Breaking the Barriers to SIP Security
As the benefits of VoIP become ever clearer to businesses of every size, sales of the underpinning SIP Trunking technology continue to grow, providing a great revenue stream for vendors and resellers alike. But how many organisations are fundamentally compromising customer relationships by ignoring the need to add security to the SIP Trunking solution? In an era of near continuous security breaches, SIP trunking is inherently vulnerable. Unsecured environments are at risk of voicemail hacking, denial of service attacks and toll fraud – so why are so many SIP Trunking solution providers wilfully ignoring this key solution requirement?
While the traditional Session Border Controller (SBC) option required to secure SIP Trunks has been both expensive and cumbersome, Paul German, CEO, VoipSec, insists the new generation of low cost, simple to deploy, software based solutions change the game. Those providers that actively add SIP security to their portfolio can gain significant commercial differentiation – and deliver the right, long term customer solution.
Smooth Sell
For any solution provider – whether vendor or reseller – the objective is to minimise any sales inhibitors. And in the SIP Trunking market that inhibitor to date has been security. In a market where the move from ISDN to SIP and Unified Communications (UC) is compelling on the basis of both cost reduction and improved features and control, why would anyone want to rock the boat by mentioning the inherent security risks?
Yet toll fraud and denial of service cost businesses £25.5 billion every year globally – £1.2 billion in the UK alone¹, and the threat landscape is continually evolving. How will the business respond when its hacked clients complain about the lack of security advice? In addition to losing that customer’s business, what happens when the company shares the experience on social media, leading to a drop in overall customer confidence?
In a market where customer retention is a fundamental aspect of business profitability and success, continuing to jeopardise business relationships by avoiding the SIP security issue to keep the sales process simple is a high risk strategy.
Complex Sell
However, at a typical cost of £1,000, there is no doubt that the traditional SBC has undermined the entire SIP Trunking sale. Suddenly what was a straightforward Opex deal with a 12 month ROI now demands Capex sign off and the ROI is pushed out significantly. Add in the additional sales knowledge and expertise plus the engineering experience required for the hardware implementation and is it any wonder that most resellers, VoIP and UC suppliers and vendors simply duck the security issue – unless asked explicitly by a potential customer?
SIP Trunking vendors often fudge concerns by citing their own SBC investment: if they are secure, their customers are secure. But take a closer look at the contract and it becomes very clear that in the event of a breach that results in toll fraud, denial of service or data loss, the provider is not liable for the cost.
VARs, meanwhile, when faced with a switched on customer raising the thorny security issue have had no option but to recommend a customer source its own SBC – at a significant cost – and stuff the proposal full of security caveats. In the vast majority of SIP deployments the onus is still on the customer to ensure the SIP trunk is secure – whether they know it or not. Clearly, the entire process is unsatisfactory for all involved.
Secure Solution Bundle
The good news is that the days of expensive, hardware SBCs are over. The latest generation of cloud based, freemium voice firewall products can be downloaded and deployed within minutes, securing the voice network without impacting the compelling SIP Trunking cost benefits. Essentially these virtual SBCs provide customers with the first tier in voice security, providing the foundation for the defense-in-depth model that has been applied to secure data networks over the last decade.
For SIP Trunk providers it offers the ability to provide the customer with a viable and easy to deploy SBC solution, aligning with the ‘per channel, per month’ cost model typically used. Moreover, the provider can also increase their value offering without risk of damaging the overall ROI for customers moving from ISDN to SIP.
For those reselling SIP Trunk solutions who want to address the security concerns and risks directly, it is a simple option to bundle a complete package for a fixed monthly fee per channel. There is no additional hardware to be installed on site and the customer’s own IT department can set up and manage it within its existing network environment. And while there is, of course, a small incremental increase in monthly cost per channel that extends the ROI by a few months, the ability to gain market differentiation by addressing SIP security up front should more than compensate the reseller.
The entire process is straightforward for the SIP Trunk provider and the reseller, yet delivers significant customer benefits that maintain and further enhance that critical business relationship.
Security Risk
The fact is that in a constantly evolving threat landscape security has to be considered – this head in the sand approach adopted by many SIP Trunk providers and resellers is simply not good enough given the scale of attack being experienced by UK businesses. With 84% of UK businesses considered to be unsafe from hacking according to NEC, the implications are significant and extend far beyond the obvious financial costs of huge phone bills, data breaches from voicemail hacking or the increasingly common Telephone Denial of Service threats.
Static fit-and-forget security is also not an option due to this ever-evolving threat landscape. In all forms security has had to keep ahead of the hacker and VoIP is no different. As with anti-virus, intrusion protection/detection, web and email security this threat landscape has to be monitored and understood and any newly identified risks mitigated. This should be nothing new; customers deploying SIP Trunks would never consider deploying web or email type services without security, nor would they deploy a new laptop without anti-virus. Actively raising the issue of security is therefore an opportunity for all.
Given the increasing risk, even if the solution providers want to duck the issue, customers are starting to understand their risk and will be demanding answers. It is time for organisations to be readily armed with both understanding and a low cost, proven solution that protects the value of the SIP Trunk whilst enhancing rather than inhibiting the sales opportunity.
¹ NEC Toll Fraud