UC Security: More ComplexityUC Security: More Complexity

The issue of security for IP telephony is, if not well understood, at least satisfactorily grasped by professionals in the IT/telecom and security organizations today. There's the gamut of potential problems, which will be serious challenge if and when they actually materialize-like spam over IP telephony (SPIT), eavesdropping, voice phishing and the like. And then there are the problems we see in the wild today, which mostly involve exploits against IP "data" networks that affect the voice traffic running on those networks; basically, when a denial of service or other attack brings down the IP network, it now takes voice traffic with it, or at least it can. Experts like Mark Collier of SecureLogix and the VOIP Security Alliance say such exploits are the real danger for now.

The issue of security for IP telephony is, if not well understood, at least satisfactorily grasped by professionals in the IT/telecom and security organizations today. There's the gamut of potential problems, which will be serious challenge if and when they actually materialize-like spam over IP telephony (SPIT), eavesdropping, voice phishing and the like. And then there are the problems we see in the wild today, which mostly involve exploits against IP "data" networks that affect the voice traffic running on those networks; basically, when a denial of service or other attack brings down the IP network, it now takes voice traffic with it, or at least it can. Experts like Mark Collier of SecureLogix and the VOIP Security Alliance say such exploits are the real danger for now.But what about Unified Communications? What unique security challenges could we see when UC starts moving into enterprises?

Ted Ritter of Nemertes Research, who's a CISSP (Certified Information Systems Security Professional), suggests that UC will pose new security and compliance risks because of several factors. Ted will be discussing some of these challenges in a VoiceCon webinar today.

One of the issues he'll touch on is compliance. Since Unified Communications leverages more corporate data, there is greater risk of data leakages that violate corporate privacy policies, Ted points out. Also, expanded rules governing legal discovery mean that voice mails-including those embedded in voice mail as part of unified messaging-may be discoverable in litigation.

Ted's presentation will also touch on the gap between the relatively low incidence of security breaches in early generations of IP telephony, in contrast to the higher risk that's likely to exist in the world of UC. Several factors account for this; I'll start with one that Ted doesn't mention in his slides, but that I think is a legitimate concern: Microsoft will be a much bigger player in the UC future than they've been in IP telephony. Microsoft is the target that hackers most relish going after. You can't ignore this reality.

As Ted Ritter notes, some emerging issues relate to the way that IP telephony has been implemented so far. To date, IPT systems have been deployed largely as islands, connected via dedicated IP pipes or to the legacy PSTN via gateways. In other words, they haven't been Internet-connected.

One of the key assumptions about UC is that the boundaries of the enterprise will be much more fluid, with users' need for mobility and remote connectivity driving several trends that can only jack up the security threat level. Those trends include more connection via the Internet, and more use of softphones.

Ted makes an analogy that I'm interested to hear him flesh out in the webinar. He draws a parallel between UC and Service Oriented Architectures (SOA), the technology with which--it's widely believed--UC will combine to create Communications-Enabled Business Processes (CEBP), which integrates communications into business process apps. Ted's not trying to sketch out an all-encompassing security architecture for CEBP; rather, he's pointing out similarities between UC (or UCC, as Nemertes calls it) and SOA. His bullet points: