SIP Trunking, Unified Communications, and Security: What You Need to Know

By Erik Linask, Group Editorial Director  |  October 01, 2010

This article originally appeared in the October 2010 issue of Unified Communications magazine

SIP trunking and Unified Communications (News - Alert) are often discussed in separate conversations but, the simple fact is that the former is a key component in many implementations of the latter. This means, of course, an opportunity for vendors of those particular technologies to collaborate to grow their businesses, but it also means they are also tightly connected when it comes to security and risk.

The security implications of IP Communications are not new – they have been a discussion point emanating from security solution vendors from the very beginning. But, when it comes to adopters, as Joel Maloff (News - Alert) of Maloff NetResults noted, even a year ago, “it was like talking to the wind,” when it came to voice network security.

The issue, as Ingate President Steve Johnson (News - Alert) also recently pointed out, is that for a century, voice security was a non-issue. Voice came into businesses and was delivered to endpoints on its own infrastructure – there was no intersection with data traffic, where security was already a concern. That siloed thinking is changing, though, according to Maloff, with businesses becoming more aware of the need to implement appropriate security solutions to protect their voice traffic and converged networks.

Still, he predicts that, if he were to ask 200 people at one of the sessions he is moderating at next month’s SIP Trunking-Unified Communications Summit in Los Angeles if they have a written information systems and network security plan that addresses VoIP, which they have looked at within the past four months and which has been signed off on by management and is being actively utilized, he will get 10 honest “yes” responses.

That’s scary. At least it should be.

The reason is simple. In addition to not having had to deal with voice security for 100 years, there have been no major horror stories about businesses being adversely impacted by an attack via IP telephony. On the other hand, a virus or worm delivered across data networks that shuts down businesses and governments becomes the focal point of all major news organizations. So the question many businesses ask is, “If I haven’t heard of anyone being harmed by it, why should I spend thousands of dollars on something I may never need?”

Maloff, who holds a master’s degree in Information Systems Security, disagrees, suggesting that, unless they have taken the appropriate measures, businesses can’t know what has been happening in their networks. He has written network security policies for several organizations that have implemented a variety of VoIP and UC solutions, and believes firmly that unless businesses have a clearly articulated set of policies for which they also have a defined implementation plan, the different solutions and components live in security vacuums. Unified communications and SIP trunking security, he says, must be part of a well-considered overall strategy, with all potential issues having been considered so there are no hidden vulnerabilities.

Such a strategy, designed to protect a business’ information resources, must come from the top levels of organizations, not just the telecom or IT managers.

“Security should be treated by the enterprise not as a tactical infrastructure issue, but as a strategic issue, because there are corporate secrets that must be protected and compliance regulations that must be adhered to,” he says. “The decision to manage security of a business’ intellectual property should not be the sole decision of a technician sitting in a room with no windows.”

The questions that must be answered before an effective, holistic security strategy can be implemented include understanding who has access to what, who needs to be prevented from having access, how can network access and resources and risks be monitored and managed. These issues are among the many Maloff hopes will be addressed at a Town Hall Meeting style session at the SIP Trunking-Unified Communications Summit, which is collocated with ITEXPO West, Oct. 4 to 6.

There are plenty of vendors with reliable UC solutions available, and an equally impressive number of SIP Trunking providers, not to mention the companies that provide the security solutions to protect businesses from network-related risk. Each of these groups will be represented at this session, but Maloff highlights the fact that, while these vendors are in a position to provide solutions, it is up to the enterprise to recognize first that there are issues that must be addressed. Until then, even the best solutions will put business networks at risk.

“There’s an old saying, ‘If you don’t know where you’re going, any road will take you there,” he says. “It’s important for each organization to understand what they’re doing and how they’ve deployed their solutions before they can determine how to achieve an acceptable level of risk.”

Maloff’s point is that, while there isn’t necessarily an imminent threat, we do know there are individuals and groups with bad intentions who, at some point, could put a business’ assets at risk unless they have properly planned how to address security risks. VoIP and UC adoption is only going to grow and, as it does, the one thing that is certain is that cyber criminals will seek to take advantage of vulnerabilities in those solutions.

“I’m hopeful this is the kind of discussion we’ll have on this panel,” he says. “There is no such thing as an impenetrable system, only an acceptable level of risk, and that’s what we’re looking for.”

The SIP Trunking-Unified Communictions Summit kicks off at 9 a.m. on Monday, Oct. 4, with “The State of SIP Trunking,” and will include live demos, case studies, and a session dedicated to selling SIP Trunking. The highlight of the event, the Town Hall Meeting, which brings together many of the topics from other sessions, begins at 1 p.m. on Monday, Oct. 4.

“I am really looking forward to making this an interactive event and getting into the issues of how SIP, more broadly Unified Communications, and security relate to one another – it’s not all that well understood yet,” adds Maloff.

Make sure your business is not among the more than 50 percent of SIP trunking adopters that Maloff generously estimates have not included VoIP and SIP trunking in their network security policies. Be part of this Town Hall Meeting, which will include Dan York from VOIPSA, representatives from Iwatsu, Ingate, Intertex Data, ShoreTel, Dialogic (News - Alert), Broadvox, and Mitel, along with analyst David Yedwab.

Erik Linask is Group Editorial Director of TMC, which brings news and compelling feature articles, podcasts, and videos to 2,000,000 visitors each month. To see more of his articles, please visit his columnist page.

Edited by Tammy Wolf