
Data security in a converged network (Part 1)

July 17, 2003 12:00 PM ET

Computerworld - Technology that allows voice over IP (VOIP) has been available for a number of years, but it has only recently been widely accepted in business. There has been a strong and growing value proposition for the replacement of traditional private branch exchange (PBX) systems with VOIP. The technology has matured considerably, and the benefits of return on investment, communications flexibility and the concept of "one network" are powerful drivers for companies to deploy VOIP today.

One of the most significant issues around the deployment of VOIP systems has been security. In the wake of Sept. 11, 2001, security is no longer an optional line item when ordering any high-tech system. There has been a lot of discussion around VOIP security, and there seem to be more questions than answers.


In this three-part series, some of the most common security questions and answers about VOIP will be presented. This article is intended to be vendor-neutral; therefore, specific products won't be discussed, but I will explain the major security concepts and issues when deploying a VOIP system.


What's the difference between a threat, a vulnerability and a risk?


While this question isn't specific to convergence, it's important to understand the differences among them.


  • A threat is an external security issue represented by a natural or man-made attack. For example, a lightning bolt is a natural attack, since the lightning can threaten the safety and security of a data network. Likewise, an external intruder is a man-made threat that attempts to compromise a network.

  • A vulnerability is a specific degree of weakness of an individual computer or network exposed to the influence of a threat. For example, if you haven't applied the latest security patch to the operating system of your Web server, then you have a vulnerability because that computer system is exposed to potential intruders.

  • A risk is the degree of probability that a disaster will occur in light of the existing conditions, and the degree of vulnerability or weakness present in the system. The key difference between a threat and a risk is that a threat is related to the potential occurrence of a security issue, whereas a risk is the probability of an incident occurring based on the degree of exposure to a threat. Risk, for security purposes, is usually calculated in dollars and cents.

It's important to realize that you may have a vulnerability, but without a threat, you have no risk. Evaluating each one of these factors is critical to knowing what security exposures you have, how critical they are and what effect they will have in your environment.

Does VOIP introduce any new security vulnerabilities to an enterprise network?


VOIP, by itself, represents a new "vector" for potential security issues but does not introduce any vulnerabilities that haven't been seen before. Some experts have argued that digitizing voice and placing it on a data network makes voice communications more accessible and easier to intercept. I would have to agree with this point. In a traditional, analog environment, physical access to a switch or wiring closet is usually necessary to intercept communications between two parties. By placing voice traffic on a data network, one could intercept a voice communication by capturing the associated packets as they traverse a large network. Attackers have already developed easy-to-use tools that are widely available.


There are other concerns about VOIP from a risk management perspective, such as keeping all your eggs in one basket. For example, if your data network were to experience a critical failure, you would be without voice and data communications. The impact to your business could be greater if there were a prolonged outage of both systems. Therefore, you need to ensure that your organization has adequate business continuity and disaster recovery plans.




