2016
Cyber Security with full regulatory compliance for Real-Time communications.
Compliance
When compliance is discussed in an IT context, key sector regulations applying to data processing and storage usually spring to mind. However, compliance is a much broader topic. Compliance regulations apply to most businesses, not just the major regulated sectors such as Defence, Government, Oil & Gas, Health and Finance. Compliance also applies to all forms of business communication, including phone, video calling and Instant Messaging (IM). This collection of real-time services is known as Unified Communications (UC), now in use by most businesses globally.
Securing real-time communications is harder when technology vendors build for features and ease of use without designing for flexibility and security, set against a rising value chain of cyber-crime in the marketplace. (Technical Papers @ www.um-labs.com)
Across all of the technology platforms (Microsoft, Cisco, Avaya, Mitel, ShoreTel, Alcatel etc.), 21st-century design must share one common theme: it must provide compatibility. The most widely used basis for this is the SIP protocol, which makes interoperability between products and services possible.
The financial sector, as an example, has its own set of compliance regulations, but even here the regulations vary from country to country. In Europe the regulator extended compliance regulations to cover the recording of phone calls. The Markets in Financial Instruments Directive (MiFID) mandated that records must be kept to enable the reconstruction of each stage of the processing of each transaction [1]. This can be interpreted to include the recording of phone calls, but the requirement is not explicitly stated. The MiFID II regulations, adopted by the European Parliament and Council and applying from January 2017, specifically include call recording.

[1] http://tinyurl.com/manset8
There are two topics that should be uppermost in every CISO's mind: how to address the growing demand for Unified Communications (UC), and how to ensure that the organisation's compliance obligations are met. Responsibility for compliance extends beyond the CISO to the entire board. These issues are linked because any real-time communications (including UC and IoT) implementation affects the deploying organisation's compliance status. This white paper examines the UC compliance issues and shows how, with the correct security controls, an organisation may realise the benefits of UC without compromising its compliance status.
However, there is more to compliance than call recording regulations for the financial sector. A number of European regulations apply to any business handling personal data. These regulations are defined in a number of documents, including EU Directive 95/46/EC [2], which has evolved into the General Data Protection Regulation (GDPR, 2016-2018) in Europe, and in the United States the HR1770 Data Security and Breach Notification Act 2015. The European position is summarised in the Handbook on European Data Protection Law [3].
GDPR controls the collection and use of personal data and defines seven principles, including:
• Personal data may be used only for stated purposes and no other purpose.
• Personal data must be kept safe and secure from potential abuse, theft or loss.
• Any organisation processing personal data is responsible for adhering to all seven principles.
The Handbook on European Data Protection Law provides a summary of regulations and
quotes article 8 of the European Convention on Human Rights which is summarised as: a
right to protection against the collection and use of personal data.
The broad scope of these regulations places a responsibility on all businesses processing
personal data to protect that data, and holds that business responsible for breaches no
matter how those breaches are triggered. This includes the loss of data through any IT
security breach. This means that any IT system which includes UC (and in future IOT)
services is not compliant if it is not protected against attack.
The frequency with which security breaches continue to occur has led to new proposals for EU data protection regulation. These include a requirement to report all security breaches within 72 hours and the setting up of a public register of all breaches notified. In addition, any breach can result in a fine of up to 4% of global annual turnover. The magnitude of the fine will depend on the level of data protection measures implemented by the offending organisation.

