
Compliance for Real-Time communications-June2016

Cyber Security with full regulatory compliance for Real-Time communications (2016)

Compliance

When compliance is discussed in an IT context, the key sector regulations applying to data processing and storage usually spring to mind. However, compliance is a much broader topic. Compliance regulations apply to most businesses, not just to the major sectors such as Defence, Government, Oil & Gas, Health and Finance. Compliance also applies to all forms of business communication, including phone, video calling and Instant Messaging (IM). This collection of real-time services is known as Unified Communications (UC), now in use by most businesses globally.

Securing real-time communications is more complex when technology vendors build for features and ease of use without allowing their designs to be flexible and secure, set against a rising value chain of cyber-crime in the marketplace. (Technical papers: www.um-labs.com)

All of the technology platforms (Microsoft, Cisco, Avaya, Mitel, ShoreTel, Alcatel etc.) and their 21st-century designs must share a common theme: they must forge compatibility. The most widely used means of doing so is the SIP protocol, which makes interoperability between products and services possible.

The financial sector, as an example, has its own set of compliance regulations, but even here the regulations vary from country to country. In Europe the regulator extended compliance regulations to cover the recording of phone calls. This translated into the Markets in Financial Instruments Directive (MiFID), which mandated that records must be kept to enable the reconstruction of each stage of the processing of each transaction [1]. This can be interpreted to include the recording of phone calls, but the requirement is not explicitly stated. The MiFID II regulations, adopted by the European Parliament and Council and applying from January 2017, specifically include call recording.

There are two topics that should be uppermost in every CISO's mind: how to address the growing demand for Unified Communications (UC) and how to ensure that the organisation's compliance obligations are met. Responsibility for compliance extends beyond the CISO to the entire board. These issues are linked, because any real-time communications (including UC and IoT) implementation affects the deploying organisation's compliance status. This white paper examines the UC compliance issues and shows how, with the correct security controls, an organisation may realise the benefits of UC without compromising its compliance status.

[1] http://tinyurl.com/manset8
However, there is more to compliance than call recording regulations for the financial sector. There are a number of European regulations which apply to any business handling personal data. These regulations are defined in a number of documents, including EU Directive 95/46/EC [2], which has now become the General Data Protection Regulation (GDPR, 2016-2018) in Europe, and, in the United States, the HR 1770 Data Security and Breach Notification Act 2015. The European regulations are summarised in the Handbook on European Data Protection Law [3].

GDPR controls the collection and use of personal data and defines seven principles, including:
- Personal data may be used only for stated purposes and no other purpose.
- Personal data must be kept safe and secure from potential abuse, theft or loss.
- Any organisation processing personal data is responsible for adhering to all seven principles.

The Handbook on European Data Protection Law provides a summary of the regulations and quotes Article 8 of the European Convention on Human Rights, which is summarised as a right to protection against the collection and use of personal data. The broad scope of these regulations places a responsibility on all businesses processing personal data to protect that data, and holds the business responsible for breaches no matter how those breaches are triggered. This includes the loss of data through any IT security breach. This means that any IT system which includes UC (and in future IoT) services is not compliant if it is not protected against attack.

The frequency with which security breaches continue to occur has led to new proposals for EU data protection regulation. These include a requirement to report all security breaches within 72 hours and the setting up of a public register of all breaches notified. In addition, any breach can result in a fine of up to 4% of global annual turnover. The magnitude of the fine will depend on the level of data protection measures implemented by the offending organisation.

[2] http://tinyurl.com/6gpkrav
[3] http://tinyurl.com/olbzgeu
It is clearly in a company's interest to ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General, commented: "If you think compliance is expensive, try non-compliance."

Unified Communication (UC)

Unified Communication (UC) is the integration of real-time enterprise communication services with existing IT applications and services. UC includes voice and video calls, Instant Messaging and presence information (showing the availability of colleagues). UC is designed to improve the effectiveness of business communication, both within an organisation and with a business's customers and partners. The full benefits of UC are gained only when the service is extended beyond the bounds of an organisation's network to connect remote users on mobile or fixed-line devices and to extend the service to third parties.

UC is implemented on IP networks and can share those networks with data services, social collaboration platforms and email systems. This brings communication services such as voice and video into the IT realm. This, plus the fact that UC services will inevitably carry sensitive and personal data, means that UC is subject to the same compliance regulations as any data service, and therefore that all UC deployments must be protected with effective security measures.

The protocols used to deliver UC are complex. This complexity, plus the real-time requirements of UC, means that the security measures deployed must be tailored to meet UC-specific security threats. Standard data security measures are not sufficient.

The security and compliance problems are not confined to UC. Recent reports show that both cellular networks [4] and the global SS7 phone network [5] are vulnerable to attacks that can allow unauthorised monitoring of calls and text messages.

[4] http://tinyurl.com/pwbv9o2
[5] http://tinyurl.com/pukfnz3
The only response to the security problems on mobile and SS7 networks is to recognise that these networks are not secure. Implementing a well-designed and secure UC system that meets compliance requirements protects all real-time communications.

Steps to Ensure UC Compliance

As we have seen, compliance obligations extend beyond the financial sector and are about more than implementing call recording. Compliance also requires that systems used for information processing are protected against attacks that could result in information leakage and loss of confidentiality of personal information. As the EU directive states: "Personal data must be kept safe and secure from potential abuse, theft or loss."
If an organisation processes any personal data, which includes basic information such as contact and payment details for customers, then that organisation is responsible for ensuring the safety of this data. The specific financial sector regulations may also apply. In both cases the compliance requirements apply to both data and UC services, the latter including all voice, video and IM communication.

Compliance for UC is a process; the key steps in this process are:
1. Understand which of the many regulations apply.
2. Audit your UC, social collaboration and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used.
3. Review your existing security measures, recognising that most IT data security measures (firewalls, VPNs etc.) do not adequately protect UC applications.
4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information.
5. Review the need for call recording; any financial sector organisation subject to MiFID will need to implement this if not already obliged to do so by other regulations.
6. Implement an effective UC security system which meets the compliance requirements.

Protection and assurance are crucial given such high fines for non-compliance. It is also key that the technology platforms have a multi-level, integrated layer of security for UC; today this is only the case if the design has started from the 21st century.

The risks of connecting any data application server to public IP networks have been well understood for some time. These risks led to the growth of the firewall market in the early 1990s, followed by the development of application-specific security controls for Web, email and other applications. Unfortunately, there is a lower level of understanding of the risks associated with real-time communication applications using SIP, the IPv6 protocol in IoT, and ORTC and web-based services, which extend into Unified Communication and the Internet of Things.
As a consequence, development of application-level security controls for real-time IP-based services has not kept pace with the increasing risk. Many technology vendors, and therefore service providers, continue to rely on firewalls, VPNs, application gateways, Session Border Controllers (SBCs) and content proxies to deliver security for network, application and content across OTT and SIP trunk services in a real-time communication world. A recent pen test and compliance test showed that all SBCs are demonstrably unable to protect against many of the application-level security threats faced by SIP-based UC applications and services. These threats include break-ins which enable attackers to make calls via compromised systems, leading to costly call fraud, or DDoS, which opens up access to more valuable assets.

UM Labs R&D can support this process by analysing an existing UC system and assessing the security measures in place to protect that system. UM Labs have also developed the UC Security Platform, which is designed to protect UC/IoT systems and to provide a number of features to support UC compliance. This unique and tested platform is certified compliant by government and telecom regulatory authorities, pen-tested by Deloitte red teams and set against ENISA and EU GDPR rules, with compliance assured for operating over multiple levels of attack and with an integrated architecture that is adaptable to change. This platform has been audited across SIP UC technologies and providers in the light of non-compliance. As a result, and after years of testing, UM-Labs was selected as a key component in that telecom compliance technology.

The platform is designed to meet the following compliance goals:
- To protect from attack on three levels: network, application and content.
- To protect the UC systems from attacks, including Denial-of-Service (DoS) attacks. (See the UM Labs white paper, Combating Denial of Service Attacks for VoIP and UC [6], for further details on DoS attacks.)
- To provide auditing functions to record all attacks on the system and to record the corrective action taken.
- To provide alerts when the system is attacked.
- To provide encryption services to protect voice, video and IM communications.
- To enable the recording and secure storage of calls, including encrypted calls, to meet compliance and lawful intercept requirements.
- Delivered from any cloud implementation, overlaid to protect independently of the UC technology but integrated across mobile, desktop and network.

[6] http://tinyurl.com/kkmlby7
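The auditing and alerting goals above (record every attack together with the corrective action taken, and raise an alert while the attack is in progress) can be illustrated with a small detector run over SIP signalling logs. The following is an added example written for this page, not UM Labs' code or any description of how the UC Security Platform works. The log line format, the thresholds, the blocking action and the sample traffic are all assumptions constructed for the example. It covers two of the application-level threats the paper names, REGISTER password guessing that precedes call fraud and INVITE floods (DoS), and writes one audit record per detection.

```python
"""Audit trail and alerts for SIP signalling logs (added example, not UM Labs code)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format (an assumption), one SIP transaction per line:
#   2016-06-01T09:00:02Z src=203.0.113.7 method=REGISTER user=1001 status=403
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"method=(?P<method>[A-Z]+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Event:
    ts: datetime
    src: str
    method: str
    user: str
    status: int


@dataclass
class AuditRecord:
    """One audit-trail entry: what was seen, which rule fired, what was done."""
    ts: datetime
    src: str
    rule: str
    detail: str
    action: str


def parse_line(line):
    """Parse one log line; lines that do not match the format yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m.group("ts"), TS_FMT), m.group("src"),
                 m.group("method"), m.group("user"), int(m.group("status")))


class SipAuditor:
    def __init__(self, auth_fail_limit=5, invite_limit=20,
                 window=timedelta(seconds=60), block_for=timedelta(minutes=10)):
        self.auth_fail_limit, self.invite_limit = auth_fail_limit, invite_limit
        self.window, self.block_for = window, block_for
        self.auth_fails = defaultdict(deque)  # src -> timestamps of rejected REGISTERs
        self.invites = defaultdict(deque)     # src -> timestamps of INVITEs
        self.blocked_until = {}               # src -> datetime the block expires
        self.records = []                     # the audit trail, in detection order

    def _count_in_window(self, dq, now):
        """Sliding-window counter: add `now`, drop entries older than the window."""
        dq.append(now)
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def _block(self, ev, rule, detail):
        until = ev.ts + self.block_for
        self.blocked_until[ev.src] = until
        self.auth_fails.pop(ev.src, None)
        self.invites.pop(ev.src, None)
        rec = AuditRecord(ev.ts, ev.src, rule, detail,
                          f"source blocked until {until.strftime(TS_FMT)}")
        self.records.append(rec)
        return rec

    def process(self, ev):
        """Feed one event; returns an AuditRecord when a rule fires, else None."""
        until = self.blocked_until.get(ev.src)
        if until is not None and ev.ts < until:
            return None  # source already blocked; nothing new to record
        secs = int(self.window.total_seconds())
        # A single 401 on REGISTER is the normal digest challenge, so only a 403
        # (credentials rejected) is counted as a failed attempt here.
        if ev.method == "REGISTER" and ev.status == 403:
            n = self._count_in_window(self.auth_fails[ev.src], ev.ts)
            if n >= self.auth_fail_limit:
                return self._block(ev, "register-bruteforce",
                                   f"{n} rejected REGISTERs within {secs}s")
        elif ev.method == "INVITE":
            n = self._count_in_window(self.invites[ev.src], ev.ts)
            if n >= self.invite_limit:
                return self._block(ev, "invite-flood", f"{n} INVITEs within {secs}s")
        return None


def audit(lines, **thresholds):
    """Run the auditor over log lines in timestamp order; return the alert records."""
    auditor = SipAuditor(**thresholds)
    events = sorted((e for e in map(parse_line, lines) if e is not None), key=lambda e: e.ts)
    return [rec for rec in map(auditor.process, events) if rec is not None]


def constructed_sample_lines():
    """Constructed traffic: one legitimate phone, one password guesser, one flooder."""
    base = datetime(2016, 6, 1, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [f"{stamp(0)} src=192.0.2.10 method=REGISTER user=1001 status=401",
             f"{stamp(1)} src=192.0.2.10 method=REGISTER user=1001 status=200",
             "not a log line at all"]
    lines += [f"{stamp(2 + i)} src=203.0.113.7 method=REGISTER user={1000 + i} status=403"
              for i in range(8)]
    lines += [f"{stamp(i)} src=198.51.100.9 method=INVITE user=2001 status=100"
              for i in range(25)]
    return lines


if __name__ == "__main__":
    for rec in audit(constructed_sample_lines()):
        print(f"{rec.ts.strftime(TS_FMT)} ALERT {rec.rule} src={rec.src}: "
              f"{rec.detail}; {rec.action}")
```

On the constructed input the legitimate phone (one 401 challenge followed by a 200 OK) produces no record, the password guesser is blocked at its fifth rejected REGISTER, and the flooder at its twentieth INVITE within the window; later traffic from a blocked source is dropped without generating duplicate alerts. Only the rejected-credentials status is counted because every normal registration begins with a 401 challenge, and counting those would flag every phone on the system.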
Figure: Example of an Azure cloud implementation used at KPN, the Dutch national carrier.

About UM-Labs R&D

Cyber security is the fastest-growing challenge in today's world of the Internet: every day, 24 hours a day, there is a breach, a theft of data, eavesdropping on phone calls and video calls, on messaging (IM) and even on your location. Businesses have in the past tried to control attacks with outdated computing techniques, and this legacy is set against a backdrop of keeping in with the status quo. The thirst for internet content and the fast-growing use of cloud technology increase the volume of criminal cyber-attacks on video chat, Internet phone calls, IM and location. Over 234 million people use these communication services in business every day; a 21st-century solution is required to protect and manage them, and without one your business is at risk.

Tomorrow, 60 billion end points for the Internet of Everything (IoE/IoT) will be at risk of attack, so keeping ahead of the thinking and delivering safe IP connectivity over three layers (network, application and content) is crucial. UM-Labs is a creative and advanced R&D company with experts in computer security software design, smart mobile technology and cloud computing. The cloud solution is a unique layer of real-time security software. It protects and encrypts Internet communications across all of the cloud variants, is easy to install and scales to thousands of users from one virtual server, with compliance-tested and certified customer reference sites in Europe and the US.

Information at www.um-labs.com or email marketing@um-labs.com
