Why We Need Security
It is hard to watch a TV show like Leverage, or talk to someone like a friend of mine who has worked on network and internet security with Booz Allen & Hamilton, and not get a queasy feeling that there is no possible way to secure your information from the "bad guys."
A client mentioned the other day that "any kid with a laptop" can crack a typical alphabetic password in a couple of hours. His point, fortunately, was that when you make it alphanumeric, case-sensitive and include special characters, you can drive the time required to crack it closer to 20,000 years, or at least separate the true professionals from the amateurs.
In the world of Unified Communications, Video Conferencing and Collaboration we spend a lot of time thinking about how to connect with disparate systems and how to give others access to our networks. Unfortunately, when you open the door you don't always know who will walk in, so it is important to have a well-defined process for authenticating the parties on the other side and keeping people from "dropping in" uninvited.
2 Ways to Think About Security
There are a lot of ways to think about security in communications, starting with a couple of broad categories:
1) Hard-coded keys/certificates -- This model for security rests on the ability to uniquely identify a piece of hardware by a physical "signature" number and then attach a "license plate" to that signature. If you receive data from the right hardware with the right license plate, it must be the right driver, right? Unfortunately, having a fixed certificate makes it all the more worthwhile to try to hack. If you are able to break the code, you have a free pass to a device until it is decommissioned or the license plate is changed. A lot of hardware-based video conferencing systems use this type of authentication.
2) Session keys -- A unique key is generated for each individual session and is exchanged between the participants. With 10,000 potential users, picking the right 5 to hack for the one-hour meeting when the price of tea in China is set for the coming year is a Herculean undertaking. This is the model that Veamea uses. While it means that the session itself is virtually unhackable, as my friend at Booz Allen said, the bad guys then try to hack the server that gives out the keys. So we build another few lines of defense at the application level, and between the application and the hardware server software.
How Secure Does It Have To Be?
There is ongoing tension in all technologies between the overhead added to secure the communication channel and the speed and efficient use of resources. Different types of communication merit different levels of security. Our clients running telehealth applications ask for strong encryption as one step toward complying with HIPAA guidelines.
The Advanced Encryption Standard (AES) is in widespread use and is defined for three key lengths (128-bit, 192-bit or 256-bit), with the longer keys giving the larger brute-force margin. While 128-bit was a financial services standard 10 years ago, it is fast becoming "loose" encryption compared to the 256-bit encryption used by a small number of communications vendors (including VeaMea).
Unfortunately, even military-grade encryption on a system disconnected from the grid can still be beaten by human nature and well-designed code, as the Stuxnet worm proved recently.
How Do You Know It Is Secure?
Beyond just trusting a vendor's claims, you can hire "white hat" hackers to try to break into your site to test that it is secure.
Or you can think about security in a broader sense. While your communications application, your servers and your network transport layer should have well-thought-out security structures, a temporary cleaning worker who walks out the front door with IP addresses and passwords is a threat your vendors can't control. Creating a culture that is mindful of security best practices, thinking about how your organization designs processes, screens and trains people, and manages physical security is another important component of your security strategy.
Of course, the final way to make sure you are safe is to make sure that there is nothing worth stealing. Make all your communications and collaboration mind-numbing, never-ending blather sessions that put the bad guys to sleep so Interpol can sneak up on them. That's my personal strategy; is it working?