SpeechTEK 2009: Securing Cloud Telephony Aug2009

In this talk at SpeechTEK 2009 in New York City, Dan York discussed:

As voice and self-service applications move increasingly into the cloud and to IP communications, what do you need to be concerned about with regard to the security of hosted solutions? If you grow to trust the cloud, how can you be sure it will be there for you? What protections can you put in place? What backup plans can you establish? What questions should you ask potential hosted/cloud vendors? In this session, security professional Dan York will walk you through the basic risk areas of voice-over-IP security, explain how those relate to both hosted and hybrid configurations, and leave you with a concrete list of questions to consider when evaluating hosted/cloud options.

Published in: Technology, Business

Transcript

  • 1. SpeechTEK 2009: Securing Cloud Telephony. Dan York, CISSP; Director of Conversations, Voxeo; Best Practices Chair, VoIP Security Alliance (VOIPSA); dyork@voxeo.com
  • 2. Security concerns in telephony are not new… Image courtesy of the Computer History Museum
  • 3. Nor are our attempts to protect against threats… Image courtesy of Mike Sandman – http://www.sandman.com/
  • 4. Privacy, Availability, Compliance, Confidence, Mobility, Cost Avoidance, Business Continuity
  • 5. TDM security is relatively simple... [Diagram: PSTN Gateways, TDM Switch, IVR, Voicemail, Physical Wiring]
  • 6. VoIP security is more complex [Diagram: Operating Systems, Desktop PCs, PSTN Gateways, E-mail Systems, Network Switches, Web Servers, Firewalls, Standards, Voice over IP, IVR, Wireless Devices, Instant Messaging, Directories, Internet, Databases, Voicemail, Physical Wiring]
  • 7. Confidentiality, Integrity, Availability
  • 8. Voice Application Diagram [Diagram: Phone, Audio, Voice Browser (on svr), HTTP, Web Svr, ?, App/DB Svr; VoiceXML or CCXML; PHP, perl, python, ruby, Java servlets, XML, ???]
  • 9. Voice Transport [Voice application diagram as on slide 8]
  • 10. Voice Transport [Diagram, five transport paths: (1) Phone, PSTN, Voice Browser (on svr); (2) Phone, PSTN, PBX, TDM, Voice Browser (on svr); (3) Phone, PSTN, IP-PBX, SIP, Voice Browser (on svr); (4) Phone, PSTN, SIP Service Provider, Internet/WAN, SIP, Voice Browser (on svr); (5) Phone, Internet/WAN, SIP, Voice Browser (on svr)]
  • 11. Voice Transport - SIP [Transport path diagram as on slide 10]
  • 12. Voice Authentication: Who are you talking to? [Voice application diagram as on slide 8]
  • 13. Voice Biometrics [Voice application diagram as on slide 8, plus Voice Biometrics and Auth Svr]
  • 14. Web Transport [Voice application diagram as on slide 8]
  • 15. App/DB Server Transport [Voice application diagram as on slide 8]
  • 16. Server Security [Voice application diagram as on slide 8]
  • 17. Management Interfaces [Voice application diagram as on slide 8]
  • 18. APIs [Voice application diagram as on slide 8]
  • 19. Local Storage / Logging [Voice application diagram as on slide 8]
  • 20. Call Recording [Voice application diagram as on slide 8]
  • 21. Web Interaction - Authentication [Voice application diagram as on slide 8, with an additional Web Svr]
  • 22. Web Interaction - XSS/Injection: Input validation? [Voice application diagram as on slide 8, with an additional Web Svr]
  • 23. External Interaction [Voice application diagram as on slide 8, with an additional "?" and App/DB Svr]
  • 24. Moving Into The Cloud
  • 25. Location - Single network/server [Voice application diagram as on slide 8]
  • 26. Location - Distributed [Diagram: two copies of Phone, Audio, Voice Browser (on svr), HTTP, Web Svr, ?, App/DB Svr; VoiceXML or CCXML]
  • 27. Location - Distributed [Diagram: Phone, Audio, Voice Browser (on svr), HTTP, Web Svr, ?, App/DB Svr; VoiceXML or CCXML]
  • 28. Location - Into the cloud [Voice application diagram as on slide 8]
  • 29. Location - Distributed/Cloud [Diagram: two copies of Phone, Audio, Voice Browser (on svr), HTTP, Web Svr, ?, App/DB Svr; VoiceXML or CCXML]
  • 30. Location - Distributed/Cloud [Diagram: Phone, Audio, Voice Browser (on svr), HTTP, Web Svr, ?, App/DB Svr; VoiceXML or CCXML]
  • 31. Location - Hybrid [Diagram: Phone, Audio, Voice Browser (on svr), HTTP, Web Svr, ?, App/DB Svr; VoiceXML or CCXML; plus a second Voice Browser (on svr), HTTP, Web Svr, ?, App/DB Svr; VoiceXML or CCXML]
  • 32. Can You Trust The Cloud To Be There?
  • 33. Location/network questions
      • What level of network connectivity do you have available?
      • What kind of availability guarantees / Service Level Agreements (SLAs) do you have in place?
      • What kind of geographic redundancy is built into your underlying network?
      • What kind of network redundancy is built into your underlying network?
      • What kind of physical redundancy is built into your data centers?
      • What kind of monitoring do you perform?
      • What kind of scalability is in the cloud computing platform?
      • What kind of security, both network and physical, is part of the platform?
      • What kind of security policies and procedures are in place?
      • What kind of patch management plans?
      • Will firewall traversal be necessary (for instance, for a SIP trunk) and if so, how?
      • How scalable is the solution?
      • Do you have appropriately-trained and available staff?
  • 34. Distributed Architectures [Diagram: Phone, Audio, Voice Browser (on svr), Web Svr, App/DB Svr (several instances of each server), MR, CP, ASR]
  • 35. Geography
  • 36. Confidentiality, Integrity, Availability
  • 37. Thank you! Dan York, CISSP; Director of Conversations, Voxeo; Best Practices Chair, VoIP Security Alliance (VOIPSA); dyork@voxeo.com
