But despite these risks, Collins believes that looking at VoIP and IP telephony as a potential security risk is a misnomer. "VoIP is not a security risk in and of itself. If you're looking at it as a security issue, you've got it the wrong way round. It's no more of a risk than using video-over-IP or calendar management-over-IP," Collins says.
The security issues emanate from people not putting the right level of protection in place not any inherent flaws in the technology itself. "To me, people are the top un-hyped security threat, followed by denial as number two. Too many organisations do risk management by implementing something and finding out what the problems are when things go wrong, but that's more of a psychological issue than a technical one," he explains.
As a result, it is crucial that organisations evaluate the potential security risks before even thinking about implementing any new technology, VoIP included. Mike Gillespie, principal consultant at Advent Information Management, explains: "The secret is not retrofitting security, but designing it into systems from day one. For most people, it's generally about functionality first and security second, but that simply has to change."
A good starting point, says Gillespie, is to evaluate what the organisation intends to use VoIP for and to safeguard it in a way that is commensurate with the impact of any security incident on the business.
"There's no one-size-fits-all approach. It's about implementing controls that are appropriate to what you're using VoIP for and prioritising resources in line with that. So if you're only using it to call a colleague up the road for a chat, it's a very different situation to using it to call a business associate about a top secret takeover, and how you implement your security should reflect that," he says.
VoIP and IP telephony should not be treated any differently to any other part of the organisation's IT infrastructure. The technology should be included in the existing security policy which should specify processes and procedures that are acceptable user behaviour. The policy should also details what practices should be followed in the wake of an incident and the technology that needs to be in place to shield the infrastructure from attack.
The minimum security technology that should be in place includes voice firewalls and content filtering software such as antivirus and anti-spam programs that can undertake deep packet inspection. Encrypting voice traffic is another possibility, while undertaking regular patch management on voice servers is a must. Larger companies that prefer to retain their own VoIP infrastructure in-house rather than use third-party service providers will also need to consider the ramifications of the technology in terms of disaster recovery and business continuity planning.
While it is questionable at this point how many companies would consider removing their PSTN network completely to rely solely on VoIP anyway, should they do choose to do so, they do have choices. "You might need to have a power generator to provide an alternative source of supply in the event of failure, you could go for PSTN fail-over or provide staff with mobile phones so that they can make emergency calls. It's a contingency thing, but you don't have to go overboard. You just have to provide people with options," explains Datamonitor's Williams
In the end it seems that VoIP isn't any more inherently insecure than any other technology. The problem stems from the fact that the potential of VoIP as a revolutionary cost-saving technology has been overhyped — the attention given to security concerns could be seen as a natural realignment. "Some people are saying that, despite the telephony call savings, they won't move to VoIP due to security concerns. But how you secure VoIP should be the same as how you safeguard your data. It just means that rather than having two networks to manage you only have one so rather than making makes life more complex, it could actually become simpler."
Talkback
I was very interested to read Ian Williams’ take on the adoption of internet telephony, and support his view that one of the biggest inhibitors to the growth of VoIP is the question of availability. Telephony "dial-tone" requirements for VoIP will raise the bar for performance and increase the complexity of the network.
I think it can be agreed that network hiccups can be a frustrating phenomenon regardless of when and where they occur. Despite the problems they nurture, however, they seem to have become a widely embedded and accepted facet of organisational culture. Today, if the always-on network is disrupted, few people will even notice. Do you really care if your email took a few minutes to be delivered, or that your browser page did not load? Things inevitably get slow(er) at peak times, but in truth, these performance inconsistencies are considered minor annoyances. Conversely, I don’t think the same would be true if you went to pick up the phone and there was no dial tone. With VoIP, people will notice if a connection takes more than 500ms or if the VoIP phone cannot get an address on the network.
Consider this example; if you were relying solely on VoIP to place an emergency services call, a disrupted internet connection could be potentially disastrous. An extreme example perhaps, but the underlying premise is the same; having your avenues for communication severed, for any period of time, can be a costly and dangerous thing for business. That said, VoIP in itself is not an inherently risky technology. Essentially, it is more a case of network availability. If all of an organisations’ communication devices, such as voice, fax and email, are 100% reliant on a singular network, the availability of that network does become mission critical to the business.
Therefore, the bigger picture for rolling out VoIP is not whether or not companies can protect themselves from any specific security attack; rather, it is more a case of investing in the network infrastructure to ensure your data network is capable of handling the increased complexity.