[2] http://tinyurl.com/6gpkrav
[3] http://tinyurl.com/olbzgeu
It is clearly in a company's interest to ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General, commented:
"If you think compliance is expensive, try noncompliance."
Unified Communication (UC)
Unified Communication (UC) is the integration of real-time, enterprise communication
services with existing IT applications and services. UC includes voice and video calls,
Instant Messaging and presence information (showing the availability of colleagues).
UC is designed to improve the effectiveness of business communication, both within an organisation and with a business's customers and partners. The full benefits of UC are gained only when the service is extended beyond the bounds of an organisation's network to connect remote users on mobile or fixed-line devices and to extend the service to third parties.
UC is implemented on IP networks and can share those networks with data services,
social collaboration platforms and email systems. This brings communication services
such as voice and video into the IT realm. This plus the fact that UC services will
inevitably carry sensitive and personal data means that UC is subject to the same
compliance regulations as any data services. This means that all UC deployments must
be protected with effective security measures.
The protocols used to deliver UC are complex. This complexity plus the real-time
requirements of UC means that the security measures deployed must be tailored to
meet UC specific security threats. Standard data security measures are not sufficient.
The security and compliance problems are not confined to UC. Recent reports show that both cellular networks [4] and the global SS7 phone network [5] are vulnerable to attacks that can allow unauthorised monitoring of calls and text messages.

[4] http://tinyurl.com/pwbv9o2
[5] http://tinyurl.com/pukfnz3
The only response to the security problems on mobile and SS7 networks is to recognise
that these networks are not secure. Implementing a well-designed and secure UC
system that meets compliance requirements protects all real-time communications.
Steps to Ensure UC Compliance
As we have seen, compliance obligations extend beyond the financial sector and are about more than implementing call recording. Compliance also requires that systems used for information processing are protected against attacks that could result in information leakage and loss of confidentiality of personal information. As the EU directive states:
"Personal data must be kept safe and secure from potential abuse, theft or loss."
If an organisation processes any personal data, which includes basic information such as contact and payment details for customers, then that organisation is responsible for ensuring the safety of this data. The specific financial sector regulations may also apply. In both cases the compliance requirements apply to both data and UC services, the latter including all voice, video and IM communication.
Compliance for UC is a process. The key steps in this process are:
1. Understand which of the many regulations apply.
2. Audit your UC, Social Collaboration and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used.
3. Review your existing security measures, recognising that most IT data security measures (Firewalls, VPNs etc.) do not adequately protect UC applications.
4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information.
5. Review the need for call recording; any financial sector organisation subject to MiFID will need to implement this if not already obliged to do so by other regulations.
6. Implement an effective UC security system which meets the compliance requirements.
Protection and assurance are crucial given such high fines for noncompliance; it is also key that the technology platforms have a multi-level, integrated layer of security for UC, and today this is only the case where the design has started from the 21st century.
The risks of connecting any data application server to public IP networks have been well understood for some time. These risks led to the growth of the Firewall market in the early 1990s, followed by the development of application-specific security controls for Web, Email and other applications.
Unfortunately, there is a lower level of understanding of the risks associated with real-time communication applications using SIP, IPv6 in IoT and ORTC for the web, which extend into IP-based Unified Communication and the Internet of Things.
As a consequence, the development of application-level security controls for real-time IP-based services has not kept pace with the increasing risk. Many technology vendors, and therefore service providers, continue to rely on Firewalls, VPNs, Application Gateways, Session Border Controllers (SBCs) and content proxies to deliver security for network, application and content via OTT and SIP trunk services in a real-time communication world.
A recent penetration test and compliance test showed that all SBCs are demonstrably unable to protect against many of the application-level security threats faced by SIP-based UC applications and services. These threats include break-ins which enable attackers to make calls via compromised systems, leading to costly call fraud, or the use of DDoS to open the way to more valuable assets.
UM Labs R&D can support this process by analysing an existing UC system and assessing the security measures in place to protect that system. UM Labs has also developed the UC Security Platform, which is designed to protect UC/IoT systems and to provide a number of features to support UC compliance. This unique and tested platform is certified compliant by government and Telecom regulatory authorities, pen-tested by Deloitte Red Teams, set against ENISA and EU GDPR rules, with compliance assured for operation under multiple levels of attack and an integrated architecture that is adaptable to change.
This platform has been audited across SIP UC technologies and providers in the light of
non-compliance. As a result, and after years of testing, UM-Labs was selected as a key
component in that Telecom compliance technology. The Platform is designed to meet
the following compliance goals.
• To protect from attack on three levels: network, application and content.
• To protect the UC systems from attacks, including Denial-of-Service (DoS) attacks. (See the UM Labs white paper, Combating Denial of Service Attacks for VoIP and UC [6], for further details on DoS attacks.)
• To provide auditing functions to record all attacks on the system and to record the corrective action taken.
• To provide alerts when the system is attacked.
• To provide encryption services to protect voice, video and IM communications.
• To enable the recording and secure storage of calls, including encrypted calls, to meet compliance and legal intercept requirements.
• Delivered from any cloud implementation, overlaid to protect independently of the UC technology but integrated across mobile, desktop and network.

