Application of Encryption in Internet Calling
It is hard to avoid the subject of security when talking about any enterprise technology. With security breaches making headlines almost every day, organizations are concerned about securing their networks. Much of the public spotlight falls on securing data from unauthorized access. High-profile incidents in the past have demonstrated the ease with which criminals gain access to corporate networks. Encryption can help with this.
Threat Model
There are four main ways to eavesdrop on traditional landlines. The easiest is to listen to conversations using an extension on the same line. The second method is to use eavesdropping equipment anywhere along the phone line. The third option is to get access to the main telephone switch. It is often used by law enforcement officials, and most countries have legislation for this specific purpose. The final method is to eavesdrop on the main trunk lines.
Many people assume that internet calling faces the same threats. That could not be further from the truth. Internet call systems route voice and video calls over data networks, just as email is routed. This means that the threat model for internet calling has more in common with that of IP networks. Eavesdroppers can listen to conversations from anywhere in the transmission path. Calling endpoints (handsets, computers, and mobile devices) are vulnerable as well.
These data packets travel over corporate data networks, through undersea backbone cables, and over the unsecured Internet. Any person or organization in the transmission path can intercept the data packets. This includes Internet service providers, corporations, and criminals who hack their way into those computers. After the Snowden revelations, we know that governments can and do eavesdrop on conversations as well.
The Role of Encryption
Encryption plays an important role in securing internet calling systems. Your voice calls are vulnerable to interception at multiple points by various entities. Some phone calls will be innocuous — customer service calls, tech support calls, routine sales calls etc. But many phone calls involve confidential or sensitive business data. All that information is available to anyone with technical know-how, appropriate access (legal or otherwise) and the right equipment.
Encrypting your voice calls means that intercepting calls is a waste of time for anyone. Without the decryption keys, hackers will only hear gibberish. They won’t have a way of getting the data they were after. Encryption offers pretty good value for any business. You have a reasonable guarantee that all conversations remain confidential between the parties involved.
However, not all service providers offer encryption and not all clients insist on it. Why? Encryption demands a price. Encrypting all your phone calls puts an additional burden on your bandwidth. Since bandwidth is expensive, organizations have a strong incentive to ignore security concerns. Encryption can also increase latency and decrease packet transfer speeds. It is hard enough to direct data streams across firewalls and routers, and encryption adds another layer of complexity to the network.
Encryption Won’t Solve All Your Security Problems
On the one hand, we have organizations that pay little attention to encryption. On the other hand, we also have providers that tout encryption as the only solution you will need. It is important to keep in mind that encryption will not secure your phone calls completely.
Even with encryption in place, criminals can use several other methods to get into your network and steal data. For instance, no amount of encryption can prevent viruses or Trojans on your computers from recording phone calls placed on the machine. If an employee leaves their account credentials in plain sight, anyone can access their account and make changes. Hackers can log legitimate users out of their own accounts and prevent administrators from tracking their footsteps.
Similarly, your phone system is vulnerable to Distributed Denial of Service attacks. Hackers can get access to other parts of your network through the IP. In such an attack, your phone calls are protected, but other corporate data is not. Any current or former employees who have physical access to servers can also access confidential data.
Criminals can perpetrate telecom fraud by making unauthorized or even spam calls from your system to international numbers. Companies have become liable for thousands of dollars' worth of unauthorized phone calls made over a weekend. Encryption is of no help in any of the above scenarios.
In the end, it boils down to the simple fact that organizations need to treat internet calling systems on a par with other computing infrastructure. The precautions that work for securing computers, mobile phones, servers, and other network equipment are needed for these systems as well. Businesses have to secure their equipment, data, and transmissions at all times.
