1.
[Type text]
2016
Cyber Security with full
regulatory compliance for Real-
Time communications.

2.
Compliance
When compliance is discussed in an IT context, key sector regulations applying to data
processing and storage usually spring to mind. However, compliance is a much broader
topic. Compliance regulations apply to most businesses not just these major sectors,
such as Defence, Government, Oil& Gas, Health, Finance. Compliance also applies to all
forms of business communication including phone, video calling and Instant Messaging
(IM) communication. This collection of real-time services is known as Unified
Communications (UC, now in use by most businesses globally).
The securing of real-time communications is more complex when the technology
vendors build for feature and ease of use without allowing the designs to be flexible and
secure set against a rising value chain of cyber-crime in the market place. (Technical
Papers @ www.um-labs.com )
In all aspects of the technology platforms, (Microsoft, Cisco, Avaya, Mitel, Shortel,
Alcatel etc.) and the design in this 21st century, must have a common theme, it must
exist to forge compatibility and the most widely used of these is the SIP protocol, which
means inter-op between products and services can exist.
The financial sector as an example, has its own set of compliance regulations, but even
here the regulations vary from country to country. In the Europe the regulator extended
compliance regulations to cover the recording of phone calls. This translated into the
Markets in Financial Instruments Directive (MIFID) published a mandated that records
must be kept to enable the reconstruction of each stage of the processing of each
transaction1. This can be interpreted to include the recording of phone calls, but this
requirement is not explicitly stated. The MIFID II regulations, which were adopted by the
European Parliament and Council, which will apply from January 2017 specifically,
include call recording.
1
http://tinyurl.com/manset8
There are two topics that should be uppermost in every CISO's mind, how to address the
growing demand for Unified Communications (UC) and how to ensure that the organisation's
compliance obligations are met. Responsibility for compliance extends beyond the CISO to the
entire board. These issues are linked because any Real-Time communications (incl. UC and IOT)
implementation impacts the deploying organisation's compliance status. This white paper
examines the UC compliance issues and shows how with the correct security controls, an
organisation may realise the benefits of UC without compromising their compliance status.

3.
However, there is more to compliance than call recording regulations for the financial
sector. There are a number of European regulations which apply to any business
handling personal data. These regulations are defined in a number of documents
including EU Directive 95/46/EC2 now morphed into the General Data Protection
Regulation (GDPR 2016-2018) in Europe and in the United States, the HR1770 Data
Security and Breach Notification Act 2015, this can be reviewed in Europe and
summarised in the Handbook on European Data Protection Law3.
GDPR controls the collection and use of personal data and defines seven principles
including:
 Personal data may be used only for stated purposes and no other purpose.
 Personal data must be kept safe and secure from potential abuse, theft or loss.
 Any organisation processing personal data is responsible for adhering to all seven
principles.
The Handbook on European Data Protection Law provides a summary of regulations and
quotes article 8 of the European Convention on Human Rights which is summarised as: a
right to protection against the collection and use of personal data.
The broad scope of these regulations places a responsibility on all businesses processing
personal data to protect that data, and holds that business responsible for breaches no
matter how those breaches are triggered. This includes the loss of data through any IT
security breach. This means that any IT system which includes UC (and in future IOT)
services is not compliant if it is not protected against attack.
The frequency with which security breaches continue to occur has led to new proposals
for EU data protection regulation. These include a requirement to report all security
beaches within 72 hours and setting up a public register of all breaches notified. In
addition, any breach can result in a fine of up to 4% of global annual turnover. The
magnitude of the fine will depend on the level of data protection measures
implemented by the offending organisation.
2
http://tinyurl.com/6gpkrav
3
http://tinyurl.com/olbzgeu

4.
It is clearly in a company's interest to ensure that adequate security and compliance
measures are applied to all information processing systems. As Paul McNulty, former US
Deputy Attorney General commented:
If you think compliance is expensive, try noncompliance.
Unified Communication (UC)
Unified Communication (UC) is the integration of real-time, enterprise communication
services with existing IT applications and services. UC includes voice and video calls,
Instant Messaging and presence information (showing the availability of colleagues).
UC is designed to improve the effectiveness of business communication, both within an
organisation and to a business's customers and partners. The full benefits of UC are
gained only when the service is extended beyond the bounds of an organisation's
network to connect remote users on mobile or fixed line devices and to extend the
service to 3rd parties.
UC is implemented on IP networks and can share those networks with data services,
social collaboration platforms and email systems. This brings communication services
such as voice and video into the IT realm. This plus the fact that UC services will
inevitably carry sensitive and personal data means that UC is subject to the same
compliance regulations as any data services. This means that all UC deployments must
be protected with effective security measures.
The protocols used to deliver UC are complex. This complexity plus the real-time
requirements of UC means that the security measures deployed must be tailored to
meet UC specific security threats. Standard data security measures are not sufficient.
The security and compliance problems are not confined to UC. Recent reports show that
both cellular networks4 and the global SS7 phone network5 are vulnerable to attacks
that can allow unauthorised monitoring of calls and text messages.
4
http://tinyurl.com/pwbv9o2
5
http://tinyurl.com/pukfnz3

5.
The only response to the security problems on mobile and SS7 networks is to recognise
that these networks are not secure. Implementing a well-designed and secure UC
system that meets compliance requirements protects all real-time communications.
Steps to Ensure UC Compliance
As we have seen, compliance obligations extend beyond the financial sector and are
about more than implementing call recording. Compliance also requires that systems
used for information processing are protected against attacks that could result in
information leakage and loss of confidentiality of personal information. As the EU
directive states:
Personal data must be kept safe and secure from potential abuse, theft or loss.