[6] http://tinyurl.com/kkmlby7
[Figure: Example of an Azure cloud implementation used at KPN, the Dutch national carrier.]
About UM-Labs R&D
Cyber Security is the fastest growing challenge in today's world of the Internet: every day, 24 hours a day, there is a breach, a theft of data, or eavesdropping on phone calls, video calls, messaging (IM) and even your location. Businesses have in the past tried to control attacks with outdated computing techniques, and this legacy is set against a backdrop of keeping to the status quo. The thirst for internet content and the fast-growing use of Cloud technology increase the volume of criminal cyber-attacks on video chat, Internet phone calls, IM and location.
Over 234 million people use these communication services in business every day; a 21st-century solution is required to protect and manage them, and if not, your business is at risk.
Tomorrow, 60 billion end points for the Internet of Everything (IoE/IoT) will be at risk of attack, so keeping ahead of the thinking and delivering safe IP connectivity over three layers (network, application and content) is crucial. UM-Labs is a creative and advanced R&D company with experts in computer security software design, smart mobile technology and cloud computing. The cloud solution is a unique layer of real-time security software. It protects and encrypts Internet communications across all of the cloud variants, is easy to install, and scales to thousands of users from one virtual server, with compliance-tested and certified customer reference sites in Europe and the US.
Information at www.um-labs.com or email marketing@um-labs.com
Compliance for Real-Time communications-June2016

  • 1. [Type text] 2016 Cyber Security with full regulatory compliance for Real- Time communications.
  • 2. Compliance When compliance is discussed in an IT context, key sector regulations applying to data processing and storage usually spring to mind. However, compliance is a much broader topic. Compliance regulations apply to most businesses not just these major sectors, such as Defence, Government, Oil& Gas, Health, Finance. Compliance also applies to all forms of business communication including phone, video calling and Instant Messaging (IM) communication. This collection of real-time services is known as Unified Communications (UC, now in use by most businesses globally). The securing of real-time communications is more complex when the technology vendors build for feature and ease of use without allowing the designs to be flexible and secure set against a rising value chain of cyber-crime in the market place. (Technical Papers @ www.um-labs.com ) In all aspects of the technology platforms, (Microsoft, Cisco, Avaya, Mitel, Shortel, Alcatel etc.) and the design in this 21st century, must have a common theme, it must exist to forge compatibility and the most widely used of these is the SIP protocol, which means inter-op between products and services can exist. The financial sector as an example, has its own set of compliance regulations, but even here the regulations vary from country to country. In the Europe the regulator extended compliance regulations to cover the recording of phone calls. This translated into the Markets in Financial Instruments Directive (MIFID) published a mandated that records must be kept to enable the reconstruction of each stage of the processing of each transaction1. This can be interpreted to include the recording of phone calls, but this requirement is not explicitly stated. The MIFID II regulations, which were adopted by the European Parliament and Council, which will apply from January 2017 specifically, include call recording. 
1 http://tinyurl.com/manset8 There are two topics that should be uppermost in every CISO's mind, how to address the growing demand for Unified Communications (UC) and how to ensure that the organisation's compliance obligations are met. Responsibility for compliance extends beyond the CISO to the entire board. These issues are linked because any Real-Time communications (incl. UC and IOT) implementation impacts the deploying organisation's compliance status. This white paper examines the UC compliance issues and shows how with the correct security controls, an organisation may realise the benefits of UC without compromising their compliance status.
However, there is more to compliance than call recording regulations for the financial sector. There are a number of European regulations which apply to any business handling personal data. These regulations are defined in a number of documents, including EU Directive 95/46/EC [2], now morphed into the General Data Protection Regulation (GDPR 2016-2018) in Europe, and, in the United States, the HR1770 Data Security and Breach Notification Act 2015. The European position is summarised in the Handbook on European Data Protection Law [3].

