Unified Communications Tips
Editor's note: Cloud computing security has become a pivotal issue for enterprises exploring hosted solutions for a variety of services and applications, including cloud-based unified communications (UC). The already-difficult task of securing sensitive data, resources and applications becomes even more daunting when you attempt to safeguard a cloud environment with more potential entry points and, as a result, create more vulnerable spots. Whether your enterprise has chosen to pursue a public, private or hybrid cloud computing approach, CIMI Corp. President Tom Nolle details the cloud computing security obstacles you may face in your implementation and how to overcome them.

While the connected world offers enormous opportunities to use information technology (IT) to improve worker productivity, it has also created a collateral risk to companies' information assets. Active interference with IT processes can also attack company operations, because most operations now rely on IT support.

Security of both information and information processes is already a critical requirement, and as enterprises move toward cloud computing, security specialists are heading into unfamiliar territory. In the past, security measures could be divided into data security, access security and transmission security. Cloud computing affects all three by dispersing computing resources within and even outside of the enterprise.

Resource, data management are key cloud computing security considerations

Data security -- the protection of stored information assets -- has normally relied strongly on the physical security of the data center. In cloud computing, the virtual nature of the data center makes it difficult to know which forms of access control are being applied and how thoroughly those controls protect information assets. With public clouds, enterprises have no idea how assets are stored and protected.
Even private clouds can include insecure assets, unless all new system and storage device locations are subjected to a security audit before adding them to the cloud.

One of the most insidious methods of breaching virtualization or cloud computing security is the "poisoned resource." If resource management processes for commissioning new servers and storage arrays are not strongly secured, it's possible for a foreign resource to be added to the pool and used freely by enterprise applications. That resource could be a lure for an attacker -- a place where data, passwords, keys and other important assets can be compromised, with the apparent full support of the enterprise's own cloud computing security processes.

In fact, resource-related security problems are the greatest new threat to cloud computing security, and they also apply to simple virtualization applications within a single data center. Problems arise because managing IT resources, like resource pools in the cloud, means having to enroll new devices when they become available, and that process can easily be compromised. Viruses targeting virtualization tools (like hypervisors) and cloud computing management tools can enroll maverick resources. Once a resource is enrolled, it often enrolls others. You have to fully secure each individual cloud data center, in terms of both access and resource enrollment, or there is no cloud computing security.

Access and transmission security: Tighten VPN enrollment, encryption practices

Access security for cloud computing tends to focus too much on secure access to cloud computing applications through things like Secure Sockets Layer virtual private networks (SSL VPNs). This type of access security doesn't differ significantly among public cloud, private cloud and enterprise client/server implementations of applications. The major issue with access security in the cloud is the security of enterprise VPNs as opposed to access VPNs.
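
The poisoned-resource risk described earlier comes down to whether every pool member can be traced to a verified commissioning step, including members enrolled by other members. The audit below is an added example, not part of the original article; the record layout, HMAC key, host names and the `enrolled_by` field are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: commissioning signs "id|kind|site" with a key the pool manager never holds.
KEY = b"constructed-demo-key"

def sign(rid, kind, site):
    return hmac.new(KEY, f"{rid}|{kind}|{site}".encode(), hashlib.sha256).hexdigest()

def audit_pool(pool, records):
    """Return {resource_id: reason} for every pool member that fails the audit."""
    findings = {}
    for rid, entry in pool.items():
        rec = records.get(rid)
        if rec is None:
            findings[rid] = "no commissioning record"
        elif not hmac.compare_digest(rec["sig"], sign(rid, rec["kind"], rec["site"])):
            findings[rid] = "record signature invalid"
        elif (rec["kind"], rec["site"]) != (entry["kind"], entry["site"]):
            findings[rid] = "pool entry differs from record"
    # A flagged resource taints everything it enrolled, transitively.
    changed = True
    while changed:
        changed = False
        for rid, entry in pool.items():
            parent = entry["enrolled_by"]
            if rid not in findings and parent in findings:
                findings[rid] = f"enrolled by flagged resource {parent}"
                changed = True
    return findings

def _rec(rid, kind, site):
    return {"kind": kind, "site": site, "sig": sign(rid, kind, site)}
# Constructed sample pool inventory and commissioning records.
POOL = {
    "hv-01":   {"kind": "hypervisor", "site": "dc-east", "enrolled_by": "commissioning"},
    "hv-02":   {"kind": "hypervisor", "site": "dc-east", "enrolled_by": "commissioning"},
    "hv-99":   {"kind": "hypervisor", "site": "dc-east", "enrolled_by": "commissioning"},
    "stor-42": {"kind": "storage", "site": "dc-east", "enrolled_by": "hv-99"},
    "stor-43": {"kind": "storage", "site": "dc-east", "enrolled_by": "stor-42"},
}
RECORDS = {
    "hv-01": _rec("hv-01", "hypervisor", "dc-east"),
    "hv-02": _rec("hv-02", "hypervisor", "dc-west"),
    "stor-42": _rec("stor-42", "storage", "dc-east"),
    "stor-43": _rec("stor-43", "storage", "dc-east"),
}
if __name__ == "__main__":
    for rid, reason in sorted(audit_pool(POOL, RECORDS).items()):
        print(rid, "->", reason)
```

In the sample, `hv-99` claims in the pool's own metadata to have been commissioned, which is why the audit trusts only the signed records and not what the pool says about itself.
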
Most enterprises rely on VPNs to segregate their private traffic; they treat VPN membership as conveying some right of access to applications and resources. Cloud resources are typically hosted on a company VPN, even if those resources are owned by a public cloud operator. Providing a mechanism for third-party sites to join a VPN reduces VPN security, so it's critical to carefully audit VPN enrollment processes to ensure there is no way for unwanted sites to be added.

Transmission security is normally enforced through a combination of network segregation (isolation of traffic from shared facilities like the Internet) and encryption. Public cloud computing obviously reduces the extent to which shared facilities can be avoided, but any form of cloud computing demands broader dissemination of encryption keys and increases the risk of compromise. Most public cloud users should review their encryption policies, paying particular attention to any transmission of critical information over nonsecured client/server links. SSL connections should be mandatory in cloud applications because it's difficult to control where cloud traffic goes.

Cloud computing security risk factors

The following practices increase cloud computing security risks:

- The use of public cloud resources for service-oriented architecture (SOA) application components necessitates exchanging information with other components running on enterprise systems. These links are more difficult to secure; in some cases, enterprise managers may not even be aware they exist.
- Dynamic discovery and the enrollment of resources in public cloud applications create a risk of having a poisoned resource enter your resource pool.
- Where virtualization is used in data centers, it's particularly important to ensure that servers not intended to be a part of a cloud are not linked into a virtual pool that supports cloud applications.
- VPNs that segregate traffic are much less suitable as a general access and transmission security tool in cloud computing than in standard client/server computing because of the necessary elasticity of VPN membership.
- Reliance on contractual terms to protect information access in public clouds is rarely successful in itself. Nearly all such contracts limit consequential liability and prevent enterprises from recovering the cost of operations problems or legal action arising from a cloud computing security breach. It's essential that public resources be secured and monitored by enterprise-owned tools.

Analyzing cloud computing security issues

Addressing cloud computing security issues is, first and foremost, a matter of determining whether your cloud applications are most likely to raise data security, access security or transmission security issues. Where data security isn't a major factor, cloud access and transmission security are managed using the same tools that would be used to manage Internet VPN access to corporate applications hosted in a traditional way.

Data security issues raised in cloud computing are much harder to manage, since a lack of enterprise control over the physical storage resources makes implementing effective security measures nearly impossible. Careful auditing of cloud data center security may be one solution, but many enterprises believe that the best strategy is to avoid storing critical data in the cloud at all.

Cloud computing security practices continue to develop, with promising advances coming even in the area of data security. Regular review of security tools and practices can ensure your own security strategies are optimized and can open broader applications of cloud computing in your enterprise.

Most planners and managers who support IP telephony in any form have received quality of service (QoS) complaints from users at some point or another, and many get them regularly.
While complaints normally relate to quality of experience (QoE) and not to network QoS, it's still important to follow up and determine whether the network is creating problems with application performance to the point where operational efficiency could be at risk.

IP telephony traffic is rarely sufficient to create network problems by itself. Most IP telephony performance problems are caused by other traffic that loads the network to the point where IP telephony QoS suffers. Since IP telephony traffic is often more sensitive to QoS issues than Web or application traffic, voice managers should take QoS problems as a warning sign to review network traffic, capacity, and traffic management measures. Otherwise, problems are likely to spread to all applications on the network.

Are your IP telephony QoS symptoms caused by congestion?

QoS normally measures packet loss and packet delay within a specified load or traffic volume. Congestion in the network will mean network routers or switches have to hold traffic for capacity to become available, and this will normally cause both packet delay (queuing delay) and packet loss (queue overflow). It's possible to measure delay and packet loss between various network points using tools ranging from simple to complex, and it's best to pick one that's familiar and apply it systematically to the routes taken by your IP telephony traffic.

If you see evidence of both delay and packet loss, then you can be sure you have a congestion problem. Packet loss is also sometimes identifiable by the fact that it creates "drop-outs" or clicks in the audio stream of voice calls, but delay can also cause strange speech artifacts, so it's best not to rely on subjective views of voice quality in diagnosing problems.

When a congestion problem is suspected, the most important step is to analyze the link utilization along the route the traffic would be likely to take.
Traffic routes can be determined by looking at the forwarding tables in switches/routers (directly or using tools like traceroute). Dynamic routing protocols can change routes over time, but most enterprise networks will have fairly static routes except during network failures. Check several times on several days to get a complete view. What you're looking for is peak-level utilizations over 70% or average utilization over about 35%. Either suggests that it is possible that the network is becoming congested under load. If you can correlate objective network load on various routes with subjective reports of call quality problems, you're definitely on the right track.

Video traffic hogs bandwidth, hampers IP telephony QoS

Where that doesn't work, look to see whether there are alternate routes for traffic that remain underutilized. If your network has such routes, you may be able to improve performance simply by utilizing them more effectively. How this can be done will depend on whether your network is based on Ethernet or IP and the specific routing protocol that you're using. In IP networks, it's fairly easy to establish multiple routes and control traffic flows, but for Ethernet, the standard spanning tree protocol won't allow multiple routes. See whether your vendor supports emerging data center Ethernet standards to provide alternatives to spanning tree.

When in doubt, apply compression

The most important thing to remember in reviewing traffic, network load, and congestion issues in IP telephony service is that it's almost always other non-voice traffic that causes the problem. When congestion is a problem, it's best to try to alleviate it for all traffic types. When it's not practical to improve network performance overall, it may be necessary to try and bypass network congestion with IP telephony traffic through a form of routing or prioritization.

Next month, I will cover IP telephony QoS: Routing and prioritization.
Unified Communications Articles
Building an enterprise video conferencing strategy is a multifaceted challenge for most enterprises. It begins with identifying use cases, then deploying the right video conferencing endpoints in the right locations to serve them. But it doesn't end there. Enterprises also need to understand how those endpoints will affect video conferencing network requirements and build supporting services to ensure the technology is easy to use and has a consistent quality of experience that meets user expectations.

The Michigan Department of Corrections has a broad and expanding array of use cases, according to video conferencing coordinator Lynette J. Holloway. As video conferencing has become more popular, Holloway has had to transform and expand her video conferencing endpoint selection, transition to a new network and provide supporting services to users.

"We use video conferencing in lots of different ways," Holloway said. "We have telemedicine in each of our correctional facilities, and we just started using telepsychiatry. In addition, we do all of our parole board hearings over video. We did 22,000 video parole board interviews last year. It's pretty much become a core function within our...
Unified Communications Columns
When thinking about the biggest challenge to the growth of the unified communications (UC) market, one of the first things that come to mind is the lack of interoperability between UC products and vendors. It's often up to the customer, VAR or system integrator to ensure that the various products used as part of an end-to-end UC solution work smoothly together. Often...
Businesses are still finding VoIP and unified communications strategies challenging. Find out why Asterisk's open source communication server was not a viable solution for one organization with limited in-house expertise and resources; what this company could have done differently to achieve anticipated results; why so many organizations are...

Expert Response
If the delay is greater than 128 milliseconds (msec), no standard echo cancellation will work. In such cases, how about...
How can I effectively audit my telecom costs without making a career out of it?
For many companies, the prospect of...

We need to reduce background noise and echo.
A company that I consult for uses Asterisk in its 100-seat call center and is...