1 INFORMATION RISK MANAGEMENT Voice over IP Decipher and decide Understanding and managing the technology risks of adoption ADVISORY
2 If you only have time to read one page: Context Voice over Internet Protocol (VoIP) and Internet Protocol (IP) Telephony are less than a decade old, replacing traditional telephone networks and overturning a century-old convention. There is a distinct lack of long-term implementation experiences from which to obtain precedents for VoIP and IP Telephony. Implementation of VoIP and IP Telephony must be driven by the organisation's business strategy, not technology imperatives. Although the desire for cost savings and efficiencies is driving most VoIP and IP Telephony implementations, the savings are not always as substantial as anticipated. Business expansion and 'future-proofing' are additional and more compelling driving factors. Risks With VoIP, voice traffic becomes data and is therefore exposed to confidentiality, integrity and availability threats. VoIP and IP Telephony implementations carry the risk of any major IT project - inadequate benefits realisation, misalignment with strategic objectives and cost overruns. IT management, operational and technical controls are essential in managing VoIP and IP Telephony-related risks. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The views and opinions expressed herein are those of the authors and do not necessarily represent the views and opinions of KPMG International.
3 Contents Introduction 2 Defined and differentiated 4 Context 6 Consider the risks 9 Next steps 16 Glossary of terms 18 Contact us 19
4 Introduction VoIP and IP Telephony are revolutionising the way businesses communicate. These technologies are providing capabilities for additional business services, enhanced productivity and competitive advantage, while offering streamlined customer service. In the Asia Pacific region alone, industry estimates suggest that within the next few years, VoIP could represent more than 80 percent of business telephony. There is no shortage of expert groups, emerging service providers and press coverage devoted to promoting the benefits of VoIP and IP Telephony. For many organisations, questions remain unresolved on such issues as: the business benefits; the technology; the drivers for change; the costs; maturity of the market; and the right time to adopt. A question many organisations are not contemplating is 'what is the impact on my risk profile?'. An increasing number of organisations are considering the potential of implementing these technologies. In the future, we will see a maturing market for VoIP and IP Telephony as the business applications develop, and both drivers and business imperatives become clearer. There will be more reasons to adopt the technologies and in many cases it will be a competitive necessity. The information presented in this paper will provide you with guidance when contemplating the implementation of VoIP and IP Telephony for your organisation. Egidio Zarrella Global and Asia Pacific Partner in Charge Information Risk Management KPMG in Australia
5 Risks are inevitable in the early phases of adoption of any new or upcoming technology, largely due to limited precedents or past experiences. As the technologies mature and organisations become more dependent on them, certain risks including security will increase as vulnerabilities and opportunities for misuse are identified. The risks associated with adopting VoIP and IP Telephony require appropriate consideration to present a sound business decision prior to implementation. That is, these technologies must be aligned with the organisation's strategic business plan. Applying measures to minimise the risks of implementation will facilitate the realisation of potential benefits. Regulatory and shareholder expectations are driving governance principles in the Asia Pacific region. This is compelling organisations to comprehensively consider their risks, particularly those related to IT. The security and associated risks with the implementation of VoIP and IP Telephony must figure strongly in a well-structured business case for adoption. In an unforgiving market, the consequences of a major security incident can be substantial in terms of business interruptions, loss of customer confidence or cost through fraud or missed opportunities. Peter McNally Asia Pacific Leader Security, Privacy and Continuity Information Risk Management KPMG in Australia
6 4 Voice over IP - Decipher and decide Defined and differentiated When considering VoIP and IP Telephony, it is fitting to acknowledge their potential to overturn the expectations of more than 100 years of traditional telephone communication. Before adopting new technologies, a clear understanding of the differences between existing and potential telephony options is essential. Here, we define and differentiate between traditional and available technologies. Traditional VoIP/IP Telephony Circuit switched Packet switched Over a century old Less than a decade old Third generation technology 1 First generation technology Wide user base Expanding user base Well understood No long-term experiences Requires specialised knowledge to maintain Uses widely understood IT management concepts Proven quality of service Potential quality of service issues Traditional voice networks Public Switched Telephone Networks (PSTN) and PABXs are the traditional circuitswitched voice infrastructure dedicated to providing a high level of reliability and quality of service. Building, maintaining and operating these networks incurs significant infrastructure cost, in addition to specific carrier reliance for the provision of PSTN services. 1 Manual exchanges, automatic exchanges and digital exchanges
7 Voice over IP - Decipher and decide 5 Available technologies The wide adoption of IP has fostered the acceptance and reduced the cost of alternative communication methods, including video conferencing and instant messaging. It is also revolutionising how voice services are delivered through the introduction of VoIP and IP Telephony applications. It is important to differentiate the two: VoIP is the practice of encoding spoken words into digitised packets (data segments) and transporting them over data network connections (packet switched) IP Telephony applications refers to the applications that utilise VoIP. These can include the simple applications that facilitate the making of a telephone call, through to integrated applications with customer relationship management systems (CRM).
