Mr. Inside or Mr. Outside?

On his blog, renowned security expert Bruce Schneier recently picked up on an article about a Verizon Business study questioning the conventional wisdom that the major security threat to enterprises comes from within, not from without. Schneier explains why this makes sense, and why it's also a highly constricted view of the problem in any event:

"The whole insiders vs. outsiders debate has always been one of semantics more than anything else," he writes. "If you count by attacks, there are a lot more outsider attacks, simply because there are orders of magnitude more outsider attackers. If you count incidents, the numbers tend to get closer: 75% vs. 18% in this case [the Verizon study]. And if you count damages, insiders generally come out on top--mostly because they have a lot more detailed information and can target their attacks better."

He concludes: "Both insiders and outsiders are security risks, and you have to defend against them both. Trying to rank them isn't all that useful."

In practice, I've never heard of an enterprise behaving as if outsiders weren't a significant threat, though I've certainly sat through many marketing presentations in which I was reminded that insiders were the real problem. I think everybody intuitively grasps Schneier's last point, that making the inside/outside distinction isn't that useful an exercise, since you know you're going to have to protect against both. Obviously, security is an exercise in risk management, in deciding how much weight to give what kinds of threats. But I think most enterprise managers grasp the idea that a catastrophic breach can originate on either side of the demarc.

Interestingly, Verizon actually broke the data breaches into categories based on three sources of the compromise: Insiders, outsiders and partners. In the comments on Schneier's blog, one of the report's authors wrote that, "When you multiply likelihood and impact, partners represented the greatest risk," and added, "we often found partner-facing controls to be non-existent."

This is obviously a factor to keep in mind as enterprises begin dissolving the perimeter of their communications infrastructure as they move toward Unified Communications. The vision is one where the core of the communications system is accessible via a range of mobile endpoints, devices connecting over the Internet, and presence-enabled contact/buddy lists that may be extended not just to colleagues within the enterprise, but to partners as well. Given the findings of the Verizon study, UC security will be every bit as complex as security in the wider IT infrastructure.

We continue to hear that, while vulnerabilities have been reported, actual attacks specifically targeting the enterprise VOIP infrastructure remain somewhere between rare and nonexistent. Various structures remain in place today to protect the enterprise, the most effective of which is probably the continued isolation of IP telephony into site-based islands connected over dedicated carrier services. As long as this continues to be the case, the broader issue of UC security may not be critical.

But part of the emerging UC discipline within enterprise organizations is the growing realization that specialists from virtually every division of IT must come together to understand how the integration of communications and business applications, running over a converged IP network, will affect the many stakeholders in the process. This inter-disciplinary, inter-departmental effort will have to extend to security, and will have to be more comprehensive than the current threat picture might suggest.
