An article in CRN argues that many users do not understand the risks of Internet telephony. The author, the CEO of a security consultancy, is right to be concerned about the complexities and potential security risks of Internet telephony and we totally agree that the Internet is riddled with security holes.
However, the article’s title – VoIP not so safe – is misleading. VoIP doesn’t mean Voice over the Internet. It means Voice over Internet Protocol. It’s a technology that can be delivered insecurely over the Internet, or securely over a private Cloud. In fact, if you want a secure, reliable, dependable voice service, avoid any provider who uses the Internet.
What is Voice?
While VoIP is a protocol, “voice” is so much more. It’s a business-critical system that not only embraces a full range of technologies (analogue, digital as well as IP) but delivers a service that affects every employee in your organisation.
Questions of security should, therefore, centre around the whole voice service. The danger of VoIP is that if you see it only from a network perspective then you only see half the picture. Or if you think of VoIP as a PBX replacement then you don’t recognise the new risks of running over an IP network.
Yes you might secure the network, but what about all the other elements of the full voice service? Change management, call fraud, availability, resilience, etc – they’re all components of the service. Poorly installed and managed voice systems can cause outages. Worse, they can create security holes, which have a direct impact on availability, in turn affecting employees – who have zero tolerance for telephone downtime – and their productivity.
These concerns should be taken seriously. Securing the network in no way protects an organisation from poor change management or substandard systems monitoring. The possibilities for human error in managing voice systems are virtually limitless. Surveys from the Information Technology Process Institute have found that on average 80% of unplanned downtime is self-inflicted (with 80% of the time spent resolving the unplanned downtime spent determining what had changed.)
Checklist for a voice provider
The potential for getting it wrong is why it makes sense to choose an experienced business IP telephony service provider to secure and administer your voice system. Not only do you get a good technical service but you also get access to their expertise in managing voice systems security.
- Do they host their voices service on a 24/7 managed MPLS connection or are they just an Internet VoIP provider?
What is their track record? Follow-up references.
- What operational experience of running a phone system do they have? A supply and fit service is simply not good enough.
- If they’re offering a managed service, ask for a tour of the facilities to make sure that they follow at least the same level of security and change management practices you do.