Counting the Security Costs of Cheap Calls
The decision to move to SIP trunking appears straightforward: reduced costs, greater scalability, improved disaster recovery options and access to the productivity benefits enabled by Unified Communications (UC). But, as ever in the world of technology, the truth about SIP trunking is a little more complex than it may appear at first glance. How much up-front investment is required to migrate from the existing ISDN trunk? How big is the hardware investment? How scalable is the solution? And, critically, is it secure?
Despite the fact that no business would deploy email or any web application without security, this latter area is too often overlooked by companies looking to move to SIP. The result is a ticking time bomb for businesses, with threats ranging from denial of service to toll fraud (also known as call jacking); and the liability lies squarely with the business, not the provider.
SIP trunking is a compelling business option – but not at any price. Paul German, CEO & Founder, VoipSec, outlines five essential considerations for organisations to ensure the cost benefits of SIP trunking are not outweighed by the security risks.
Realising Financial Benefits
Without doubt the primary reason for any business to move to SIP trunking is financial. The ability to use one or more SIP trunks to connect different business locations, provide customers with low cost calls irrespective of international location and create peer to peer relationships with key business partners can drastically reduce annual call costs. In addition, SIP is highly scalable, supporting business peaks and troughs, and facilitates effective disaster recovery planning. But despite the headline ‘quick and simple’ message from both resellers and providers, moving to SIP is not as straightforward as just switching on the new service: there are costs and security risks to consider. So what are the essential issues to understand?
- Making the Change: The first consideration has to be whether SIP trunking is even an option for the business, given the current communications infrastructure. Is the current voice system configured to support only ISDN, or does the PBX also have an IP network interface for SIP? If there is an IP interface, is it enabled – or is there an additional license fee to pay? Determining whether SIP is a viable option given the existing infrastructure is an essential first step.
- Determining Capacity: Moving from ISDN to SIP creates a far more flexible and scalable model. The physical configuration of ISDN – either the two channel Basic Rate or 30 channel Primary Rate – is hugely constraining for businesses, offering no scalability to support business change. SIP trunking in contrast is essentially flexible, enabling a business to change the number of channels on the fly in response to demand. This bursting facility means there is no need to over-scale up front – however, it is important to check the provider’s timings for scaling the required capacity up or down. While some can turn on new channels within minutes, more traditional providers still adhering to ISDN business processes will take several days. A business looking to truly exploit bursting needs to take this into consideration.
- Adding Hardware: If the existing PBX does not support SIP there are two options – invest in a new PBX or look for a vendor offering a SIP-to-ISDN gateway. Either way, the minimum cost will be around £750. If there is an IP interface on the PBX, no additional hardware will be required. But just consider: with this approach the SIP trunk, essentially public source IP, is going straight into the business and creating a significant security risk. VoIP connections can be secured using a Session Border Controller (SBC), which acts as a voice firewall. However, traditionally these voice firewalls have been expensive solutions that require dedicated hardware implementation – and have, as a result, been deployed to protect the provider, not the end business user.
- Understanding VoIP Security: To understand the security risks associated with SIP trunking, companies need to consider a few essential questions. Would email or the web be deployed across the business without security? Clearly not. So, why deploy VoIP – which is essentially another web application – without security? The next question is: would the business rely on a service provider to deliver security on its behalf? Right now many providers are fudging the issue by saying that if they are secure, their customers are secure. But look at the contract – does the provider offer full liability? In the event of a breach that results in toll fraud, denial of service or data loss, is the provider going to pay the cost? Sadly, it will not. The onus is on the business to ensure the SIP trunk is secure.
- Achieving Secure SIP: The good news is that once a company has recognised the need to secure its VoIP service, the solution is straightforward. The latest generation of cloud based, freemium voice firewall products can be downloaded and installed within minutes, providing the critical first step in securing the voice network without impacting the compelling SIP trunking cost benefits. Essentially these virtual SBCs provide businesses with the essential first tier in voice security, providing the foundation for the defense in depth model that has been applied to secure data networks over the last decade. Once in place, an organisation has the option with certain vendor solutions to enhance security through the definition of user specific policies and application level security – a key requirement once a business has decided to add the benefits of UC or embarked upon a peer to peer relationship with a key business partner.
Conclusion – Future Proofing
In the rush to gain the compelling cost benefits offered by SIP trunking, too many organisations are forgetting the basics of IT deployment. The value of VoIP is clear – reduced costs, improved portability, business agility and disaster recovery. But the risk of unsecured VoIP calls is huge, and growing as the threat landscape evolves. And where is the comeback when the inevitable happens? Not from the providers. Not from an insurer – just as motor insurers no longer cover cars with keyless entry, companies that deploy SIP trunking without considering security will discover that business cyber insurance is worthless.
Vendors are pushing the simplicity of SIP trunking; but there are issues to consider. To gain the benefits and safeguard the business, security must be an integral component of any SIP trunking deployment.
Paul German is founder & CEO of VoipSec, a business founded with the mission to simplify the complicated and costly area of VoIP (Voice Over Internet Protocol) security.
Paul has over 18 years’ experience in the areas of unified communications, voice and network security, having worked with a broad range of organisations including Cisco and most recently leading the EMEA business for Sipera Systems until its acquisition by Avaya in 2011. He brings a unique combination of business acumen and technical depth to every project with which he engages, and is passionate about making innovative technologies readily available to businesses of all sizes to improve security and overall performance.