The growing pains of unified comms

Unified communications (UC) is commonly perceived as an industry not so much in its infancy as working its way through those awkward teenage years: a mix of attitude, slight confusion, uncoordinated limbs, loud but inconsistent vocal chords, and a tendency to cost more than expected.

Anthony Finbow, CEO of voice-over-IP quality assessment firm Psytechnics, is perhaps a little kinder, describing UC today as “more of a vision than a specific product of engineering”. The problem, he says, is that the UC industry “is not effectively communicating its value to business. Unless [business] sees value, they are not going to take it on.”

Forrester Research reports that while the number of companies running UC pilots rose by 20% this year, these trials are not translating into deployments – 55% of IT decision makers are still struggling to identify the value of a broad application of UC in their companies. The analyst firm says while companies understand what constitutes UC, they show “schizophrenic attitudes toward understanding the business case”.

The heart of the problem may lie in the term ‘unified communications’ itself, which describes the technology rather than the benefit. Vendors seem equally confused: Microsoft, busy pouring resources into its new UC platform Office Communication Server 2007 (OCS), describes it as “tearing down the walls that separate telecommunications and computing”, while Cisco, with all the panache of a network engineer sent on a crash-course in marketing, describes it as “reducing human latency”.

What UC actually offers is streamlined collaboration, a productivity-boosting concept well understood by business and one that should be an easy sell in an era of economic downturn.

“Fifty per cent of projects are delayed because people can’t get hold of key stakeholders,” says Mark Forster, Cisco’s head of UC in the UK. “If you’re trying to perform a particular process, and you have a list of people who need to approve a particular aspect of that process, then knowing their presence status and being able to use a click-to-call button or send an instant message, all without leaving one screen, will save masses of productivity time.”

A survey of IT managers who have implemented UC, conducted by network integrator Dimension Data, found that successful UC projects are producing general cost savings and productivity gains of around 10%, cutting travel costs by 11% and increasing customer satisfaction by 20%.

Nonetheless, UC remains a hard sell. “Nobody goes out to buy UC in the same way they might buy Outlook; the technology is very complex, and people [across business and IT] feel threatened by different priorities,” says Dimension Data’s CTO Ettienne Reinecke. “In a typical example, when we go to a company to explain the power of UC, often we have to introduce different groups in the same company to each other.”

Interoperate!

“Much of UC’s innovation is in the integration,” Reinecke says, highlighting

the fact that despite glossy UC-utopia brochures from incumbents like Cisco, it is rare for an organisation to rely on a single vendor for a UC solution. In practice, situations like that of Falmouth College in Cornwall are much more common: head of IT, Nathan Prisk, brought in IT and communications system integrator Logicalis to connect Cisco’s IP telephony network to Microsoft’s OCS, largely because the Cisco software equivalent was more expensive and the college qualified for an education discount on the Microsoft platform.

“We could also link OCS to the Exchange back-end, dialing numbers and receiving voicemail as email attachments through Outlook,” Prisk explains. However “getting the [Cisco and Microsoft] systems to talk together in a common language was quite difficult, and would not have been an easy thing to do in house. It’s overcome-able, but tricky.”

Several analysts have previously accused Cisco of being if not hostile towards cross-vendor interoperability, then certainly unhelpful – that is a side effect of the company’s network-centric rather than software-centric approach to UC, according to Gartner. Lately, however the company seems to have softened its stance.

“UC is not a solution that comes from one organisation,” outlines Forster. “Cisco has all the bits you need to build a system from the ground up, but organisations are already using [other] programs, and we’re not silly enough to say you can’t use them.”

Psytechnic’s Finbow describes the UC landscape as “islands of technology”, rather than a single continent dominated by a single vendor. A typical customer for UC is “a medium-to-large enterprise involved [in UC] at an IP telephony level, but now looking at introducing video conferencing to cut travel budgets and [support] a green agenda.”

“Some organisations are seeing what you can do with this kind of collaborative environment,” he adds, “but few comprehensively follow [any single vendor’s] vision of what UC is. Interoperability is the key to the next phase.”

