Companies Risk Security Issues with IP Telephony
A lack of protective security measures covering IP telephony products and implementations may be cause for alarm among enterprises, according to a META Group finding. The idea has raised concerns regarding vulnerability to privacy violation, fraud, data theft, and other attacks against users of the technology.
Many corporations have implemented IP telephony solutions as a practical alternative to popular WAN applications, but remain unaware of the potential security issues invited by their deployment. "Most companies don't see the voice as a risk, but instead see toll fraud as being the real security risk," says Elisabeth Ussher, a META Group vice president. Most IP telephony technology remains behind the corporate firewall, she adds, virtually stripped of any protective trunk.
With voice over on the Internet gaining momentum as a cost-effective communication application, early IP telephony deployments are still basic and primarily geared toward voice quality and interoperability issues. The solutions maintain interconnected to the public-switched telephone network, and for the most part are detached from the corporate data infrastructure. This means that they are detached from essential corporate security initiatives as well, a situation that could result in serious repercussions for unlucky companies. "By putting .wav files on a corporate desktop, you can send them anywhere," Ussher says. "Now that you're 'packetizing' voice, it's data, and it should be treated as data," which Ussher says is a factor that companies often overlook.
By merging all their data into a single system, rather than maintaining separate outlets, enterprises are exposing themselves to greater risks of fraud and theft than ever before. Ussher encourages patch-management tactics and the inclusion of voice-system security measures prior to the installation of IP telephony technology. As more organizations expect to rely on IP telephony solutions through 2005, META Group predicts, increased efforts to apply the appropriate security practices will begin to surface.
"Organizations that adopt voice-over IP without a cross-discipline security review are at risk for lost revenue and productivity, including data theft," Ussher says. "Enterprises must consider security in the initial IP-telephony design, and must adopt holistic security policies."