8 6 Voice over IP - Decipher and decide Context To date, almost all VoIP investments were strictly for toll-bypass cost savings. While this still drives most investments, we are seeing more business justification from other benefits, says Sage Research President Kathryn Korostoff 2. The drivers Business benefits can be achieved from the adoption of VoIP and IP Telephony if the decision to implement is business driven rather than technology driven. Project success is dependent on having a clear understanding of the business needs and strategic organisational goals that can be satisfied by new IP Telephony applications. Since the commercial availability of VoIP, cost reduction has been the major driver. Using data lines instead of the PSTN enables toll-bypass between an organisation s sites. However, many organisations have been able to postpone the implementation of VoIP by negotiating volume discounts on their traditional telephone service. In addition to toll-bypass, there are many cases of cost savings being demonstrated by factors such as: reduced maintenance; reduction in the number of PSTN access points; standardised infrastructure; and simplified administration. For most large organisations, however, these cost savings alone will not provide a compelling argument for adoption compared to the risks of change and implementation. For organisations considering the change, potential cost savings need to be balanced against: A Japanese financial institution incurred higher than budgeted costs after conducting a pilot implementation of the technology at one of its sites. The additional costs revolved around additional bandwidth, handsets and upgrading cabling. Associated costs of replacing or updating data network infrastructure including servers, switches, routers and cabling (especially older cabling installations) Extra bandwidth required (Local Area Network (LAN), Wide Area Network (WAN), internet) Additional devices to be managed in its data network (such as handsets). Real business benefits can be achieved when the organisation can identify new service offerings, new channels or improvements in customer service that might otherwise not be possible. In anticipation of killer applications entering the market, some organisations are implementing VoIP as a means to future-proof their telephony infrastructure. With maturity of the applications, the drivers for VoIP and IP Telephony will become clearer and finding a compelling business case will probably be as easy as justifying a corporate website today. 2 Intelligent Asia, Artid=21631&catid=5&subcat=55, 16/08/04
9 Voice over IP - Decipher and decide 7 Some of the other common drivers today are: Improved productivity enabled by integrated collaboration tools VoIP and IP Telephony implementation must be linked to clear business benefits. Standardisation across the organisation Consolidation of operational support and functions. For example, the functions of end-user management are simplified to mostly keyboard tasks. VoIP and IP Telephony make the implementation of complex features easier and more flexible than traditional telephony. Examples of some features are outlined in the table below. Features in practice Description Unified messaging Integration of several communication modes (such as , telephone, instant messaging, fax) to enable sending and receiving from a single interface Mobility IP Telephony allows organisations to further harness Virtual Private Network (VPN) technology to improve workforce mobility, as phone numbers follow staff wherever they log in Integration with CRM VoIP allows a caller to be recognised by their number and have the information on-screen in the call centre before the call is answered. Whilst this technology is currently available with traditional PABX, it is easier with VoIP Integration with Enterprise Integration of IP handsets with Enterprise Resource Planning (ERP) Resource Planning (ERP) applications (such as systems SAP) for improved billing and call monitoring. This enables organisations to internally charge departments for phone usage Mr Tim Gadsby, Manager Telecommunications & Security Services at Australia s Challenger Financial Services, stated that the core driver of the VoIP project was the requirement of a flexible telephony system over a number of sites to meet the physical expansion of the business. Lastminute.com is using an IP Telephony-based application (VoiceXML) in the United Kingdom to process thousands of accommodation bookings with no human interaction. This application allows real-time information to be communicated to callers by telephone, based on individual customer queries 3. 3 Communications Convergence, 04/08/02
