Depending on who you talk to these days, the security issues around IP telephony are either likely to bring about Armageddon or are massively over-hyped.
One man firmly in the former camp is David Lacey, the Royal Mail's director of information security and chairman of the Jericho Forum, an international group of IT user and vendor organisations that focuses on security issues. At the annual Business Continuity Expo in London's Docklands in March, he warned that "an electronic Pearl Harbour-type event will happen in 2006 or 2007" because "new technologies such as VoIP risk driving a horse and cart through the security in our networks".
Lacey's main concern was that companies may rush to take advantage of cheap telephony services without undertaking the necessary due diligence around security issues.
But analyst group Gartner takes a quite different stance. It believes that widely voiced concerns around malicious individuals being able to eavesdrop electronically on IP calls are overstated, not least because perpetrators would need to be hooked up to the same LAN as the IP phone they are targeting. The analyst firm is concerned that organisations will be put off moving to the technology because of hype designed to fuel fears and sell more security products.
So how much of an added security risk does VoIP actually pose and what is the reality between these two differing points of view?
Ian Williams, a research director at Datamonitor, for one, believes that both are correct, just in different ways. On the one hand, he points out that, as head of the Jericho Forum, which aims to both provide security best practice to peers and ensure that vendors are catering to users' needs, Lacey's views carry weight and he has no real reason to exaggerate.
"He's not just being a doom-monger. He's basically saying that people should take time to ensure that they've battened down all the hatches and have looked at the potential security implications rather than moving to VoIP in haste," Williams says.
The issue is that, when voice becomes an application, it also becomes subject to all of the same security threats as other applications on the data network and so, given its key role in enabling business communication, has to be adequately protected.
Talkback
I was very interested to read Ian Williams’ take on the adoption of internet telephony, and support his view that one of the biggest inhibitors to the growth of VoIP is the question of availability. Telephony "dial-tone" requirements for VoIP will raise the bar for performance and increase the complexity of the network.
I think it can be agreed that network hiccups can be a frustrating phenomenon regardless of when and where they occur. Despite the problems they nurture, however, they seem to have become a widely embedded and accepted facet of organisational culture. Today, if the always-on network is disrupted, few people will even notice. Do you really care if your email took a few minutes to be delivered, or that your browser page did not load? Things inevitably get slow(er) at peak times, but in truth, these performance inconsistencies are considered minor annoyances. Conversely, I don’t think the same would be true if you went to pick up the phone and there was no dial tone. With VoIP, people will notice if a connection takes more than 500ms or if the VoIP phone cannot get an address on the network.
Consider this example; if you were relying solely on VoIP to place an emergency services call, a disrupted internet connection could be potentially disastrous. An extreme example perhaps, but the underlying premise is the same; having your avenues for communication severed, for any period of time, can be a costly and dangerous thing for business. That said, VoIP in itself is not an inherently risky technology. Essentially, it is more a case of network availability. If all of an organisations’ communication devices, such as voice, fax and email, are 100% reliant on a singular network, the availability of that network does become mission critical to the business.
Therefore, the bigger picture for rolling out VoIP is not whether or not companies can protect themselves from any specific security attack; rather, it is more a case of investing in the network infrastructure to ensure your data network is capable of handling the increased complexity.