Privacy Compliance: An emerging security issue around Unified Communications

By Ted Stevenson | Apr 8, 2010
http://www.enterprisenetworkingplanet.com/unified_communications/Privacy-Compliance-An-emerging-security-issue-around-Unified-Communications-3875506.htm

Enterprise VoIPplanet.com has been covering unified communications—with growing interest—for more than two years now, as the telecommunications industry struggled to find a reasonably consistent definition of what it was, the technologies matured, and the world began to sit up and take notice of the business process improvements it brought.

Now, it's fair to say, the acceptance battles have been won, and it's full steam ahead for deployment. Except . . . there are some issues coming to light now that haven't commanded much mindshare heretofore.

Case in point: security.

For example, it's great that we now have smartphones that can send and receive a variety of enterprise communications media out in the world, but how do we secure these endpoints beyond the enterprise firewall? We recently published a story about the efforts of Sipera Systems to do just that.

In a follow-up conversation with Sipera's vice president of marketing and product management, Adam Boone, we had an opportunity to explore some of the other security-related issues concerning UC.

Boone summed up what turned out to be the main thrust of the briefing in this way: "Compliance and privacy regulations and controls are becoming increasingly important to unified communications, and how you deploy them. We have many customers who have chosen our solutions specifically because, when they move to UC, they need to be able to demonstrate privacy compliance and prevent information leakage and guard proprietary information, and that sort of thing," he elaborated.

For example, while it's undoubtedly wonderful, both in terms of communications and technology, to be able to establish multi-party desktop-to-desktop videoconferencing sessions without expensive or elaborate proprietary setups, compliance with privacy regulations—especially in healthcare, financial services, and education—is a legal requirement that must be met.

Not only does this call for security in the sense of strong, application-level encryption, it requires the ability to log and archive sessions.

"If I'm an enterprise, and I'm planning to move to VoIP or IP video or any form of these communications, I'm not relieved of the requirement that I keep patient data private or student data private or consumer data private," Boone explained. "And of course credit cards: I have to keep them encrypted, controlled. I have to archive them and log them according to certain laws."

While, in the TDM world, each separate, often proprietary, network—voice, data, sometimes video—had its own security solutions in place, in the 'new' (IP) world, that's much harder to achieve.

"In UC, you're mingling a lot of the traffic from different applications," Boone pointed out. "In the old world where I might have a separate network for voice, a separate network for data, a separate network for my video systems, in the new world, that's all merged onto one network and it's often mingled. Different applications will be mingled in one VLAN or one segment of the network."

One problem, among many, is identifying the portion of the aggregate network traffic that must be handled specially for compliance.

"There may be a ton of traffic traversing your network links," Boone said, "but there might be only one or two applications in that traffic that you really need to worry about monitoring or logging or archiving.

"This is where we come into play. What our [UC-Sec] appliances are doing is deep packet inspection, and we can literally see—in real time—those applications as they move through the network."

Take instant messaging, which is used more and more for official enterprise communications:

"You need to be able to show that any confidential information that's shared across IM is logged. We can do that for [customers]. The way we do that is, we pick out of the [total traffic] stream the instant messaging as it's flowing through, and fork that off into the archiving or recording appliance. They don't need to take every single bit of traffic—which could be a huge amount—and try and record all that or sort through it. They can pick out just the instant messaging traffic," Boone concluded.