Converged Security

Imagine yourself at the largest, most prestigious business and technology show of the year. Top executives competing for Executive of the Year are asked a crucial question, “What are the two most important issues of the decade?” The answers given most often are “World Peace” and “Convergence.” This anecdote conveys the significance of convergence to our organizations. Now possible are previously unattainable voice, data, video and other applications that affect all aspects of computing and have the potential to yield immense benefits. As professionals of the same ilk as our Executive of the Year, we know that security is a critical factor in the success of the shift to convergence. In today’s world of zero day attacks, we recognize that racing to new applications with exposures such as untested code or unprotected networks is too great a risk. A deliberate and integral approach to converged security is required.

The following article describes a four-quadrant model, which provides a framework for converged security across the organization. The framework encompasses technology and business aspects of security necessary to address the ramifications of evolving converged technologies. This article is the first in a three part series focusing on voice and data security as enterprises realize savings and new functionality.

The pervasiveness of voice throughout the organization is a fundamental presumption of the model, which includes the many forms of voice processing and controls. A second assumption is that the shift to convergence is evolutionary. Architecturally, data becomes the core infrastructure and it integrates with updated legacy voice systems.

An organization is subject to new and additional threats as the technology, applications and business processes evolve and expand. Voice and data convergence in its simplest and most common initial implementation, carries voice calls over a data network, which is subject to a plethora of data threats. Security best practices methodology continually assesses the risks to the organization based on identified threats. Lessons learned over the past decades make possible the potential for better quality security and reduced risk as organizations move into new areas such as voice and data. Alternatively, organizations that ignore threats to voice and data are set for more than ‘double trouble’. Vigorousness and organized efforts by industry, vendors and implementers to minimize risks are essential as organizations strive to take advantage of convergence today and throughout the future.

Increases in efficiency and productivity are leading drivers of voice and data convergence. Cost benefits of a consolidated flexible data network such as VoIP can be significant. Unified platforms make possible applications such as integrated voice, email and text messaging and automated speech self-service. Business priorities determine an organization's technology and security investment spending. As organizations move to new converged solutions, security integrated from the beginning can save 2 to 3 times the cost to add security later on. It is important to establish a baseline from inception so that organizations can measure the effectiveness of security and the return of their investment. At a minimum, the value of the investment in converged security prevents a projected amount of loss and preserves the reputation of the organization imperative to voice and data applications such as CRM. Additional security investments can potentially enable further profit and convenience for the organization depending on the particular voice and data project.

Management of voice and data security extends from policy makers to individuals within the organization. Converged information technology and security are part of corporate governance where accountability and internal controls are enforced. Development and maintenance of policies and procedures, regular training, security audits and assessments are required best practices. Corporate, regulatory and legal policy dictate established practices effecting areas such as voice mail and voice recording retention.

A management challenge exists to monitor and maintain service levels, which include high availability and quality even during disaster. Consistent with the article’s recommended approach, we make use of more flexible technology and best practices to address this challenge. As technology matures, integrated security and management efficiencies are possible through unified management tools, combined platforms, flexible technology and consolidated efforts amongst others.

As convergence ushers in a new era of computing, it introduces novel architectures. Organizations give up the inherent security of separate, closed, proprietary voice legacy systems engineered for high availability. To improve upon previous voice security, an evolution that exploits the benefits and flexibility of open data systems and networks is required while simultaneously reducing associated risks. The industry strives for end-to-end security. Unlike analog voice networks of the past, an end-to-end digital voice solution on a converged infrastructure is feasible. Protection end-to-end becomes possible, calling for multi-vendor voice and data solutions since not any one vendor can provide end-to-end security from device to data.

Secure connectivity is a critical aspect of end-to-end security, which prevents eavesdropping and third party interception. In a converged infrastructure, we use proven industry technology such as secure protocols, encryption and virtual private networks, especially in high-risk wireless smart phone applications. Access control, identity and authorization management facilitate secure access to the organization according to device, ID and application and determine associated privileges. This is essential to minimize risks associated with threats such as unauthorized access to call processing and voice mail systems, service theft and toll fraud, social engineering, rogue smart phones and compromised data.

We rely on security architecture best practices and principles as converged security grows from its current early form. One principle is that open systems and standards are more secure highlighting the need for voice and data security standards. The implementation of heterogeneous security systems, hardware and operating systems with redundancy is a guiding principle of threat management. This reduces the impact of one type of attack including Denial of Service attacks that attempt to overload the network or voice/data system components. Defense in Depth layers security throughout the organization filtering out access based on risk. Layered defense enables the organization to segment for various levels of security across applications such as public voice portals, business-to-business and internal applications.

The prevalence of voice combined with the comprehensiveness of converged architectures affects all aspects of secure computing from the cable up through the application. New integrated applications need to make use of basic application security principals such as the separation of presentation, business, and data layers and consider security throughout the entire lifecycle of the application. Voice and data security impacts many additional components including endpoint devices, call processing and voice mail systems, firewalls, intrusion detection systems with event correlation, network forensics, router blocks and out-of-band management.

Security is a balance of risks to the organization. Today’s risks signify that security be approached as its own function and not just an addition. The converged security model presented here provides a framework to methodize security as a function. Entities can use the model with its four quadrants to help organize the complexities of security and maintain their own unique balance. The following articles delve further into the technology and business specifics of voice and data security using the converged security model as a guideline.