Tag Archives: Encryption

Where Are My Bits?

NO DOUBT ABOUT IT – there is a sea change happening as individuals and companies slowly grasp the upside of cloud computing. But I still get challenged at conferences: “What about the security risk? I have to know that my bits are safe. How do I know these service providers are not going to mine my data and exploit all my information?”

The short answer is that you don’t – no one does. But then again – where are my bits, and where are your bits? In general, we don’t have a clue. Everything from our banking details, passport, national insurance, tax and medical records is stored somewhere, but we don’t know where. And do we care? We don’t give it a thought. Perhaps we should – bankers have proven to be less than honest and many of our institutions seem to excel in losing memory sticks, hard drives and laptops with our private info.

My worst nightmare is that the companies and institutions storing my data have been foolish enough to assign it to one drive, drive set, rack or floor in a single physical location. If they have, they are naive in the extreme, and are putting me at risk along with everyone else.

Perhaps the most paranoid objection voiced goes like this: “I don’t want anyone else’s data on my hard drive.” Such a strong sentiment reflects a lack of understanding that is really worrisome, especially when some of the protagonists are employed in IT departments.

Personally, I hope my bits are mixed in with thousands of others and spread all over the planet on multiple drives backed up in multiple locations. Such a scenario is more secure, and it can be rendered extreme by variable encryption. How come? If someone steals a file, and manages to crack the layered encryption, that person will only have partial documents.

The best the thieves can hope for is a mere glimpse of the full picture. To get to the real meat, they need the context, which is spread across an impossibly large number of drives and locations. This may be an impossible nut to crack with today’s technology.

Like it or not, cloud computing is not going away anytime soon. It is going to grow, and as it does, it will become increasingly secure. Our data will become safer, and all the more so as it becomes more dispersed. And yet, I hear sensible people demanding that their in-house data has to be held on a company server, in a company building, on company soil, always to be under the company eye and control.

Why do people think this way? Perhaps it is just habit, or more about the illusion of control. Such thinking is delusional – none of us can control our own data, let alone that of our companies. The internet, servers and service providers are leaky buckets with data seeping out and in. The good news is that it is unpredictable and difficult to read. The real problem is one of trust and reputation. Who do you trust? Your bank, ISP, Google, HP, Apple or IBM?

You might want to contemplate running with several providers simultaneously – that way, you can control some of the dispersal and add another layer of security. Reliability, resilience and security seldom come cheap but it is vital to spread data across the internet in a parsed format. But do we do it ourselves, or do we let others do it for us? I prefer the latter course, through a trusted intermediary.

To me, this is no different to keeping money under my mattress, using a bank, or carrying cash. It is all about resource management and using service industries that organise bits on our behalf while saving us time and money.

Paradoxically, the last people to figure all this out might be those CIOs and IT departments stuck in business and operating modes cast in the 1960s. The cloud is coming and there are great advantages to be had – but we have to accept the challenge of change.

Author: Peter Cochrane
Source

Post-Virtualization Security


Virtualization has been one of the most rapidly and widely adopted technologies in recent memory. It’s huge, and it’s here to stay.

And as security professionals know, setting up a virtual environment securely isn’t easy. Significant effort goes into tasks like evaluating off-premise service providers, ensuring regulatory compliance, and standing up technical controls like monitoring and encryption. But in the excitement to stand up the new environment and get security to an acceptable “target state,” organizations sometimes don’t address security hygiene long-term. In other words, security is in high gear while the environment spins up, but it doesn’t lay the groundwork for what happens once things are chugging along.

This represents an area of concern because setting up a secure environment is only the first step. As the second law of thermodynamics tells us, all things trend toward chaos — this is no less true with a virtual environment. Stand up a virtual environment today and walk away from it and you’ll wind up with an unmanaged security nightmare tomorrow. As technical staff create new VMs, modify existing VMs, create “orphan” snapshots, and take other action in the environment, the environment slowly moves away from the defined, “secure” state into a less known one. This has a security impact.

So for organizations laying out challenges and focus areas for the new year, now’s a good time to think through your planning for how to keep the virtual environment secured. Ideally, you’ve been doing this all along as you first started tackling virtualization. But if (like most) you haven’t, doing it now is a smart move.

The Sprawl

For virtualized data centers and private cloud deployments, keeping the number of virtual hosts within defined parameters can be challenging. VMs tend to proliferate and collect over time because of “one-off” or ad hoc VMs created without a clear plan for decommissioning. Add time and employee attrition to the mix, and you can be left with a large population of undocumented VMs that lack clear purpose and that staff are uncomfortable removing because they’re not sure who will be impacted.

On the operations and performance side, sprawl is a well-known problem. But the security side of it isn’t always addressed. For example, sprawl can have a regulatory impact. The PCI DSS virtualization guidance tells us that if a VM is in scope for PCI, so is the hypervisor it runs on. This means that uncontrolled proliferation can have unintended consequences, such as a test or QA VM landing in the cardholder data environment (CDE) without appropriate controls and dragging its host into scope. Even without the regulatory impact, every undocumented VM is a host that nobody is patching, logging or running anti-malware on.

It takes discipline and planning to control sprawl — discipline and planning that won’t occur without someone from the security team actively monitoring the problem and formulating strategies for how to address the issue. The further environments drift from the documented secure state, the more work is required to bring the environment back in line. This means that security organizations should be actively monitoring inventories of VM assets. They should be working with the technical teams to control expansion now while the problem is small rather than waiting for the problem to become unmanageable later on down the road.
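As an added example of the inventory monitoring the text calls for (illustrative code written for this page, not a tool from the original article), the following Python audit takes a VM inventory export and flags the drift symptoms described above: VMs with no owner or purpose, owners who have left, overdue patching, old snapshots, and undocumented VMs sitting on an in-scope network segment. The inventory rows, the staff list, the "cde" network label and the thresholds are all constructed; in practice the rows would come from the hypervisor management API on a schedule.

```python
"""Added example (not from the original article): audit a VM inventory
export for the sprawl symptoms the text describes.  The inventory rows,
the staff list and the thresholds are constructed for illustration; in
practice the rows come from the hypervisor management API."""
from datetime import date, timedelta

# Constructed: owners that still exist in the directory.  Attrition shows
# up as a VM whose owner is no longer in this set.
ACTIVE_OWNERS = {"payments", "devops"}

# Constructed inventory export.  "network" is the virtual switch / VLAN the
# VM is attached to; "cde" marks the cardholder data environment.
INVENTORY = [
    {"name": "pay-app-01", "owner": "payments", "purpose": "PCI app tier",
     "network": "cde", "last_patched": date(2011, 12, 20),
     "snapshots": [date(2011, 12, 20)]},
    {"name": "qa-tmp-7", "owner": "", "purpose": "",
     "network": "cde", "last_patched": date(2011, 6, 3),
     "snapshots": [date(2011, 7, 2), date(2011, 9, 9)]},
    {"name": "build-03", "owner": "devops", "purpose": "CI runner",
     "network": "corp", "last_patched": date(2011, 12, 28), "snapshots": []},
    {"name": "old-wiki", "owner": "jsmith", "purpose": "team wiki",
     "network": "corp", "last_patched": date(2011, 3, 1),
     "snapshots": [date(2011, 2, 1)]},
]

TODAY = date(2012, 1, 3)  # fixed so the example is reproducible


def audit_inventory(vms, today, active_owners, in_scope_networks=("cde",),
                    max_patch_age_days=90, max_snapshot_age_days=30):
    """Return {vm_name: [finding, ...]} for every VM that has drifted from
    the documented state.  VMs with no findings are omitted."""
    patch_cutoff = today - timedelta(days=max_patch_age_days)
    snap_cutoff = today - timedelta(days=max_snapshot_age_days)
    findings = {}
    for vm in vms:
        issues = []
        if not vm["owner"]:
            issues.append("no-owner")
        elif vm["owner"] not in active_owners:
            issues.append("owner-inactive")          # the attrition case
        if not vm["purpose"]:
            issues.append("no-purpose")
        if vm["last_patched"] < patch_cutoff:
            issues.append("patch-overdue")
        stale = [s for s in vm["snapshots"] if s < snap_cutoff]
        if stale:
            issues.append(f"stale-snapshots:{len(stale)}")
        # An undocumented VM on an in-scope segment is the regulatory case
        # from the text: the VM, and therefore its hypervisor, is in scope.
        undocumented = any(i in issues for i in ("no-owner", "no-purpose", "owner-inactive"))
        if vm["network"] in in_scope_networks and undocumented:
            issues.append("undocumented-in-scope")
        if issues:
            findings[vm["name"]] = issues
    return findings


def run_audit():
    """Audit the constructed inventory against the constructed staff list."""
    return audit_inventory(INVENTORY, TODAY, ACTIVE_OWNERS)


if __name__ == "__main__":
    for name, issues in sorted(run_audit().items()):
        print(f"{name}: {', '.join(issues)}")
```

Run it on a schedule and diff successive outputs: a finding that persists across runs is the VM nobody wants to delete because they are not sure who it will affect, and that is exactly the one to chase down while the list is still short.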

Impacts to Existing Controls

Secondly, as we all probably realize by now, existing security controls don’t always translate well to virtual environments. Consider as one example what happens to network traffic monitoring tools like IDS when conversations between virtual images happen within the hypervisor (backplane communications) as opposed to over the network. For most security professionals, this failure to translate means they’ve needed to deploy new security tools to address shortcomings in the existing tool set.

This strategy is great in that it meets immediate needs, but it doesn’t address what happens over the long term. Consider that the virtual environment is expanding (in most cases rapidly) while the legacy physical environment is contracting. The budget for controls is usually constant. Consider how these two data points play out a year from now — and two years from now. Budgetary support is likely to shift. In fact, it’s not hard to envision a scenario wherein we need to start scaling back existing security controls that address only the legacy environment. Doing that cleanly takes planning and preparation on the part of the security organization. For example, it may take a year or more to shift how current controls are managed and operated in order to allow them to spin down cleanly without impacting existing staff.

Data Expansion

As the last item to consider, security organizations often don’t appreciate the tremendous rate of data growth that can occur in a virtual environment. Pretty much everything you do in the virtual environment has a storage impact: the data you’d be collecting and managing anyway, plus whatever sprawl adds, planned growth, and the snapshots taken for QA or before patching. Data volume can explode in a very short period of time.

This matters to security professionals because of the way certain controls operate relative to data volume — specifically, controls that operate linearly over data like DLP file searches and encryption.

As an example of why this matters, take the example of bulk data encryption. Encrypting a terabyte is trivial. Encrypting an exabyte? Well, that may not even be possible depending on how the data is used. There are some controls that need to be addressed while data sizes are still manageable. It behooves security professionals to think this through now rather than waiting until the volume has expanded beyond what a given control can manage.

Spending some time thinking through the ongoing maintenance and hygiene of a virtual environment is a useful exercise. So in laying out plans for 2012, keep in mind that the work doesn’t stop once the environment is in place — it continues throughout the entire lifecycle of that environment.

Author: Ed Moyle
Source

Securing VoIP Enterprise Networks

VoIP-over-VPN technology protects the privacy of corporate voice communications in industrial networks, while delivering the cost-saving and technology benefits of Voice-over-IP.

By reducing or eliminating phone charges, consolidating infrastructure, and streamlining network operations and maintenance, Voice over Internet Protocol (VoIP) offers tremendous cost-savings for oil and gas companies and other industrial sectors. As with any new technology, however, there can be a down-side.

Most VoIP gateways compromise communication security by transporting VoIP and data traffic without encryption, making the information susceptible to interception by snoopers, hackers, and so forth. Because of such security concerns, many enterprises that handle highly-sensitive information have been reluctant to cash in on the benefits of deploying VoIP technology in their networks.

Standards for voice encryption exist: SRTP (RFC 3711) for the media stream and TLS for SIP signaling. SRTP encrypts the RTP packets that carry the voice after the coder-decoder (CODEC) has digitized and compressed it, and TLS protects the SIP call setup; neither happens inside the CODEC itself, and SRTP on its own leaves the signaling exposed unless SIP over TLS is deployed alongside it. Commercial gateway support for these mechanisms has lagged the standards. VoIP-over-VPN, in contrast, offers a secure solution for converged digital voice and data communications today, and covers both streams with a single mechanism.

VoIP gateways with VoIP-over-VPN offer companies that handle sensitive information a way to move forward and implement secure, converged VoIP and Data networks.

VoIP-over-VPN Technology for Secure Encrypted Voice

A VoIP VPN combines Voice-over-IP and Virtual-Private-Network technologies to offer a method for delivering secure voice. Because VoIP transmits digitized voice as a stream of data packets, the VoIP VPN solution accomplishes voice encryption simply and elegantly. The technique applies existing standard data-encryption mechanisms inherently available in the collection of protocols used to implement a VPN.

The VoIP gateway-router first converts the analog voice signal to digital form, encapsulates the digitized voice within IP packets (RTP over UDP), then encrypts those packets using IPsec, and finally routes the encrypted packets through the VPN tunnel. With IPsec ESP in tunnel mode, the usual site-to-site configuration, the entire inner packet is encrypted, so an observer on the path sees only the tunnel endpoints, not the SIP signaling, the RTP headers or the media. At the remote site, another VoIP router decrypts and decodes the voice and converts it back to an analog signal for delivery to the phone.

Other advantages

Security is not the only reason to pass Voice-over-IP through a Virtual Private Network, however. Session Initiation Protocol, the preferred VoIP protocol, is notoriously difficult to pass through a firewall. The signaling itself uses a well-known port (5060, or 5061 for TLS), but the UDP ports for each call’s RTP media are negotiated dynamically in the SDP body of the SIP messages, so a firewall must either parse SIP to open the right pinholes at the right time or leave a wide port range open. A VPN solution avoids this firewall issue when configuring remote VoIP clients: it virtually moves users inside the same local network as the VoIP server, so only the tunnel itself needs to be permitted.

Author: Antoine Abi Antoun
Source

Desktop Virtualization Improves Security

One of the main reasons for deploying desktop virtualization is the security advantages it can provide, such as keeping sensitive data off the endpoint, according to Citrix.

And Citrix is practicing what it preaches at its Ft. Lauderdale, Fla., headquarters where employees, for example, use the Citrix virtualization product Citrix Receiver for smartphones and tablets.

Citrix Receiver brings full-fledged desktop apps to smartphones and tablets

“It’s required to access some systems such as SAP,” says Kurt Roemer, chief of security strategy at Citrix. “And we don’t have to roll out an SAP client. It’s up to date and the exact configuration. You’re just interacting with the application.”

While businesses all operate in different circumstances, there are general aspects of desktop virtualization that hold appeal to IT departments that have fought unending battles to try and keep unwanted applications off user desktops, patch applications, and cope with the stray malware eruptions.

“It gives IT back control,” Roemer says. “It allows for risk-based access, and the decision on whether to allow the data to be taken offline.” The company managers can set policies related to saving or printing data, for instance. Although for those needing data offline, desktop virtualization doesn’t preclude use of encryption, for example.

Applications made available through desktop virtualization (Citrix offers XenDesktop, which can run on top of VMware, Microsoft Hyper-V or the Citrix hypervisor) are consistent across the user base and patch updates to them are consistent, even while access to applications is more flexible.

“This is very beneficial for security,” Roemer notes, adding that it allows for flexibility in deciding how to centrally establish management and security controls.

It’s evident from the survey of 1,100 senior IT managers and decision-makers worldwide that was published today that there’s also widespread expectation that desktop virtualization will be used in a complementary fashion with cloud-based services and various security controls.

The survey, “Desktop virtualization and security: a global market research report,” found 91% of the respondents said they already have or will have desktop virtualization implemented by the end of 2013 in their organizations, of which all have at least 500 employees.

In addition, they said they plan to complement desktop virtualization with cloud-based services and additional security measures such as data-loss prevention, identity management, mobile-device management, VPN, threat management and authentication.

According to the survey, which didn’t identify which specific desktop virtualization technologies were being used, 33% have already deployed desktop virtualization to a significant level and a further 58% plan to do so before the end of 2013. The survey, sponsored by Citrix, was conducted by firm Vanson Bourne.

Author: Ellen Messmer
Source

Remove Vulnerability From VoIP Networks

Using the OSI network layer model as a basis, here’s how to derive a simplified three-layer model for SIP-based VoIP and corresponding threats and defenses. The resurgence of interest in VoIP to provide telephone services worldwide is often credited to the use of the Session Initiation Protocol (SIP) for signaling. Both residential and enterprise VoIP services are widely deployed. IP telephony may be used either to replace the primary telephone service or to provide additional telephone lines.

IP telephony offers some dramatic benefits over traditional or plain old telephone systems (POTS), such as reduced operating costs, portability and accessibility. IP telephony has its share of problems. To date, most of the focus has been on such challenges as voice quality, latency and interoperability. Security of the VoIP network is only now being recognized as an important issue to be addressed.

Multiple security threat models exist in current implementations of SIP-based VoIP networks. These threats are further aggravated because in order to allow similar access as the public switched telephone network (PSTN), VoIP networks are often implemented over the public Internet, which is a potentially hostile environment.

The very same reasons that make SIP so popular, e.g., its similarity to the Hypertext Transfer Protocol (HTTP), are also the reasons for its vulnerability: it is a text-based request/response protocol that, by default, travels unencrypted. This can lead to similar problems such as identity theft, impersonation, denial of service (DoS), hijacking and theft of services, and violation of privacy and confidentiality. The good news is that many of the security mechanisms for SIP-based VoIP can be the same as those used for HTTP; SIP reuses HTTP Digest authentication to challenge requests and TLS to protect the signaling channel. The challenge is simply to make these mechanisms SIP- and VoIP-friendly. In addition, SIP and its extensions provide for a number of intrinsic security features that can be used to harden implementations.
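As an added example (written for this page, not part of the original article), here is the HTTP Digest challenge/response that SIP reuses for authenticating REGISTER and INVITE requests (RFC 3261 section 22, which profiles RFC 2617), together with the registrar-side verifier and the offline dictionary attack that a captured exchange permits. The realm, nonces, username, password and word list are constructed. Digest proves knowledge of the password without sending it, but it encrypts nothing: anyone who sniffs the Authorization header has everything except the password and can test guesses offline at three MD5 operations each, which is why weak extension passwords plus unencrypted signaling are a bad combination and why SIP over TLS matters.

```python
"""Added example (not from the original article): SIP's HTTP Digest
authentication, a verifier, and the offline guessing attack a sniffed
exchange allows.  Realm, nonces, credentials and word list are constructed."""
import hashlib
import hmac
import re

# Constructed credential store on the registrar.
PASSWORDS = {"1001": "summer2011"}
REALM = "pbx.example.com"


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")          # qop=auth covers method and URI only
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, method, uri, realm, nonce, cnonce, nc="00000001"):
    """Client side: the Authorization header sent in the retried request."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}", algorithm=MD5')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header):
    """'Digest k="v", k2=v2, ...' -> {k: v}."""
    params = header.split(" ", 1)[1]
    return {k: q if q else u for k, q, u in _PARAM.findall(params)}


def server_verify(auth_header, method, password_db=PASSWORDS):
    """Registrar side: recompute the response from the stored password."""
    p = parse_digest(auth_header)
    password = password_db.get(p.get("username"))
    if password is None or p.get("qop") != "auth":
        return False
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


def offline_guess(auth_header, method, wordlist):
    """Attacker side: everything but the password is in the sniffed header,
    so each guess costs three MD5s.  Returns the recovered password or None."""
    p = parse_digest(auth_header)
    for candidate in wordlist:
        if digest_response(p["username"], p["realm"], candidate, method,
                           p["uri"], p["nonce"], p["nc"], p["cnonce"]) == p["response"]:
            return candidate
    return None


# Constructed exchange: the 401 carries the nonce, the phone picks a cnonce.
CHALLENGE_NONCE = "3a9f1c7e5b2d"
CLIENT_CNONCE = "0a4f113b"
SAMPLE_AUTH = build_authorization("1001", "summer2011", "REGISTER",
                                  "sip:pbx.example.com", REALM,
                                  CHALLENGE_NONCE, CLIENT_CNONCE)
WORDLIST = ["password", "1001", "winter2010", "summer2011"]   # constructed

if __name__ == "__main__":
    print(SAMPLE_AUTH)
    print("verify:", server_verify(SAMPLE_AUTH, "REGISTER"))
    print("recovered:", offline_guess(SAMPLE_AUTH, "REGISTER", WORDLIST))
```

Note also that with qop=auth the response covers only the method and Request-URI; the SDP body is not protected unless qop=auth-int is negotiated, so an attacker who can see the signaling can still rewrite where the media goes.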

VoIP Overview

In addition to transmitting voice, a basic telephone system transmits many signals such as off-hook, on-hook and dual tone multi-frequency (DTMF) tones for dialed digits, etc. It also needs to maintain the state of the call, and generate a dial tone, ring-back and other tones. It can be said that there are two distinct streams of information on the wire: the signaling and the voice.

In PSTNs, some of the signaling travels in-band along with the voice up to the central office, where it is sent over the Signaling System 7 (SS7) network. The SS7 network is not accessible to the public; therefore, the PSTN is relatively secure. In VoIP telephony, voice is carried by the Real-time Transport Protocol (RTP) and the signaling by one of several signaling protocols such as H.323, MGCP or SIP. Both of these transport streams are sent over the public Internet or over networks connected to the public Internet, which leaves the VoIP telephone network exposed.

Due to the nature of the IP network, in order to use it for telephony, additional requirements must be met by a VoIP device such as:

  • User authentication: The phone is no longer physically connected to the PSTN and needs to be authenticated
  • Address translation: Translating phone numbers into IP addresses and vice-versa
  • Routing: Locating and routing to the correct service gateway for the destination phone
  • Feature translation: Transparently translating advanced phone features such as call waiting, call hold, call forwarding, etc.
  • Caller ID: Generation of and decoding and transmission of caller ID over IP
  • Call detail records: Generation and transmission of billing information for PSTN and VoIP services
  • Legal: Access to emergency services and provision for intercept by law-enforcement agencies

In addition to just providing a transparent translation of telephone services, any VoIP device (since it is connected to the Internet) should provide for mechanisms to protect from toll fraud, eavesdropping and call hijacking among other things, and maintain message integrity. This is in addition to standard network security to protect against DoS and DDoS attacks.

Figure 1. How SIP fits into the VoIP Protocol soup

SIP was not designed to provide for all of these requirements, and it is not the only protocol that the communicating devices will need. The purpose of SIP is just to make communication possible. The communication itself must be achieved by another means (and possibly another protocol). Since SIP is an IETF specification, it is designed to use other existing IETF protocols to fill in the gaps.

VoIP threat assessment model

Starting from the basic OSI Reference Model and the Department of Defense (DoD) or TCP/IP reference model, the SIP-based VoIP network can be analyzed by a layered approach. Threats and therefore countermeasures can also be mapped to the layers of the network reference models. With this layered analysis strategy, it becomes immediately apparent that each layer has different security threats.

Figure 2. The layered approach to threat assessment.

A defense strategy can also follow this layered approach. This eases deployment and leads to the three-layer security model as follows:

  • Infrastructure security layer: Protect and secure the network infrastructure
  • Network services security layer: Protect and secure end-users, access and service enablers
  • Application security layer: Protect and secure SIP-based VoIP and other network applications

Based on general network security precepts, each security layer then needs to be evaluated on the basis of the following parameters:

  • Authentication: Confirm the identity of communicating entities, whether individuals, devices, services or applications. Authentication guards against impersonation or replay of previous communications.
  • Authorization: Cross-checks identity for role and access. This prevents unauthorized access to services, access to stored information, toll fraud, etc.
  • Accountability/Audit: Keeps track of usage and security services. This helps in early detection and recovery from threats and attacks.
  • Availability/Reliability: Redundancy, perimeter protection and hardening ensure that authorized users continue to have access to network devices, services and stored information despite an ongoing attack such as a DoS attack.
  • Confidentiality: Encryption of communication streams prevents unauthorized intercepts and eavesdropping. In addition, encryption can be coupled with access control to protect stored information.
  • Integrity: Prevents unauthorized modification, deletion, creation or replication of data. Typical mechanisms are keyed message authentication codes such as HMAC, built on hash functions such as MD5 and SHA-1 (both now considered weak; SHA-2 family functions are preferred for new deployments). This also helps in early detection of unauthorized activity.
  • Non-repudiation: Proof that communications actually happened. Required for forensic evidence purposes.
  • Privacy/Anonymity: Privacy tackles issues like phone number harvesting, call pattern tracking, etc. that violates the privacy of the user. Anonymity, on the other hand, allows a user to communicate without revealing their identity and is usually contrary to most security policies.

Security mechanisms at the infrastructure layer are normally provided by the broadband access provider. For example, cable networks may authenticate subscribers by MAC address, or DSL networks may use PPPoE, which incorporates a password mechanism for authentication.

At the network services layer, the access and service enablers are typically protected by the broadband service providers and by the backbone network providers. End-users however, are typically not protected and left to their own devices. Most industry security schemes consider end-points as un-trusted.

Broadband access routers are increasingly prevalent at the customer premises end. These routers incorporate network address translators (NATs) that, besides helping to conserve IP address space, are sometimes used along with packet filtering to provide basic firewall functionality. The security provided entirely depends on the correct configuration of these devices. Service providers that provide CPE equipment that is customized and locked to their networks address this issue to some extent, as they can manage the customer equipment and impose some modicum of security. This trend is seen in a large percentage of broadband access networks.

The CPE for the SIP-based VoIP service is usually a terminal adapter (TA) that connects downstream from the broadband access modem or router and provides an analog phone interface to a regular phone instrument. This VoIP device, in most cases, is not a part of the managed broadband access network. In the case of VoIP, there are two distinct transport streams that need to traverse the firewall and NAT, namely the core signaling transport and the media transport paths. Simple firewalls will not let VoIP traffic through, since they do not know which ports to open for the voice traffic and at what time. In the interest of security, it is not practical to always leave open a large range of ports.
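As an added example serving both this paragraph and the earlier remark in the VoIP-over-VPN article that SIP is hard to firewall, the following Python code does what a SIP-aware firewall or application-layer gateway must do: parse the SDP offer inside an INVITE, derive the RTP and RTCP pinholes to open for the life of the call, and detect the NAT case where the SDP advertises a private address while the packet arrived from a public one. It is illustrative code written for this page, not from the original article; the INVITE, the addresses and the ports are constructed.

```python
"""Added example (not from the original article): derive firewall
pinholes from the SDP inside a SIP INVITE and detect the NAT mismatch.
The INVITE, addresses and ports below are constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip is a private (RFC 1918) address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed SDP offer: one audio stream, one rejected video stream.
SDP_BODY = (
    "v=0\r\n"
    "o=1001 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 0 RTP/AVP 31\r\n"          # port 0: stream rejected, no pinhole
)

# Constructed INVITE carrying that offer.
SAMPLE_INVITE = (
    "INVITE sip:2002@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:2002@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n"
    + SDP_BODY
)


def split_sip(message):
    """Return (headers dict with lower-cased names, body)."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def media_pinholes(message, observed_src):
    """Derive the UDP pinholes a firewall must open for this offer.

    A session-level c= applies to every m= line unless the media section
    carries its own c=.  RTCP is assumed at RTP port + 1 (RFC 3550
    default); an a=rtcp attribute overrides it.  observed_src is the
    outer source IP the INVITE actually arrived from.
    """
    headers, body = split_sip(message)
    if headers.get("content-type") != "application/sdp":
        return []
    session_ip, current, streams = None, None, []
    for line in body.split("\r\n"):
        if not line:
            continue
        kind, _, value = line.partition("=")
        if kind == "c":
            ip = value.split()[2]
            if current is None:
                session_ip = ip
            else:
                current["ip"] = ip                   # media-level override
        elif kind == "m":
            media, port, proto = value.split()[:3]
            current = {"media": media, "ip": session_ip, "rtp_port": int(port),
                       "rtcp_port": int(port) + 1, "proto": proto}
            streams.append(current)
        elif kind == "a" and value.startswith("rtcp:") and current is not None:
            current["rtcp_port"] = int(value[5:].split()[0])
    result = []
    for s in streams:
        if s["rtp_port"] == 0:                       # rejected stream
            continue
        # Private address in the SDP but a public outer source: the phone
        # is behind NAT and c=/m= must be rewritten or media goes nowhere.
        s["nat_mismatch"] = is_rfc1918(s["ip"]) and not is_rfc1918(observed_src)
        result.append(s)
    return result


if __name__ == "__main__":
    for hole in media_pinholes(SAMPLE_INVITE, observed_src="203.0.113.7"):
        print(hole)
```

The other half of the problem is not shown: the pinholes must be closed again when the BYE is seen or the dialog times out, and when nat_mismatch is set the c= and m= lines must be rewritten to the NAT’s public address, otherwise the far end sends its media to 192.168.1.20 and the call has one-way audio.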

At the application layer, the threat and countermeasures become quite complex. This layer is the most vulnerable layer and different types of threats are becoming increasingly common. There is still a lot of work to be done before standard interoperable mechanisms are put in place to harden an application such as SIP-based VoIP. A collaborative, industry-wide effort is required.

The first step in that direction was taken in October 2005. The Voice over IP Security Alliance (VOIPSA), an industry consortium of VoIP and information security vendors, providers and thought leaders, released the first draft of their VoIP Security Threat Taxonomy, which attempts to identify and qualify the various threats in preparation for standardizing the mechanisms used as countermeasures.

Hardening the VoIP network

A VoIP network relies on the basic IP infrastructure for multiple services such as domain name service (DNS), trivial file transfer protocol (TFTP), file transfer protocol (FTP), etc. SIP-based VoIP networks rely on the DNS mechanism for many types of services related to telephony such as E.164 number mapping (ENUM). In addition, the use of the service record (DNS SRV) in the DNS server to identify SIP services enables server load balancing and redundancy. This achieves better network reliability during peak traffic and also provides resilience against DoS attacks.

However, DNS has itself been identified as one of the vulnerable systems in the TCP/IP infrastructure. It is vulnerable to many types of transaction attacks including cache poisoning, domain hijacking and man-in-the-middle redirection. Open recursive DNS servers are actively being used as DDoS reflectors, providing a huge amplification factor for such attacks. The DNS Security Extensions (DNSSEC), designed to alleviate some of these shortcomings, are still not widely deployed.

Hence, many SIP-based VoIP implementations are designed to use private DNS. Private DNS breaks the hierarchical tree structure of the DNS and does not allow recursive queries. Instead, private DNS uses a standalone server or servers to provide exclusively VoIP-related DNS services for SIP clients within the managed network. All other DNS requests continue to be serviced by the standard DNS network of servers.

VoIP telephones could be mis-configured by the end-user, either while attempting firmware updates or when adjusting parameters of operation, leading to vulnerabilities or loss of service. Early SIP-based VoIP devices commonly used TFTP to update firmware or configuration files. TFTP is not a very sophisticated or secure mechanism for file transfer, and using it for updating critical files could lead to compromising either the fundamental operating firmware or the configuration of the SIP device.

Modern SIP-based VoIP devices use FTP or, preferably, secure HTTP (HTTPS) for firmware updates, and XML over HTTPS for remote configuration by the service provider. Plain FTP adds only a cleartext password over what TFTP offers, so it does little against an attacker who can observe or alter the traffic; HTTPS, with the device verifying the server’s certificate, is the option that actually protects the image and the configuration in transit. In addition, the ability to modify firmware or SIP parameters is usually blocked by the service provider, thus leading to greater reliability of the firmware updates and SIP configurations.

Such a mechanism for configuration and updating also provides service providers with the ability to provision devices based on rate structures such as local or long-distance plans, etc. In addition, it also allows the service provider to hide SIP configuration and dial plans, information that could potentially be used by hackers to steal services.

Author: Vinay R. Rao
Source

Cloud Computing’s Security Strengths

Cloud computing has flunked a security test, reports Tim Wilson at Dark Reading. That probably doesn’t surprise you. Conventional wisdom says clouds are inherently insecure.

But are they? Or are clouds actually more secure than conventional IT environments? A growing number of technologists are making that argument. And they’re not cloud vendors or marketers or startups who have placed their bet on the cloud. They’re some of the senior-most technology officials in government, including those from intelligence agencies and the military, which might be the last place you’d expect to hear such talk.

The list of execs touting the security advantages of the cloud has grown to include federal CIO Steven VanRoekel; Gen. Keith Alexander, head of both the National Security Agency and U.S. Cyber Command; CIA CTO Gus Hunt; NIST security researchers Peter Mell and Dr. Ronald Ross; and former NSA director Adm. Mike McConnell.

Their comments on cloud security are often accompanied by the caveat, “if you do it right.” In other words, cloud security only happens through a combination of vigilance, best practices, and technology, including encryption, patching, and monitoring.

The shift to the cloud is an opportunity to rethink security from the ground up, to re-architect networks and data centers in a way that closes existing gaps. The feds are helping agencies do this with a growing body of guidance such as NIST’s 68-page document on cloud security and controls required as part of the forthcoming FedRAMP security authorization program.

CIA CTO Hunt talks about periodically and automatically moving workloads and reimaging machines as a way of creating a “polymorphic attack surface” that confuses would-be attackers, as they won’t know what’s running on which physical server at any point in time.

Hunt’s not some IT lightweight, and the CIA can’t afford to be cavalier about the security of its data and systems. “We’re paranoid for a reason,” Hunt told the audience at InformationWeek’s GovCloud 2011 event in October. “They really are out to get us. And I’m not kidding about this, when secrets leak out, people die.”

Alexander says cloud computing can improve patching across a network and bring other benefits. “You have better visibility and situational awareness,” he said at a recent event hosted by the Defense Advanced Research Projects Agency. “More importantly, if you were to watch how we push out [patches] today, you would laugh or cry because it takes months. We need a dynamic way to do it, and the cloud lets us do it much quicker.”

These concepts apply primarily to private, not public, clouds. Even so, NIST’s Mell, one of the creators of the FedRAMP program, has argued that entrusting data to the world-class engineers at Amazon, Google, and Microsoft may be more secure than hosting the data in your own data center.

Not everyone is ready to buy into this line of thinking, of course. At a recent cybersecurity event in Baltimore, some attendees scoffed at Alexander’s take on cloud security. Their counterargument: Consolidation and virtualization might make an IT environment more manageable, but they also create a bigger target for social engineering and other forms of attack.

And NIST, despite the optimism of its cloud researchers, offers its own words of warning. “The cloud computing environment presents unique security challenges,” NIST writes in its recently released “cloud roadmap” document. “The architecture, potential scale, reliance on networking, degree of outsourcing, and shared resource aspects of the cloud computing model make it prudent to reexamine current security controls.” Prudent? That’s too soft. IT pros who don’t pay close attention to security controls in the cloud are putting their organizations at extreme risk.

Done right, however, clouds may be more secure than old-style data centers. That’s the view of influential IT leaders within the government’s intelligence, defense, and civilian agencies. Maybe it’s time to think more about the potential security benefits of the cloud, and not just about all that can go wrong.

Author: J. Nicholas Hoover
Source

Virtual Machines Can Boost Cloud Security

While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosby, says virtualization actually holds a key to better security.

Isolation, the ability to restrict what computing goes on in a given context, is a fundamental characteristic of virtualization, and it can be used to improve the trustworthiness of processes on a physical system even when other processes on that system have been compromised, says Crosby, a creator of the open source hypervisor and a founder of the startup Bromium, which is looking to use Xen features to boost security.

If the virtual machine manager (hypervisor) can help isolate functions carried out on a system and thereby reduce the risk that an attack successful against one function can spread, that improves the trustworthiness of those other processes, Crosby says in an interview with Network World.

“I think that when we look back in five years we will actually figure out that the core value of hardware virtualization is security,” Crosby says. “Actually it’s better trust or better isolation, and not all of the grandiose cases we’ve come up with for virtualization today. So that even in the cloud the primary use case for virtualization will, in five years or so, be security and security through isolation.”

Crosby was reluctant to detail how such a system would work because it is at the core of what Bromium is working on, and it doesn’t plan to reveal that until next year. But earlier this year at the Xen Developers Conference, Bromium co-founder and chairman of Xen.org Ian Pratt offered some insight.

Introspection, a feature of Xen that lets a trusted VM inspect the memory and state of other virtual machines from outside them, could help discover compromises within those VMs, he says. Xen can also run device drivers in isolated driver domains, so a compromised driver is confined to its own unprivileged VM rather than taking down the control domain, which enhances security, Pratt says.

Crosby says this isolation is similar to what XenClient does today, enabling for instance a corporate desktop and a personal desktop on the same machine, keeping their activities securely separate. A person’s possibly risky personal behavior with the machine won’t compromise the corporate functions.

“The key point I’m trying to make is that virtualization technology in general through isolation provides you a different context in which to execute code of different trust levels,” he says.

Isolating processes more finely can boost security in public cloud environments, he says. “I think one will be to create a highly secure cloud system which can be used to deliver multilevel secure systems,” he says.

As an example he points to Intel and McAfee’s DeepSAFE technology, software that sits between the CPU and the operating system on a device, much the way a bare-metal (Type 1) hypervisor does. Its direct link to the hardware gives it a trusted position and a view into events on the machine beyond what the operating system sees, according to McAfee.

“Intel recently announced its Deep Safe technology with McAfee, a Type 1 hypervisor early load, which has a sole purpose to secure the runtime,” Crosby says. “So you start to see the specific use of virtualization security on clients. I think it will eventually be the same on server systems, too. Obviously you’ve got to get the server hypervisor to learn new things.”

He seems to suggest that linking hypervisors to trusted platform modules (TPMs) shipped on commodity platforms could yield security benefits. A TPM’s features include protected storage of encryption keys, which can be sealed to a measured platform state; combined with the hardware encryption support in the processors themselves, that makes it possible to encrypt all data a business entrusts to a public cloud.

“You can encrypt it at wire speed, and there is no excuse ever for the cloud provider to manage the key,” Crosby says. “So what should happen is when you run an application in the cloud you should provide it with the key and only in the context of the running application as the data comes off some storage service is it decrypted and goes out re-encrypted on the fly. That way if somebody compromises the cloud provider’s interface or if someone walks into the cloud provider and walks off with a hard disk, then you are OK.”
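What Crosby describes, a key held by the customer and handed only to the running application, can be built with envelope encryption. The Go program below is an added example and is not Bromium’s or any provider’s code. It assumes a 256-bit customer key (the KEK), encrypts each object under its own random data key with AES-GCM, wraps that data key under the KEK, and binds the object name as associated data. The provider stores only ciphertext and a wrapped key, so a copied disk or a compromised storage interface yields nothing, and the customer can rotate its KEK without re-encrypting the bulk data. The object name and contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the cloud provider holds for one object: the
// AES-GCM ciphertext and the per-object data key, itself encrypted under a
// customer key (KEK) the provider never receives.
type StoredObject struct {
	Nonce, Ciphertext     []byte
	WrapNonce, WrappedDEK []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key with a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer side before the object is handed to storage.
// objectID is bound as associated data so the custodian cannot quietly serve
// one object's ciphertext under another object's name.
func Encrypt(kek []byte, objectID string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wn, wdek, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{nonce, ct, wn, wdek}, nil
}

// Decrypt runs wherever the customer has placed the KEK (its own premises, or
// an application instance handed the key at start-up); the provider cannot.
func Decrypt(kek []byte, objectID string, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong object name or tampered object")
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(objectID))
}

// Rewrap rotates the customer's KEK. Only the small wrapped DEK is re-encrypted;
// the bulk ciphertext in the provider's storage is untouched.
func Rewrap(oldKEK, newKEK []byte, objectID string, obj StoredObject) (StoredObject, error) {
	dek, err := open(oldKEK, obj.WrapNonce, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	wn, wdek, err := seal(newKEK, dek, []byte(objectID))
	if err != nil {
		return StoredObject{}, err
	}
	obj.WrapNonce, obj.WrappedDEK = wn, wdek
	return obj, nil
}

func main() {
	kek := make([]byte, 32) // in practice fetched from the customer's own HSM or key server
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	obj, err := Encrypt(kek, "invoices/2011-10.csv", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes plus a %d-byte wrapped key\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	if _, err := Decrypt(make([]byte, 32), "invoices/2011-10.csv", obj); err != nil {
		fmt.Println("provider-side attempt without the KEK:", err)
	}
	pt, _ := Decrypt(kek, "invoices/2011-10.csv", obj)
	fmt.Printf("customer reads back %q\n", pt)
}
```

The wire-speed part of Crosby’s point comes from doing the bulk AES work in the application’s own process, where the CPU’s AES instructions are available; the KEK only ever unwraps 32-byte data keys, so the rotation in Rewrap is cheap no matter how large the stored objects are.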

By better securing public clouds, businesses can take full advantage of the reduced costs they offer. If trust in public clouds can be established, the need for private clouds and hybrid clouds and the capital costs they imply will go away. Cloud computing will become an operational expense.

Standing in the way is fear that if data is compromised while in the cloud the event will be career-ending for those who authorize it. Also blocking the way are the demands of regulatory auditors that want businesses to be able to physically locate data. “[Y]ou can’t really state anything to a regulator in terms of the data if you can’t find the hard disk,” he says. “So how is the guy supposed to allow the data out of the data center?”

It could be shown instead that data is secure within a public cloud, meeting regulatory concerns without having to physically locate the disk containing it, Crosby says. “They could do it in a heartbeat,” he says, “if we could actually secure the regulatory frameworks for it and if we could just get the vendors to do the obvious things in terms of adopting security technologies.”

Crosby says Bromium already has a functioning version of its product and will announce it within months. “I think we’re on early in the new year,” he says. “We’re in the stage where we’re sending systems to potential early customers for them to kick around and give us feedback on.”

Author: Tim Greene
Source

The Essentials Of Cloud Computing

You are not alone if you are confused about cloud computing – recent research has shown that nearly half of those not using cloud computing don’t know what it means. Whether you are worried about security or how you would access your data without internet access read on and see my answers to the common questions which people ask me about cloud computing.

1. Is there a difference between ‘The Cloud’ and ‘Cloud Computing’? Isn’t it just the same as the internet?

Yes ‘The Cloud’ is a common metaphor for the internet but the term ‘cloud computing’ refers to on-demand services supplied over the internet.

2. So what exactly is cloud computing?

The term refers to using and storing data which is not physically kept on your computer but which you access and save online. In addition to pure storage very often a service is also provided. Think of it as doing things over the internet that you would normally only ever have done on your computer such as word processing, storing files, photo editing, project management, etc.

3. What do you mean by ‘services’?

You can think of it as a utility like electricity or gas — where you are the end user, and don’t need to worry about where it comes from or how it gets to you; you only pay for what you use.

Popular micro-business services include:

Cloud storage and back-up such as that offered by Dropbox, SugarSync and Crashplan
CRM, for example by Highrise and Salesforce
Productivity, project management and document sharing such as that offered by Basecamp, Backpack and Huddle
Mailing list management by MailChimp, ConstantContact or Mad Mimi.

4. I’ve heard of Software as a Service (SaaS). Is that cloud computing then?

Yes, absolutely, that is exactly what it is! Contact Management Software is a perfect example of software you would traditionally have used just on your computer. Now with services like Highrise you access the software and your data entirely in the cloud. SaaS lets you access the latest technology without the steep price tag. Instead of investing in expensive hardware or software you can pay for the best of both on demand.

5. Why does everyone keep talking about it? Is it new?

Cloud computing isn’t really all that new (the term was first used in scholarly circles in 1997) but the range of services available to individual and business users is growing rapidly. With cloud computing now seen as a viable alternative to managing your own hardware and software (with the costs and space implications of in-house servers and IT departments) many businesses are actively transferring their whole operation to the cloud. Even for the one-person business new offerings like Office365 – a great solution for business email and productivity on the go – will make cloud working affordable and easily accessible to every size business with monthly prices as low as £4+VAT per month.

6. But where does my data actually go?

Huge and highly secure data-centers filled with servers. To give you an idea of the scale both in terms of size and investment, look no further than Microsoft’s data center in Chicago. One of the largest built to date, it spans 65,000 square meters, cost $500 million and has the potential to hold 300,000 servers.

7. Isn’t it a slower way of working?

In most cases it won’t affect your day-to-day experience but obviously you are totally dependent on having internet access. If you are going to transfer large amounts of data to the cloud for storage do expect this to take some time (it took me several weeks to upload my family photo archive).

8. And what if I don’t have internet access? I won’t be able to work!

Yes, this is an important consideration, but some browser-based applications will cache a copy of your work in progress on your computer so you can work offline and then sync up to the cloud when you are done. Services like Dropbox and Office365 offer a hybrid approach giving you the best of both worlds.

9. Sounds great, but is it safe?

Can we trust those that hold our data, documents and photos? What if my data gets hacked into? Well, you probably do your banking online so in many ways that decision has been made for you. You can also take comfort in the amount of due diligence which your bank and other global organisations who have chosen to utilise the cloud must have gone through before deciding to make the change.

Data is encrypted in transit to and from the data centers with TLS (SSL), the same protocol that protects your credit card details during online banking. Note that encryption in transit says nothing about whether the data is also encrypted at rest, or who holds the keys; that varies by service and is worth asking about. The reputational risk to the main providers of rack space, such as Amazon, Google and Microsoft, is so high that they have well-documented and regularly audited security controls in place.

I have written elsewhere about password best-practice, which for most people will by far be their weakest link when it comes to the security of their data.

10. So what are the advantages of cloud computing?

It’s cheaper or free: I won’t go into the detail of why it is cheaper for businesses with servers to transfer to the cloud in this post but many great services and storage options for individual users or micro-businesses are free.

You always have the latest version of the software and upgrades are constant and seamless: no need to physically purchase a program and then buy and install upgrades.

Pay as you go: you can spread the cost and ease your cash flow by paying for what you use on a monthly basis.

It’s good for the planet: data centers share resources far more efficiently than a server room in every office, and published studies have put the reduction in a business’s IT carbon footprint from moving to the cloud at as much as 90%.

11. But what can it really do for me?

Well for me the silver lining to cloud computing is that it helps me to be more productive – my whole business is in the cloud and I can access what I want where I want it and don’t need to worry about where something is saved or whether it is backed up. From a business point of view I don’t need to physically be in the same place as my documents, emails, address book to keep working. Most services also have a phone app meaning you can access your data and keep working on the go.

Hopefully by now you’ll be sold on the idea of cloud computing and will be wondering how can you best make the most of the cloud in your home and business life – free up time, be more productive and save money. You might have noticed that there are a vast range of cloud-based apps and services out there. I have mentioned just a fraction of the really great ones in this post to get you started – so check them out and let me know what you think.

Author: Francesca Geens
Source

Cloud Computing Data Security

Meeting the requirements for cloud data security entails applying existing security techniques and following sound security practices. To be effective, cloud data security depends on more than simply applying appropriate countermeasures. Taken collectively, countermeasures must comprise a resilient mosaic that protects data at rest as well as data in motion.

While the use of encryption is a key component for cloud security, even the most robust encryption is pointless if the keys are exposed or if encryption endpoints are insecure. Customer or tenant control over these endpoints will vary depending on the service model and the deployment model.

OVERVIEW OF DATA SECURITY IN CLOUD COMPUTING
It is understandable that prospective cloud adopters would have security concerns around storing and processing sensitive data in a public or hybrid or even in a community cloud. Compared to a private data center, these concerns usually center on two areas:

  • Decreased control by the owning organization when data is no longer managed within an organization’s premises
  • Concern by the owning organization that multitenancy clouds inherently pose risks to sensitive data

In both cases, the potential risk of data exposure is real but not fundamentally new. This is not to say that cloud computing does not bring unique challenges to data security.

Control over Data and Public Cloud Economics

In contrast to use of a public cloud, maintaining organizational physical control over stored data or data as it traverses internal networks and is processed by on-premises computers does offer potential advantages for security. But the fact is that while many organizations may enforce strict on-premises-only data policies, few organizations actually follow through and implement the broad controls and the disciplined practices that are necessary to achieve full and effective control.

So while additional risks may be present when data doesn’t physically exist within the confines of an organization’s controlled facility, this is not necessarily the security issue that it may appear to be. To begin with, achieving the potential advantages of on-premises data requires that your security strategy and implementation actually deliver on the promise of better security.

The basic problem is that most organizations are neither qualified to be in the information security business nor are they in that business—they are simply using computers and networks to get their work done! Although secure computing is a desired quality, information security expertise is not a core-competency for most computer users nor is it common in most organizations. Returning to the point:

  • Moving data off premises does not necessarily pose new risks, and it may in fact improve your security.
  • Entrusting your data to an external custodian may result in better security and may well be more cost effective.

Two examples that underscore this are the commercial service offerings to either store highly sensitive data for disaster recovery or assure the destruction of magnetic media. In both cases, many highly paranoid organizations tightly control how they use these services—but the point is that they use external services, and when they do so, they entrust their data to external custodians.

It is important to state that some kinds of data are simply too sensitive, and the consequence of exposure too great, for some customers to seriously consider using a public cloud for processing. This applies to any information category that entails national security information, or information subject to regulatory controls that public cloud offerings cannot yet meet. Likewise, it is unlikely that a well-governed organization would release highly sensitive future product plans to any environment where it could not be certain that the information custodian (the CSP) would protect the owning organization’s interests as well as the organization itself would.

In these examples, it is not the case that security needs for these categories can’t be met in a public cloud, rather the cost of providing such security assurance is incompatible with the cost model of a public cloud. If a CSP is to meet these needs that would demand additional controls, procedures, and practices that would make the cloud offering noncompetitive for most users. Consequently, where such data security needs prevail, other delivery models (community or private cloud) may be more appropriate. This is depicted in Figure 1. Note that this situation is a function of generally available and anticipated offerings in the public cloud space. Quite likely, this will change as security becomes more of a competitive discriminator in cloud computing.

FIGURE 1 Meeting security needs: public, community, and private clouds.

One can easily imagine future high-assurance public clouds that charge more for their service than lower-assurance public clouds do today. We might also expect that some higher-assurance clouds would limit access by selectively screening customers against entry requirements or regulation. Limiting access to such a cloud would reduce risk, not eliminate it, and only to the extent that the screening is effective.

Organizational Responsibility: Ownership and Custodianship
While an organization has responsibility for ensuring that their data is properly protected as discussed above, it is often the case that when data resides within premises, appropriate data assurance is not practiced or even understood as a set of actionable requirements. When data is stored with a CSP, the CSP assumes at least partial responsibility (PaaS) if not full responsibility (SaaS) in the role of data custodian. But even with divided responsibilities for data ownership and data custodianship, the data owner does not give up the need for diligence for ensuring that data is properly protected by the custodian.

By the nature of the service offerings, and as depicted in Figure 2, a data owning organization can benefit from their CSP having control and responsibility for customer data in the SaaS model. The data owning organization is progressively responsible beginning with PaaS and expanding with IaaS. But appropriate data assurance can entail significant security competence for the owning organization.

FIGURE 2 Owning organization has increasing control and responsibility over data.

Ultimately, risks to data security in clouds are presented to two states of data: data that is at rest (or stored in the cloud) and data that is in motion (or moving into or out of the cloud). Once again, the security triad (confidentiality, integrity, and availability) along with risk tolerance drives the nature of data protection mechanisms, procedures, and processes. The key issue is the exposure that data is subject to in these states.

Data at Rest and in Motion

Data at rest refers to any data in computer storage, including files on an employee’s computer, corporate files on a server, or copies of these files on off-site tape backup. Protecting data at rest in a cloud is not radically different than protecting it outside a cloud. Generally speaking, the same principles apply. As discussed in the previous section, there is the potential for added risk as the data owning enterprise does not physically control the data. But as also noted in that discussion, the trick to achieving actual security advantage with on-premises data is following through with effective security.

Referring back to Figure 1, the less control the data owning organization has—decreasing from private cloud to public cloud—the more concern and the greater the need for assurance that the CSPs security mechanisms and practices are effective for the level of data sensitivity and data value. (But in Figure 2, we saw that the owning organization’s responsibility for security runs deeper into the stack for the owning organization as they move from SaaS to PaaS and again to IaaS.)

If you are going to use an external cloud provider to store data, a prime requirement is that the risk exposure is acceptable. Risk exposure varies with the service model (SaaS, PaaS, IaaS) as well as with the deployment model (public, community, private).

A secondary requirement is to verify that the provider will act as a true custodian of your data. A data owning organization has several opportunities in proactively ensuring data assurance by a CSP. To begin with, selecting a CSP should be based on verifiable attestation that the CSP follows industry best practices and implements security that is appropriate for the kinds of data they are entrusted with. Such certifications will vary according to the nature of the information and whether regulatory compliance is necessary. Understandably, one should expect to pay more for services that involve such certifications. One likely trend here is that higher assurance cloud services may come with indemnification as a means of insurance or monetary backing of assurance for a declared level of security. Whatever the future may hold, we can expect that practices in this space will evolve.

Data in Motion
Data in motion refers to data as it is moved from a stored state, as a file or database entry, to another form in the same or a different location. Any time you upload data to be stored in the cloud, the data is considered to be in transit while the upload is taking place. Data in motion can also apply to data that is transient and never permanently stored: the username and password you send to access a Web site or to authenticate yourself to the cloud are sensitive pieces of data in motion that should never be stored in unencrypted form.

Because data in motion only exists as it is in transition between points, in memory (RAM) or on the wire between end points, securing it focuses on preventing the data from being tampered with as well as making sure that it remains confidential. One risk is a third party observing the data while it is in motion. But odd things happen when data is transmitted between distant end points: packets may be cached on intermediate systems, or temporary files may be created at either end point. There is no better protection strategy for data in motion than encryption, and in practice that means an authenticated protocol such as TLS, which covers tampering as well as eavesdropping, rather than encryption alone.

Common Risks with Cloud Data Security

Several risks to cloud computing data security are discussed in this section. None of these are unique to the cloud model, but they do pose risk and must be considered when addressing data security. They include phishing, CSP privileged access, and the source or origin of data itself.

Phishing
One indirect risk to data in motion in a cloud is phishing. Although it is generally considered infeasible to break public key infrastructure (PKI) today, and therefore to break the authentication and encryption it provides, it is possible to trick end users into handing over their credentials for access to clouds. Phishing is not new to the security world, but it represents an additional threat to cloud security. Listed below are some protection measures that some cloud providers have implemented to help address cloud-targeted phishing attacks:

  • Salesforce.com Login Filtering Salesforce has a feature to restrict access to a particular instance of their customer relationship management application. For example, a subscriber can tell Salesforce not to accept logins, even if valid credentials are provided, unless the login comes from an allowlisted IP address range. This blunts phishing: an attacker who has captured a valid password still cannot log in unless coming from one of the known ranges.
  • Google Apps/Docs/Services Logged In Sessions & Password Rechecking Many Google services randomly prompt users to re-enter their passwords, especially after a suspicious event has been observed. Furthermore, many Google services display the IP address of the previous login session, together with automatic notification of suspicious events such as a login from China shortly after a login from a United States address for the same account.
  • Amazon Web Services Authentication Amazon takes authentication to cloud resources seriously. When a subscriber uses EC2 to provision a new cloud-hosted virtual server, by default Amazon creates a cryptographically strong key pair and requires that key to be used for authentication to that resource. If you provision a new Linux VM and want to SSH to it, you have to use SSH with key-based authentication, not a static password.
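The first two of those controls can be expressed as a small decision function run over the provider’s login log. The Go program below is an added example, not Salesforce’s or Google’s code: it refuses valid credentials presented from outside a per-account CIDR allowlist, and it flags a login from a different region than the account’s previous login, within an hour, as needing a password re-prompt. The region lookup is a constructed stand-in for a geolocation database, the account names and IP addresses (documentation ranges) are made up, and the one-hour window is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Login is one authentication event as a provider's audit log records it.
type Login struct {
	Account string
	IP      net.IP
	At      time.Time
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Constructed stand-in for a geolocation database (documentation ranges only).
var regionOf = map[*net.IPNet]string{
	cidr("203.0.113.0/24"):  "US",
	cidr("192.0.2.0/24"):    "US",
	cidr("198.51.100.0/24"): "CN",
}

func regionFor(ip net.IP) string {
	for n, r := range regionOf {
		if n.Contains(ip) {
			return r
		}
	}
	return "unknown"
}

// Per-account login allowlist (Salesforce applies it per organisation): valid
// credentials presented from any other range are refused.
var allowlist = map[string][]*net.IPNet{
	"alice@acme": {cidr("203.0.113.0/24")},
}

func allowed(account string, ip net.IP) bool {
	ranges, restricted := allowlist[account]
	if !restricted {
		return true
	}
	for _, n := range ranges {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Decide returns "allow", "deny-allowlist" or "recheck-password" for one login,
// given the account's previous accepted login (nil if none). Two logins from
// different regions less than an hour apart trigger the password re-prompt.
func Decide(l Login, prev *Login) string {
	if !allowed(l.Account, l.IP) {
		return "deny-allowlist"
	}
	if prev != nil && regionFor(prev.IP) != regionFor(l.IP) && l.At.Sub(prev.At) < time.Hour {
		return "recheck-password"
	}
	return "allow"
}

// Evaluate replays a login stream in order and returns one decision per event.
// Refused logins never become the baseline for the next comparison.
func Evaluate(logins []Login) []string {
	last := map[string]Login{}
	var out []string
	for _, l := range logins {
		var prev *Login
		if p, ok := last[l.Account]; ok {
			prev = &p
		}
		d := Decide(l, prev)
		out = append(out, d)
		if d != "deny-allowlist" {
			last[l.Account] = l
		}
	}
	return out
}

// SampleLogins is constructed data: alice's phished password tried from outside
// the office, and bob seen in two regions thirty minutes apart.
func SampleLogins() []Login {
	t0 := time.Date(2011, 10, 3, 9, 0, 0, 0, time.UTC)
	return []Login{
		{"alice@acme", net.ParseIP("203.0.113.10"), t0},
		{"alice@acme", net.ParseIP("198.51.100.7"), t0.Add(20 * time.Minute)},
		{"bob@example", net.ParseIP("192.0.2.5"), t0},
		{"bob@example", net.ParseIP("198.51.100.7"), t0.Add(30 * time.Minute)},
		{"bob@example", net.ParseIP("192.0.2.5"), t0.Add(3 * time.Hour)},
	}
}

func main() { fmt.Println(Evaluate(SampleLogins())) }
```

Note that bob’s third login is allowed even though it comes from a different region than his second: the elapsed time is long enough that travel is plausible, which is why the rule needs both the region change and the time window. Neither control helps against an attacker who phishes the password and logs in from inside the allowed range at a plausible time; that gap is what the training and second-factor advice below is for.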

But these methods are not foolproof. With phishing, the best protection is employee/subscriber training and awareness to recognize fraudulent login-capturing pages. Some questions that you might ask your CSP related to protection from phishing attacks are:

  • Referring URL Monitoring Does the CSP actively monitor the referring URLs for authenticated sessions? A wide-spread phishing attack targeting multiple customers can come from a bogus or fraudulent URL.
  • Behavioral Policies Does the CSP employ policies and procedures that mandate a consistent brand (phishing attacks often take advantage of branding weaknesses to deceive users)? Does their security policy prohibit weak security practices that could be exploited? One example would be a prohibition on sending e-mails containing links that users can click to interact directly with their data. Another would be whether password resets can occur without actively proving the user’s identity via a previously confirmed factor of authentication (for instance, the user initiates a password reset on the Web and the CSP confirms the user’s identity with an out-of-band SMS text message to their cell phone).

Phishing is a threat largely because most cloud services currently rely on simple username and password authentication. If an attacker succeeds in obtaining credentials, there is not much preventing them from gaining access.

Provider Personnel with Privileged Access
Another risk to cloud data security is the number of potential vectors for inappropriate access to sensitive customer data by cloud personnel. Plainly stated, outsourced services, cloud-based or not, sit outside the physical and logical controls that an IT organization typically enforces over its own staff.

This risk is a function of two primary factors: first, the potential for exposure of unencrypted data, and second, privileged cloud provider personnel having access to that data. Evaluating this risk largely entails examining CSP practices and the assurances that CSP personnel with privileged access will not access customer data. Encrypting data before it reaches the provider, with keys the provider never holds, removes the first factor and with it most of the risk.

Data Origin and Lineage
The origin, integrity, lineage, and provenance of data can be a primary concern in cloud computing. Proving the origin of information or data has importance in many areas, including patents or proving ownership of valuable data sets that are based on independent analysis of commonly available information sources.

For compliance purposes, it may be necessary to have exact records as to what data was placed in a public cloud, when it occurred, what VMs and storage it resided on, and where it was processed. In fact, it may be equally important to be able to prove that certain datasets were not transferred to a cloud, for instance, when there are sensitivity or EU-privacy concerns about what national borders such data may have crossed.

While reporting on data lineage and provenance may be very important for regulatory purposes, it may be very difficult to do so with a public cloud. This is largely due to the degree of abstraction that exists between actual physical resources—such as disk drives and servers—and the virtualized resources that a public cloud user has access to. Visibility into a provider’s operations in terms of technical mechanisms can be impossible to obtain, for understandable reasons.
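What a data owner can do without any visibility into the provider is keep its own tamper-evident record of every transfer. The Go program below is an added example, not code from any cloud provider or from the source text: it hashes content as it leaves the premises, records when it went and to which provider location, and chains each entry to the previous one under an HMAC key held only by the owner, so an entry altered or dropped after the fact is detected. The location string format and the dataset names are assumptions, and the sample data is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry records one transfer of a dataset into a cloud: what left (content
// hash), when, and where it went. Prev links it to the previous entry and Tag
// is an HMAC under a ledger key that only the data owner holds.
type Entry struct {
	Dataset  string
	SHA256   string
	At       time.Time
	Location string // assumed format, e.g. "provider:region:bucket/path:vm-id"
	Prev     string
	Tag      string
}

type Ledger struct {
	key     []byte
	Entries []Entry
}

func NewLedger(key []byte) *Ledger { return &Ledger{key: key} }

func (e Entry) payload() string {
	return e.Dataset + "|" + e.SHA256 + "|" + e.At.UTC().Format(time.RFC3339) + "|" + e.Location + "|" + e.Prev
}

func (l *Ledger) tag(e Entry) string {
	m := hmac.New(sha256.New, l.key)
	m.Write([]byte(e.payload()))
	return hex.EncodeToString(m.Sum(nil))
}

// Record hashes the content that is about to leave the premises and appends a
// chained, authenticated entry for it.
func (l *Ledger) Record(dataset string, content []byte, at time.Time, location string) Entry {
	sum := sha256.Sum256(content)
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Tag
	}
	e := Entry{Dataset: dataset, SHA256: hex.EncodeToString(sum[:]), At: at, Location: location, Prev: prev}
	e.Tag = l.tag(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify re-derives every tag and link; an entry that was edited, removed or
// reordered after the fact breaks the chain from that point on.
func (l *Ledger) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.Prev != prev {
			return fmt.Errorf("entry %d: chain broken", i)
		}
		if !hmac.Equal([]byte(e.Tag), []byte(l.tag(e))) {
			return fmt.Errorf("entry %d: tag mismatch", i)
		}
		prev = e.Tag
	}
	return nil
}

// Where lists every recorded location of a dataset, answering "which clouds
// has this ever been placed in?"; a dataset with no entries was never released
// by the owner's own upload process.
func (l *Ledger) Where(dataset string) []string {
	var out []string
	for _, e := range l.Entries {
		if e.Dataset == dataset {
			out = append(out, e.Location)
		}
	}
	return out
}

func main() {
	l := NewLedger([]byte("constructed-ledger-key")) // in practice from the owner's key store
	at := time.Date(2011, 10, 3, 14, 0, 0, 0, time.UTC)
	l.Record("customer-export", []byte("constructed csv rows"), at, "public:eu-west-1:bucket-a")
	l.Record("customer-export", []byte("constructed csv rows"), at.Add(time.Hour), "community:gov-cloud")
	fmt.Println("verify:", l.Verify(), "locations:", l.Where("customer-export"))
	l.Entries[0].Location = "public:us-east-1:bucket-a" // someone rewrites history
	fmt.Println("after tampering:", l.Verify())
}
```

This proves what the owner’s own upload process recorded, not what the provider did with the data afterwards (replication to another region, say), which is exactly the gap the paragraph above describes; the ledger complements provider attestations rather than replacing them.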

Where such requirements exist that the origin and custody of data or information must be maintained in order to prevent tampering, to preclude exposure outside a jurisdictional realm, or to assure continuing integrity of data, it may be completely inappropriate to use a public cloud or even a low-assurance private cloud. One can imagine that if such requirements become increasingly common, cloud-based services will arise to profit from the opportunity. In the absence of a public service, and where a private cloud is cost prohibitive, alternative approaches should be considered; easiest among them is the use of a hybrid or community cloud.

Source

Four Steps To Secured VoIP

Securing Voice over IP (VoIP) doesn’t have to be a challenge for small and medium-sized businesses (SMBs).

VoIP is basically a phone call over the Internet. It offers the same promises – and pitfalls – as the Internet. The promises are cheap and easy communication over a readily available and easy-to-use public network – the Internet. The pitfalls are the same security weaknesses of that network, which wasn’t originally designed for security – or phone calls, for that matter.

But it’s not as scary as it seems for cash-strapped SMBs with limited IT staffs. Most of the tuning required to secure VoIP involves the same efforts as hardening Internet and Web connections your company probably already has in place. And most of that work can be handled by your existing network staff, even without a dedicated information security department.

Even if your SMB doesn’t host its own Web site or Internet service, like a larger enterprise, it still has connections to the Internet through conventional routers. Handling VoIP for them should be a snap.

Security comes first

Before delving into the four best practices for securing VoIP and how to apply them to SMBs, be aware of the overall security issues around VoIP.

There are three major security concerns around VoIP, and they’re the same security issues as those for IP traffic, in general.

The three issues are:

1. Lack of authentication.
2. Spoofing, and exposure of unencrypted data.
3. Unwanted traffic similar to email spam, which in the VoIP world is called SPIT, or spam over Internet telephony.

VoIP can also serve as an entry point into your company, just like any other Internet connection, for viruses, spyware and malware. But this isn’t a specific problem of VoIP. Denial-of-service (DoS) attacks are also possible via VoIP but, again, this is a general IP protocol issue and not just a VoIP concern.

IP traffic isn’t authenticated. It moves freely over the Internet and can come from anywhere. This is a problem inherent in the TCP/IP protocol. For VoIP, it means a malicious user could fake, or spoof, your company’s IP address and appear on the caller ID of an unsuspecting customer. This tactic is known as VoIP phishing (or vishing), which, like its email counterpart, is meant to entice customers to give up confidential account information over the phone to thieves posing as your company’s employees.

IP traffic moves in the clear by default. It can be easily picked up by conventional packet sniffers like Wireshark (formerly Ethereal), dsniff, Ettercap and their ilk. Any conversation on your shiny new VoIP phones can be eavesdropped on by sniffing the unencrypted traffic as it travels over the Internet. Unlike regular phone lines, which take some effort to tap through the phone company, VoIP can potentially expose your SMB to the whole world just by being on the Internet.

And, just as spam is delivered via email, junk voicemail messages can be pumped into your company through VoIP, clogging your SMB’s phones with SPIT. This is in addition to a DoS attack against your company, just like any other from the Internet, through your VoIP connection.
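The two threats above, caller-ID spoofing and SPIT floods, can be spotted in SIP signalling logs. Below is an added example (not from the original article) that flags INVITEs claiming the company’s SIP domain from outside the voice VLAN and sources that send too many INVITEs in a short window; the log format, the domain `example-smb.com` and the 10.10.20.0/24 voice VLAN are assumptions.

```python
"""Detect spoofed caller identity and SPIT-style INVITE floods in SIP records."""
import ipaddress
import re

COMPANY_DOMAIN = "example-smb.com"                    # assumption: our SIP domain
VOICE_VLAN = ipaddress.ip_network("10.10.20.0/24")   # assumption: trusted phones
SPIT_THRESHOLD = 3                                   # INVITEs per source per window

# Constructed sample records: epoch seconds, source IP, SIP method, From header.
SAMPLE_LOG = """\
1700000000 10.10.20.15 INVITE <sip:alice@example-smb.com>
1700000001 203.0.113.7 INVITE <sip:ceo@example-smb.com>
1700000002 198.51.100.9 INVITE <sip:promo@cheap-calls.example>
1700000003 198.51.100.9 INVITE <sip:promo@cheap-calls.example>
1700000004 198.51.100.9 INVITE <sip:promo@cheap-calls.example>
1700000005 198.51.100.9 INVITE <sip:promo@cheap-calls.example>
1700000006 10.10.20.16 REGISTER <sip:bob@example-smb.com>
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\w+)\s+<sip:([^@>]+)@([^>;]+)>")

def parse_records(text):
    """Yield (ts, src_ip, method, user, domain) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, user, domain = m.groups()
            yield int(ts), ipaddress.ip_address(src), method, user, domain.lower()

def find_spoofed_callers(text):
    """INVITEs that claim our domain but do not originate from the voice VLAN.
    Without an authenticated trunk or VPN, this is the caller-ID spoofing pattern."""
    return [(str(src), user) for _, src, method, user, domain in parse_records(text)
            if method == "INVITE" and domain == COMPANY_DOMAIN and src not in VOICE_VLAN]

def find_spit_sources(text, threshold=SPIT_THRESHOLD, window=60):
    """Sources sending more than `threshold` INVITEs within any `window` seconds."""
    by_src = {}
    for ts, src, method, _, _ in parse_records(text):
        if method == "INVITE":
            by_src.setdefault(str(src), []).append(ts)
    flagged = []
    for ip, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # slide a window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```

Feed it your SIP proxy’s INVITE log in the same shape and the spoofed callers are candidates for blocking at the firewall, while SPIT sources are candidates for rate limiting.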

So, what’s an SMB to do to protect itself from the dangers of VoIP? Here are four suggestions:

1. First, run all your VoIP traffic through a separate Internet connection, and separate voice and data traffic into their own network segments using a VLAN. This helps keep an attack arriving over the data stream from leaking into your voice system, and it stops an attacker from using your VoIP network as a stepping stone into your primary network. Set up separate servers dedicated just to VoIP traffic and firewall them apart from the rest of your network. For VoIP connections between different buildings, use a virtual private network (VPN) to authenticate users and prevent spoofing.

2. Second, avoid cheap VoIP systems that can be installed on an ordinary desktop or workstation. As tempting as it might be to a cost-conscious SMB, these systems are highly insecure since they can be easily compromised and used as a back door into your network. Go for a real VoIP system from a major provider like Vonage Holdings Corp. or Avaya Inc., which integrates with your existing routers and can be handled by your existing network staff.

3. Third, encrypt any VoIP traffic to keep it confidential and prevent eavesdropping by network sniffers. Native VoIP encryption is getting better, but encryption can just as easily be handled at the router or gateway level by tunneling the voice traffic through IPsec. This puts less of a strain on your SMB staff members, who may already be setting up these types of connections for your VPN.

4. Lastly, put VoIP servers in a secure physical location, as you would for your other networking equipment. Ideally, if space permits, the equipment should be in its own equipment room separate from that other networking equipment.

Baseline security controls should be in place for your VoIP system, just as for the rest of your network servers.

Here’s how:

* Make sure all routers and servers hosting your VoIP system have been hardened and all unnecessary services turned off and ports closed.
* Restrict access to VoIP servers to only system administrators and log and monitor all access.
* Use intrusion detection systems to monitor malicious attempts to access your VoIP network.
* Employ a defense-in-depth strategy with multiple layers of security, including dedicated VoIP-ready firewalls.
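The first bullet, turning off unnecessary services and closing ports, is easy to verify mechanically. The following added example (not from the original article) audits the listening sockets of a VoIP host against an allowlist; the `ss -lntu` output (header removed) is constructed, and the allowlist of SIP over TLS on TCP 5061, admin SSH on TCP 22 and RTP on UDP 10000-20000 is an assumption to adapt to your own PBX.

```python
"""Audit a VoIP server's listening sockets against an allowlist of expected services."""
import re

# Assumption: what a hardened VoIP host should expose, and nothing else.
ALLOWED = [
    ("tcp", 5061, 5061, "SIP over TLS signalling"),
    ("tcp", 22, 22, "admin SSH (restrict to the management VLAN)"),
    ("udp", 10000, 20000, "RTP media"),
]

# Constructed sample `ss -lntu` output (header removed) for a VoIP server.
SAMPLE_SS = """\
udp   UNCONN 0 0   0.0.0.0:5060       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5061       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:10004      0.0.0.0:*
tcp   LISTEN 0 511 [::]:80            [::]:*
tcp   LISTEN 0 128 127.0.0.1:3306     0.0.0.0:*
"""

# netid, state, recv-q, send-q, local address:port (address may be bracketed IPv6)
SOCK_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_sockets(text):
    """Yield (proto, local_addr, port) for each listening socket line."""
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if m:
            proto, addr, port = m.groups()
            yield proto, addr, int(port)

def classify(proto, addr, port):
    """Return 'allowed', 'local-only' or 'unexpected' for one listening socket."""
    for p, lo, hi, _ in ALLOWED:
        if p == proto and lo <= port <= hi:
            return "allowed"
    if addr in ("127.0.0.1", "[::1]"):
        return "local-only"   # unreachable from the network, but still worth a review
    return "unexpected"

def audit(text):
    """Return (proto, port) for every network-reachable socket outside the allowlist."""
    return [(proto, port) for proto, addr, port in parse_sockets(text)
            if classify(proto, addr, port) == "unexpected"]
```

Here the audit flags plaintext SIP on UDP 5060, telnet on 23 and a web server on 80, exactly the kind of services to shut down or firewall off on a dedicated VoIP box.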

Implementing VoIP is not as scary, or as much of a burden, as it seems. Most of the tasks for securing VoIP can be handled by your existing IT staff, since VoIP rides on the network they already manage.