Security directors find new opportunities, and consequently new challenges, in most new technologies. Many are seeing great opportunity in voice over Internet protocol (VoIP). This technology offers potential benefits when deployed in the right places, but security directors should also be aware of the information security concerns of VoIP and the steps that should be taken to address those concerns.
The Good News
With the adoption of the TCP/IP protocol across multiple technologies and service offerings, it was inevitable that we'd eventually use the data network and IP-enabled technology to handle voice transmissions. The cost savings alone hold great appeal. VoIP can eliminate the entire expense stream of establishing and maintaining a circuit-switched network for telephone connections. The concept of running only one wire to the desk is also appealing.
Vendors like the idea of bundling services for customers because it increases the perceived value of their offerings. Customers like the idea of having to call only one vendor (or department, for internal applications) for installations and service calls. As deployment of VoIP service offerings continues to grow, the increasing competition and options for the consumer are making the prospect of VoIP even more appealing.
The adoption and growth of this industry are somewhat akin to a gold rush. Recently Microsoft acquired the Zurich-based media-streams.com AG, which specializes in VoIP applications, with the vision of adding VoIP capabilities to its Office products. EBay has also jumped on board with its $2.6 billion acquisition of Skype Technologies, one of the world's largest providers of VoIP service signals.
But I always get nervous when I hear comments like, “Well, everyone's doing it!” There is often a life lesson attached to comments like that. Moving to VoIP is a perfect example.
Problems for Law Enforcement
First, don't make the mistake of assuming VoIP works just like a traditional phone line, because it doesn't. In fact, the move to this technology has presented challenges in unexpected areas. For example, in the rush to establish and configure VoIP services, everyone forgot to consider the needs of law enforcement and wiretapping regulations. Well-defined laws and processes give law enforcement access to traditional telephone traffic, and they need it now more than ever due to their increasing role in handling terrorist threats. The fact that an increasing percentage of telecommunication traffic is going over a completely different technology throws uncertainty over the processes used.
New regulations approved by the FCC in August that make it easier for law enforcement to tap Internet phone calls are being challenged in court. Internet service providers and universities are wincing under the potential expense of complying with the new regulations. In October, CNN quoted Terry Hartle, senior vice president of the American Council on Education, saying, “We fear that the FCC order will make every college and university replace every router and every switch in their systems. The cost of doing that is substantial.”
When VoIP is brought up, most information security professionals groan and mutter something along the lines of, “Oh man, not another one!” It's not that they think VoIP by itself is evil or more troublesome than other IP-enabled technologies. But they understand all the effort necessary to make it available, useful, and properly secure.
Much of the current VoIP technology has not been constructed or deployed with security in mind. Much of the time it is deployed before a serious risk assessment and analysis is conducted. In a recent seminar I attended, this issue was described as the “airline magazine syndrome”: a high-ranking executive reads an interesting article about the technology in an airline magazine and buys it without a second thought. The IT staff is then tasked with finding enough baling wire and duct tape to pull the project together, since they did not have the benefit of architecting the solution before it arrived.