VoIP security is beginning to get a lot of attention. But is its visibility warranted? In June, Gartner called VoIP security concerns "over-hyped" and urged IT executives not to hold off on VoIP deployment because of such concerns.
Yet at the Black Hat conference in Las Vegas late last month, noted researcher and security guru Phil Zimmermann - creator of the e-mail encryption program Pretty Good Privacy (PGP) - introduced an architecture for delivering encryption to VoIP phones, positioning it as part of an overall requirement to secure critical infrastructure.
Who's right? Are VoIP security vulnerabilities overblown, or do IT executives need to be concerned?
My take: Yes, and yes. I tend to group security vulnerabilities into two classes: privacy issues and denial-of-service (DoS) issues. In other words, bad guys might see (and abuse) your data and resources, or they might make your resources unavailable to you.
VoIP privacy concerns encompass things such as eavesdropping and what used to be called toll fraud. In other words, someone might listen in on your calls, or break into your IP PBX and place calls through it at your expense.
VoIP DoS issues encompass IP telephony-specific concerns such as spam over Internet telephony (SPIT), as well as exposure to general data-network security breaches: client or server slowdowns or freezes caused by viruses or spyware, distributed DoS attacks and the like, any of which can make the IP telephony system unavailable to users.
Taking these threats in order, eavesdropping is less of a concern for IT managers than for the general public, simply because most enterprise VoIP users rely on private (and relatively protected) IP networks rather than the Internet. Private does not mean encrypted, however: in a typical IP PBX deployment, call signaling and the voice stream itself cross the LAN in the clear, so IT executives still need to be concerned about the possibility of internal espionage. A tech-savvy employee, consultant or other third party has ample access to the IP infrastructure, and a tap on the right switch port is enough to reconstruct a conversation. Protecting the IP PBX from being hijacked by third parties is a concern as well. (One reason IT executives often express skepticism about Windows-based servers is that they're perceived as more vulnerable to assault.)
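To make the insider-eavesdropping point concrete, here is an added example (not code from the column or from any product it mentions) showing how little work it takes to turn captured, unencrypted VoIP media back into audio. It assumes the attacker has already captured the UDP payloads of a call, for instance by mirroring a switch port, and that the call uses G.711 mu-law (RTP payload type 0), the most common codec of the period. The packets below are constructed inline so the script runs offline; only the RTP header layout (RFC 3550) and the G.711 decode rule are real.

```python
import struct

# Constructed sample data: two RTP packets as an eavesdropper would see them after
# stripping the Ethernet/IP/UDP headers. They are deliberately out of order.
# Payload type 0 = PCMU (G.711 mu-law, 8 kHz). The SSRC value is arbitrary.
SSRC = 0xDEADBEEF

def build_rtp(seq, ts, ssrc, payload, pt=0, marker=False):
    """Build a minimal RTP packet: 12-byte fixed header, no CSRC list, no extension."""
    b0 = 0x80                                  # V=2, P=0, X=0, CC=0
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

CAPTURED = [
    build_rtp(1001, 160, SSRC, bytes([0xFF, 0x7F])),
    build_rtp(1000, 0, SSRC, bytes([0x00, 0x80]), marker=True),
]

def parse_rtp(pkt):
    """Parse an RTP packet. Returns a dict of header fields plus the raw payload,
    or None if the packet is truncated or not RTP version 2."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        return None
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    cc = b0 & 0x0F
    offset = 12 + 4 * cc                       # skip contributing-source list
    if extension:                              # skip header extension if present
        if len(pkt) < offset + 4:
            return None
        ext_words = struct.unpack("!H", pkt[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    if len(pkt) < offset:
        return None
    payload = pkt[offset:]
    if padding:                                # last byte gives the padding length
        if not payload or payload[-1] == 0 or payload[-1] > len(payload):
            return None
        payload = payload[:-payload[-1]]
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": payload}

def ulaw_to_linear(u):
    """Decode one G.711 mu-law byte into a 16-bit linear PCM sample."""
    u = ~u & 0xFF                              # mu-law bytes are stored inverted
    sign = u & 0x80
    exponent = (u >> 4) & 0x07
    mantissa = u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample

def reassemble_stream(packets):
    """Group PCMU packets by SSRC, order them by sequence number and decode the
    payloads to PCM samples. Note: a real tool must also handle the 16-bit
    sequence-number wrap and missing packets; this keeps the ordering naive."""
    streams = {}
    for pkt in packets:
        hdr = parse_rtp(pkt)
        if hdr is None or hdr["pt"] != 0:
            continue
        streams.setdefault(hdr["ssrc"], []).append(hdr)
    decoded = {}
    for ssrc, hdrs in streams.items():
        hdrs.sort(key=lambda h: h["seq"])
        pcm = []
        for h in hdrs:
            pcm.extend(ulaw_to_linear(b) for b in h["payload"])
        decoded[ssrc] = pcm
    return decoded

if __name__ == "__main__":
    for ssrc, pcm in reassemble_stream(CAPTURED).items():
        print(f"SSRC {ssrc:#010x}: {len(pcm)} samples, first values {pcm[:4]}")
```

Writing the PCM list to a WAV file is one more library call; the point is that nothing in the path stops an insider with packet access from doing this, which is exactly the gap media encryption is meant to close.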
But the real concern, in my book, is protection against DoS. Rolling out VoIP in the absence of a proven data security architecture is basically rolling the dice - it's a matter of time before your network goes down, taking VoIP with it. According to recent Nemertes benchmarks on security best practices, most companies are actively working to beef up their basic security, but many have a long way to go. Enhancing basic infrastructure components such as anti-malware, firewalls and VPNs is among the top-funded security initiatives for these firms (more than 80% said these initiatives were among their top three priorities). The bottom line: If you're rolling out VoIP, make sure your data security is up to snuff first.