Privacy Compliance: An emerging security issue around Unified Communications
Enterprise VoIPplanet.com has been covering unified communicationswith growing interestfor more than two years now, as the telecommunications industry struggled to find a reasonably consistent definition of what it was, the technologies matured, and the world began to sit up and take notice of the business process improvements it brought.
Now, it's fair to say, the acceptance battles have been won, and it's full steam ahead for deployment. Except . . . there are some issues coming to light now that haven't commanded much mindshare heretofore.
Case in point: security.
For example, it's great that we now have smartphones that can send and receive a variety of enterprise communications media out in the world, but how do we secure these endpoints beyond the enterprise firewall? We recently published a story about the efforts of Sipera Systems to do just that (see the story here).
In a follow-up conversation with Sipera's vice president of marketing and product management, Adam Boone, we had an opportunity to explore some of the other security related issues concerning UC.
Boone summed up what turned out to be the main thrust of the briefing in this way: "Compliance and privacy regulations and controls are becoming increasingly important to unified communications, and how you deploy them. We have many customers who have chosen our solutions specifically because, when they move to UC, they need to be able to demonstrate privacy compliance and prevent information leakage and guard proprietary information, and that sort of thing," he elaborated.
For example, while it's undoubtedly wonderful, both in terms of communications and technology, to be able to establish multi-party desktop-to-desktop videoconferencing sessions without expensive or elaborate proprietary setups, compliance with privacy regulationsespecially in healthcare, financial services, and educationis a legal requirement that must be met.
Not only does this call for security in the sense of strong, application-level encryption, it requires the ability to log and archive sessions.
"If I'm an enterprise, and I'm planning to move to VoIP or IP video or any form of these communications, I'm not relieved of the requirement that I keep patient data private or student data private or consumer data private," Boone explained. "And of course credit cards: I have to keep them encrypted, controlled. I have to archive them and log them according to certain laws."
While, in the TDM world, each separate, often proprietary, networkvoice, data, sometimes video had its own security solutions in place, in the 'new' (IP) world, that's much harder to achieve.
"In UC, you're mingling a lot of the traffic from different applications," Boone pointed out. "In the old world where I might have a separate network for voice, a separate network for data, a separate network for my video systems, in the new world, that's all merged onto one network and it's often mingled. Different applications will be mingled in one V-LAN or one segment of the network."
One problem, among many, is identifying the portion of the aggregate network traffic that must be handled specially for compliance.
"There may be a ton of traffic traversing your network links," Boone said, "but there might be only one or two applications in that traffic that you really need to worry about monitoring or logging or archiving.
"This is where we come into play. What our [UC-Sec] appliances are doing is deep packet inspection, and we can literally seein real timethose applications as they move through the network."
Take instant messaging, which is used more and more for official enterprise communications:
"You need to be able to show that any confidential information that's shared across IM is logged. We can do that for [customers]. The way we do that is, we pick out of the [total traffic] stream the instant messaging as it's flowing through, and fork that off into the archiving or recording appliance. They don't need to take every single bit of trafficwhich could be a huge amountand try and record all that or sort through it. They can pick out just the instant messaging traffic," Boone concluded