Protecting financials' confidentials

Security is a critical priority for organisations managing confidential voice and data communications over an IP network.
By Dave Paulding, regional sales director, UK, Middle East and Africa, for Interactive Intelligence.
Johannesburg, 08 May 2008

Security measures available through standards and industry safeguards for IP communications are providing a tighter wall of protection than financial organisations have ever had.

The potential of malicious attacks to an IP communications system makes security a critical priority for organisations that manage confidential voice and data communications over an IP network.

This is particularly true for financial organisations. Compliance mandates like Payment Card Industry, designed to strengthen security, privacy and controls around sensitive information, have created the unintended consequence of a shift in activity away from conventional attacks to resources perceived to be less protected.

But rest assured, the security measures available for IP communications systems and voice over IP (VOIP) are the most advanced safeguards the telecoms industry has ever developed.

Along with paving a migration path for VOIP, open standards such as the Internet Protocol (IP) and Session Initiation Protocol (SIP) actually provide a solid foundation for IP communications security.

In particular, SIP is a rigorous standard for user authentication and message encryption in a VOIP environment, and is also the most regulated tool for security thanks to the Internet Engineering Task Force (IETF).

In conjunction with new and updated IP technologies, the IETF continually introduces, amends and strictly monitors SIP security specifications established in industry-wide Request For Comment (RFC) records. For example, RFC 2617 was introduced to support SIP digest authentication that prevents unauthorised access to a SIP proxy's services.
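The digest check that RFC 2617 defines, as a SIP proxy could apply it to the credentials in a request, is sketched below. This is an added example, not code from the article or from Interactive Intelligence; the function names, the dictionary layout and the sample values are assumptions, and it covers only the default MD5 algorithm with `qop=auth` or no `qop`.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 'response' value for the default MD5 algorithm."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # form without qop

def proxy_accepts(creds, method, password, issued_nonces, last_nc):
    """Validate the parameters of one Authorization header (a dict).

    issued_nonces: nonces this proxy handed out in its challenges.
    last_nc: highest nonce count already accepted, per nonce.
    """
    nonce = creds.get("nonce")
    if nonce not in issued_nonces:
        return False                      # not a challenge we issued
    qop, nc = creds.get("qop"), creds.get("nc")
    if qop == "auth":
        try:
            count = int(nc, 16)
        except (TypeError, ValueError):
            return False
        if count <= last_nc.get(nonce, 0):
            return False                  # replayed request
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], nonce,
                               nc, creds.get("cnonce"), qop)
    if not hmac.compare_digest(expected, creds.get("response", "")):
        return False                      # wrong password or altered fields
    if qop == "auth":
        last_nc[nonce] = count
    return True

if __name__ == "__main__":
    # Constructed REGISTER credentials; every value here is made up.
    c = {"username": "alice", "realm": "bank.example", "nonce": "n1",
         "uri": "sip:bank.example", "qop": "auth", "nc": "00000001",
         "cnonce": "c1"}
    c["response"] = digest_response("alice", "bank.example", "s3cret",
                                    "REGISTER", c["uri"], "n1",
                                    "00000001", "c1", "auth")
    print(proxy_accepts(c, "REGISTER", "s3cret", {"n1"}, {}))
```

The password never crosses the wire; the proxy recomputes the hash from its own copy and compares in constant time, and the nonce-count check rejects a captured request that is sent again.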

Standards themselves provide extremely effective security measures for a VOIP configuration, as does focusing the security strategy on:

* Fraud prevention. As much as possible, the IP communications system should be configured to prevent fraud or malicious use.
* Security and continuity system-wide. Should an attack occur, IP servers, data servers, phones and other devices must remain functional to provide required business continuity and keep the door open to the organisation and employees.
* Confidentiality protection. Again as much as possible, the system should preserve the privacy of audio plus any stored data.

Fraud prevention

Financial organisations may have multiple initiatives related to fraud detection, but fraud prevention is also essential.

While SIP and associated RFCs help guard against denial-of-service attacks, hijacking, redirection, man-in-the-middle attacks and similar breaches, maximising security levels depends largely on how an IP communications system is configured.

A simple rule of thumb: Any solution that requires building security into multiple hardware systems (a PBX, IVR system, Web server, third-party middleware, etc) actually multiplies the points of attack for unauthorised users, whereas a system singularly configured for security at its core minimises such entry points.

Security, continuity system-wide

Lending to the security-at-its-core approach is the new breed of all-in-one IP communications application suites. Because such solutions pre-integrate applications on a single platform for all voice and data functions, they easily replace "multipoint" hardware systems, reduce the number of access points for potential attacks, and inherently streamline security down to their central underlying platform.

An added benefit is that software-based systems make it possible to extend security mechanisms to all critical points between an IP network and the desktop. In essence, SIP on a VOIP network gives financial organisations a backbone to deploy virtual private networks, virtual LANs, access lists, authentication, Transport Layer Security and Secure Real-time Transport Protocol mechanisms from the network to their IP communications system's application server, gateway, data servers and phone devices.

This is particularly important for financial organisations with branch-based retail delivery operations or virtual contact centres that include branch associates or remote workers. Conversely, most IP communications solutions from proprietary vendors incorporate SIP only at the network level, not throughout the system.

Further considering that an IP communications server acts as just another business application server on an IP network, organisations can implement security more completely for information systems, database applications, e-mail servers, disaster recovery sites, etc - an IT connectivity model for security that better equips a financial organisation to remain functional should a network outage or attack occur.

Confidentiality protection

Finally, to safeguard customers and their information, industry standards such as IPSec - a collection of IP security measures for authentication and encryption - and TLS can be incorporated alongside SIP-based encryption to prevent eavesdropping on phone calls, data tampering, message forgery and so on.

Properly implemented, these measures make SIP-supported VOIP far more secure than traditional telephony, where anyone with standard telephony repair equipment can listen to calls and intercept customers' information.

* Dave Paulding is Interactive Intelligence's regional sales manager for UK and Africa.