10 8 Voice over IP - Decipher and decide The market The market for VoIP and IP Telephony is being led by the U.S. The Asia Pacific region is also demonstrating aggressive adoption. Current market activity includes the following developments: A few years ago they said it was a toy. Now, the biggest companies in the U.S. are adopting the technology. 4 Mr Fu Chi-chung, Vice President, Seednet (Internet Service Provider), Taiwan. Enterprise IP phone shipments in Japan are expected to grow at percent per year from 2004 to Implementation is usually a phased approach and mainly based around pilot programmes at one site Based on discussions with a number of clients, many organisations in the Asia Pacific region only consider implementing VoIP when traditional PABX systems have reached their end-of-life The rapid uptake of broadband in countries like Korea 6 provides an attractive framework for the deployment of VoIP and IP Telephony direct to consumers. 4 New Voice over Internet technology, <http://www.voipbox.de/archive.php?blogid=1&y=2004&m=07>, 31/07/04 5 Enterprise VoIP in Japan Accelerates with Broadcom's IP Phone Chips, 6/08/04 6 Leaders or Laggards - Australia's Broadband Future, KPMG, 2004
11 Voice over IP - Decipher and decide 9 Consider the risks There is extensive information available from numerous sources including vendors, researchers and the media, regarding the benefits of VoIP and IP Telephony. However, there is a distinct absence of information detailing the risks and associated risk management practices. As a result, organisations preparedness for these new technologies is inadequate. Risk management of projects such as VoIP is crucial considering there are no longterm experiences to draw upon. Without adequate risk management, VoIP implementations can result in reputation damage, a negative impact on customer service or affect the bottom line. The overriding risk is that the implementation of VoIP and IP Telephony will not meet the requirements of the business. Organisations need to understand the impacts that these technologies have on their business processes, and then match them to the business strategy. Discussions with our member firms clients and recent project examples of VoIP project failure demonstrate that organisations require a greater focus on risk management as the level of technology sophistication increases over time (refer to diagram below). $ Operating costs Capital expenditure Risk management requirements Technology sophistication Technology sophistication over time
12 10 Voice over IP - Decipher and decide We believe that the risks of VoIP and IP Telephony implementation can be broadly categorised into two core areas: Project risks Security risks. Project risks The implementation of VoIP and IP Telephony may be organisation-wide or in key lines of business (such as the customer service call centre) where the most immediate benefits might be realised. In either case, they are likely to represent a dramatic change to critical organisational infrastructure and therefore, require strong project management principles to be followed. Examples of implementation risks and the potential effects are outlined in the table below. Inherent risk Potential effect Example controls 7 Unclear business case Unrealised benefits (eg. technology goals achieved, but no business advantage) Clear cost/benefit and business impact analyses, project metrics and appropriate project monitoring controls Unclear roles and responsibilities of involved parties (eg. vendor, integrator, organisation, outsourcer) Inappropriate vendor selection Inappropriate system selection Lack of accountability and key tasks incomplete Unable to meet project needs (eg. hardware lacks required functionality) Unable to meet business requirements (eg. applications do not fully integrate with VoIP infrastructure) Clear definition of roles and responsibilities (the importance of this is magnified when a business function is outsourced) Vendor selection due diligence Definition and matching of business requirements Failure to accurately evaluate bandwidth and other capacity requirements Unexpected cost increases (eg. additional bandwidth required or cabling upgrades) Definition of business requirements Understanding of business strategies and direction Technical understanding of network, applications and devices Lack of internal resources with the necessary skill sets Degraded project quality and/or delays (eg. unable to effectively negotiate with vendor or integrator to achieve stated security and other business objectives) Skills inventory Appropriate training Use of appropriate external resources 7 These controls are examples only. Control design would require detailed analysis based on specific network characteristics and business needs. Controls cannot be totally effective in all circumstances and some residual risks might remain.