Vulnerability-over-IP

Voice-over-IP (VoIP) technology remains at the centre of any UC rollout, but once voice becomes data it is vulnerable to the same gremlins that plague the rest of the Internet. Indeed, as UC becomes mainstream, many security experts predict that VoIP has the potential to become a major security headache.

In a survey of UK businesses using VoIP, information communications services company Damovo found that 40% had suffered a financial loss as a result of a security problem with their IP telephony system, with 35% (in businesses of over 400 employees) reporting the loss amounted to over £10,000. Despite this, half said they were unaware of either what telephony fraud was or measures to counteract it, and only 17% said they monitored their voice network constantly.

“As well as financial losses, security breaches which could undermine intellectual property are very real possibilities if the same attention that is given to the data network is not given to voice,” said Damovo’s managing director Nick Dean. “The research shows that there is a distinct lack of awareness within corporations of the need to protect the voice network.”

Perhaps unsurprisingly, VoIP security isn’t a subject many vendors will volunteer for discussion during their sales pitches. Enquiries are generally met with rosy assurances about firewalls and encryption. But the issue made headlines last November when Peter Cox, who co-developed one of the first commercial firewalls while at BorderWare, found new life as a VoIP ‘insecurity’ expert after writing a simple VoIP ‘sniffing’ tool and posting a demonstration on YouTube.

Using a laptop and his proof-of-concept tool ‘SIPtap’ – essentially a customised packet sniffer and Trojan – the video shows him disabling his VoIP phone, making it ring constantly, spamming it with advertisements, recording conversations, cutting them off and drowning the system with denial-of-service flood attacks.

“Obviously I was making things easy for myself for the demonstration,” he admits. “But it’s fairly drastic if you lose your telephone service. Imagine how serious such an attack would be against a call centre, or if the tapped call was the CFO calling the bank.”

In 2006, 23 year-old Miami hacker Robert Moore was charged with stealing 10 million minutes of talk-time from VoIP providers and reselling it at cut-price rates through a front company. “It was so easy a caveman could do it,” he told reporters at the time, after being sentenced to two years for his part in the crime and netting a mere $20,000 of the $1 million haul garnered by the caper. He later revealed that 70% of the companies he scanned were insecure along with 45% to 50% of VoIP providers, mostly through the use of default passwords such as ‘admin’ or ‘Cisco0’.

“Most vendors have optional call security setup or call encryption, but the vast majority [of systems in use] don’t have it even turned on,” says Cox. “Vendors say VoIP is secure but the key thing is that VoIP is a collection of complex applications and protocols. There are vulnerabilities in many products and in many systems already implemented.”

Cisco’s Forster says VoIP should be secured like any other network, and “not just by a firewall”.

“You need active network security rather than just a perimeter, with 128-bit encryption and user authentication. This means you can’t plug another Cisco phone into a socket and spoof the system – every phone must authenticate with the UC manager program.”

Such systems might be secure when they leave the vendor, but whether they are secured and monitored once installed is another issue. In October last year two security experts at the San Diego ToorCon9 hacking conference broke into the host hotel’s network, using an open source tool called VoIP Hopper and a laptop to spoof a Cisco phone and access the hotel’s financial and corporate network. They were also able to record phone calls.

Even encryption is fallible: in June a team from John Hopkins University in Baltimore demonstrated a tool that could extract phrases from an encrypted conversation simply by measuring the size of the packets being sent, with 90% accuracy.

Cox has an even simpler approach. “If I was going to attack a hotel [VoIP system] I wouldn’t attack the network – there’s lots of things they could do to make it difficult for me. Instead my aim would be to get a piece of malicious software on a core system, using a removable USB or an email virus, something specifically crafted that would get through the virus scanner. Then I could listen in to the traffic.”

A compromised phone service is one thing, but experts are warning that UC exacerbates the potential impact of an attack as more and more devices are plugged into the network, from mobile devices to door monitors and CCTV cameras – an issue vendors are reluctant to draw attention to.

