SpeechTEK 2009: Securing Cloud Telephony (Aug 2009)
DESCRIPTION
In this talk at SpeechTEK 2009 in New York City, Dan York discussed: As voice and self-service applications move increasingly into the cloud and to IP communications, what do you need to be concerned about with regard to the security of hosted solutions? If you grow to trust the cloud, how can you be sure it will be there for you? What protections can you put in place? What backup plans can you establish? What questions should you ask potential hosted/cloud vendors? In this session, security professional Dan York will walk you through the basic risk areas of voice-over-IP security, explain how those relate to both hosted and hybrid configurations and leave you with a concrete list of questions to consider when considering hosted/cloud options.
TRANSCRIPT
SpeechTEK 2009
Dan York, CISSP
Director of Conversations, Voxeo
Best Practices Chair, VoIP Security Alliance (VOIPSA)
Securing Cloud Telephony
Security concerns in telephony are not new…
Image courtesy of the Computer History Museum
Nor are our attempts to protect against threats…
Image courtesy of Mike Sandman – http://www.sandman.com/
Privacy
Compliance
Cost Avoidance
Availability
Business Continuity
Confidence
Mobility
TDM security is relatively simple...
[Diagram labels: TDM Switch, PSTN Gateways, Physical Wiring, Voicemail, IVR]
VoIP security is more complex
[Diagram labels: Voice over IP, Voicemail, Physical Wiring, Databases, Directories, E-mail Systems, Web Servers, Operating Systems, Firewalls, Desktop PCs, Network Switches, Wireless Devices, IVR, PSTN Gateways, Instant Messaging, Standards, Internet]
Confidentiality
Integrity
Availability
Voice Application Diagram
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Voice Transport
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Voice Transport
[Diagram labels: Phone, PSTN, PBX, IP-PBX, SIP Service Provider, TDM, SIP, Internet/WAN, Voice Browser (on server)]
Voice Transport - SIP
[Diagram labels: Phone, PSTN, PBX, IP-PBX, SIP Service Provider, TDM, SIP, Internet/WAN, Voice Browser (on server)]
Voice Authentication
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Who are you talking to?
Voice Biometrics
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, Voice Biometrics Auth Server, PHP, perl, python, Java, ???, ruby, XML, servlets]
Web Transport
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
App/DB Server Transport
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Server Security
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Management Interfaces
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
APIs
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Local Storage / Logging
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Call Recording
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Web Interaction - Authentication
[Diagram labels: Phone, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, a second Web Server, PHP, perl, python, Java, ???, ruby, XML, servlets]
Web Interaction - XSS/Injection
[Diagram labels: Phone, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, a second Web Server, PHP, perl, python, Java, ???, ruby, XML, servlets]
Input validation?
External Interaction
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, a second App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Moving Into The Cloud
Location - Single network/server
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Location - Distributed
[Diagram labels, shown twice: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?]
Location - Distributed
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?]
Location - Into the cloud
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?, PHP, perl, python, Java, ???, ruby, XML, servlets]
Location - Distributed/Cloud
[Diagram labels, shown twice: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?]
Location - Distributed/Cloud
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?]
Location - Hybrid
[Diagram labels: Phone, Audio, Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?; a second set repeats Voice Browser (on server), HTTP, VoiceXML or CCXML, Web Server, App/DB Server, ?]
Can You Trust The Cloud To Be There?
Location/network questions
• What level of network connectivity do you have available?
• What kind of availability guarantees / Service Level Agreements (SLAs) do you have in place?
• What kind of geographic redundancy is built into your underlying network?
• What kind of network redundancy is built into your underlying network?
• What kind of physical redundancy is built into your data centers?
• What kind of monitoring do you perform?
• What kind of scalability is in the cloud computing platform?
• What kind of security, both network and physical, is part of the platform?
• What kind of security policies and procedures are in place?
• What kind of patch management plans?
• Will firewall traversal be necessary (for instance, for a SIP trunk) and if so, how?
• How scalable is the solution?
• Do you have appropriately-trained and available staff?
Distributed Architectures
[Diagram labels: Phone, Audio, Voice Browser (on server) (twice), ASR, MRCP, Web Server (twice), App/DB Server (three times)]
Geography
Confidentiality
Integrity
Availability
Thank you!
Dan York, CISSP
Director of Conversations, Voxeo
Best Practices Chair, VoIP Security Alliance (VOIPSA)