There is a perception in many enterprises that firewalls and security measures are only needed to protect vast sources of stored corporate or consumer data. Voice, after all, is inherently secure, right? Not exactly. It wasn’t too long ago that someone with a modified police scanner could eavesdrop on cordless phone conversations. If you happened to be on the phone giving your credit card info as someone lurked outside: jackpot, for them. Clearly times have progressed, but so has the sophistication level of hackers. So far it appears that only responsible parties (i.e. governments) have taken to recording phone conversations (PRISM, anyone?). Enterprises need to realize the potential exposure and dangers of running unencrypted voice traffic.
Vendors may have made it a little more difficult, but hackers use the same technique today on voice over IP networks. As we saw in the TJX case, which resulted in over $171.2 million in losses, the hackers simply found an open Wi-Fi network at a retail store in Florida and managed to install packet sniffing software in Massachusetts.
Much like the Twitter data breach in Q1, which enabled hackers to take advantage of earnings reports before they were released and dropped the shares 18.18% before NASDAQ could halt trading, all that was used was the scraping of non-encrypted traffic.
Packet sniffing software is all you really need on a voice network to do what you used to be able to do with a police scanner, but now at a much larger scale. Hackers don’t want to drive through neighborhoods; they sit back and let the data come to them.
Of course, if enterprises deployed secure voice communications within their network, it would render the sniffed traffic virtually useless.
Where encrypted voice traffic is needed the most.
So where should enterprises focus their efforts? How about where it matters the most: the contact center. Think about the number of times credit card numbers are spoken or touch-toned, security questions are asked and answered, and critical personally identifiable information (PII) is exchanged. And yet voice traffic is mostly completely unencrypted.
I’ve had several meetings lately regarding our Voice Biometric test automation and our end-to-end encrypted voice over IP testing. It never ceases to amaze me that companies fail to adopt encrypted voice throughout the enterprise while at the same time embracing voice biometrics in the contact center.
Hurdles to adoption
While companies are starting to recognize the threat and the need, they are not sure where to begin. Indeed, many see encrypted voice traffic as creating the following issues.
1) It complicates troubleshooting. You think you have one-way audio problems now? Just wait until you have 5000 devices exchanging certs and negotiating Session Description Protocol info with a different vendor’s equipment. By the way, that’s a three-way call transfer you’re trying to troubleshoot… good luck.
2) Vendors don’t performance test their interoperability with another vendor’s equipment. The plain fact is, it’s hard to implement encrypted voice, and no one is really sure how it will work under intense call volumes and with the thousands of call flows in the complex dial plans that organizations have now deployed. Sure, the phones support it, the gateways support it, and I’m sure the IT guys have implemented it… for themselves, but not for everyone else.
3) You’re not really talking to the business you think you are. Thanks to everything ‘moving to the cloud’, so have your data, your voice conversation and your interaction with that friendly representative, who is probably not even an employee of the company you thought you were calling. And the touch-tone or speech system you’ve given your credit card to isn’t even owned by the company that you thought you were calling. Organizations will need a way to thoroughly test a system from end to end, regardless of where that “end” is!
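The SDP negotiation mentioned in hurdle 1, as an added example (not from the original post or any vendor's tooling): a Python check that pairs the `m=` lines of an offer and an answer and reports whether each audio stream was actually negotiated as SRTP, including the case where the call connects but the secure stream was refused. The SDP bodies, addresses, key string and function names are constructed for illustration.

```python
# Added example: audit an SDP offer/answer pair for media-plane encryption.
# HEAD, OFFER and ANSWER are constructed sample data, not real captures.
HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
OFFER = HEAD + ("m=audio 49170 RTP/SAVP 0\r\n"
                "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDSAMPLEKEY\r\n"
                "m=audio 49172 RTP/AVP 0\r\n")
ANSWER = HEAD + "m=audio 0 RTP/SAVP 0\r\nm=audio 30000 RTP/AVP 0\r\n"

def parse_media(sdp):
    """Return one dict per m= section: kind, port, profile and keying info."""
    sections, session_fp = [], False
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            kind, port, profile = line[2:].split()[:3]
            sections.append({"kind": kind, "port": int(port.split("/")[0]),
                             "profile": profile, "suites": [], "fp": session_fp})
        elif line.startswith("a=crypto:") and sections:
            sections[-1]["suites"].append(line.split()[1])  # SDES crypto suite
        elif line.startswith("a=fingerprint:"):
            if sections:
                sections[-1]["fp"] = True   # media-level DTLS fingerprint
            else:
                session_fp = True           # session-level, inherited by all m=
    return sections

def protection(sec):
    """Classify one media section by how (or whether) its RTP is protected."""
    if sec["port"] == 0:
        return "rejected"                   # port 0 means the stream was refused
    if sec["profile"] in ("RTP/SAVP", "RTP/SAVPF") and sec["suites"]:
        return "sdes"
    if sec["profile"].startswith("UDP/TLS/RTP/SAVP") and sec["fp"]:
        return "dtls"
    return "cleartext"

def audit(offer, answer):
    """Pair m= lines by position (offer/answer order) and give a verdict each."""
    results = []
    for o, a in zip(parse_media(offer), parse_media(answer)):
        po, pa = protection(o), protection(a)
        ok = (po == pa == "dtls") or (
            po == pa == "sdes" and set(a["suites"]) <= set(o["suites"]))
        verdict = "no media" if pa == "rejected" else "encrypted" if ok else "cleartext or mismatch"
        results.append((o["kind"], o["profile"], verdict))
    return results

if __name__ == "__main__":
    print(*audit(OFFER, ANSWER), sep="\n")
```

In the constructed pair the call is answered, yet the only stream carrying audio is the plain `RTP/AVP` one, which is the outcome to look for first when a "secure" call has working audio.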
Market Demand will Drive Compliance
When dealing with security and more specifically security breaches, it is almost never about if, but rather when and how to limit the damage. So the question isn’t will contact centers and enterprises embrace secure voice communication, but when. Hopefully before it is too late. No one wants to be known for being the next TJX or Target. And now that CEOs are losing their jobs, it’s not just an IT issue but a business issue.
Some of the innovative and industry-leading companies that we work with are already well into deploying secure voice environments, so we know who will not be headline news, but there are still a lot more out there.
Testing Interoperability at SCALE is a requirement before enablement.
When Empirix launched its Gen6 platform, not only did it support generic SRTP and TLS, it also supported them from an Avaya H.323 and SIPs perspective, to help forward-thinking financial institutions and health care providers who are driving the change to support end-to-end encrypted voice in the contact center. In an upcoming blog I will relate some things you should be thinking about when deploying secure voice environments. In the meantime, if you are out in Denver at the IAUG meeting, swing by and say hello, booth 403… Or come by my presentation 1406…