GDPR controls the collection and use of personal data and defines seven principles, including:

• Personal data may be used only for stated purposes and no other purpose.
• Personal data must be kept safe and secure from potential abuse, theft or loss.
• Any organisation processing personal data is responsible for adhering to all seven principles.

The Handbook on European Data Protection Law provides a summary of regulations and quotes article 8 of the European Convention on Human Rights, which is summarised as: a right to protection against the collection and use of personal data.

The broad scope of these regulations places a responsibility on all businesses processing personal data to protect that data, and holds that business responsible for breaches no matter how those breaches are triggered. This includes the loss of data through any IT security breach. This means that any IT system which includes UC (and in future IoT) services is not compliant if it is not protected against attack.

The frequency with which security breaches continue to occur has led to new proposals for EU data protection regulation. These include a requirement to report all security breaches within 72 hours and setting up a public register of all breaches notified. In addition, any breach can result in a fine of up to 4% of global annual turnover. The magnitude of the fine will depend on the level of data protection measures implemented by the offending organisation.

[2] http://tinyurl.com/6gpkrav
[3] http://tinyurl.com/olbzgeu
It is clearly in a company's interest to ensure that adequate security and compliance measures are applied to all information processing systems. As Paul McNulty, former US Deputy Attorney General, commented: "If you think compliance is expensive, try noncompliance."

Unified Communication (UC)

Unified Communication (UC) is the integration of real-time, enterprise communication services with existing IT applications and services. UC includes voice and video calls, Instant Messaging and presence information (showing the availability of colleagues). UC is designed to improve the effectiveness of business communication, both within an organisation and to a business's customers and partners. The full benefits of UC are gained only when the service is extended beyond the bounds of an organisation's network to connect remote users on mobile or fixed line devices and to extend the service to 3rd parties.

UC is implemented on IP networks and can share those networks with data services, social collaboration platforms and email systems. This brings communication services such as voice and video into the IT realm. This, plus the fact that UC services will inevitably carry sensitive and personal data, means that UC is subject to the same compliance regulations as any data services. This means that all UC deployments must be protected with effective security measures.

The protocols used to deliver UC are complex. This complexity, plus the real-time requirements of UC, means that the security measures deployed must be tailored to meet UC specific security threats. Standard data security measures are not sufficient.

The security and compliance problems are not confined to UC. Recent reports show that both cellular networks [4] and the global SS7 phone network [5] are vulnerable to attacks that can allow unauthorised monitoring of calls and text messages.

[4] http://tinyurl.com/pwbv9o2
[5] http://tinyurl.com/pukfnz3
The only response to the security problems on mobile and SS7 networks is to recognise that these networks are not secure. Implementing a well-designed and secure UC system that meets compliance requirements protects all real-time communications.

Steps to Ensure UC Compliance

As we have seen, compliance obligations extend beyond the financial sector and are about more than implementing call recording. Compliance also requires that systems used for information processing are protected against attacks that could result in information leakage and loss of confidentiality of personal information. As the EU directive states: "Personal data must be kept safe and secure from potential abuse, theft or loss."
If an organisation processes any personal data, which includes basic information such as contact and payment details for customers, then that organisation is responsible for ensuring the safety of this data. The specific financial sector regulations may also apply. In both cases the compliance requirements apply to both data and UC services, the latter including all voice, video and IM communication.

Compliance for UC is a process; the key steps in this process are:

1. Understand which of the many regulations apply.
2. Audit your UC, Social Collaboration and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used.
3. Review your existing security measures, recognising that most IT data security measures (Firewalls, VPNs, etc.) do not adequately protect UC applications.
4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information.
5. Review the need for call recording; any financial sector organisation subject to MIFID will need to implement this if not already obliged to do so by other regulations.
6. Implement an effective UC security system which meets the compliance requirements.