13 Voice over IP - Decipher and decide 11 A retailer based in Singapore has recently implemented VoIP within one of its main outlets. During the planning phase, the project team underestimated the volume of traffic that would traverse the network. Due to congestion, it was necessary to redesign and upgrade the network infrastructure, which had cost implications that had not been factored into the original project plan. Part of project risk management requires consideration of the cultural impact to the organisation. Any technology implementation will affect end users. Some of the cultural risks associated with the uptake of VoIP and IP Telephony include: Changing telephony (a key working tool) without consultation and end user buy-in could have consequences such as rejection of new features or functionality In many organisations, voice and data communications are managed by separate groups. For example, PPL Services Corporation (a U.S. energy utility company), identified the merging of staff and duties as an issue and started planning a restructure prior to implementation 8 Ownership of the IP Telephony service, with one party looking after networking and another looking after application servers. There may be a lack of clarity over key roles and responsibilities, which leads to inefficiencies. Widespread dissatisfaction was experienced when a Philippinesbased hospitality company replaced its handsets with phone applications running on individual computers. To make a phone call, users were required to have their computer switched on and be logged onto the network. Consequently, mobile phone usage increased. 8 Computerworld, 18/08/04
14 12 Voice over IP - Decipher and decide A disgruntled employee of a multi-national insurance company used a recently installed VoIP/IP Telephony system to eavesdrop on a Board meeting. The employee intercepted confidential information that was subsequently leaked to the press. Security risks The introduction of VoIP means that voice traffic needs to be treated in the same context as data for security purposes since it will share a common medium. The increased technical complexity of integrating voice and data into one network further increases an organisation s dependence on network availability. Many organisations fail to recognise that with this increased technical complexity comes increased security and availability risks that must be appropriately assessed, and the necessary risk management measures applied. As hardware PABX systems are replaced with computers and network hardware running common operating systems, networks will become increasingly vulnerable to common threats such as viruses and denial of service (DoS) attacks. Exposures that were experienced with traditional systems are more prevalent with VoIP and IP Telephony, as networking awareness is more widespread. Each entry point to a network is a potential point of attack and therefore risk management is essential. This logically includes every IP-enabled telephone handset or other IP Telephony device. Hacking techniques for VoIP networks are widely published (refer to the table below). Hacking technique Potential outcome Call redirection All calls diverted to a premium cost service such as '1900' services in Australia or the U.S. Use of inactive handsets as listening devices Eavesdropping on sensitive discussions eg. Board meetings Use of IT network tools to intercept data packets Eavesdropping or retransmission of telephone conversations Reprogramming handset Network flooded with meaningless traffic
15 Voice over IP - Decipher and decide 13 The following table summarises VoIP and IP Telephony security risks and controls based upon the three tenets of security - confidentiality, integrity and availability. Security characteristic Definition Inherent risk Example controls 9 Confidentiality Assurance that only the Eavesdropping through VoIP encryption intended recipient receives interception or duplication the communication Use of strong authentication and access controls Integrity Assurance that the Packet loss, insertion or Confidentiality controls plus: communication is unaltered alteration Quality of service protocols Availability Assurance that the VoIP Lack of capacity Integrity controls plus: communication medium is efficient and effective Inadequate system Gateway security controls management and configuration Denial of service attacks Segmentation of voice and data components Viruses and other malicious software Anti-virus software Increased number of Hardware redundancy, attack points Service Level Agreement (SLA) with vendor Endpoint operating system controls 9 These controls are examples only. Control design would require detailed analysis based on specific network characteristics and business needs. Controls cannot be totally effective in all circumstances and some residual risks might remain.
16 14 Voice over IP - Decipher and decide Confidentiality Traditional telephony operating over a dedicated PSTN network does not require encryption. A confidentiality breach in the traditional network generally requires physical connection to the network to eavesdrop on conversations from selected lines. This can be complex in large networks. With VoIP, the nature of the underlying protocol makes it relatively easy to identify calls from a particular location from anywhere in the direct network. Tools to enable eavesdropping are widely available and encryption of voice traffic is the essential means to combat this. In the event that voice traffic is carried over an external network (such as the internet) eavesdropping would be a risk. An example of the potential implication of not encrypting is having a user's phone banking details (account number or pin tones) intercepted across the network. A potential implication of not encrypting is having a user's phone banking details (account number or pin tones) intercepted across the network. Encryption can minimise the threat of VoIP eavesdropping, however, a risk assessment must be made based on the sensitivity of calls and the level of control over the network infrastructure. That is, use of Private IP networks as opposed to the public internet. A dedicated VoIP VPN can be used to encrypt data over disparate locations, however, if encryption is not performed between the appropriate endpoints (for example, between gateways instead of between handsets), the encryption might not be effective. Another consideration is the risk that infrastructure might not be compliant with the requirements of future privacy or telecommunications legislation, particularly where there