Security and VoIP: The sky is NOT falling
Just as the enterprise VoIP market has begun to grow vigorously, a recent spate of news about the security risks attendant to VoIP has been circulating about the industry. Just what the recently recovered telephone equipment industry doesn't need - Chicken Little saying, "The sky is falling." But the sky is not falling. Enterprises implementing VoIP can readily protect the VoIP application running on the enterprise data network with the appropriate planning and management. VoIP is but one critical corporate resource running within the enterprise data network; all of these assets need security protection, appropriate to the needs of your organization.
During the latter months of 2004, VoIP enterprise shipments accounted for more than 50% of total US industry enterprise phone shipments. At about the same time, the NIST (National Institute of Standards and Technology), among others, published a report noting VoIP security risks.
I've explored this question across the industry to see if the growth engine that is VoIP also has a dark side in untoward new security risks. My conclusion is that security is but one of the multiplicity of factors that must be examined, planned for and included in a careful, studied, well-designed and successful VoIP implementation. You may want to review my earlier articles addressing the 11 steps to a successful VoIP implementation (part 1 and part 2) to be sure you and your organization are approaching the overall planning of your VoIP transformation with appropriate care and diligence. Just as security hasn't stopped the growth of ecommerce, email or web searching, security should not be a reason to veto or delay a VoIP implementation out of hand.
As we read every day, all data networks are certainly vulnerable to viruses, hackers and other service-affecting attacks. And VoIP, as an application running on a converged network (LAN and WAN), shares the same vulnerabilities as your enterprise's other critical business applications. I'm sure you have invested to secure your critical business applications on the data network - sales information, human resources and accounting, among others.
Writing this article itself carries significant risk: because failures will happen, and since you can't prove a negative, it's impossible to ensure that you won't have a security failure on your VoIP network. As indicated by Craig Hinkley of Bank of America, in his keynote address at this week's VoiceCon 2005 conference, your risk management valuation of how far to go, how fast and at what cost needs to be balanced with the risk of doing nothing. Hinkley's excellent presentation explained why Bank of America made its recent commitment to transforming its entire voice network to VoIP and shared lessons on how enterprises might proceed. Why? Because Bank of America concluded that there was a greater risk to their business from standing pat and doing nothing than the risk of implementing VoIP - today.
Managing the security risk is a continuous management challenge. Implementing the appropriate level of security, balancing the level of protection vs. the cost of protection, is an ongoing requirement for management attention. But the security of enterprise voice communications has always had risks, and that didn't stop your enterprise from having voice communications to the world. You applied the appropriate levels of physical security (locking doors, password protecting the equipment and administrative terminals, and running the cables in places where it is difficult to clip on a "butt" set). You have always had to secure the perimeter, and protect against service theft by providing the appropriate security locks and keys, some mechanical and others technology based. Equipment to encrypt and secure calls has been offered by several manufacturers for years, prior to VoIP. However, for most organizations, the cost of encryption outweighed the benefit. With the emergence of low-cost encryption chip technology, perhaps the risk decision equation will change and encryption will become cost effective and employed across many enterprises.
Your project team must decide what level of investment and ongoing monitoring to commit to security, weighed against the risk of standing pat and forgoing the cost savings, improved productivity and opportunities to grow revenue and improve competitiveness that VoIP is delivering today (mobility, teleworking, collaboration, unified messaging, etc., with more to come).
Your VoIP security planning and ongoing monitoring might include several of the following considerations (in no particular order of precedence or complexity):
- As in your current TDM world, provide physical security
- Ensure strong, active and up-to-date firewalls, intrusion detection and prevention across the perimeter of the converged network (thus protecting other valuable business applications in addition to VoIP)
- Keep access control lists current
- Run VoIP traffic in a separate virtual LAN on the converged network
- Implement IP-VPNs to secure (and encrypt) your WAN traffic, especially for remote access users (mobiles, teleworkers and satellite locations), with special consideration to securing the extranet locations of your partners, suppliers and customers that you want "resident" on your VoIP system
- Ensure that the VoIP software remains up to date
- Implement appropriate password access control processes
- Make sure PCs running softphones are clean of viruses, and require frequent scans of these devices so they don't become a Trojan horse
- Continuously monitor performance and track any unusual activity
- Continuously test for security vulnerabilities
As Hinkley of Bank of America said, "Secure the phones. Secure the platform. And secure the conversations." But, by all means, don't choose to miss or delay the business benefits of VoIP because of the security risk; rather, manage it according to the needs, standards and policies of your individual enterprise.
David H. Yedwab is the Executive Vice President of The Eastern Management Group and can be reached at dyedwab@easternmanagement.com.
© 2008 Penton Media Inc.












