The Broader Implications of VoIP

Many analysts think the Internet is going through a change every bit as profound as the transition in the mid-90s, when it went from an academic, research tool to the present mass medium. In this case, the change is from a relatively homogeneous, wired operating environment in which hundreds of millions of humans interact via store-and-forward technologies - such as e-mail - to a highly heterogenous system in which hundreds of billions of unmanned devices communicate in real time, often wirelessly. In the security context alone, these devices might include lights, locks, cameras, microphones, loudspeakers, photocells, meters and counters, alarms, biometric devices, signs, and radio frequency identification tags for locations, vehicles and security-related inventory such as firearms. Ravenel's walkie-talkies and Moss's intercoms illustrate the trend.

This new Internet is going to require new thinking about security. For instance, since devices are inherently dumb, authentication will probably have to stop relying exclusively on end-based, challenge-and-response solutions - such as typing in passwords - and look to supplementary technologies that live in the network. One might be device monitoring; the network will measure the behaviour of each device against its operating history and different policy constraints as defined by the CISO. So, for instance, if the printer starts doing something novel, alarms will ring.

Not many dogmas run deeper than the one about how the Internet destroys locality. John Roese, CTO of Enterasys Networks, thinks locality is coming back big time, but as an authentication and authorization technique. Your laptop will gain access rights of Type A when it is detected in Room 100 and will lose them when it is taken out of that room. Roese thinks that even wireless devices (whose locations would be determined by access points triangulating signals or by planting address transponders into walls) will end up being controlled the same way. Another example he gives of the changes that will be required in security practices is remediation management. Right now, when a network has a problem - such as a virus infection - it's shut down till all the nodes are cleaned. When the network is running the phones in addition to the elevators, the A/C, and the microwaves, you are going to have to be more careful about what you shut down.

In other words, VoIP is just the point technology of a broad-based revolution in networking that is coming regardless of how deeply an enterprise buys into this or that telephony system. This revolution is probably going to require an across-the-board reappraisal of security practices and their relation to everyday operating procedures.

As a rule, sentences like that last one make CIOs and CISOs wince, since typically, they get very little support in an organization for radical rewriting of security policies. VoIP might be different; when phone calls move onto the network and the "dial-tone reliability" of, well, dial tones themselves are threatened, people might be willing to take security more seriously. If they do, that will be the most important contribution of all that VoIP technology can make to the profession.

SIDEBAR: Fuzzy Maths

Despite voice over IP's status as one of the hot information technology topics in the past couple of years, the actual adoption rate seems to be a bit on the careful side.

In-Stat/MDR reports that the percentage of companies using VoIP grew from 3% in 2003 to 12% in 2004, with "substantially higher rates" of growth among large businesses.

Insight Research predicts that installed VoIP private branch exchanges (PBXs) will outnumber installed, conventional PBXs after 2009.

Nemertes Research finds that VoIP costs "vary wildly", with initial deployment costs ranging from around $700 to $2000 per user.