With more and more integration of the voice world into the network, companies are finally waking up to the idea that VoIP brings rewards, but also risk. When the network was down and voice lived in the analog world, you could still talk to your customers and let them know you were having a few problems but would likely be able to assist them fully very soon. Nowadays, with VoIP riding the same network as email and other applications, if the network is down – likely so are the phones.
That, in itself, is a risk many organizations are not used to. They just seem to be coming to terms with the other issues that surround VoIP confidentiality, integrity and availability. For a long time, VoIP has been becoming “mainstream”, but now security around VoIP seems to be on everyone’s mind too.
This is a good trend. VoIP is a very cool and rich technology, and one that levels the playing field for many organizations. It brings with it some exciting capabilities and powerful features. I think as organizations grow their understanding of VoIP risks, technical issues and security requirements – it can only help with better, safer, more effective VoIP adoption.
So, if you are considering a VoIP deployment, or you already have one – make sure you include steps for risk assessment, vulnerability testing and an in-depth review of the architecture, processes and procedures involved with both management and security. Taking the time to build security considerations into the decision and testing matrices will probably save you quite a bit of time, effort and money down the road – not to mention the savings from any incidents that you will prevent!
I completely agree with you on the need to think through risk assessment, vulnerability testing, and architecture review. A thorough analysis of real-time asset valuation, identification of network trust zones, and understanding of threats associated with each asset become important steps in deploying VoIP securely with minimal impact on business continuity. All of these steps become more critical in the context of unified communications where multiple modes of communications (e.g., Email, mobile phone, desk phone, video, etc.) are supported over a common infrastructure.