Protection and assurance are crucial given such high fines for noncompliance. It is also key that the technology platforms have a multi-level, integrated security layer for UC; today this is only the case where the design has started from the 21st century.

The risks of connecting any data application server to public IP networks have been well understood for some time. These risks led to the growth of the Firewall market in the early 1990s, followed by the development of application specific security controls for Web, Email and other applications. Unfortunately, there is a lower level of understanding of the risks associated with real-time communication applications using SIP, the IPv6 protocol in IoT and ORTC Web, which extend into IP-based Unified Communication and the Internet of Things.
As a consequence, development of application level security controls for real-time IP based services has not kept pace with the increasing risk. Many technology vendors, and therefore service providers, continue to rely on Firewalls, VPNs, Application Gateways, Session Border Controllers (SBCs) and Content proxies to deliver security for network, application and content, via OTT and SIP trunk services, in a real-time communication world. A recent pen test and compliance test showed that all SBCs are demonstrably unable to protect against many of the application level security threats faced by SIP based UC applications and services. These threats include break-ins which enable attackers to make calls via compromised systems, leading to costly call fraud, or using DDoS to open the way to more valuable assets.

UM Labs R&D can support this process by analysing an existing UC system and assessing the security measures in place to protect that system. UM Labs have also developed the UC Security Platform, which is designed to protect UC/IoT systems and to provide a number of features to support UC compliance. This unique and tested platform is certified compliant by government and Telecom regulated authorities, pen tested by Deloitte Red Teams, set against ENISA and EU GDPR rules, with compliance assured for operation under multi-level attacks, using an integrated architecture that can adapt to change. This platform has been audited across SIP UC technologies and providers in the light of non-compliance. As a result, and after years of testing, UM-Labs was selected as a key component in that Telecom compliance technology.

The Platform is designed to meet the following compliance goals:

• To protect from attack on three levels: network, application and content.
• To protect the UC systems from attacks, including Denial-of-Service (DoS) attacks. (See the UM Labs white paper, Combating Denial of Service Attacks for VoIP and UC [6], for further details on DoS attacks.)
• To provide auditing functions to record all attacks on the system and to record the corrective action taken.
• To provide alerts when the system is attacked.
• To provide encryption services to protect voice, video and IM communications.
• To enable the recording and secure storage of calls, including encrypted calls, to meet compliance and legal intercept requirements.
• Delivered from any Cloud implementation, overlaid to protect independently of the UC technology, but integrated across mobile, desktop and network.

[6] http://tinyurl.com/kkmlby7
Example of an Azure cloud implementation used at KPN, the Dutch national carrier.

About UM-Labs R&D

Cyber Security is the fastest growing challenge in today's world of the Internet; every day, 24 hours a day, there is a breach, a theft of data, listening in on phone calls/video calls, messaging (IM) and even your location. Businesses have in the past tried to control attacks with outdated computing techniques, and this legacy is set against a backdrop of keeping to the status quo. The thirst for internet content and the fast growing use of Cloud technology increases the volume of criminal cyber-attacks on video chat, Internet phone calls, IM and location. Over 234 million people use these communication services in business every day; a 21st century solution is required to protect and manage them. If not, your business is at risk.
Tomorrow, 60 billion end points for the Internet of Everything (IoE/IoT) will be at risk of attack, so keeping ahead of the thinking and delivering safe IP connectivity over three layers (network, application and content) is crucial. UM-Labs are a creative and advanced R&D company with experts in computer security software design, smart mobile technology and cloud computing. The cloud solution is a unique layer of real time security software. This protects and encrypts Internet communications across all of the cloud variants; it is easy to install and scales to thousands of users from one virtual server, with compliance-tested and certified customer reference sites in Europe and the US.

Information at www.um-labs.com or email marketing@um-labs.com