are multiple jurisdictions involved. A Korean utilities company implemented encryption over its entire VoIP network across the country. This was undertaken to mitigate against integrity and confidentiality threats. Integrity VoIP packets travel independently of one another, and like data packets are vulnerable to loss. This does not generally pose a problem for data packets, however, this may have implications for VoIP communication. Out-of-sequence or lost data packets can result in degraded voice quality. Strategies to minimise this data loss include jitter control, sending duplicate data or concealing lost data. Jitter occurs where the timing between VoIP traffic varies. Jitter control holds VoIP packets in memory until the slowest packets arrive and then transmits them in the correct sequence 10. Correct sequencing of voice packets will be aided by prioritising voice data over conventional data on the network. The risk of insertion and alteration of packets can be reduced by the adoption of encryption. Without knowledge of the encryption key (ordinarily kept confidential), encryption makes it very difficult for a packet to be altered, or for a rogue packet to be inserted. 10 Achieving voice quality in packet networks, Sandeep Sharma, Express Computer, 11/11/02
17 Voice over IP - Decipher and decide 15 Availability With voice and data now sharing the same medium, the risks associated with availability increase and require appropriate assessment by management. Voice is a critical real-time application for every organisation, and quality cannot be compromised. Threats to availability range from small errors which affect voice quality through to system outages affecting part or all of the network. One concept that has been used to deal with availability is quality of service (QoS). VoIP requires a different approach to the way in which information is delivered compared to traditional data networks. This is because historically, IP was designed to deliver data on a 'best effort' basis, whereas, VoIP must deliver voice on a much more reliable, low-latency basis. VoIP availability is complicated further due to the links between local and wide area networks over which the data must transfer. To combat these issues, a level of intelligence must be built into the network to give voice priority over regular data. Therefore, QoS protocols have been designed to provide for some level of control over latency and delivery issues. Furthermore, as IP Telephony applications are implemented, the bandwidth availability will increase and this will require appropriate planning. Failure to accurately predict or manage overall network capacity needs can lead to service degradation and outages. For health and safety reasons, a manufacturing company in Hong Kong installed a small number of ordinary phone lines for emergency purposes in the event of a power or network outage which would affect VoIP. DoS attacks can occur when a network or device is overloaded with meaningless traffic or sent a specific command that will disable it, rendering the network unavailable. One example of a DoS attack is repeatedly sending a hang-up command to each handset, which is difficult to detect or prevent 11. As voice is sharing a network with traditional data, it is susceptible to the DoS techniques that have been applied against data networks for many years. A malfunctioning or manipulated handset has the ability to cause a DoS attack by flooding the network with traffic. VoIP is also susceptible to viruses and therefore requires an appropriate management framework. Depending on the telephone handset operating system, handsets might also require virus protection. Service quality and availability are now your problem. 11 Lurking threats to VoIP, Adam Turner, The Age, 20/07/04
18 16 Voice over IP - Decipher and decide Next steps For organisations to have confidence that the introduction of VoIP and IP Telephony will not increase their risk profile, they must give consideration to project and security risks. There are a number of management, operational and technical controls to consider. These are summarised in the diagram below. Key IT management controls Perform cost-benefit analysis Perform benchmarking of technologies against successful implementation projects at other organisations Perform formal product/system selection of potential solutions Implement pilot project Implement formal project risk management controls Integrate VoIP and IP Telephony into existing security policy End user acceptance Effective risk management Key IT operational controls Configuration management (inc. asset management) IT change management Security control design Include VoIP and IP Telephony requirements as part of business continuity and disaster recovery planning Physical security Capacity and performance planning Effective risk management Key IT technical controls Encryption Network segmentation Gateway security configuration High availability network architecture Authentication Periodic security testing and assessment From the initial decision to implement VoIP and IP Telephony, organisations must assess a number of critical areas including a clear understanding of: Business benefits and opportunities Appropriate processes to identify technologies, suppliers and implementation requirements Ongoing maintenance and operational requirements Security and availability risks relative to the organisation's risk profile and how these will be dealt with. As with the adoption of all new technology, the benefits are widely discussed in the market, however the risks to the organisation are often overlooked. Assessment of the critical areas, in conjunction with implementation of the appropriate controls, will ultimately shape the outcome of the project and VoIP's ongoing success. It is important not to lose sight of the overall objective of the project and ensure that the technology supports the strategic directions of the organisation.
19 Voice over IP - Decipher and decide 17 Key elements of VoIP and IP Telephony implementations Define needs Assess risks Manage change Plan the project Develop controls Understand your organisation's needs and business strategies to develop a business case with clear and measurable success criteria Conduct a risk assessment based on your unique business features, including the Business Continuity Management implications Consider the impact on your workforce, work practices and organisation Define a technology implementation plan considering pilots and phased introduction Implement key management, operational and technical controls