The Voice over IP Security Alliance (VoIPSA) today announced its much anticipated VoIP Security Threat Taxonomy, a classification and description of the types of security threats that affect IP telephony.
Identified as the alliance's first major task when VoIPSA was formed last February, alliance secretary and taxonomy project head Jonathan Zar, who is also SonicWALL Senior Director, say that the taxonomy is the first step in dealing with VoIP security. "When we were asked by the press and the regulatory community about threats, we weren't always talking about the same thing," he says. "Everyone was talking about their part of the elephant."
By defining the kinds and nature of threats, Zar says VoIPSA hopes to give the Internet voice industry a common reference point to deal systematically with VoIP security issues. "Many vendors said they could solve the problem themselves, but by going to the taxonomy, it became clear that there would still be gaps," he says. "For example, voice spam was perceived as a big deal at the beginning, but it became clear early on that deceptive practices would be a bigger threat,"
Indeed, the threat taxonomy is a necessary precondition for VoIP to fulfill the other projects in its mandate. Zar points out that it makes little sense to develop security requirements and best practices or pursue security research "unless you know what you're up against."
The VoIP Security Threat Taxonomy is organized into four broad phyla. Two --denial of service and unlawful signal or traffic modification -- deal essentially with the integrity of the network signal and infrastructure. Signal interception and bypass of refused consent, on the other hand, categorize threats specific to VoIP and deal specifically with privacy. "Privacy is not a wishy-washy abstraction, it's a concrete idea," Zar says. "So we defined privacy first, and then we defined the expectations for privacy within the community and defined security as a way to ensure that."
According to Zar, responding to VoIP security threats and, consequently, the taxonomy upon which such a response will be based, is essential for the widespread adoption of IP telephony technologies. With VoIP adoption progressing rapidly, he says that, unless security is addressed now, "there will be problems." The key, Zar says, is to have security requirements and best practices in place before VoIP becomes as ubiquitous as traditional telephone service.
"There will be concern about security, of course, but we have created the conditions to develop solutions for these problems ahead of the curve," he says. "We expect some latency, as there always is with security technologies, but we expect the folks in the regulators community and in larger and midsized companies to act more quickly."
Though Zar says the taxonomy will probably undergo considerable elaboration and revision as VoIP security technologies and practices develop, he says that it represents a major milestone in IP telephony. Now, the alliance can get down to its other work. "This is a significant accomplishment of only one of the goals we set for ourselves, which is foundational," Zar says. "But we've also spoken to multiple communities about this -- not just the technical community, but the policy community as well."
Indeed, VoIPSA's membership has swelled considerably in the last eight months. Since it was founded last winter, the alliance has grown to over one hundred member organizations, including virtually all of the major VoIP equipment vendors and many of the service providers, "Pretty much anybody who is anybody in VoIP is a member," Zar says.