SpeechTEK 2009: Securing Cloud Telephony (August 2009)
DESCRIPTION

In this talk at SpeechTEK 2009 in New York City, Dan York discussed: As voice and self-service applications move increasingly into the cloud and to IP communications, what do you need to be concerned about with regard to the security of hosted solutions? If you grow to trust the cloud, how can you be sure it will be there for you? What protections can you put in place? What backup plans can you establish? What questions should you ask potential hosted/cloud vendors? In this session, security professional Dan York will walk you through the basic risk areas of voice-over-IP security, explain how those relate to both hosted and hybrid configurations, and leave you with a concrete list of questions to consider when evaluating hosted/cloud options.

TRANSCRIPT
SpeechTEK 2009
Dan York, CISSP
Director of Conversations, Voxeo
Best Practices Chair, VoIP Security Alliance (VOIPSA)
[email protected]

Securing Cloud Telephony
Security concerns in telephony are not new…
Image courtesy of the Computer History Museum
Nor are our attempts to protect against threats…
Image courtesy of Mike Sandman – http://www.sandman.com/
Privacy
Compliance
Cost Avoidance
Availability
Business Continuity
Confidence
Mobility
TDM security is relatively simple...
(slide diagram; components shown: TDM Switch, PSTN Gateways, Physical Wiring, Voicemail, IVR, Databases/Directories, E-mail Systems, Web Servers)
VoIP security is more complex
(slide diagram; components shown: Operating Systems, Firewalls, Desktop PCs, Voice over IP, Network Switches, Wireless Devices, IVR, PSTN Gateways, Instant Messaging, Standards, Internet; security goals: Confidentiality, Integrity, Availability)
Voice Application Diagram
(slide diagram: Phone --(audio)--> Voice Browser (on server) <--(HTTP; VoiceXML or CCXML)--> Web Server (PHP, perl, python, Java, ruby, servlets) <--(XML)--> App/DB Server)
Voice Transport
(slide diagram: the voice application diagram above, focusing on the phone-to-voice-browser audio leg; transport paths shown, some crossing the Internet/WAN:
• Phone -> PSTN -> Voice Browser (on server)
• Phone -> PBX -> TDM -> Voice Browser (on server)
• Phone -> IP-PBX -> SIP -> Voice Browser (on server)
• Phone -> PSTN -> SIP Service Provider -> SIP -> Voice Browser (on server)
• Phone -> SIP -> Voice Browser (on server))
Voice Transport - SIP
(slide diagram: the same transport paths as the previous slide; this slide focuses on the SIP cases)
Voice Authentication
(slide diagram: the voice application diagram above)
Who are you talking to?
Voice Biometrics
(slide diagram: the voice application diagram above, with a Voice Biometrics Auth Server added)
Web Transport
(slide diagram: the voice application diagram above, focusing on the HTTP (VoiceXML or CCXML) leg between the Voice Browser and the Web Server)
App/DB Server Transport
(slide diagram: the voice application diagram above, focusing on the leg between the Web Server and the App/DB Server)
Server Security
Management Interfaces
APIs
Local Storage / Logging
Call Recording
(each of the five slides above shows the voice application diagram)
Web Interaction - Authentication
(slide diagram: the voice application diagram above, focusing on the Web Server)
Web Interaction - XSS/Injection
(slide diagram: the voice application diagram above, focusing on the Web Server)
Input validation?
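As an added illustration of the input-validation question on this slide (example code written for this page, not from the talk or from Voxeo), here is a Python handler for the web-server side of the diagram: the voice browser submits the caller's DTMF entries over HTTP, the handler allowlists them, queries the App/DB server with a parameterized statement, and escapes text before emitting VoiceXML. The URL parameters `acct` and `pin`, the account table and the sample rows are constructed assumptions.

```python
import re
import sqlite3
from xml.sax.saxutils import escape

# Constructed sample data standing in for the App/DB server's account table.
SAMPLE_ACCOUNTS = [
    ("123456", "1234", "Alice Example"),
    ("654321", "9876", "Bob Example"),
]

# Allowlist for what the voice browser may legitimately send: DTMF digits only,
# at the exact length the dialog asked for.
ACCOUNT_RE = re.compile(r"^[0-9]{6}$")
PIN_RE = re.compile(r"^[0-9]{4}$")


def make_db():
    """In-memory stand-in for the App/DB server (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, pin TEXT, name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def validate_input(params):
    """Validate the HTTP parameters a VoiceXML <submit> would carry.

    Returns (acct, pin) or None if either field fails the allowlist. Rejecting
    here keeps anything that is not plain digits away from the database and
    the generated markup.
    """
    acct = params.get("acct", "")
    pin = params.get("pin", "")
    if not ACCOUNT_RE.match(acct) or not PIN_RE.match(pin):
        return None
    return acct, pin


def lookup_name(conn, acct, pin):
    """Parameterized query: caller-supplied values never become part of SQL text."""
    row = conn.execute(
        "SELECT name FROM accounts WHERE acct = ? AND pin = ?", (acct, pin)
    ).fetchone()
    return row[0] if row else None


def render_vxml(prompt_text):
    """Build the VoiceXML response; escape() keeps text from becoming markup."""
    return (
        '<?xml version="1.0"?>\n'
        '<vxml version="2.1">\n'
        f"  <form><block><prompt>{escape(prompt_text)}</prompt></block></form>\n"
        "</vxml>\n"
    )


def handle_request(conn, params):
    """Hypothetical handler for the web server's 'verify account' URL.

    Returns (http_status, vxml_body).
    """
    fields = validate_input(params)
    if fields is None:
        return 400, render_vxml("Sorry, that entry was not recognized.")
    name = lookup_name(conn, *fields)
    if name is None:
        return 200, render_vxml("Sorry, that account and PIN did not match.")
    return 200, render_vxml(f"Welcome, {name}.")


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"acct": "123456", "pin": "1234"})[1])
```

The three layers are independent: the allowlist bounds what the dialog accepts, the parameterized query means the database driver never interprets caller text as SQL, and escaping on output means names stored in the database cannot alter the VoiceXML the browser executes.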
External Interaction
(slide diagram: the voice application diagram above, with the App/DB Server's external connections marked "?")
Moving Into The Cloud
Location - Single network/server
(slide diagram: the voice application diagram with all components on one network/server)
Location - Distributed
(slide diagram: the voice application diagram with components split across two locations)
Location - Into the cloud
(slide diagram: the voice application diagram hosted in the cloud)
Location - Distributed/Cloud
(slide diagram: the voice application diagram with components split across locations, some of them in the cloud)
Location - Hybrid
(slide diagram: the voice application diagram with the Voice Browser and Web Server duplicated across locations and a shared App/DB Server)
Can You Trust The Cloud To Be There?
Location/network questions
• What level of network connectivity do you have available?
• What kind of availability guarantees / Service Level Agreements (SLAs) do you have in place?
• What kind of geographic redundancy is built into your underlying network?
• What kind of network redundancy is built into your underlying network?
• What kind of physical redundancy is built into your data centers?
• What kind of monitoring do you perform?
• What kind of scalability is in the cloud computing platform?
• What kind of security, both network and physical, is part of the platform?
• What kind of security policies and procedures are in place?
• What kind of patch management plans are in place?
• Will firewall traversal be necessary (for instance, for a SIP trunk) and if so, how?
• How scalable is the solution?
• Do you have appropriately-trained and available staff?
Distributed Architectures
(slide diagram: Phone audio -> Voice Browser (on server); Voice Browser <-> ASR over MRCP; Web Server and App/DB Server shown at multiple locations)
Geography
Confidentiality / Integrity / Availability
Thank you!
Dan York, CISSP
Director of Conversations, Voxeo
Best Practices Chair, VoIP Security Alliance (VOIPSA)
[email protected]