SpeechTEK 2009: Securing Cloud Telephony Aug2009
2 likes507 views
The document discusses security concerns in cloud telephony, emphasizing the complexities of VoIP security compared to traditional TDM security. It addresses various aspects of cloud architecture, including network connectivity, availability guarantees, and security policies. The speaker, Dan York, highlights the importance of ensuring confidentiality, integrity, and availability in managing telephony systems.
SpeechTEK 2009: Securing Cloud Telephony Aug2009
- 1. SpeechTEK 2009 Securing Cloud Telephony Dan York, CISSP Director of Conversations, Voxeo Best Practices Chair, VoIP Security Alliance (VOIPSA) dyork@voxeo.com
- 3. Security concerns in telephony are not new… Image courtesy of the Computer History Museum
- 4. Nor are our attempts to protect against threats… Image courtesy of Mike Sandman – http://www.sandman.com/
- 5. Privacy Availability Compliance Confidence Mobility Cost Avoidance Business Continuity
- 10. TDM security is relatively simple... PSTN Gateways TDM IVR Switch Physical Voicemail Wiring
- 11. VoIP security is more complex Operating Desktop PSTN E-mail Systems PCs Gateways Systems Network Web Firewalls Switches Servers Standards Voice over IVR Wireless Instant IP Devices Messaging Directories Internet Databases Physical Voicemail Wiring
- 12. Confidentiality Integrity Availability
- 13. Voice Application Diagram HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 14. Voice Transport HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 15. Voice Transport Voice Phone Browser PSTN (on svr) Voice Phone PBX Browser PSTN TDM (on svr) Voice Phone IP-PBX Browser PSTN SIP (on svr) SIP Voice Phone Service Browser PSTN Internet/WAN Provider (on svr) SIP Voice Phone Browser Internet/WAN (on svr) SIP
- 16. Voice Transport - SIP Voice Phone Browser PSTN (on svr) Voice Phone PBX Browser PSTN TDM (on svr) Voice Phone IP-PBX Browser PSTN SIP (on svr) SIP Voice Phone Service Browser PSTN Internet/WAN Provider (on svr) SIP Voice Phone Browser Internet/WAN (on svr) SIP
- 17. Voice Authentication HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ??? Who are you talking to?
- 18. Voice Biometrics Voice Auth Biometrics Svr HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 19. Web Transport HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 20. App/DB Server Transport HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 21. Server Security HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 22. Management Interfaces HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 23. APIs HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 24. Local Storage / Logging HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 25. Call Recording HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 26. Web Interaction - Authentication Web Svr HTTP Voice App/DB Web Phone Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 27. Web Interaction - XSS/Injection Web Input validation? Svr HTTP Voice App/DB Web Phone Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 28. External Interaction HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets ? Java XML ??? App/DB Svr
- 29. Moving Into The Cloud
- 30. Location - Single network/server HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 31. Location - Distributed HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or CCXML HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or CCXML
- 32. Location - Distributed HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or CCXML
- 33. Location - Into the cloud HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or PHP perl python CCXML ruby servlets Java XML ???
- 34. Location - Distributed/Cloud HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or CCXML HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or CCXML
- 35. Location - Distributed/Cloud HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or CCXML
- 36. Location - Hybrid HTTP Voice App/DB Web Phone Audio Browser ? (on svr) Svr Svr VoiceXML or CCXML HTTP Voice App/DB Web Browser ? (on svr) Svr Svr VoiceXML or CCXML
- 37. Can You Trust The Cloud To Be There?
- 38. Location/network questions • What level of network connectivity do you have available? • What kind of availability guarantees / Service Level Agreements (SLAs) do you have in place? • What kind of geographic redundancy is built into your underlying network? • What kind of network redundancy is built into your underlying network? • What kind of physical redundancy is built into your data centers? • What kind of monitoring do you perform? • What kind of scalability is in the cloud computing platform? • What kind of security, both network and physical, is part of the platform? • What kind of security policies and procedures are in place? • What kind of patch management plans? • Will firewall traversal be necessary (for instance, for a SIP trunk) and if so, how? • How scalable is the solution? • Do you have appropriately-trained and available staff?
- 39. Distributed Architectures Web App/DB Svr Svr Web App/DB Voice Svr Svr Browser (on svr) Phone Audio App/DB Voice Svr Browser (on svr) MR CP ASR
- 40. Geography
- 41. Confidentiality Integrity Availability
- 42. Thank you! Dan York, CISSP Director of Conversations, Voxeo Best Practices Chair, VoIP Security Alliance (VOIPSA) dyork@voxeo.com