Simplicity is becoming a major selling point – especially when it comes to IT security. As organisations wake up to the huge additional requirements associated with the new General Data Protection Regulation (GDPR) that comes into force in 2018, any solution that can minimise complexity is compelling.
The use of Software Defined Networking to deliver a raft of essential security functions, from firewalls to intrusion detection, via a Virtual Network Function (VNF) model is testament to the growing recognition of the value of an out-sourced, yet on-premise, solution. However, the majority of these White Box services from Managed Service Providers (MSP) have a significant flaw: a lack of Voice over IP (VoIP) security.
As GDPR compliance becomes a priority, Paul German, CEO, VoipSec, explains the importance of the Virtual Network Function (VNF) based Session Border Controller (SBC) to lock down voice networks and deliver a complete, strength in depth White Box security solution.
Data Security Imperative
The introduction of GDPR in May 2018 is beginning to raise concerns for organisations – especially those mid-market companies that simply do not have the in-house expertise or skills required to meet the new, stringent requirements for safeguarding personally identifiable customer data.
In response, growing numbers of Managed Service Providers (MSPs) are offering White Box solutions to the market, providing an on-premise but outsourced solution for all of an organisation’s security needs – from firewalls to routers, intrusion detection to email security. Leveraging software-defined networking (SDN) to orchestrate services, this Virtual Network Function (VNF) model is extremely cost-effective; with no need for the MSP to provide on-site engineering support, new services can be downloaded and configured within minutes, rather than the days or weeks typically required.
This model also offers organisations a neat stepping stone to a wholesale shift to cloud-based IT, providing the chance to gain the benefits of offloading specific network functions that are both costly and difficult to manage whilst also gradually writing off asset value and gaining the required trust in the cloud to support a wholesale migration.
Missing VoIP
To date, however, these White Box VFN solutions have had one major flaw: a complete lack of VoIP security. Where is the value of spinning up routers, firewalls, email security and anti-virus when an essential component of the strength in depth security model is overlooked? Global losses attributable to telecoms fraud are estimated at US$29.2bn annually – and the UK is the third most prevalent country for the origination of fraudulent calls according to the CFCA 2017 Global Fraud Loss Survey.
Just consider the incredibly sensitive customer data that is now discussed and shared via VoIP networks – from the identifying information provided at call centres onwards. In addition to the risk of toll fraud, unsecured VoIP networks are vulnerable to hackers listening in and collecting this customer data, or using this network to gain access to the applications and databases used within the call centre. Furthermore, hackers could use an unsecured VoIP connection as a way into the MSP’s network via the White Box, creating a far broader vulnerability.
Strength in Depth
So what is the answer? To be fair, with the hardware-based Session Border Controllers (SBC) required to secure a VoIP connection needing on-site deployment, until recently most MSPs have taken the decision that the cost and complexity of securing VoIP was too high. More recently, however, that model has shifted towards software-based SBCs that can be upgraded in response to new security risks.
Even more interestingly, there has also been a move towards cloud-based SBC deployments that leverage community collaboration to combat escalating threats, from toll fraud to telephony denial of service and voice mail hacking attacks. With this software-based model, SBCs can now also be deployed as a Virtual Network Function – and for MSPs that means the risk versus cost equation has changed fundamentally. With VFN based SBCs less complex, less expensive and able to be spun up alongside all the other security components of the White Box solution, it is now both fast and cost-effective to secure the VoIP network.
Extended VFN
In the current climate, companies cannot afford to be distracted from essential business operations by complex compliance demands. And, given the potential fines for non-compliance to GDPR, ignoring the risks of unsecured personally identifiable data is also not an option.
For MSPs facing up to customer demands for a simple GDPR solution, plus the escalating risks associated with the changing threat landscape, a cost-effective VFN option is becoming compelling. MSPs leveraging the VFN model to deliver a White Box solution that takes away all the issues of deployment and upgrade have a strong proposition – but it is essential to address every aspect of the security risk: and that includes VoIP.
Paul German, CEO at Certes Networks
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.