Companies implementing VoIP technologies in an effort to cut communication costs and extend corporate voice services to a distributed workforce face security risks associated with the convergence of voice and data networks. UC Cloud Computing Security and network integrity are an essential part of any UC Cloud Computing deployment.

Two major barriers to cloud adoption for the 1,500 enterprises surveyed by IDG Enterprise Cloud Computing Research (Nov 2010) were:
• Security: 67 percent cited it as a concern, including risk of unauthorized access, being able to maintain data integrity, and data protection
• Access to information: 41 percent were concerned about being able to preserve a uniform set of access privileges across cloud apps

The same security threats that plague data networks today are inherited by VoIP, and adding VoIP as an application on the network makes those threats more dangerous. By adding VoIP components to your network, you are also adding new security requirements. VoIP encompasses a number of complex standards that leave the door open for bugs and vulnerabilities within the software implementation. The same types of bugs and vulnerabilities that hamper every operating system and application available today also apply to VoIP equipment: many of today's VoIP call servers and gateway devices are built on general-purpose Windows and Linux operating systems and inherit their vulnerabilities.
On a global basis the total cost of toll fraud is now about $80bn, with $15bn of this accounted for by compromised PBX voicemail systems and around $10bn by hacking of IP-based PBX solutions. The problem is growing despite the industry's attempts to address it over the past few years; toll fraud is estimated to be growing at around 10-15% per annum.

Industry reports show that DDoS attacks are more frequent, with growth assessments as high as 45%. Most industry experts agree that a major culprit is low-cost, freely distributed DDoS attack technology, but they find the bulk of attacks still stem from other sources, namely extortionists, cut-throat competitors and others who strike for profit. Industry experts also agree that many of these attacks go unreported: no one wants to go public when their systems have been assaulted, since customers flee, sales drop and stock prices follow suit. Perhaps most media-reported attacks are the work of hacktivists, but those who take aim at your bottom line, in the form of a ransom note threatening your website or a competitor lunging for market share, are still launching the majority of overall attacks.
Traditional Methods are Inadequate

Traditional methods such as a static firewall are not equipped to support real-time communications such as VoIP or multimedia services. These traditional security systems simply do not provide an acceptable level of protection against the robust attacks and unauthorized access attempts that are common in today's real-time, peer-to-peer communications environment. This creates a multi-fold problem. First, a firewall that blocks unsolicited traffic across IP boundaries cannot cope with media ports that are negotiated per call, since RTP ports are dynamically assigned from a large range. Second, the policy changes needed to open and close RTP and RTCP pinholes for every call are too many and too frequent for a traditional firewall. Finally, an inbound call has no visibility of the private address of the phone it is attempting to reach; as a result the phone does not even ring, and work-arounds that attempt to address this problem, such as opening the firewall to whole port ranges, risk compromising network integrity.
“Information theft was still the highest consequence — the type of information [stolen] ranged from a data breach of people’s [information] to intellectual property and source code,” says Larry Ponemon, CEO of the Ponemon Institute. “We found that detection and discovery are the most expensive [elements].”

A recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Kark said the majority of organizations will incur a wide array of associated costs, sometimes significant enough to put them out of business.

Kark reported that discovery, response, and notification costs can be substantial; he averaged them out to about $50 per lost record. These costs generally include outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers. "Forrester has seen a slight increase in this cost due to the increasing number of jurisdictions and circumstances to which breach disclosure applies, but we estimate this cost to be somewhere in this ballpark in the next few years," Kark added.

Lost employee productivity is also a significant cost. When employees are diverted from their normal duties, or contractors are hired to respond to data breaches, the company incurs additional expenses, according to Kark, who noted that the Ponemon Institute calculated that this cost had increased 100% in 2006, going from $15 per record in 2005 to $30 per record in 2006.
The above is a clear indication that companies are getting complacent about their IT security. 12% of businesses blame it on senior management and 20% spend less than 1% of their IT budget on information security. The chief cause is that it is hard to measure the business benefits from spending money on security defenses. Unfortunately, only 20% of big firms analyze return on investment on their security expenditure.
Unified Communications benefits come from extending communications outside of the enterprise
• Connecting with suppliers, partners, clients, and others via SIP trunks to the PSTN or other companies
• Enabling remote and teleworkers, including executive work-at-home programs
• Deploying UC solutions to the enterprise, including softphones, IM clients, and presence
Corporate policies drive UC features and security needs
• Voice routing at the logical SIP layer allows for simpler business continuity and disaster recovery
• Enabling green initiatives such as work-at-home programs
Cost reduction was always one of the primary goals of VoIP and UC
• Converged voice and data infrastructure saves on maintenance, power, and capital
• SIP trunks are often cheaper than similar TDM solutions and allow sharing of voice and data trunks
Sipera UC-Sec appliances simply and securely enable unified communications
With the extension of Unified Communications come connections to untrusted, high-risk networks
• As in the data world years ago, router-based access control lists and data firewalls addressed trust and risk
• More complex UC attacks can circumvent data security measures
• Enterprise UC assets including the IP-PBX and phones must be protected
Business policies must also be enforced and compliance monitored
• As an example, allow encrypted VoIP on the network, but disallow unencrypted VoIP and IM traffic
• As an example, blacklist spam phone calls, but whitelist emergency calls
Authenticating users and devices ensures resources are used properly, preventing toll fraud
• Providing two-factor authentication with RSA tokens (similar to data VPNs) assures proper usage
• As an example, strong authentication helps protect against man-in-the-middle and spoofing attacks
Encryption is key to ensuring privacy
• Proper privacy implements key exchange standards, TLS signaling encryption, and SRTP media encryption
• Offloading encryption from UC assets like Cisco Call Managers ensures call capacity is unaffected
Deployment of VoIP / UC presents many challenges
• Configuring and managing remote phones
• Creating pinholes and managing complex deep packet inspection rules on data firewalls
• Automatically traversing remote (home) firewalls and NAT systems for plug-and-play teleworker configuration
The Issue of Security

The reality is that, in tandem with all the benefits and flexibility SIP trunking provides, it has distinct and more intensive security requirements than TDM. A TDM PSTN gateway provides an explicit demarcation point between the enterprise network and the service provider, combined with ingrained security features. When SIP trunks are implemented, security concerns arise. It is extremely difficult for a malicious external user to traverse the network interconnection and access the enterprise network through a traditional TDM trunk, while it is fairly easy to do so when the interconnect point is IP. Because SIP trunks offer direct IP connectivity to the enterprise network, they are inherently less secure than TDM trunks. At the same time, one TDM trunk carries one call while a single IP link can carry many SIP calls at once, which increases both the likelihood of a denial of service attack and the damage it may cause. These problems can be solved by implementing an E-SBC (enterprise session border controller) that interoperates with all variations of SIP and has sufficient intelligence to mediate the secure interaction of the various devices. Such an E-SBC could, for example, solve deployment issues, prevent attacks and deliver value to the enterprise in the process. Such a mediating device would essentially ensure that the requirements of enablement, control, protection, demarcation and ROI are met.
Key point: Some concerns are more relevant to the UC Cloud than others; these are the most frequently discussed.

Less control: Customers are uncomfortable with the idea of their information on systems they do not own in-house. Cloud computing changes some of the basic expectations and relationships that influence how we assess security and perceive risk. In the cloud, it is difficult to physically locate where data is stored. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user. While the intent of security remains the same (to ensure the confidentiality, integrity, and availability of information), cloud computing shifts control over data and operations. This forces us to think about security in terms of the cloud provider, the custodian of our information, and how they ultimately implement, deploy, and manage security on our behalf.

Data security: A shared, multi-tenant infrastructure increases the potential for unauthorized exposure, especially in the case of public-facing clouds. Data will be:
• Stored in multi-tenant environments, spanning multiple layers in the cloud stack
• Accessed by various parties of different trust levels (users, tenants, privileged cloud admins)
• Located in various geographies
• Enforced by various contractual obligations and SLAs
• Governed by various regulations and industry best practices
• Secured by multiple technologies and services

Reliability: Customers are worried about service disruptions affecting the business.
Compliance: Regulations may prohibit the use of clouds for certain workloads and data.
Security management: How will today's enterprise security controls be represented in the cloud?

Public clouds maximize these concerns. Hybrid and private clouds resonate with clients in demand of higher assurance.
NAT (network address translation) traversal. A NAT device rewrites the IP addresses and ports in packet headers, and traffic is routed on those headers. SIP, however, also carries addresses and ports inside the application payload, in headers such as Via and Contact and in the SDP connection (c=) and media (m=) lines, and a NAT does not touch those. A device at the border therefore needs to look into the packets, read the embedded addressing information and correct it, which traditional firewalls cannot do. Consequently, to permit external traffic to enter the network, service providers often require the enterprise to "open up" the firewall in ways that compromise security, reduce network control at the application layer, and prohibit the effective implementation of routing policies for SIP-based traffic. Given the plethora of threats facing networks today, such openness is unacceptable: changes to the firewall open holes for attacks from external sources such as hackers, malicious users and spammers.

According to the Communication Fraud Control Association (CFCA), the body that monitors communication fraud, the crime of "phreaking" (hacking into a PBX and using it to route calls) costs UK businesses $2 billion to $2.4 billion per year. Authorities estimate that telecoms fraud caused by security gaps costs businesses nearly $80 billion per year.

Other common attacks include Denial of Service (DoS) and Distributed Denial of Service (DDoS) message floods, fuzzing, stealth DoS, and spoofing attacks. A DoS attack on a VoIP system, for example, floods a phone with spoofed requests that overwhelm the phone's protocol stack and disable the device. A low-volume variation on this kind of attack can cause VoIP phones to ring continuously.
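The following is an added illustration, not code from this presentation or from any vendor product, of three points made above: the per-call RTP/RTCP pinholes a static firewall cannot anticipate (under "Traditional Methods are Inadequate"), the "allow encrypted VoIP, disallow unencrypted" policy, and the NAT traversal problem. It parses a constructed SIP INVITE from a phone behind a home NAT, computes the pinholes for that call, finds the private address the NAT left in the payload and rewrites it, and checks the call against the encryption policy. The sample message, the addresses, the RFC 1918 check and all function names are assumptions made for the example.

```python
"""Hypothetical SBC-style SIP/SDP inspection (added example, not vendor code).
A NAT rewrites IP headers only; the addresses and RTP ports a phone writes
into the SIP payload pass through untouched, so a border device must read
them, fix them and open per-call pinholes, and can apply call policy there."""
import ipaddress
import re

# Constructed sample: INVITE from a home phone behind NAT. The packet came
# from public address 203.0.113.10 (documentation range) but the payload
# still carries the phone's private address 192.168.1.20.
SOURCE_IP = "203.0.113.10"
SAMPLE_INVITE = (
    "INVITE sip:2000@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1000@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:2000@pbx.example.com>\r\n"
    "Contact: <sip:1000@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)
# The same call as it should look once it meets the encryption policy.
SAMPLE_INVITE_SECURE = (SAMPLE_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS")
                        .replace("RTP/AVP", "RTP/SAVP"))
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sip(raw):
    """Return (request line, headers dict, SDP dict); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers, sdp = {}, {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for line in body.split("\r\n"):
        if len(line) > 2 and line[1] == "=":
            sdp.setdefault(line[0], []).append(line[2:])
    return lines[0], headers, sdp


def media_pinholes(sdp):
    """RTP port of each m= line plus RTCP on port+1 (RFC 3550 default):
    the per-call firewall pinholes a static rule set cannot anticipate."""
    holes = []
    for m in sdp.get("m", []):
        kind, port, proto = m.split()[:3]
        holes.append((kind, proto, int(port), int(port) + 1))
    return holes


def embedded_addresses(headers, sdp):
    """Addresses the endpoint wrote into Via, Contact and SDP c= lines."""
    addrs = set()
    for via in headers.get("via", []):
        addrs.add(via.split()[1].split(";")[0].rsplit(":", 1)[0])
    for contact in headers.get("contact", []):
        m = re.search(r"@([^:;>]+)", contact)
        if m:
            addrs.add(m.group(1))
    for c in sdp.get("c", []):
        addrs.add(c.split()[2])
    return addrs


def _is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname: not this check's concern
    return any(ip in net for net in RFC1918)


def nat_mismatch(headers, sdp, source_ip):
    """Payload addresses that are private or differ from the packet's real
    source; left as-is, the callee replies to an unreachable address."""
    return {a for a in embedded_addresses(headers, sdp)
            if _is_rfc1918(a) or a != source_ip}


def rewrite_addresses(raw, source_ip):
    """Near-end NAT fix-up: substitute the observed source for each mismatch."""
    _, headers, sdp = parse_sip(raw)
    for addr in nat_mismatch(headers, sdp, source_ip):
        raw = raw.replace(addr, source_ip)
    return raw


def check_encryption_policy(headers, sdp):
    """Slide policy 'allow encrypted VoIP, disallow unencrypted': signaling
    must ride TLS and media must be SRTP. Returns the list of violations."""
    problems = []
    for via in headers.get("via", []):
        transport = via.split()[0].rsplit("/", 1)[-1].upper()
        if transport != "TLS":
            problems.append("signaling over %s, not TLS" % transport)
    for m in sdp.get("m", []):
        proto = m.split()[2]
        if not proto.startswith("RTP/SAVP"):
            problems.append("media profile %s is not SRTP" % proto)
    return problems


if __name__ == "__main__":
    _, hdrs, body = parse_sip(SAMPLE_INVITE)
    print("pinholes:", media_pinholes(body))
    print("rewrite:", nat_mismatch(hdrs, body, SOURCE_IP))
    print("policy:", check_encryption_policy(hdrs, body) or "ok")
```

Run as-is, the script reports one audio pinhole pair (16384 for RTP, 16385 for RTCP) that exists only for the lifetime of this call, flags 192.168.1.20 as the address to rewrite, and rejects the call twice under the encryption policy (UDP signaling, RTP/AVP media). The secure variant of the same INVITE passes the policy unchanged, which is the distinction a data firewall working on IP headers alone cannot make.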
Key message: Security doesn't change when you move to the cloud, but the way in which we integrate, deploy, and manage security does.

Point 1) Cloud is about not knowing the details. We don't care about the underlying infrastructure; we care about the business services running on top of the cloud. Physical machines, networking gear, and in some cases operating systems, middleware and applications are irrelevant to the customer. However, security is about knowing all the details (patch levels, networking protocols, application code, etc.). Cloud providers must offer customers the ability to see what's behind the curtain and give information about what security tools are in place.

Point 2) Nothing here is new. We have dealt with many of these problems before in strategic outsourcing, SOA, etc. Security remains the same: it is about providing confidentiality, integrity, and availability. In most cases, security technologies and the products built from them will remain the same when applied to cloud environments (encryption, access control, intrusion prevention, isolation, etc.). However, the speed with which cloud services can be assembled and terminated (often without the security admin's knowledge or permission) offers new challenges for security vendors and cloud providers alike.
The SIP trunk E-SBC security device should provide all of the following to ensure the four requirements of enablement, control, protection and demarcation are met:
• VoIP threat prevention: comprehensive SIP and media protection
• VoIP policy compliance: fine-grained policy enforcement
• Secure access: firewall/NAT traversal and encrypted signaling and media proxy (TLS and SRTP)
• Demarcation: a clear line of defense and termination point for SIP trunks within the enterprise

This VoIP security device deploys at the edge of the enterprise network within the DMZ, between the network's internal and external firewalls, to ensure complete protection. The device performs border control functions such as firewall/NAT traversal, access management and control based on unified communications policies, and intrusion prevention functionality to defend against denial of service, spoofing, stealth attacks and voice spam.

The E-SBC is the safe SIP trunk choice for the enterprise. The E-SBC:
• Serves as the demarcation point for the enterprise VoIP and UC network and enforces fine-grained security policies.
• Protects against SIP and RTP threats by blocking them at the enterprise perimeter.
• Is proven in SIP trunk deployments involving all major VoIP and UC manufacturers and across all verticals.
• Performs firewall/NAT traversal to simplify the deployment of SIP trunks.
• Is upgradable to support the advanced UC security functionality: safe VoIP and UC to any device over any network.
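As an added example of the intrusion prevention function described above (this is illustrative code, not the E-SBC's or UC-Sec's own logic), the script below runs two sliding-window checks over a constructed SIP request log: a per-source request-rate check that catches the flood which overwhelms a phone's protocol stack, and a per-callee INVITE check that catches the low-volume "keep the phone ringing" variant, which never trips a volume threshold on its own. The log format, the source addresses and both thresholds are assumptions chosen for the example.

```python
"""Hypothetical rate-based SIP DoS detector (added example, not vendor code).
Sliding-window counts over a SIP request log catch the flood that
overwhelms a phone's protocol stack and the low-volume variant that keeps
a phone ringing without ever producing a volume spike."""
from collections import defaultdict, deque

FLOOD_WINDOW = 1.0      # seconds; the thresholds below are assumed values
FLOOD_MAX = 20          # requests from one source per FLOOD_WINDOW
RING_WINDOW = 60.0      # seconds
RING_MAX_INVITES = 5    # INVITEs to one callee per RING_WINDOW


def build_sample_log():
    """Constructed log, one request per line: '<epoch> <src_ip> <method> <callee>'."""
    lines = []
    for i in range(3):                 # ordinary registrations
        lines.append("%.3f 203.0.113.9 REGISTER -" % (10 + i * 30))
    for i in range(30):                # flood: 30 INVITEs inside half a second
        lines.append("%.3f 198.51.100.7 INVITE 1000" % (50 + i * 0.016))
    for i in range(8):                 # stealth: one INVITE every 10 s to one phone
        lines.append("%.3f 203.0.113.5 INVITE 2001" % (100 + i * 10))
    return lines


def parse_line(line):
    ts, src, method, callee = line.split()
    return float(ts), src, method, callee


def _trim(window, now, width):
    """Discard timestamps older than `width` seconds from the deque's left."""
    while window and now - window[0] > width:
        window.popleft()


def flood_sources(events):
    """Sources that exceed FLOOD_MAX requests within FLOOD_WINDOW."""
    per_source, found = defaultdict(deque), set()
    for ts, src, _, _ in events:
        q = per_source[src]
        q.append(ts)
        _trim(q, ts, FLOOD_WINDOW)
        if len(q) > FLOOD_MAX:
            found.add(src)
    return found


def ringing_targets(events, ignore_sources):
    """Callees receiving more than RING_MAX_INVITES INVITEs per RING_WINDOW
    from sources that were not already flagged as floods."""
    per_callee, found = defaultdict(deque), set()
    for ts, src, method, callee in events:
        if method != "INVITE" or src in ignore_sources:
            continue
        r = per_callee[callee]
        r.append(ts)
        _trim(r, ts, RING_WINDOW)
        if len(r) > RING_MAX_INVITES:
            found.add(callee)
    return found


def detect(lines):
    """Return sorted (alert_type, key) pairs for a list of log lines."""
    events = sorted(parse_line(l) for l in lines)
    floods = flood_sources(events)
    rings = ringing_targets(events, floods)
    return sorted([("flood", s) for s in floods] +
                  [("stealth-ring", c) for c in rings])


if __name__ == "__main__":
    for kind, key in detect(build_sample_log()):
        print(kind, key)
```

On the sample log the detector names 198.51.100.7 as a flooding source and extension 2001 as a stealth-ring target, while the three registrations from 203.0.113.9 raise nothing. The two checks are kept separate on purpose: a flooding source also hammers one callee, and counting its INVITEs again would report the same attack twice.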
UC-Sec appliances offer comprehensive security for voice over IP (VoIP) and unified communications, enabling enterprises to take full advantage of the cost savings and productivity opportunities VoIP and UC offer, over any network and to any device. With UC-Sec, enterprises can safely deploy new UC applications, including:
• Softphones, Wi-Fi, and dual-mode smartphones
• E-mail, voice, video, and instant messaging integration
Enterprises are also able to simply and easily extend rich communications to home and remote work configurations, including teleworkers, mobile workers with remote IP phones, partners, the supply chain, and customers with SIP trunks. Most importantly, businesses are freed to focus on their core competencies.
Cost Savings: Operational and Capital
• Allows for consolidation: to one ISP/ITSP, one data center
• Simplicity: works with installed IP-PBX and telephones
• Efficiency: efficient use of bandwidth
UC Cloud Computing Security
BDPA Dallas, May 24th Program Meeting
UC Security - Cloud Computing
Dean Jones, Engagement Manager
Infrastructure As A Service (IaaS)
The Cost of Unsecured Hosted and Private UC Environments
One successful toll fraud attack: $40,000
A crisis of complexity. The need for progress is clear.
[Chart: Global Annual Server Spending (IDC), $0B to $300B; series: power and cooling costs, management and admin costs, new system spend. Management and energy costs are uncontrolled while new system (CAPEX) spend stays steady.]
To make progress, delivery organizations must address the server, storage and network operating cost problem, not just CAPEX.
Source: IBM Corporate Strategy analysis of IDC data
Reports: Security Pros Shift Attention From External Hacks To Internal Threats
Majority of IT and security execs say insider vulnerabilities worry them most.
Mar 09, 2009 | 08:08 AM, by Tim Wilson, DarkReading
It's official: Today's security managers are more worried about insiders leaking sensitive corporate data than they are about outsiders breaking in to steal it.
http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=215801195
Perimeter defense is essential, but it doesn't guard data against the human factor
Lost or stolen devices
• Intellectual property exposed to competitors
• Sensitive customer data compromised
• Competitive information leaked to the media
Exposed business processes
• Extracts pulled for processing and reporting
• Circulating data across organizations
• Workarounds during system outages
Malicious insiders
• Malware deployed within the network
• Intentional misuse of company information
• Identity theft and industrial espionage
Careless use of the corporate network
• Viruses unwittingly downloaded at home
• Unsecured archives or copies of data
• Uncontrolled circulation of classified documents or personal e-mail messages
Increased collaboration brings increased complexity and increased risk.
[Figure: "Foes, Gremlins, and Banana Peels": coffee shop, hotels, home, business partners and the supply chain all connect in, with inadequate, disjointed technology management]
Many companies expend resources on the network without achieving the expected results.
• A piecemeal approach to network security and updates leads to an overly complex infrastructure
 – Time-consuming to pinpoint causes of performance problems, especially for newly added voice and video applications that impact traditional mission-critical applications
 – Difficult to determine the best way to optimize costs and performance
 – Hard to estimate future expenditures and justify current costs
 – Almost impossible to predict capacity requirements accurately
• Through 2011, enterprises will waste $100 billion buying the wrong networking technologies and services [3]
 – Unnecessary technologies
 – Excess bandwidth
 – Unwarranted upgrades
[3] Gartner, Gartner's Top Predictions for IT Organizations and Users, 2007 and Beyond, Daryl C. Plummer and others, December 2006.
Ponemon Institute's Security Breach Studies
• Two separate reports, the Ponemon Institute's "The First Annual Cost of Cyber Crime Study" (PDF), sponsored by ArcSight, and "The Leaking Vault" (PDF), released by the Digital Forensics Association, show troubling findings for companies' finances:
• A median cost of $3.8 million per year for attacks, including all costs from detection, investigation, containment, and recovery to any post-response operations
• Out of 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as those whose information was exposed reached $139 billion
• Nearly half of all reported breaches came from a laptop, which in 95 percent of the cases was stolen
• Hacks led to the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, although hacks represent only about 16 percent of the data breaches
• Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks, making up more than 90 percent of all cybercrime costs per organization per year
• A Web-based attack costs 143,209 USD; malicious code, 124,083 USD; and malicious insiders, 100,300 USD
Cloud Security Breach Examples
• Google Docs allowed shared permission without user knowledge
 – http://www.google.com/support/forum/p/Google+Docs/thread?tid=2ef115be2ce4fd0e&hl=en
• Salesforce.com phishing attack led to leak of a customer list; subsequent attacks
 – http://voices.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html
• Vasrev.com webhost hack wipes out data for 100,000 sites
 – http://www.theregister.co.uk/2009/06/08/webhost_attack/
• Twitter company files leaked in cloud computing security failure
 – http://www.infosecurity-us.com/view/2554/twitter-company-files-leaked-in-cloud-computing-security-failure
• DDoS attack that downed Twitter also hit Facebook
 – http://www.computerworld.com/s/article/9136340/DDoS_attack_that_downed_Twitter_also_hit_Facebook?source=CTWNLE_nlt_security_2009-08-07
Cloud: Consumption & Delivery Models Optimized by Workload
"Cloud" is: a new consumption and delivery model inspired by consumer Internet services.
Cloud enables: self-service, sourcing options, economies of scale.
"Cloud" represents: the industrialization of delivery for IT supported services.
Multiple types of clouds will co-exist: private, public and hybrid; workload and/or programming-model specific.
Is cloud computing really new? Yes, and no.
Cloud computing is a new consumption and delivery model inspired by consumer Internet services. Cloud computing exhibits the following 5 key characteristics:
• On-demand self-service
• Ubiquitous network access
• Location independent resource pooling
• Rapid elasticity
• Pay per use
While the technology is not new (usage tracking, Web 2.0, service virtualization, automation and SOA), the end-user focus of self-service and self-management leveraging these technologies is new.
Today there are three primary delivery models that companies are implementing for cloud:
Private cloud: IT activities/functions are provided "as a service," over an intranet, within the enterprise and behind the firewall. Key features: scalability, automatic/rapid provisioning, chargeback ability, widespread virtualization, multi-tenancy.
Hybrid cloud: Internal and external service delivery methods are integrated, with activities/functions allocated based on security requirements, criticality, architecture and other established policies.
Public cloud: IT activities/functions are provided "as a service," over the Internet. Key features include: scalability, automatic/rapid provisioning, standardized offerings, consumption-based pricing.
Source: IBM Market Insights, Cloud Computing Research, July 2009.
Cost savings and faster time to value are the leading reasons why companies consider cloud
To what degree would each of these factors induce you to acquire public cloud services?
• Reduce costs: 77%
 – Pay only for what we use
 – Hardware savings
 – Software license savings
 – Lower labor and IT support costs
 – Lower outside maintenance costs
• Faster time to value: 72%
 – Take advantage of latest functionality
 – Simplify updating/upgrading
 – Speed deployment
 – Scale IT resources to meet needs
• Improve reliability: 50%
 – Improve system reliability
 – Improve system availability
Respondents could rate multiple items. Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
Managing Cloud Adoption
• Cloud economics can be compelling
 – Small companies will adopt as reliable, easy-to-use services become available
 – Scale economics are within reach of many enterprises
• Client migration will be workload driven
 – Trade-off is value vs. risk of migration
 – Workload characteristics are critical
 – New workloads will emerge as cloud makes them affordable (e.g. pervasive analytics, Smart Healthcare)
Elements that Drive Cloud Efficiency and Infrastructure Economics
Leverage hardware
• Virtualization of infrastructure: drives lower capital requirements
• Utilization: virtualized environments only get benefits of scale if they are highly utilized
Leverage labor
• Self service: clients who can "serve themselves" require less support and get services
• Automation of management: take repeatable tasks and automate them
• Standardization of workloads: more complexity = less automation possible = more people needed
Enterprise Benefits from Cloud Computing
Cloud accelerates business value across a wide variety of domains.
Capability | From (legacy environments) | To (cloud enabled enterprise)
Server/storage utilization | 10-20% | 70-90%
Self service | None | Unlimited
Test provisioning | Weeks | Minutes
Change management | Months | Days/hours
Release management | Weeks | Minutes
Metering/billing | Fixed cost model | Granular
Standardization | Complex | Self-service
Payback period for new services | Years | Months
Clients told us their implementation strategies (public or private cloud, present or future) for 25 specific workloads:
Analytics
• Data mining, text mining, or other analytics
• Data warehouses or data marts
• Transactional databases
Development and test
• Development environment
• Test environment
Business services
• CRM or Sales Force Automation
• e-mail
• ERP applications
• Industry-specific applications
Collaboration
• Audio/video/web conferencing
• Unified communications
• VoIP infrastructure
Desktop and devices
• Desktop
• Service/help desk
• Training infrastructure
Infrastructure
• Application servers
• Application streaming
• Business continuity/disaster recovery
• Data archiving
• Data backup
• Data center network capacity
• Security
• Servers
• Storage
• WAN capacity
Source: IBM Market Insights, Cloud Computing Research, July 2009.
Clients cite "push factors" for and "barriers" against cloud adoption for each workload type
Push factors (higher propensity for cloud):
• Fluctuating demand
• Highly standardized applications
• Modular, independent applications
• Cost is not a concern
Barriers (lower propensity for cloud):
• Data privacy or regulatory and compliance issues
• High level of internal control required
• Accessibility and reliability are a concern
• Unacceptably high costs
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
IT needs to become smarter about…
… delivering "services" and service management
• Standardized processes
• Service management systems provide visibility, control and automation
• Lower operational costs and higher productivity
… optimizing workloads
• Rate and degree of standardization of IT and business services
• Complex transaction and information management processes
• Rapid return on investment and productivity gains
… deployment choices
• New models are emerging for the enterprise
• Self-service, economies of scale, and flexible sourcing options
• New choices of deployment define these new models
Workload domains: Analytics, Collaboration, Development and Test, Desktop and Devices, Infrastructure, Business Services
Focus on Managing Services End to End
[Diagram: Service Management, architectural and process level integration that delivers business-aligned visibility, control and automation of all data center elements; modular, self-contained, scalable workload delivery platforms (workloads A, B, C), each with its own service management, alongside a legacy environment of non-IBM solutions requiring workload connectivity; underlying mobility, facilities, production, technology and communications infrastructure]
3 options to deploy workloads, providing you the choice to meet your business needs!
Smart Business Services: cloud services delivered.
1. Standardized services on the cloud: public cloud.
2. Private cloud services, built and/or run by the provider: private cloud.
Smart Business Systems: purpose-built infrastructure.
3. Integrated service delivery platform.
Workload domains: Analytics, Collaboration, Development and Test, Desktop and Devices, Infrastructure, Business Services
What do we mean by Unified Communications and Collaboration?
Web conferencing, messaging, video conferencing, voice, mobile, instant messaging, e-mail, calendaring, call management, communities.
Unified Communications + Collaboration = UC², with the added power of mobility.
Renovate & Innovate
• How do we address the immediate pressure to cut costs, reduce risk and complexity?
• How do we innovate to take advantage of new opportunities?
• How can we do both at the same time?
• We focus on delivering services in new ways: lowering cost while increasing speed and flexibility!
Benefits of Unified Communications
• UC benefits come from extending the UC network
• New modes of collaboration
 – Extended workforce
 – Suppliers
 – Partners
 – Clients
• Corporate policies
 – Business continuity
 – Privacy compliance, auditing
 – Green initiatives
• Cost reduction
 – Converged infrastructure
 – SIP trunks
[Diagram: enterprise IP-PBX and UC assets with internal phones (employees, departments), remote phones (extended workforce), and SIP trunks to suppliers, partners and clients]
Challenges of Extending UC
• IP-PBX and phone protection
• Policy and compliance enforcement
• Device and user authentication
• Signaling and media privacy
• Deployment
 – Phone configuration and management
 – Corporate firewall configuration
 – Remote firewall traversal
[Diagram: the same topology as above, now showing the threat sources: an Internet hacker, an infected PC, a rogue employee and a spammer]
Additional Security Concerns
• The significant security concerns for this type of deployment are mainly SIP/SCCP/H.323 call control and application level attacks, along with:
• Attacks originating from a peering network
• End user spam attacks
• Border control and traversal issues
• Handling of domain policies
High-level Cloud Security concerns
Less control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
Data security: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission critical applications may not run in the cloud without strong availability guarantees.
Compliance: Complying with SOX, HIPAA, PCI DSS, FERPA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
Security management: Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
Industry, Government, Risk & Corporate Compliance
Numerous mandates for privacy apply to UC deployments as well as data protection:
• FDIC VoIP Guidelines
• FERPA: Family Educational Rights and Privacy Act
• GLBA: Gramm-Leach-Bliley Act (consumer data protection)
• FTC Safeguards for consumer protection, enforcing GLBA
• HIPAA: The Health Insurance Portability and Accountability Act
• PCI DSS: The Payment Card Industry Data Security Standard
Cloud Security 101: Simple Example
TODAY | TOMORROW
We have control. | Who has control?
It's located at X. | Where is it located?
It's stored in servers Y, Z. | Where is it stored?
We have backups in place. | Who backs it up?
Our admins control access. | Who has access?
Our uptime is sufficient. | How resilient is it?
The auditors are happy. | How do auditors observe?
Our security team is engaged. | How does our security team engage?
Lesson learned: We have responded to these questions before; clouds demand fast, responsive, agile answers.
What is a SIP Trunk?
Definition:
• A SIP Trunk is a service offered by an ITSP (Internet Telephony Service Provider) that connects a company's IP-PBX to the telephone system (PSTN) via the Internet using the SIP VoIP standard. (Source: wikipedia.org)
Extending VoIP:
• With an IP-PBX, enterprises have converged data and voice over the LAN; a SIP trunk allows enterprises to do the same over the WAN/Internet.
[Diagram: Enterprise (PBX, IPCS, LAN) - SIP Trunk - ITSP / ISP - Internet - MGW - PSTN]
SIP Trunk Requirements
Threat protection
• What about toll fraud, spam, DoS?
• Who has access to my PBX?
• Monitoring of security incidents
Policy enforcement
• Need to change firewall policy?
• Control services and features
Access control
• Who, from where, when
Privacy
• Who has access to my private communication?
Deployment issues
• Will it work?
• Change, upgrades
• Voice quality
• Visibility, QoS/SLA
[Diagram: Enterprise (PBX, IPCS, LAN) - SIP Trunk - ITSP - Internet - PSTN]
Return on Security Investment
• Return on Security Investment factors
 – Single Loss Expectancy (SLE): dollar amount assigned to an event
 – Annualized Rate of Occurrence (ARO): estimated frequency of the event
 – Annualized Loss Expectancy (ALE): SLE x ARO = ALE
Theft of Service Assumptions
• Large enterprise with 500 SIP trunks
 – 50% average utilization
• Without SIP trunk security
 – Billing rate 2¢ / min
 – Event forces theft of 20% of average utilized trunks
 – SLE = 20% x 250 x 2¢ = $1/min
 – ARO = 365 days x 24 hours x 60 min = 525,600 events/year
 – ALE = 365 x 24 hours x 60 min x $1 = $525,600
• With UC Security-protected SIP trunk
 – VoIP vulnerability assessment
 – Best practices
 – Comprehensive UC security
Theft of Service Business Case

Unprotected SIP Trunk
Item                            Qty         Unit Cost    Total Cost
Capital Cost (list price)
Total Capital Cost                                       $0
Monthly Service Theft Cost
Theft                           30*24*60    $1           $43,200
                                = 43,200
Total Monthly Theft Cost                                 $43,200

Protected SIP Trunk
Item                            Qty         Unit Cost    Total Cost
Capital Cost (list price)
VoIP Sec Assessment             2 weeks     $10,000      $20,000
UC-Sec 2000 HA                  1 pair      $65,950      $65,950
UC-SEC EMS                      1           $7,495       $7,495
Installation                    1           $3,000       $3,000
Total Capital Cost                                       $96,445
Monthly Maintenance Cost
UC-Sec Maint.                   1 yr / 12   $13,190      $1,099
EMS Maint.                      1 yr / 12   $1,499       $125
Total Monthly Maintenance Cost                           $1,224

Pay Back Period: 3 months and IRR > 75%
With no VoIP/UC security in place, Annualized Loss Expectancy = $525,600
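The SLE/ARO/ALE arithmetic of the three preceding slides, carried through in code as an added example (not part of the deck). The inputs are the deck's own assumptions (500 trunks, 50% utilization, 2¢/min, 20% of busy trunks stolen, the listed capital and maintenance prices); the function names and the 30-day month used for the monthly theft figure are this example's assumptions, chosen to match the business-case table.

```python
"""Return-on-security-investment arithmetic for the SIP-trunk theft-of-service case.

Added example, not from the original deck. Inputs are the deck's assumptions;
function names and the payback rounding rule are this example's own choices.
"""
import math

MINUTES_PER_YEAR = 365 * 24 * 60   # 525,600 minute-events per year (the deck's ARO)
MINUTES_PER_MONTH = 30 * 24 * 60   # 43,200, the 30-day month the business case uses


def single_loss_expectancy(trunks: int, utilization: float,
                           stolen_fraction: float, rate_per_min: float) -> float:
    """Dollar loss per minute while theft is in progress (SLE per minute-event)."""
    busy_trunks = trunks * utilization            # 500 x 50% = 250
    stolen_trunks = busy_trunks * stolen_fraction  # 20% of 250 = 50
    return stolen_trunks * rate_per_min            # 50 x $0.02 = $1/min


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def payback_months(capital_cost: float, monthly_loss_avoided: float,
                   monthly_maintenance: float):
    """Whole months until the avoided loss has paid for the control.

    Returns None when the control never pays back (maintenance >= avoided loss),
    which is the case a budget reviewer most wants flagged rather than hidden.
    """
    net_monthly_benefit = monthly_loss_avoided - monthly_maintenance
    if net_monthly_benefit <= 0:
        return None
    return math.ceil(capital_cost / net_monthly_benefit)


def theft_of_service_case() -> dict:
    """Reproduce the deck's theft-of-service numbers end to end."""
    sle = single_loss_expectancy(trunks=500, utilization=0.5,
                                 stolen_fraction=0.2, rate_per_min=0.02)
    ale = annualized_loss_expectancy(sle, MINUTES_PER_YEAR)
    monthly_theft = sle * MINUTES_PER_MONTH
    # Protected-trunk capital: assessment + UC-Sec HA pair + EMS + installation
    capital = 20_000 + 65_950 + 7_495 + 3_000
    # Annual maintenance contracts spread over 12 months, rounded to whole dollars
    maintenance = round(13_190 / 12) + round(1_499 / 12)
    return {
        "sle_per_min": sle,
        "ale": ale,
        "monthly_theft": monthly_theft,
        "capital_cost": capital,
        "monthly_maintenance": maintenance,
        "payback_months": payback_months(capital, monthly_theft, maintenance),
    }


if __name__ == "__main__":
    for key, value in theft_of_service_case().items():
        print(f"{key:>20}: {value:,}")
```

Two things the slide does not spell out that the code makes explicit: the ARO here is a rate per minute-event, so the ALE only holds if theft runs around the clock for a year, and the payback period is driven by the net of avoided loss minus the control's own running cost, which is why a control whose maintenance approaches the loss it prevents returns no payback at all.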
Loss of Service Assumptions
• Large enterprise
 – 25,000 users
 – 20% using softphones
• Assets
 – 5 Avaya SES SIP servers
 – 25,000 IP phones
 – 5,000 softphones
 – Softphone laptops carry company confidential data
Threat Level Assumptions
• Threat level or probability of exploit
 – 37 vulnerabilities discovered
 – 7 high threats with exploit probability >70% per month
 – 5 medium threats with exploit probability >50% per month
 – 26 low threats with exploit probability <50% per month
• SIP Servers
 – Integrity: 1 medium: spoof call server
 – Availability: 2 high: denial of service; 1 medium: service degradation
• IP Phones, Softphones
 – Confidentiality: 1 medium: unencrypted snoop
 – Integrity: 2 medium: spoofing / hijacking
 – Availability: 2 high: denial of service, fuzzing; 1 medium: QoS degradation
• Softphones only
 – Confidentiality and availability: 2 high: fuzzing with execute shell code
 – Integrity: no high/medium
Loss of Service ALE Calculation
No. | Vulnerability Type          | Probability of Exploit | Assets Affected      | $ Loss on Single Occurrence | Annualized Rate of Occurrence | Annualized Loss Expectancy
1   | DoS                         | High                   | Server               | 15 mins, $50,000            | 7                             | 350,000
2   | DoS                         | High                   | Server               | 15 mins, $50,000            | 7                             | 350,000
3   | Degradation                 | Medium                 | Server               | 15 mins, $25,000            | 5                             | 125,000
4   | Spoofing                    | Medium                 | Server               | 15 mins, $35,000            | 5                             | 175,000
5   | DoS                         | High                   | IP Phone, Softphone  | 1 hr, $50                   | 35                            | 1,750
6   | DoS                         | High                   | IP Phone, Softphone  | 1 hr, $50                   | 35                            | 1,750
7   | Degradation                 | Medium                 | IP Phone, Softphone  | 1 hr, $25                   | 25                            | 625
8   | Spoofing                    | Medium                 | IP Phone, Softphone  | 1 hr, $500                  | 25                            | 6,250
9   | Hijack                      | Medium                 | IP Phone, Softphone  | 1 hr, $500                  | 25                            | 6,250
10  | Sniffing                    | Medium                 | IP Phone, Softphone  | 1 hr, $500                  | 25                            | 6,250
11  | Buffer overflow, Shell-code | High                   | Softphone            | Company, $3,000             | 35                            | 105,000
12  | Buffer overflow, Shell-code | High                   | Softphone            | Company, $3,000             | 35                            | 105,000
Total: 12 vulnerabilities (7 high, 5 medium), ALE ~ $1.2 million
Loss of Service Business Case

Unprotected IP-PBX
Item                            Qty         Unit Cost    Total Cost
Capital Cost (list price)
Total Capital Cost                                       $0
Monthly Service Loss Cost
Loss                            1           $100,000     $100,000
Total Monthly Loss Cost                                  $100,000

Sipera-protected IP-PBX
Item                            Qty         Unit Cost    Total Cost
Capital Cost (list price)
VIPER Assessment                2 weeks     $10,000      $20,000
UC-Sec 50k HA                   1 pair      $229,850     $229,850
UC-SEC EMS                      1           $7,495       $7,495
Installation                    1           $3,000       $3,000
Total Capital Cost                                       $260,345
Monthly Maintenance Cost
UC-Sec Maint.                   1 yr / 12   $30,000      $2,500
EMS Maint.                      1 yr / 12   $1,499       $125
Total Monthly Maintenance Cost                           $2,625

Pay Back Period: 3 months and IRR > 60%
With no VoIP/UC security in place, Annualized Loss Expectancy = $1,200,000
Other Downtime Effects
• Impact on stock price
• Cost of fixing / replacing equipment
• Cost of fixing / replacing software
• Salaries paid to staff unable to undertake productive work
• Salaries paid to staff to recover work backlog and maintain deadlines
• Cost of re-creation and recovery of lost data
• Loss of customers (lifetime value of each) and market share
• Loss of product
• Product recall costs
• Loss of cash flow from debtors
• Interest value on deferred billings
• Penalty clauses invoked for late delivery and failure to meet service levels
• Loss of profits
• Additional cost of credit through reduced credit rating
• Fines and penalties for non-compliance
• Liability claims
• Additional cost of advertising, PR and marketing to reassure customers and prospects to retain market share
• Additional cost of working; administrative costs; travel and subsistence etc.