Technology continues to foster ways to improve the business of financial services, and the emergence of Internet Protocol (IP)-based telephony and related applications is a prime example. IP communications offers the industry the potential for more secure and reliable communications systems than ever before.
Because their very existence is based on trust, banks, credit unions, and other financial institutions give top priority to issues of network security. Such institutions have requirements, often imposed by regulators, to maintain high levels of privacy and confidentiality, especially for customer records and related information. Furthermore, accuracy and integrity of transaction data are imperative. Incorrect or incomplete information can create embarrassing or expensive problems, and the ability to validate transactions and provide nonrepudiation is often necessary. Fortunately, when IP communications solutions are configured with appropriate levels of security and reliability, they can meet or exceed the requirements of the most demanding environment.
The convergence of voice, video, and traditional data applications holds great promise for improving customer interaction. Freed from the rigid construct of voice or text only communication, financial institutions can use the latest rich-media communication tools to offer innovative multimedia solutions to their clientele that are both less expensive than direct personal contact and more fulfilling to customers. For example, video enhanced collaboration tools allow much more effective communication while reducing travel expenses.
Convergence of voice and video communications with traditional data systems can also result in smarter, more efficient operations. As communications systems transition to integrated IP-based solutions, the complexity of running multiple redundant systems is reduced. This benefit of convergence translates into real, even compelling, cost savings and attractive returns on investment.
While the security of traditional telephony systems relies primarily on physical isolation of equipment and wiring, modern IP communications solutions draw on a wide range of network security tools developed to protect other business-critical applications, making possible a higher level of protection than has ever before been available. From authentication tools, to advanced threat detection and defense, to readily available encryption solutions for management and media, the latest developments in information security are ready to use in the IP communications setting.
The Internet protocol was designed to offer flexible and reliable connectivity to a wide range of systems. Thus a fundamental benefit of IP-based telephony is its ability to offer redundant, fail-safe operation of voice services in the face of system or segment failure. Whether using a large, centralized call control solution or a more distributed approach, IP communications systems take advantage of the inherent robustness of IP to continue operation in conditions that would impair or bring down traditional communications systems. This degree of resilience is an asset in an environment where availability and business continuance are essential.
IP communications offers unprecedented integration of interpersonal communications technology with other critical business data. Customer records, transaction data, financial analysis tools, and other business applications are currently delivered in a highly secure, reliable way over the corporate data network. As voice and video enter the mix, the capabilities of the network can be incrementally extended to them with the same level of protection. For example, the network can use virtual local-area network (VLAN) features to effectively sequester voice and voice-related traffic to specific segments of the network. This not only affords protection against unwanted access, but also makes it possible to apply network policies such as access control and quality of service (QoS) parameters much more effectively.
Other network security tools are also useful in an IP communications environment. Firewalls that control access to specific resources and locations in the network can intelligently direct call control information and voice media streams to their intended recipients while protecting them against interference from outside and inside the network. And the privacy protection that virtual private networks (VPNs) afford to data moving between corporate locations can be extended to voice traffic as well.
In the world of IP communications, the network is an important asset, and its security capabilities should not be overlooked or underestimated. Intrusion detection and prevention tools that are currently on the network and hosts can also be directed to protect the IP communications systems, recognizing and in many cases neutralizing threats before they can cause damage or disruption. In an environment where network security incidents are measured in seconds, it is important to take advantage of these and other automated systems wherever possible. In the world of IP communications, the network is an important asset and its security capabilities should not be overlooked or underestimated.
Beyond these existing network security tools, IP communications offers new and important capabilities that further enhance the security of voice-related solutions. For example, many new IP phones and call control systems can be configured with digital certificates that are, in effect, tamper-resistant virtual identity cards issued by a trusted authority. These can be used to authenticate each device on the network, making it exceptionally difficult to insert foreign devices into the network and enabling any that are found to be quarantined and denied access.
Digital certificates also provide the foundation for scalable authenticated signaling and media encryption between phones. This voice-specific encryption adds another level of protection to the contents of telephone conversations and messages when appropriate. The combination of a correctly configured, highly secure network and voice encryption makes for a system that is, in aggregate, much more secure than traditional PBX systems.
Today's IP communications solutions have proven security. Independent organizations from Miercom Labs, a research and testing firm, to the U.S. Department of Defense have scrutinized, evaluated, and rigorously tested IP communications solutions and found them to be quite secure. Yet work continues on improving the systems and protocols. The Internet Engineering Task Force, the International Telephony Union, and others continue to work to identify and address network security considerations in evolving IP communications protocols. This means that investing in IP communications today can provide immediate benefits while protecting investments.
To take prudent advantage of the benefits of IP communications, financial institutions can take several actions. First, think of IP communications like any other business-critical application and make it an important component of security and business continuance planning. Look to vendors for evaluation and planning documents that will help in the transition process. Identify areas of concern and work to address the issues before implementation.
Next, introduce new systems with precision and carefully evaluate their actual effects on existing policy and procedure. Periodic network security audits and policy adjustments should, of course, be extended to cover the new systems. While the benefits of IP communications are compelling, a thoughtful approach to deployment will help meet fiduciary requirements and help maintain the trust that is critical to the health of a financial services organization. Finally, apply the lessons learned in deployment to future development. By drawing on experience to update planning and implementation guides, an organization can become adept at delivering secure IP communications.
Roger Farnsworth is senior systems marketing manager, IP Communications Security, Cisco Systems.
