For businesses, Voice over Internet Protocol (VoIP) offers several advantages, the most obvious of which lies in cost savings. As the convergence to Internet-based telephony continues, it’s worth considering the potential threats to sensitive data and business intelligence that occur online. This guide will help you develop and implement a strategy for keeping your business VoIP systems secured.
Identify the Risks
Before you can proceed with security measures and techniques, it’s essential to know what it is you’re trying to guard against.
Many users are still unaware of the possible consequences of transmitting sensitive call data across the public internet. When voice data is sent over the net, it remains unencrypted – unless specific measures are taken to scramble it first. Hackers now have a formidable arsenal of tools that can make gaining access to unencrypted networks an easy task.
Begin by establishing what you want to achieve by putting VoIP security in place. You’ll probably want to keep your VoIP service running continuously, without disruptions. You’ll need to protect sensitive customer information and business data, including call transcripts and transaction records. And you’ll want to prevent unauthorised users from making calls, and gaining access to your network.
Knowing the type of person or organisation that poses a threat – and their motivations for attacking – is also a must.
At one level, there are some attackers who simply want to gain access to VoIP services because of the convenience and cost benefits they offer. By piggybacking on your system, they’ll be able to enjoy free international and long-distance calls and data transmissions.
Disgruntled insiders or ex-employees may want to disrupt a VoIP network so that the downtime costs the company money, and damages its reputation.
Organised assaults on a VoIP system may be initiated to gain access to confidential information (from a business and its customers), along with telephone numbers, IP addresses and so on. These may be sold on to competitors, or used to redirect calls for other purposes.
Secure It In Transit
As with general web traffic, a major safeguard for VoIP data in transit is encryption, or scrambling of the information so that it can’t be easily deciphered or read.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the prevailing standards for data encryption, and will be familiar to web users from the padlock icons that appear when these protocols are in place.
Connections on VoIP can be secured by imposing TLS on Session Initiation Protocol (SIP) transmissions during control sessions. Communications on the network between clients and servers are secured through encryption against message tampering and so-called “man-in-the-middle” attacks (interception of the data transmitted). Unless both sides of a dialogue (client and server) agree on the TLS connection with its associated encryption keys, no transmission takes place.
Secure It In Real Time
You can go a stage further, by encrypting streams of voice data, in real time. Secure Real-Time Transport Protocol (SRTP) does this, and is typically used to provide security for media transmissions (streaming video, audio, etc.). VoIP networks can use it to encrypt voice calls in transit, and when combined with header compression, there’s minimal effect on the Quality of Service (QoS).
Data files, videoconferences and the like enjoy additional protection, as SRTP guards against manipulation of multimedia content as it’s being streamed. This replay protection prevents words from being substituted or key images swapped out – which could have potentially damaging consequences.
SRTP does impose an overhead, and a slight delay to the transmission of voice packets. But, with the increasing level of online attacks and threats, it’s worth considering as a way to beef up your security measures.
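The two protections described above (TLS on SIP signalling, SRTP on the voice stream) can be checked together on a captured call setup. The following is an added example, not part of the original article: it audits a SIP INVITE and its SDP body for both, and the helper `make_invite`, the host names and the key text are constructed placeholders.

```python
# Added example, not from the original article. All sample data is constructed.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(raw):
    """Return findings; an empty list means signalling and media are both protected."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Signalling: each Via hop must name the TLS transport (SIP/2.0/TLS).
    hops = [hop.split()[0].upper()
            for line in head.split("\n")[1:] if line.lower().startswith(("via:", "v:"))
            for hop in line.split(":", 1)[1].split(",") if hop.strip()]
    if not hops:
        findings.append("no Via header found")
    findings += [f"signalling hop uses {h}, not SIP/2.0/TLS" for h in hops if h != "SIP/2.0/TLS"]
    # Media: each m= section needs an SRTP profile plus a=crypto (SDES) or a=fingerprint (DTLS-SRTP).
    session_keyed, sdes, media = False, False, []
    for line in sdp.split("\n"):
        if line.startswith("m=") and len(line.split()) >= 3:
            media.append({"desc": line[2:].split(), "keyed": session_keyed})
        elif line.startswith("a=fingerprint:") and not media:
            session_keyed = True  # session-level fingerprint covers every stream
        elif line.startswith(("a=crypto:", "a=fingerprint:")) and media:
            media[-1]["keyed"] = True
            sdes = sdes or line.startswith("a=crypto:")
    for m in media:
        kind, proto = m["desc"][0], m["desc"][2]
        if proto.upper() not in SECURE_PROFILES:
            findings.append(f"{kind} stream offered as {proto}, not SRTP")
        elif not m["keyed"]:
            findings.append(f"{kind} stream has no a=crypto or a=fingerprint key material")
    # An SDES key travels inside the SDP, so it is only secret if signalling is TLS.
    if sdes and any(h != "SIP/2.0/TLS" for h in hops):
        findings.append("a=crypto key is readable because signalling is not TLS")
    return findings

def make_invite(transport, profile, key_line=""):
    """Build a minimal constructed INVITE (placeholder host, branch and key text)."""
    return ("INVITE sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} client.example.com;branch=z9hG4bKconstructed\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            "v=0\r\nc=IN IP4 192.0.2.10\r\n"
            f"m=audio 49170 {profile} 0\r\n{key_line}")

SDES_KEY = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER\r\n"
PLAINTEXT = make_invite("UDP", "RTP/AVP")
PROTECTED = make_invite("TLS", "RTP/SAVP", SDES_KEY)
if __name__ == "__main__":
    for name, msg in (("plaintext", PLAINTEXT), ("protected", PROTECTED)):
        print(name, audit_invite(msg) or "OK")
```

A clean result only covers the hops and streams visible in that one message; later hops in the call path can still downgrade to an unencrypted transport.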
Ensure Network Security
As well as your data, it’s essential to also guard the elements comprising your network infrastructure. Firewalls, antivirus suites, gateway protection and other tools for network security should be put in place, if they aren’t there already. The majority of attacks come because the business network is not properly secured, so you should ensure that yours is by implementing a layered security policy or investing in Managed Security from your IT provider.
To guard against outages and downtime, redundancy (standby power supplies, backup servers, data backups etc.) should be built into your VoIP network. Servers and essential hardware should be securely sited, and locked down as appropriate.
Software should be regularly updated and patched, and intrusion-detection systems should be used to regularly monitor your system hardware. Threat conditions change over time, so it’s important to conduct security audits on a regular basis.
Be Secure In-House
Network security and encryption measures aside, your VoIP system won’t be truly safe without the participation of your own people. Human error is always a given, and there may be corrupt or disgruntled parties to add to the mix. So you’ll need to make sure your in-house security is sound.
This means setting a policy for strong passwords (which should be changed by everyone, on a regular basis), dual-layer authentication (access control requiring confirmation with an external or mobile phone profile), and the like.
There may be regulatory compliance issues to take into account, as well. For example, any VoIP system which transmits customer credit card details must use data encryption that satisfies the Payment Card Industry Data Security Standard.
VoIP can be a great boon to business, but you’ll need to maintain vigilance and take the necessary steps to ensure that your system remains secure.