, etc. As it stands today, while VoIP and UC security are gaining in awareness and importance for future budgeting purposes, relatively few organizations have it as their number one priority for IT security-related investments.

Back to the original question: "Is VoIP and UC security important?" If history can be used to predict the future, I think that we will start to see VoIP and UC security appear as part of the security mainstream when the number of "painful" events that disrupt business operations increases and causes measurable damage. When downtime, lost sales, information theft or negative influences on brand equity start to cause real financial losses, both mind share and budgets will focus more on VoIP and UC security risks.
