UC Cloud Computing Security



Dean Jones has a more than 24-year track record in understanding the technology-business interface, identifying and aligning clients' technology needs with products and services, and solving complex problems. His successful and diverse background spanning technical, operational management, project delivery, and strategy development disciplines underscores his expertise in engaging decision makers and devising winning strategies and solutions.

Published in: Technology, Business
  • Companies implementing VoIP technologies in an effort to cut communication costs and extend corporate voice services to a distributed workforce face security risks associated with the convergence of voice and data networks. UC Cloud Computing security and network integrity are an essential part of any UC cloud deployment. Two major barriers to cloud adoption for the 1,500 enterprises surveyed by IDG Enterprise Cloud Computing Research (November 2010) were:
    • Security: cited as a concern by 67 percent, including the risk of unauthorized access, maintaining data integrity, and data protection.
    • Access to information: 41 percent were concerned about preserving a uniform set of access privileges across cloud applications.
    The same security threats that plague data networks today are inherited by VoIP, and putting voice on the network as one more application makes those threats more dangerous: adding VoIP components to your network adds new security requirements. VoIP is built on a number of complex standards, which leave room for bugs and vulnerabilities in each software implementation. The same classes of bugs and vulnerabilities that hamper every operating system and application available today also apply to VoIP equipment, and many of today's VoIP call servers and gateway devices run on general-purpose Windows and Linux operating systems and inherit their vulnerabilities.
  • On a global basis the total cost of toll fraud is now about $80bn, with $15bn of this accounted for by compromised PBX voicemail systems and around $10bn by hacking of IP-based PBX solutions. The problem is growing despite all the industry's attempts to address it over the past few years; toll fraud is estimated to be growing at a rate of around 10-15% per annum.
    Industry reports show that DDoS attacks are more frequent, with growth assessments as high as 45%. Most industry experts agree that a major culprit is low-cost, freely distributed DDoS attack technology, but they find the bulk of attacks still stem from other sources, namely extortionists, cut-throat competitors and others who strike for profit. Industry experts also agree that many of these attacks go unreported; after all, no one wants to go public when their systems have been assaulted. Customers flee, sales drop and stock prices follow suit. Perhaps most media-reported attacks are the work of hacktivists, but those who take aim at your bottom line (a ransom note threatening your website, or a competitor lunging for market share) still launch the majority of overall attacks.
  • Traditional methods are inadequate. Traditional methods such as a static firewall are not equipped to support real-time communications such as VoIP or multimedia services. These traditional security systems simply do not provide an acceptable level of protection against the robust attacks and unauthorized access attempts that are common in today's real-time, peer-to-peer communications environment. This situation creates a multi-fold problem. First, firewalls that block unsolicited traffic across IP boundaries will not work with the dynamically assigned port ranges that RTP media uses. Second, the volume of policy changes needed to open and close RTP and RTCP pinholes for each call is too great for a traditional firewall. And finally, inbound calls have no visibility of the private address of the phone they are attempting to reach; as a result, the phone will not even ring, and work-arounds that attempt to address this problem risk compromising network integrity.
  • “Information theft was still the highest consequence — the type of information [stolen] ranged from a data breach of people’s [information] to intellectual property and source code,” says Larry Ponemon, CEO of the Ponemon Institute. “We found that detection and discovery are the most expensive [elements].”A recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Kark said the majority of organizations will incur a wide array of associated costs, sometimes significant enough to even put them out of business.Kark reported that discovery, response, and notification costs can be substantial. He averaged them out to be about $50 per lost record. These costs generally include outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers. "Forrester has seen a slight increase in this cost due to the increasing number of jurisdictions and circumstances to which breach disclosure applies, but we estimate this cost to be somewhere in this ballpark in the next few years," Kark added. Lost employee productivity also is a significant cost. When employees are diverted from their normal duties, or contractors are hired to respond to data breaches, the company incurs additional expenses, according to Kark, who noted that the Ponemon Institute calculated that this cost had increased 100% in 2006, going from $15 per record in 2005 to $30 per record in 2006.
  • The above is a clear indication that companies are getting complacent about their IT security. 12% of businesses blame it on senior management and 20% spend less than 1% of their IT budget on information security. The chief cause is that it is hard to measure the business benefits from spending money on security defenses. Unfortunately, only 20% of big firms analyze return on investment on their security expenditure.
  • Unified Communication benefits come from extending communications outside of the enterprise:
    • Connecting with suppliers, partners, clients, and others via SIP trunks to the PSTN or other companies
    • Enabling remote and teleworkers, executive work-at-home programs
    • Deploying UC solutions to the enterprise including softphones, IM clients, and presence
    • Corporate policies drive UC features and security needs
    • Voice routing at the logical SIP layer allows for simpler business continuity and disaster recovery
    • Enabling green initiatives such as work-at-home programs
    Cost reduction was always one of the primary goals of VoIP and UC:
    • Converged voice and data infrastructure saves on maintenance, power, and capital
    • SIP trunks are often cheaper than similar TDM solutions, allowing sharing of voice and data trunks
    Sipera UC-Sec appliances simply and securely enable unified communications.
  • With the extension of Unified Communications comes connections to untrusted, high risk networks. As in the data world years ago, router-based access control lists and data firewalls addressed trust and risk; more complex UC attacks can circumvent those data security measures. Enterprise UC assets including the IP-PBX and phones must be protected.
    Business policies must also be enforced and compliance monitored. As examples: allow encrypted VoIP on the network, but disallow unencrypted VoIP and IM traffic; blacklist SPAM phone calls, but whitelist emergency calls.
    Authenticating users and devices ensures resources are used properly, preventing toll fraud. Two-factor authentication with RSA tokens (similar to data VPNs) assures proper usage, and strong authentication helps protect against man-in-the-middle and spoofing attacks.
    Encryption is key to ensuring privacy. Proper privacy implements key exchange standards, TLS signaling encryption, and SRTP media encryption. Offloading encryption from UC assets like Cisco Call Managers ensures call capacity is unaffected.
    Deployment of VoIP / UC presents many challenges: configuring and managing remote phones; creating pin-holes and managing complex deep packet inspection rules on data firewalls; automatically traversing remote (home) firewalls and NAT systems for plug-and-play teleworker configuration.
  • The issue of security. The reality is that, in tandem with all the benefits and flexibility SIP trunking provides, it has distinct and more intensive security requirements than TDM. A TDM PSTN gateway provides an explicit demarcation point between the enterprise network and the service provider, combined with ingrained security features. When SIP trunks are implemented, security concerns arise. It is extremely difficult for a malicious external user to traverse the network interconnection and access the enterprise network through a traditional TDM trunk, while it is fairly easy to do so when the interconnect point is IP. Because SIP trunks offer direct IP connectivity to the enterprise network, they are inherently less secure than TDM trunks. At the same time, one TDM trunk carries one call, while an IP interconnect carries many calls and will accept an unbounded stream of call attempts, which increases the risk of a denial of service attack and the damage it may cause. These kinds of problems can be solved by implementing an E-SBC, something interoperable with all variations of SIP and with sufficient intelligence to facilitate the secure interactions of the various devices. Such an E-SBC could, for example, solve deployment issues, prevent attacks and deliver value to the enterprise in the process. Such a mediating device would essentially ensure that the requirements of enablement, control, protection, demarcation and ROI are met.
  • Key point: some concerns are more relevant to the UC cloud than others; these are the most frequently discussed.
    Less control: customers are uncomfortable with the idea of their information on systems they do not own in-house. Cloud computing changes some of the basic expectations and relationships that influence how we assess security and perceive risk. In the cloud, it's difficult to physically locate where data is stored. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user. While the intent of security remains the same (to ensure the confidentiality, integrity, and availability of information), cloud computing shifts control over data and operations. This forces us to think about security in terms of the cloud provider, the custodian of our information, and how they ultimately implement, deploy, and manage security on our behalf.
    Data security: a shared, multi-tenant infrastructure increases the potential for unauthorized exposure, especially in the case of public-facing clouds. Data will be: stored in multi-tenant environments, spanning multiple layers in the cloud stack; accessed by various parties of different trust levels (users, tenants, privileged cloud admins); located in various geographies; enforced by various contractual obligations and SLAs; governed by various regulations and industry best practices; secured by multiple technologies and services.
    Reliability: customers are worried about service disruptions affecting the business.
    Compliance: regulations may prohibit the use of clouds for certain workloads and data.
    Security management: how will today's enterprise security controls be represented in the cloud?
    Public clouds maximize these concerns. Hybrid and private clouds resonate with clients who demand higher assurance.
  • NAT (network address translation) traversal. A NAT device rewrites the addresses in the IP (and UDP/TCP) header, but SIP carries its own addressing inside the message: the Via and Contact headers, and the SDP body that names the IP address and port the RTP media should be sent to. The NAT never touches that embedded addressing, so responses and media are sent to an address that is unreachable from outside. Fixing this requires a device that can look into the SIP payload and rewrite or relay the embedded addressing, and traditional firewalls can't do this. Consequently, to permit external traffic to enter the network, service providers often require the enterprise to "open up" the firewall in ways that compromise security, reduce network control at the application layer, and prohibit the effective implementation of routing policies for SIP-based traffic. Given the plethora of threats facing networks today, such openness is unacceptable: changes to the firewall open holes for attacks from external sources such as hackers, malicious users and spammers.
    According to the Communication Fraud Control Association (CFCA), the body that monitors communication fraud, the crime of "phreaking" (hacking into a PBX and using it to route calls) costs UK businesses $2 billion to $2.4 billion per year. Authorities estimate that telecoms fraud caused by security gaps costs businesses nearly $80 billion per year.
    Other common attacks include Denial of Service (DoS) / Distributed Denial of Service (DDoS) message floods and fuzzing, stealth DoS, and spoofing attacks. A DoS attack on a VoIP system, for example, floods a phone with spoofed requests that overwhelm the phone's protocol stack and disable the device. A low volume variation on this kind of attack can cause VoIP phones to ring continuously.
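The firewall pinhole problem, the "encrypted VoIP only" policy from the earlier notes and this NAT traversal note all come down to what a SIP INVITE carries in its payload. The Python below is an added example written for this page; it is not code from the presentation or from Sipera. It parses a constructed INVITE from a hypothetical teleworker phone at 192.168.1.20 whose home router has rewritten the IP header source to 203.0.113.7, lists the addresses the payload still carries, derives the RTP/RTCP pinholes a static firewall would have to open for this one call, and applies a "TLS signaling and SRTP media only" policy to an unencrypted and an encrypted variant. The addresses, users, domain and SDES key are made up.

```python
"""Added example: what a header-only NAT/firewall cannot see inside a SIP INVITE.
Constructed messages, not captured traffic; all addresses and users are hypothetical."""
import ipaddress
import re

PHONE_IP = "192.168.1.20"    # private address the phone writes into its own messages
PUBLIC_SRC = "203.0.113.7"   # source address the enterprise edge actually sees after home NAT


def _build(start_line, headers, sdp_lines):
    """Assemble a SIP request with an SDP body; Content-Length is computed, not hand-typed."""
    body = "".join(line + "\r\n" for line in sdp_lines)
    head = "".join(line + "\r\n" for line in [start_line] + headers)
    return f"{head}Content-Type: application/sdp\r\nContent-Length: {len(body)}\r\n\r\n{body}"


# Plain UDP signaling and RTP/AVP media: what the policy must reject.
UNENCRYPTED_INVITE = _build(
    "INVITE sip:2000@pbx.example.com SIP/2.0",
    [f"Via: SIP/2.0/UDP {PHONE_IP}:5060;branch=z9hG4bK776asdhds",
     "From: <sip:1000@pbx.example.com>;tag=1928301774",
     "To: <sip:2000@pbx.example.com>",
     f"Call-ID: a84b4c76e66710@{PHONE_IP}", "CSeq: 314159 INVITE",
     f"Contact: <sip:1000@{PHONE_IP}:5060>"],
    ["v=0", f"o=1000 2890844526 2890844526 IN IP4 {PHONE_IP}", "s=-",
     f"c=IN IP4 {PHONE_IP}", "t=0 0", "m=audio 49170 RTP/AVP 0 8", "a=rtpmap:0 PCMU/8000"],
)

# TLS signaling and SRTP (RTP/SAVP with an SDES key): what the policy allows.
ENCRYPTED_INVITE = _build(
    "INVITE sips:2000@pbx.example.com SIP/2.0",
    [f"Via: SIP/2.0/TLS {PHONE_IP}:5061;branch=z9hG4bK776asdhdt",
     "From: <sips:1000@pbx.example.com>;tag=1928301775",
     "To: <sips:2000@pbx.example.com>",
     f"Call-ID: a84b4c76e66711@{PHONE_IP}", "CSeq: 314160 INVITE",
     f"Contact: <sips:1000@{PHONE_IP}:5061;transport=tls>"],
    ["v=0", f"o=1000 2890844527 2890844527 IN IP4 {PHONE_IP}", "s=-",
     f"c=IN IP4 {PHONE_IP}", "t=0 0", "m=audio 49170 RTP/SAVP 0 8", "a=rtpmap:0 PCMU/8000",
     "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ZmFrZWtleWZvcmRlbW9vbmx5ZmFrZWtleWZvcmRlbW8="],
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sip(raw):
    """Split a SIP request into method, URI, headers (list per name) and the SDP c=/m= lines."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    sdp = {"c": None, "m": []}
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            sdp["c"] = line.split()[-1]
        elif line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            sdp["m"].append((media, int(port), proto))
    return {"method": method, "uri": uri, "headers": headers, "sdp": sdp}


def embedded_addresses(msg):
    """Addresses carried in Via, Contact and SDP c=; IP-layer NAT never rewrites these."""
    found = set()
    for name in ("via", "contact"):
        for value in msg["headers"].get(name, []):
            found.update(IPV4.findall(value))
    if msg["sdp"]["c"]:
        found.add(msg["sdp"]["c"])
    return found


def nat_traversal_findings(msg, observed_src):
    """Each embedded address that differs from the packet source is where responses and RTP
    would be misdirected; a firewall that only inspects IP headers cannot see or fix this."""
    findings = []
    for addr in sorted(embedded_addresses(msg)):
        if addr != observed_src:
            kind = "private" if ipaddress.ip_address(addr).is_private else "public"
            findings.append(f"{kind} address {addr} in payload but packet came from "
                            f"{observed_src}: replies and media sent to {addr} never reach the phone")
    return findings


def rtp_pinholes(msg):
    """(ip, rtp_port, rtcp_port) per media line (RTCP = RTP + 1 by default). These are
    negotiated per call, so a static firewall rule set cannot know them in advance."""
    c = msg["sdp"]["c"]
    return [(c, port, port + 1) for _media, port, _proto in msg["sdp"]["m"]]


def policy_violations(msg):
    """Enforce 'encrypted VoIP only': every Via hop over TLS and every media line RTP/SAVP."""
    violations = []
    vias = msg["headers"].get("via", [])
    if not vias or not all(v.upper().startswith("SIP/2.0/TLS") for v in vias):
        violations.append("signaling not over TLS")
    for media, _port, proto in msg["sdp"]["m"]:
        if proto.upper() != "RTP/SAVP":
            violations.append(f"{media} media is unencrypted ({proto})")
    return violations


if __name__ == "__main__":
    msg = parse_sip(UNENCRYPTED_INVITE)
    print("embedded:", sorted(embedded_addresses(msg)))
    print("nat:", nat_traversal_findings(msg, PUBLIC_SRC))
    print("pinholes:", rtp_pinholes(msg))
    print("policy:", policy_violations(msg), policy_violations(parse_sip(ENCRYPTED_INVITE)))
```

Run as a script it prints the embedded address, the NAT finding, the single (49170, 49171) pinhole and the two policy violations for the plain INVITE, and an empty violation list for the TLS/SRTP one. The point of `rtp_pinholes` is that the ports only become known when the INVITE arrives, which is why a static rule set either blocks the media or has to leave a whole UDP range open; an SBC that reads the SDP opens exactly these ports for exactly this call.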
  • Key message: security doesn't change when you move to the cloud, but the way in which we integrate, deploy, and manage security does.
    Point 1) Cloud is about not knowing the details. We don't care about the underlying infrastructure, we care about the business services running on top of the cloud; physical machines, networking gear, and in some cases operating systems, middleware and applications are irrelevant to the customer. However, security is about knowing all the details (patch levels, networking protocols, application code, etc.). Cloud providers must offer customers the ability to see what's behind the curtain and give information about what security tools are in place.
    Point 2) Nothing here is new. We've dealt with many of these problems before in strategic outsourcing, SOA, etc. Security remains the same: it's about providing confidentiality, integrity, and availability. In most cases, security technologies and the products built from them will remain the same when applied to cloud environments: encryption, access control, intrusion prevention, isolation, etc. However, the speed with which cloud services can be assembled and terminated (often without the security admin's knowledge or permission) offers some new challenges for security vendors and cloud providers alike.
  • The SIP trunk E-SBC security device should provide all of the following to ensure the four requirements of enablement, control, protection and demarcation are met: VoIP threat prevention (comprehensive SIP and media protection); VoIP policy compliance (fine-grained policy enforcement); secure access (firewall/NAT traversal and an encrypted signaling and media proxy, TLS and SRTP); demarcation (a clear line of defense and termination for SIP trunks within the enterprise).
    This VoIP security device deploys at the edge of the enterprise network within the DMZ, between the network's internal and external firewalls, to ensure complete protection. The device performs border control functions such as firewall / NAT traversal, access management and control based on unified communications policies, and intrusion prevention functionality to defend against denial of service, spoofing, stealth attacks and voice spam.
    The E-SBC is the safe SIP trunk choice for the enterprise. The E-SBC:
    • Serves as the demarcation point for the enterprise VoIP and UC network and enforces fine-grained security policies.
    • Protects against SIP and RTP threats by blocking them at the enterprise perimeter.
    • Is proven in SIP trunk deployments involving all major VoIP and UC manufacturers and across all verticals.
    • Performs firewall/NAT traversal to simplify the deployment of SIP trunks.
    • Is upgradable to the advanced UC security functionality that extends safe VoIP and UC to any device over any network.
  • UC-Sec appliances offer comprehensive security for voice over IP (VoIP) and unified communications, enabling enterprises to take full advantage of the cost savings and productivity opportunities VoIP and UC offer, over any network and to any device. With UC-Sec, enterprises can safely deploy new UC applications, including:
    • Softphones, Wi-Fi, and dual-mode smartphones
    • E-mail, voice, video, and instant messaging integration
    Enterprises are also able to simply and easily extend rich communications to home and remote work configurations including teleworkers, mobile workers with remote IP phones, partners, the supply chain, and customers with SIP trunks. Most importantly, businesses are then free to focus on their primary core competencies.
  • Cost savings: operational and capital
    Allows for consolidation: to one ISP/ITSP, one data center
    Simplicity: works with installed IP-PBX and telephones
    Efficiency: efficient use of bandwidth

    1. BDPA DALLAS May 31st Program Meeting: UC Cloud Computing Security • Dean Jones, Engagement Manager • Infrastructure As A Service (IAAS)
    2. Discussion Topics • Potential Security Breaches & Associated Cost • Cloud Computing and Topology • SIP – UC Cloud / IAAS Topology • Case Studies
    3. Potential Security Breaches
    4. The Cost of Unsecured Hosted and Private UC Environments. One successful toll fraud attack: $40,000
    5. A crisis of complexity. The need for progress is clear. [Chart: Global Annual Server Spending (IDC), $0B to $300B, showing a steady new system (CAPEX) spend against uncontrolled growth in power and cooling costs and management and admin costs. Source: IBM Corporate Strategy analysis of IDC data.] To make progress, delivery organizations must address the server, storage and network operating cost problem, not just CAPEX.
    6. Perimeter defense is essential, but it doesn't guard data against the human factor:
        Lost or stolen devices: intellectual property exposed to competitors; sensitive customer data compromised; competitive information leaked to the media.
        Exposed business processes: extracts pulled for processing and reporting; circulating data across organizations; workarounds during system outages.
        Malicious insiders: malware deployed within the network; intentional misuse of company information; identity theft and industrial espionage.
        Careless use of the corporate network: viruses unwittingly downloaded at home; unsecured archives or copies of data; uncontrolled circulation of classified documents or personal e-mail messages.
    7. Increased collaboration brings increased complexity and increased risk. [Diagram: "Foes, Gremlins, and Banana Peels": coffee shop, hotel, home, business partner and supply chain connections surrounding inadequate, disjointed technology management.]
    8. Many companies expend resources on the network without achieving the expected results. • A piecemeal approach to network security and updates leads to an overly complex infrastructure – Time-consuming to pinpoint causes of performance problems, especially for newly added voice and video applications that impact traditional mission-critical applications – Difficult to determine the best way to optimize costs and performance – Hard to estimate future expenditures and justify current costs – Almost impossible to predict capacity requirements accurately • Through 2011, enterprises will waste $100 billion buying the wrong networking technologies and services [3] – Unnecessary technologies – Excess bandwidth – Unwarranted upgrades. [3] Gartner, Gartner's Top Predictions for IT Organizations and Users, 2007 and Beyond, Daryl C. Plummer and others, December 2006.
    9. Ponemon Institute's Security Breach Studies • Two separate reports, the Ponemon Institute's "First Annual Cost of Cyber Crime Study" (PDF), sponsored by ArcSight, and "The Leaking Vault" (PDF) released by the Digital Forensics Association, both show troubling findings for companies' finances: • a median cost of $3.8 million for an attack per year, including all costs, from detection, investigation, containment, and recovery to any post-response operations • out of 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as those whose information was exposed reached $139 billion • nearly half of all of the reported breaches came from a laptop, which in 95 percent of the cases was stolen • hacks led to the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, although hacks represent only about 16 percent of the data breaches • Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks, making up more than 90 percent of all cybercrime costs per organization per year • A Web-based attack costs 143,209 USD; malicious code, 124,083 USD; and malicious insiders, 100,300 USD.
    10. Cloud Security Breach Examples • Google Docs allowed shared permission without user knowledge – http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en • Salesforce.com phishing attack led to leak of a customer list; subsequent attacks – http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html • Vasrev.com webhost hack wipes out data for 100,000 sites – http://www.theregister.co.uk/2009/06/08/webhost_attack/ • Twitter company files leaked in cloud computing security failure – http://www.infosecurity-us.com/view/2554/twitter-company-files-leaked-in-cloud-computing-security-failure • DDoS attack that downed Twitter also hit Facebook – http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_2009-08-07
    11. UC Cloud Computing Security and Topology
    12. Cloud: Consumption & Delivery Models Optimized by Workload. "Cloud" is a new consumption and delivery model inspired by consumer Internet services; "Cloud" represents the industrialization of delivery for IT supported services. Cloud enables self-service, sourcing options and economies of scale. Multiple types of clouds will co-exist: private, public and hybrid; workload and/or programming model specific.
    13. Is cloud computing really new? Yes, and no. Cloud computing is a new consumption and delivery model inspired by consumer Internet services. It exhibits the following 5 key characteristics: • On-demand self-service • Ubiquitous network access • Location independent resource pooling • Rapid elasticity • Pay per use. While the technology is not new (usage tracking, Web 2.0, service virtualization, automation & SOA), the end user focus of self-service and self-management leveraging these technologies is new.
    14. Today there are three primary delivery models that companies are implementing for cloud, alongside traditional enterprise IT:
        Private Cloud: IT activities/functions are provided "as a service," over an intranet, within the enterprise and behind the firewall. Key features: scalability; automatic/rapid provisioning; chargeback ability; widespread virtualization.
        Hybrid Cloud: internal and external service delivery methods are integrated, with activities/functions allocated to each based on security requirements, criticality, architecture and other established policies.
        Public Cloud: IT activities/functions are provided "as a service," over the Internet. Key features include: scalability; automatic/rapid provisioning; standardized offerings; consumption-based pricing; multi-tenancy.
        Source: IBM Market Insights, Cloud Computing Research, July 2009.
    15. Security Implications of the Delivery Models
    16. Cost savings and faster time to value are the leading reasons why companies consider cloud. "To what degree would each of these factors induce you to acquire public cloud services?" (respondents could rate multiple items):
        Reduce costs: 77% (pay only for what we use; hardware savings; software license savings; lower labor and IT support costs; lower outside maintenance costs)
        Take advantage of latest functionality: 72% (faster time to value; simplify updating/upgrading; speed deployment; scale IT resources to meet needs)
        Improve reliability: 50% (improve system reliability; improve system availability)
        Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
    17. Managing Cloud Adoption • Cloud economics can be compelling – Small companies will adopt as reliable, easy-to-use services are available – Scale economics are within reach of many enterprises • Client migration will be workload driven – Trade-off is value vs. risk of migration – Workload characteristics are critical – New workloads will emerge as cloud makes them affordable (e.g. pervasive analytics, Smart Healthcare)
    18. Elements that Drive Cloud Efficiency and Infrastructure Economics
        Leverage hardware: virtualization of infrastructure drives lower capital requirements; utilization matters, because virtualized environments only get benefits of scale if they are highly utilized.
        Leverage labor: self service, since clients who can "serve themselves" require less support and get services; automation of management, taking repeatable tasks and automating them; standardization of workloads, since more complexity means less automation is possible and more people are needed.
    19. Enterprise Benefits from Cloud Computing (from legacy environments to a cloud enabled enterprise; cloud accelerates business value across a wide variety of domains)
        Server/storage utilization: 10-20% → 70-90%
        Self service: none → unlimited
        Test provisioning: weeks → minutes
        Change management: months → days/hours
        Release management: weeks → minutes
        Metering/billing: fixed cost model → granular
        Standardization: complex → self-service
        Payback period for new services: years → months
    20. Clients told us their implementation strategies (public or private cloud, present or future) for 25 specific workloads:
        Analytics: data mining, text mining, or other analytics; data warehouses or data marts; transactional databases
        Development and testing: development environment; test environment
        Business services: CRM or sales force automation; e-mail; ERP applications; industry-specific applications
        Collaboration: audio/video/web conferencing; unified communications; VoIP infrastructure
        Infrastructure: application servers; application streaming; business continuity/disaster recovery; data archiving; data backup; data center network capacity; security; servers; storage; service/help desk; training infrastructure; WAN capacity
        Desktop and devices: desktop
        Source: IBM Market Insights, Cloud Computing Research, July 2009.
    21. Clients cite "push factors" for and "barriers" against cloud adoption for each workload type.
        Push factors (higher propensity for cloud): fluctuating demand; highly standardized applications; modular, independent applications; cost is not a concern.
        Barriers (lower propensity for cloud): data privacy or regulatory and compliance issues; high level of internal control required; accessibility and reliability are a concern; unacceptably high costs.
        Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
    22. IT needs to become smarter about…
        … delivering "services" and service management: standardized processes; service management systems provide visibility, control and automation; lower operational costs and higher productivity.
        … optimizing workloads: rate and degree of standardization of IT and business services; complex transaction and information management processes; rapid return-on-investment and productivity gains.
        … deployment choices: new models are emerging for the enterprise; self-service, economies-of-scale, and flexible sourcing options; new choices of deployment define these new models.
        Workload domains: Analytics, Collaboration, Development and Test, Desktop and Devices, Infrastructure, Business Services.
    23. Focus on Managing Services End to End. [Diagram: service management, architectural and process level integration that delivers business aligned visibility, control and automation of all data center elements; modular, self-contained, scalable workload delivery platforms (workloads A, B, C) and a legacy environment of non-IBM solutions requiring workload connectivity, each with its own service management, over mobility, facilities, production technology and communications infrastructure.]
    24. 3 options to deploy workloads, providing you the choice to meet your business needs! Smart Business Services (cloud services delivered): 1. Standardized services on the cloud (public cloud). 2. Private cloud services, built and/or run in a private cloud. Smart Business Systems (purpose-built infrastructure): 3. Integrated service delivery platform. Workload domains: Analytics, Collaboration, Development and Test, Desktop and Devices, Infrastructure, Business Services.
    25. SIP – UC Cloud / IAAS Topology
    26. Renovate & Innovate • How do we address the immediate pressure to cut costs, reduce risk and complexity? • How do we innovate to take advantage of new opportunities? • How can we do both at the same time? • We focus on delivering services in new ways, lowering cost while increasing speed and flexibility!
    27. Additional Security Concerns • The significant security concerns for this type of deployment are mainly SIP/SCCP/H.323 call control and application level attacks, along with: • Attacks originating from a peering network • End user spam attacks • Border control and traversal issues • Handling of domain policies
    28. High-level Cloud Security Concerns
        Less control: many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
        Data security: migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
        Reliability: high availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
        Compliance: complying with SOX, HIPAA, PCI DSS, FERPA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
        Security management: providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
    29. Inherent Technology Threats
    30. Cloud Security 101: Simple Example
        Today (we have control) → Tomorrow (who has control?)
        It's located at X. → Where is it located?
        It's stored in servers Y, Z. → Where is it stored?
        We have backups in place. → Who backs it up?
        Our admins control access. → Who has access?
        Our uptime is sufficient. → How resilient is it?
        The auditors are happy. → How do auditors observe?
        Our security team is engaged. → How does our security team engage?
        Lesson learned: we have responded to these questions before; clouds demand fast, responsive, agile answers.
    31. SIP Trunk Requirements Cont'd
    32. Key Benefits of UC Cloud Computing Security
    33. Case Studies
    34. The Cost Benefits of a SIP Deployment
    35. 35. Return on Security Investment• Return on Security Investment factors – Single Loss Expectancy (SLE) • Dollar amount assigned to event – Annualized Rate of Occurrence (ARO) • Estimated frequency of event – Annualized Loss Expectancy (ALE) • SLE x ARO = ALE
    36. 36. Theft of Service Assumptions
    • Large Enterprise with 500 SIP trunks
      – 50% average utilization
    • Without SIP trunk security
      – Billing rate 2¢ / min
      – Event forces theft of 20% of average utilized trunks
      – SLE = 20% x 250 x 2¢ = $1/min
      – ARO = 365 days x 24 hours x 60 min = 525,600 events/year
      – ALE = 365 days x 24 hours x 60 min x $1 = $525,600
    • With UC Security-protected SIP Trunk
      – VoIP Vulnerability Assessment
      – Best practices
      – Comprehensive UC security
    37. 37. Theft of Service Business Case
    Unprotected SIP Trunk
    Item | Qty | Unit Cost | Total Cost
    Capital Cost (list price)
    Total Capital Cost: $0
    Monthly Service Theft Cost
    Theft | 30*24*60 = 43,200 min | $1 | $43,200
    Total Monthly Theft Cost: $43,200
    Protected SIP Trunk
    Item | Qty | Unit Cost | Total Cost
    Capital Cost (list price)
    VOIP Sec Asses | 2 weeks | $10,000 | $20,000
    UC-Sec 2000 HA | 1 pair | $65,950 | $65,950
    UC-SEC EMS | 1 | $7,495 | $7,495
    Installation | 1 | $3,000 | $3,000
    Total Capital Cost: $96,445
    Monthly Maintenance Cost
    UC-Sec Maint. | 1 yr / 12 | $13,190 | $1,099
    EMS Maint. | 1 yr / 12 | $1,499 | $125
    Total Monthly Maintenance Cost: $1,224
    Pay Back Period: 3 months and IRR > 75%
    With No VoIP/UC Security In place, Annualized Loss Expectancy = $525,600
    38. 38. Threat Level Assumptions
    • Threat level or probability of exploit
      – 37 Vulnerabilities discovered
      – 7 high threats with exploit probability >70% per month
      – 5 medium threats with exploit probability >50% per month
      – 26 low threats with exploit probability <50% per month
    • SIP Servers
      – Integrity
        • 1 medium: Spoof Call Server
      – Availability
        • 2 high: Denial of Service
        • 1 medium: Service degradation
    • IP Phones, Softphones
      – Confidentiality
        • 1 medium: Unencrypted snoop
      – Integrity
        • 2 medium: Spoofing / hijacking
      – Availability
        • 2 high: Denial of Service, fuzzing
        • 1 medium: QoS degradation
    • Softphones only
      – Confidentiality and availability
        • 2 high: Fuzzing with execute shell code
      – Integrity (no high/medium)
    39. 39. Loss of Service ALE Calculation
    Number | Vulnerability Type | Probability of Exploit | Assets Affected | $Loss on single occurrence | Annualized rate of occurrence | Annualized Loss Expectancy
    1 | DoS | High | Server | 15 mins, $50,000 | 7 | 350,000
    2 | DoS | High | Server | 15 mins, $50,000 | 7 | 350,000
    3 | Degradation | Medium | Server | 15 mins, $25,000 | 5 | 125,000
    4 | Spoofing | Medium | Server | 15 mins, $35,000 | 5 | 175,000
    5 | DoS | High | IP Phone, Softphone | 1 hr, $50 | 35 | 1,750
    6 | DoS | High | IP Phone, Softphone | 1 hr, $50 | 35 | 1,750
    7 | Degradation | Medium | IP Phone, Softphone | 1 hr, $25 | 25 | 625
    8 | Spoofing | Medium | IP Phone, Softphone | 1 hr, $500 | 25 | 6,250
    9 | Hijack | Medium | IP Phone, Softphone | 1 hr, $500 | 25 | 6,250
    10 | Sniffing | Medium | IP Phone, Softphone | 1 hr, $500 | 25 | 6,250
    11 | Buffer overflow, Shell-code | High | Softphone | Company, $3000 | 35 | 105,000
    12 | Buffer overflow, Shell-code | High | Softphone | Company, $3000 | 35 | 105,000
    Total | 12 | 7 High, 5 medium | | | | ~ $1.2 million
    40. 40. Loss of Service Business Case
    Unprotected IP-PBX
    Item | Qty | Unit Cost | Total Cost
    Capital Cost (list price)
    Total Capital Cost: $0
    Monthly Service Loss Cost
    Loss | 1 | $100,000 | $100,000
    Total Monthly Loss Cost: $100,000
    Sipera-protected IP-PBX
    Item | Qty | Unit Cost | Total Cost
    Capital Cost (list price)
    VIPER Asses | 2 weeks | $10,000 | $20,000
    UC-Sec 50k HA | 1 pair | $229,850 | $229,850
    UC-SEC EMS | 1 | $7,495 | $7,495
    Installation | 1 | $3,000 | $3,000
    Total Capital Cost: $260,345
    Monthly Maintenance Cost
    UC-Sec Maint. | 1 yr / 12 | $30,000 | $2,500
    EMS Maint. | 1 yr / 12 | $1,499 | $125
    Total Monthly Maintenance Cost: $2,625
    Pay Back Period: 3 months and IRR > 60%
    With No VoIP/UC Security In place, Annualized Loss Expectancy = $1,200,000
    41. 41. Other Downtime Effects
    • Impact on stock price
    • Cost of fixing / replacing equipment
    • Cost of fixing / replacing software
    • Salaries paid to staff unable to undertake productive work
    • Salaries paid to staff to recover work backlog and maintain deadlines
    • Cost of re-creation and recovery of lost data
    • Loss of customers (lifetime value of each) and market share
    • Loss of product
    • Product recall costs
    • Loss of cash flow from debtors
    • Interest value on deferred billings
    • Penalty clauses invoked for late delivery and failure to meet Service Levels
    • Loss of profits
    • Additional cost of credit through reduced credit rating
    • Fines and penalties for non-compliance
    • Liability claims
    • Additional cost of advertising, PR and marketing to reassure customers and prospects to retain market share
    • Additional cost of working; administrative costs; travel and subsistence etc.
    42. 42. Hacking Tools - YouTube Movies
    • http://youtu.be/89fXxmaca4E
    • http://youtu.be/x56j2BRkUME
    • http://youtu.be/DU8hg4FTm0g