Assuring Security in a Hyper-connected World
Disruption is happening all around us in the incredibly fast-moving world of real-time communications. Prime examples include the movement to telco cloud, full network functions virtualization environments, and software-defined networking inside enterprises. Other examples of disruption include the embedding of voice and video messaging into business applications, as well as the rise of artificial intelligence (AI), Internet of Things (IoT), biometrics, and more.
Yet even as we change the channels, connecting and communicating in so many creative ways, we know that one of the biggest disruptors of all is likely to be cybercrime and the challenges it presents.
Do the math, and you'll see the disruption is inevitable. The more connected we are as people and as people interacting with things and systems, the more opportunities there are for invasions of our privacy, identity, and assets.
The "attack surface" is expanding as fast as the number of endpoints, clouds, mobile apps, Web apps, and the application programming interfaces that glue a lot of software together.
And while the media has devoted a ton of emphasis and coverage to massive breaches of databases connected over what enterprises thought were secure data networks, it's paid less attention to one of the fastest-growing areas of vulnerability -- attacks on voice and video applications.
VoIP services aren't immune to data theft. In 2015, one major breach compromised 70 million records across 37 states and went largely unreported. The breach affected 14,000 phone recordings, including confidential attorney-client conversations.
The Communications Fraud Control Association says international revenue-sharing fraud (one of the most prevalent types of telecom fraud) costs global service providers nearly $11 billion annually. This type of activity consists of fraudsters utilizing illegal resources to gain access to an operator's network in order to bring traffic to phone numbers obtained from an international premium rate number provider.
The value of extracting information by listening in is growing in parallel, considering the increased ease of conversing via over-the-top messaging platforms along with the rise in conference calls, including those during which enterprise professionals discuss confidential strategies, transactions, and deals.
And so are "pivot attacks" in which hackers use voice or video systems to tunnel into databases or to initiate malware or ransomware attacks.
Think about contact centers where live agents take credit card and other personal information over the phone. Cybercrime is a multitrillion-dollar global industry in its own right, and not because cybercriminals are stupid or underfunded. They're increasingly sophisticated, and they make their own capture nearly impossible because they understand how to keep their own communications deeply dark.
Think about healthcare records, which privacy regulations like HIPAA in the U.S. and similar laws globally aim to protect. Making healthcare more available and far less expensive through telemedicine applications has enormous value, but unlocking that value will be challenging when voice, video, and messaging between physicians and patients can be hacked because the security software hasn't been built into the real-time communications platforms and networks.
Think about trading; negotiating the exchange of equities, derivatives, bonds, currencies, commodities, and more; and the movement to blockchain systems, which are starting to displace traditional currencies with cryptocurrency. Talk about disruptive! Who are the new "Barbarians at the Gates" when our global financial exchanges are having to adapt to innovation in real time, reduce their operational costs, improve quality and transparency, and comply with tighter regulations, including the upcoming General Data Protection Regulation (GDPR) going live in the EU next May?
Voice, video, and messaging security today and forever will require building security into applications, not just relying on traditional encryption and firewalls. Given that enterprises are driving everything forward digitally, information and communications are part of everything we do -- and just as networking can no longer be an afterthought, enterprises are moving from cloud and mobile-first strategies to "security first."
The world is moving rapidly toward new security paradigms, including "authenticate first, connect second" (rather than the other way around). But this and other approaches can't slow down performance or increase cost. In addition, they must comply with much stricter privacy laws, which vary from region to region and country to country, and be built to last.
New services must be secured within the context of our new architectures, and strong enough to withstand not only attacks, but massive fines that will be levied against any enterprise or enterprise partner that doesn't comply and experiences a privacy breach.
In the case of GDPR, the highest-level parent company can be fined 4% of its total annual revenue. So, for example, a technology giant could acquire a small IoT company and sell a smart product controlled by Alexa voice activation, but one that, for whatever technical reason, makes it possible for a cybercriminal to steal private information. The technology giant's risk is in the billions for the fine alone, not to mention the cost in reputational harm.
There should be no quality voice, video, or other messaging service in the future without security as part of its DNA, and as part of its ability to co-exist with applications.
Enterprises and service providers can disrupt and be disrupted unless they put security first inside of everything they offer.