“A lot of it has to do with the fact that there is no comprehensive security solution [for UC],” senior IDC research analyst Nora Freedman recently told specialist website searchunifedcommunications.com.

“No vendor is anxious to talk about a strong security solution when none are geared to having a solution,” said Freedman. “No one would put Nortel or Avaya and strong security in the same sentence. Now that Microsoft is in the market, [given that] the major kinds of email attacks have been Microsoft-based, it’s only a matter of time before something happens. If Microsoft enters the game, someone is going to try to take them down.”

Into the future

A survey by Psytechnics estimates that 60% of UC specialists do not believe there are enough staff to cope with the number of deployments, and 74% believe the workforce will need to have training in both networks and voice and video applications.

This shortage of skilled technical staff in the UC sector and the challenges of interoperability suggest the future of the industry may be driven by the systems integrators, service providers and specialist outsourcers as much as the product vendors.

“We’re going to see tremendous outsourcing in UC, most likely to incumbents like BT,” Finbow predicts. “It’s quite clear that the complexity is going to increase and ensuring quality is going to become even harder, so we’re definitely going to see a drive towards managed services.”

Reinecke believes adoption is already “way beyond what we currently believe it is”, driven by the increasing popularity and acceptance of consumer applications like Skype and MSN Messenger.

“UC is taking what the consumer has at home, and unleashing it into the organisation,” he says, explaining that the generation that has grown up with these tools is now questioning why they can’t use them in the work place.

“You can use controls to block them, but it’s not the right thing to do – people will find ways around it,” Reinecke says, predicting that UC will lead the drive to a “community-based workspace”, which for most people “is currently their inbox.”

Finbow even forecasts that UC will emerge as a method of attracting young skilled workers. “The new generation is communicating in different ways that are quite flexible. UC can be a method to attract them,” he proposes.

Unified communications in practice

Allied Carpets

When Allied Carpets’ telecoms contract with BT came up for renewal, IT controller Ken Moss decided the company should shop around and see what it could get for its money.

With 225 stores containing four to five phone lines at a cost of £13-£15 each per month, “the line rental saving [of a VoIP option] was compelling,” he says.

The company chose a five-year managed service agreement with voice and data comms specialist Azzurri Communications, a multi-million pound contract that will provide support, monitoring, maintenance and hosting for the entire service. For Moss, it was “a black box solution” that allowed the business to get on with its job. “We don’t worry about security per se; we will rely on Azzurri,” he says. “Later we may bolt on [things like] video streaming, IP alarms and CCTV.”

The company expects to finish testing the new system in August, and start the roll-out across stores in the following two to three months.

Falmouth University College

Nathan Prisk, head of IT at Falmouth University College in Cornwall, predicts next year is the year UC will take off, but hopes “we will have it by then.”

“We were one of the first higher education institutions to install VoIP,” he says, beginning about six years ago.

A £70m upgrade at the college’s Tremough campus has provided the opportunity for a high-tech UC project. Prisk is not stopping at an IP telephony system; even the doors, lifts, CCTV and fire alarms will be hooked up to the campus’s Cisco network.

“If someone goes through a door they shouldn’t, you can send out an email alert to the security guard who can see the event unfold on the CCTV through his HP iPAQ [mobile device],” Prisk explains.

On the software side, the college chose to implement Microsoft OCS over the more expensive Cisco alternative, bringing in specialist IT and communications specialist Logicalis to handle the integration.

For security, the college implemented Cisco firewalls and boundary protection to pick up viruses before they ever reach the Exchange. Side benefits included “letting us shut down BitTorrent (peer-to-peer client, commonly used for film and music piracy), and deny access to [the highly-addictive multiplayer game] World of Warcraft between the hours of nine and five.”

For Prisk, the project wasn’t so much about ROI as competitiveness. “We need to stay ahead of larger institutions using technology,” he explains.

Related Topics

Unified Communications