Q: We’re migrating our contact center to VoIP and know SIP is the way to go. However, we’re concerned about security — mostly to protect our customers, but also for the IP-based communications solution we’re implementing. What security measures should we be aware of and how can we maximize them?

A: The potential of malicious attacks to an IP communications system makes security a critical priority for most contact centers, as well as for healthcare providers, financial institutions, government agencies, public companies and other organizations that manage confidential voice and data communications over an IP network. But rest assured, the security measures available for IP communications systems and voice over IP are the most advanced safeguards the telecom industry has ever developed.

Along with paving a migration path for VoIP, open standards such as the Internet Protocol (IP) and Session Initiation Protocol (SIP) actually provide a solid foundation for IP communications security. In particular, SIP is a rigorous standard for user authentication and message encryption in a VoIP environment, and is also the most regulated tool for security thanks to the Internet Engineering Task Force (IETF). In conjunction with new and updated IP technologies, the IETF continually introduces, amends and strictly monitors SIP security specifications established in industry-wide Request For Comment (RFC) records. For example, RFC 2617 was introduced to support SIP digest authentication that prevents unauthorized access to a SIP proxy’s services.

So to answer your question, standards themselves provide extremely effective security measures for a VoIP configuration, as does focusing your security strategy on:

Fraud prevention. As much as possible, your IP communications system should be configured to prevent fraud or malicious use.

Security and continuity system-wide. Should an attack occur, IP servers, data servers, phones and other devices must remain functional to provide required business continuity and keep the door open to your organization and employees.

Confidentiality protection. Again as much as possible, your system should preserve the privacy of audio plus any stored data.

Fraud Prevention
While SIP and associated RFCs help guard against denial of service (DOS) attacks, hijacking, redirection, man-in-the-middle attacks and similar breaches, maximizing security levels depends largely on how an IP communications system is configured. A simple rule of thumb: Any solution that requires building security into multiple hardware systems (a PBX, IVR system, Web server, third-party middleware, etc.) actually multiplies the points of attack for unauthorized users, whereas a system singularly configured for security at its core minimizes such entry points.

Security And Continuity System-wide
Lending to the security-at-its-core approach is the new breed of all-in-one IP communications application suites. Because such solutions pre-integrate applications on a single platform for all voice and data functions, they easily replace “multi-point” hardware systems, reduce the number of access points for potential attacks and inherently streamline security down to their central underlying platform.
An added benefit is that software-based systems make it possible to extend security mechanisms to all critical points between an IP network and the desktop. In essence, SIP on a VoIP network gives organizations a backbone to deploy virtual private networks (VPNs), virtual LANs (VLANs), access lists, authentication, transport layer security (TLS) and secure real-time transport protocol (SRTP) mechanisms from the network to their IP communications system’s application server, gateway, data servers and phone devices. Conversely, most IP communications solutions from proprietary vendors incorporate SIP only at the network level, not throughout the system.

Further considering that an IP communications server acts as just another business application server on an IP network, organizations can implement security more completely for information systems, database applications, e-mail servers, disaster recovery sites, etc. — an IT connectivity model for security that better equips an organization to remain functional should a network outage or attack occur.

Confidentiality Protection
Finally, to safeguard customers and their information, industry standards such as IPSec — a collection of IP security measures for authentication and encryption — and TLS can be incorporated alongside SIP-based encryption to prevent eavesdropping on phone calls, data tampering, message forgery and so on. Properly implemented, these measures make SIP-supported VoIP far more secure than traditional telephony, where anyone with a butt set can listen to calls and intercept customers’ information.

Though system attacks might always be a concern for any contact center that moves voice and data over an IP network, the good news is that the measures available through standards and industry safeguards for IP communications are providing a tighter wall of protection than businesses have ever had.

Tim Passios is Director of Product Marketing for Interactive Intelligence Inc. and has more than 16 years experience in the contact center industry. Interactive Intelligence is a leading provider of IP business communications software and services for the contact center and the enterprise, with more than 2,500 installations in nearly 70 countries. For more information, contact Interactive Intelligence at [email protected] or (317) 872-3000.