6.
If an organisation processes any personal data, which includes basic information such as
contact and payment details for customers, then that organisation is responsible for
ensuring the safety of this data. The specific financial sector regulations may also apply.
In both cases the compliance requirements apply to both data and UC services the latter
including all voice, video and IM communication.
Compliance for UC is a process, the key steps in this process are:
1. Understand which of the many regulations apply.
2. Audit your UC, Social Collaboration and telephony systems to ensure that they
are adequately protected from attacks that could lead to the compromise of
personal information. This audit should check for both generic network security
vulnerabilities and vulnerabilities specific to the protocols used.
3. Review your existing security measures, recognising that most IT data security
measures (Firewalls, VPNs etc) do not adequately protect UC applications.
4. Review the need for call encryption, particularly for mobile devices used to
communicate sensitive information.
5. Review the need for call recording, any financial sector organisation subject to
MIFID will need to implement this if not already obliged to do so by other
regulations.
6. Implement an effective UC security system which meets the compliance
requirements.
Protection and assured is crucial with such high fines for noncompliance, it is also key
that the technology platforms have a multi-level integrated layer of security for UC,
today this is only the case if the design has started from the 21st century.
The risks of connecting any data application server to public IP networks have been well
understood for some time. These risks lead to the growth of the Firewall market in the
early 1990, followed by the development of application specific security controls for
Web, Email and other applications.
Unfortunately, there is a lower level of understanding of the risks associated with real-
time communication applications using SIP, IPV6 protocol in IOT, ORTC Web which
extend into based Unified Communication and Internet of Things.

7.
As a consequence, development of application level security controls for real-time IP
based services has not kept pace with the increasing risk. Many technology vendors and
therefore service providers continue to rely on Firewalls, VPN, Application Gateways,
Session Border Controllers (SBCs), Content proxies to deliver security for network,
application and content, via OTT and SIP trunk services in a real-time communication
world.
A recent pen test and compliance test showed that all SBCs are demonstrably unable to
protect against many of the application level security threats faced by SIP based UC
applications and services. These threats include break-ins which enable attackers to
make calls via compromised systems leading to costly call fraud or using DDOS open up
to more valuables.
UM Labs R&D can support this process by analysing an existing UC system and accessing
the security measures in place to protect that system. UM Labs have also developed the
UC Security Platform which is designed to protect UC/IOT systems and to provide a
number of features to support UC compliance. This unique and tested platform is
certified compliant by government and Telecom regulated authorities, pen tested by
Deliotte Red Teams, set against ENISA and EU GDPR rules, with compliance assured for
operating over multi-levels of attacks with an integrated and adaptable to change
architecture.
This platform has been audited across SIP UC technologies and providers in the light of
non-compliance. As a result, and after years of testing, UM-Labs was selected as a key
component in that Telecom compliance technology. The Platform is designed to meet
the following compliance goals.
 To protect from attack on three levels, network, application and content.
 To protect the UC systems from attacks, including Denial-of-Service (DoS)
attacks. (See the UM Labs white paper, Combating Denial of Service Attacks for
VoIP and UC6 for further details on DoS attacks).
 To provide auditing functions to record all attacks on the system and to record
the corrective action taken.
 To provide alerts when the system is attacked.
 To provide encryption services to protect voice, video and IM communications.
 To enable the recording and secure storage of calls, including encrypted calls, to
meet compliance and legal intercept requirements.
 Delivered from Any Cloud implementation overlaid to protect independent of UC
technology, but integrated across mobile, desktop and network.
6
http://tinyurl.com/kkmlby7

8.
Example of an Azure cloud implementation used at KPN the Dutch national
carrier.
About UM-Labs R&D
Cyber Security is the fastest growing challenge in today's world of the Internet,
everyday 24 hours a day there is a breach, a theft of data, listening on phone
calls/video calls, messaging (IM) and even your location. Businesses have in the past
tried to control attacks with outdated computing technics and this legacy is set
against a back drop of keeping in with the status quo. The thirst for internet content
and the fast growing use of Cloud technology increases the volume of criminal cyber-
attacks on Video chat, Internet phone calls, IM and location.
Over 234 million people use these communication services in business every day, a
21st century solution is required to protect and manage; if not your business is at
risk.

9.
Tomorrow, 60 billion end points for Internet of Everything (IOE/IOT) will be at risk to
attack, so keeping ahead of the thinking and delivering safe IP connectivity over
three layers, network, application and content is crucial, UM-Labs are a creative and
advanced R&D company with experts in compute security software design, smart
mobile technology and cloud computing. The cloud solution is a unique layer of real
time security software. This protects and encrypts Internet communications across
all of the cloud variants, it is easy to install and scales to thousands of users from one
virtual server, compliant tested and certified customer reference sites in Europe and
the US.
Information at www.um-labs.com or email marketing@um-labs.com