There was a really interesting article that caught my eye on ComputerWeekly.com on Friday. I've been busy over the weekend and had some time to think about it a bit and want to share both the article and some thoughts I had. What really caught my eye was the title - Be careful you don't get more than you pay for with VoIP. Most of us don't expend too much caution on averting getting more than we pay for, so what the heck are they talking about?

Voice over IP (VoIP) and IP telephony (IPT) have been the hot tickets in the IT industry for some time now.

The basic pitch is that if your company converges its voice and data requirements onto one (IP-based) network, you will cut dramatically the cost of your firm’s voice calls, as well as take advantage of a whole host of current and future business applications that will surely enhance business. What small to medium sized business (SMB) could put up a strong argument against that?

Before, however, you embark into VoIP or IPT thinking that it’s basically a licence to cut costs, security of your network has to be considered extremely carefully. Indeed it may well be that the modus operandi of some of the leading VoIP and IPT systems are totally counter intuitive to your security protocols.

These days IPT not only encompasses the world of fixed, wired communications, it now covers wireless as well. Each domain has its own security problems. With all IP networks, spam, viruses, denial of service attacks, Trojans etc are a real threat to all businesses and SMBs in particular. Research by Computer Weekly, has shown that only 18% of UK SMBs had not experienced some attack of some form. With IPT, these threats are now extended to a company’s voice service, opening up the prospect of compromise, even breakdowns, in complete communications set ups. For many companies, large and small, a successful attack on an IPT service is a potential business show stopper.

The article points to Skype as the current market leader in VoIP. Really? Maybe. Certainly Skype is a leader in consumer VoIP for peer -to-peer calling, but in the enterprise business world, Skype is often banned by policy and not widely embraced by most large companies. I've yet to find a large enterprise that embraces and widely supports using Skype for any business VoIP traffic. This article goes on to point out why - it's peer-to-peer technology. Peer-to-peer solutions raise the hackles of corporate security staff everywhere. They open dangers to malicious software entering the corporate network without ever being seen by the firewalls, intrusion detection systems and anti-virus engines protecting the enterprise. A business-class VoIP service, either self-managed or hosted by a reputable provider, may be the best business solution.

The article really sums the issue up accurately - without clearly thought-out and well managed services—by whatever source—the cost of lax security may dwarf any advantages from cheaper calls.

If you're embracing VoIP purely to cut costs, you might only look at the cost of VoIP deployment. VoIP is a convergence technology that brings voice and data together in new enabling ways. New applications are enabled. New approaches to businesses become possible. New business processes can be created. But, new security concerns are raised, and potential new risks enter the scene.

This points to just how critical it is to perform a comprehensive readiness assessment prior to implementing a corporate VoIP solution, There's a danger in viewing readiness assessment as a task to address the ability of the network to support the requisite QoS issues for supporting call quality. These are typically bandwidth, throughput, error rate and jitter. But a vital part of the readiness assessment is a security design review component.

If you don't thoroughly evaluate the security posture of both the network as a whole and the security posture your company takes, you may indeed be getting far more than you bargained for with VoIP. And it could be something you don't really want to deal with in reactive mode after it's too late.

Technorati Tags
VoIP
IP Telephony
Voice Over IP
VoIP security
VoIP firewalls
Skype