In this talk at SpeechTEK 2009 in New York City, Dan York discussed:
As voice and self-service applications move increasingly into the cloud and to IP communications, what do you need to be concerned about with regard to the security of hosted solutions? If you grow to trust the cloud, how can you be sure it will be there for you? What protections can you put in place? What backup plans can you establish? What questions should you ask potential hosted/cloud vendors? In this session, security professional Dan York will walk you through the basic risk areas of voice-over-IP security, explain how those relate to both hosted and hybrid configurations, and leave you with a concrete list of questions to consider when evaluating hosted/cloud options.
SpeechTEK 2009 Securing Cloud Telephony
1. SpeechTEK 2009
Securing Cloud Telephony
Dan York, CISSP
Director of Conversations, Voxeo
Best Practices Chair, VoIP Security Alliance (VOIPSA)
dyork@voxeo.com
3. Security concerns in telephony are not new…
Image courtesy of the Computer History Museum
4. Nor are our attempts to protect against threats…
Image courtesy of Mike Sandman – http://www.sandman.com/
5. Why telephony security matters
• Privacy
• Availability
• Compliance
• Confidence
• Mobility
• Cost Avoidance
• Business Continuity
11. VoIP security is more complex
[Diagram of the components involved in VoIP security:]
• Operating Systems
• Desktop PCs
• PSTN Gateways
• E-mail Systems
• Network Switches
• Firewalls
• Web Servers
• Standards
• Voice over IP
• IVR
• Wireless
• Instant Messaging
• IP Devices
• Directories
• Internet
• Databases
• Physical Wiring
• Voicemail
13. Voice Application Diagram
[Diagram: Phone → (audio) → Voice Browser (on server) → (HTTP; VoiceXML or CCXML) → Web Server (PHP, perl, python, ruby, servlets, Java, XML, ???) → App/DB Server → ?]
14. Voice Transport
[Voice application diagram as on slide 13]
15. Voice Transport
• Phone → PSTN → Voice Browser (on server)
• Phone → PSTN → PBX → TDM → Voice Browser (on server)
• Phone → PSTN → IP-PBX → SIP → Voice Browser (on server)
• Phone → PSTN → SIP Service Provider → Internet/WAN → SIP → Voice Browser (on server)
• Phone → Internet/WAN → SIP → Voice Browser (on server)
16. Voice Transport - SIP
[Same five transport paths as on slide 15]
17. Voice Authentication
[Voice application diagram as on slide 13]
Who are you talking to?
18. Voice Biometrics
[Voice application diagram as on slide 13, with a Voice Biometrics Auth Server added]
19. Web Transport
[Voice application diagram as on slide 13]
20. App/DB Server Transport
[Voice application diagram as on slide 13]
21. Server Security
[Voice application diagram as on slide 13]
22. Management Interfaces
[Voice application diagram as on slide 13]
23. APIs
[Voice application diagram as on slide 13]
24. Local Storage / Logging
[Voice application diagram as on slide 13]
25. Call Recording
[Voice application diagram as on slide 13]
26. Web Interaction - Authentication
[Voice application diagram as on slide 13, with an additional Web Server]
27. Web Interaction - XSS/Injection
[Voice application diagram as on slide 13, with an additional Web Server]
Input validation?
28. External Interaction
[Voice application diagram as on slide 13, with an external App/DB Server (?)]
30. Location - Single network/server
[Voice application diagram as on slide 13]
31. Location - Distributed
[Two copies of the voice application diagram (VoiceXML or CCXML)]
32. Location - Distributed
[Voice application diagram (VoiceXML or CCXML)]
33. Location - Into the cloud
[Voice application diagram as on slide 13]
34. Location - Distributed/Cloud
[Two copies of the voice application diagram (VoiceXML or CCXML)]
38. Location/network questions
• What level of network connectivity do you have available?
• What kind of availability guarantees / Service Level Agreements (SLAs) do you have in place?
• What kind of geographic redundancy is built into your underlying network?
• What kind of network redundancy is built into your underlying network?
• What kind of physical redundancy is built into your data centers?
• What kind of monitoring do you perform?
• What kind of scalability is in the cloud computing platform?
• What kind of security, both network and physical, is part of the platform?
• What kind of security policies and procedures are in place?
• What kind of patch management plans are in place?
• Will firewall traversal be necessary (for instance, for a SIP trunk) and if so, how?
• How scalable is the solution?
• Do you have appropriately-trained and available staff?
39. Distributed Architectures
[Diagram: Phone → (audio) → Voice Browser (on server); two Web Server + App/DB Server pairs; a second Voice Browser (on server) with its own App/DB Server; MRCP → ASR]