Evaluating Cost of Security—Cost Versus Risk
The best way to put forth cost versus risk in implementing IP Telephony Security is a single phrase, “There’s no such thing as a free lunch.”
There’s a cost for everything, whether it is setting up your IP Telephony network or securing it. In the context of cost, consider the following:
- What do you think is the cost to secure your IP Telephony network?
- What should you do to minimize the cost and maximize the security? In other words, how do you avoid putting the lifeline of your organization, the communications network, at risk while still reducing the cost of securing this asset?
It is sometimes complicated to calculate the ROI of the security implemented for your IP Telephony network. However, the damage caused by the absence of effective security controls is far greater than the cost of implementing them. Figure 4-4 depicts the analytic details of the cost of security.
Figure 4-4. Cost vs. Risk Evaluation
Two factors contribute to the overall cost of security for an IP Telephony system:
- Cost of IP Telephony Security
- Cost of IP Telephony Security breach
Cost of Implementing IP Telephony Security
The first factor is the cumulative cost of all system security components: for example, the costs to set up Certificate Authentication Proxy Function (CAPF) with a third-party certificate to encrypt media and signaling, to administer user accounts and passwords, and to set up and operate routine data backup and recovery procedures. In the long run, if planned properly, this cost pays off quite well.
Cost of a Security Breach
The second factor is the expected cost (damages) resulting from IP Telephony security breaches: for example, damage to the organization’s reputation, the cost of recovering damaged IP Telephony information, and the cost of losing data to a competitor. This is the cost that would be incurred if the IP Telephony system were compromised and sensitive and critical data, such as call records, recordings, and customers’ data, were destroyed or exposed to the wrong people.
Thus, any organization using IP Telephony can be expected to invest rationally in security controls for its IP Telephony system (as long as the money is invested judiciously), and as a result the expenditure on damages from security breaches should go down.
As described in RFC 2196, “The Site Security Handbook”:
One old truism in security is that the cost of protecting yourself against a threat should be less than the cost of recovering if the threat were to strike you. Cost in this context should be remembered to include losses expressed in real currency, reputation, trustworthiness, and other less obvious measures.
How to Balance Between Cost and Risk
With the preceding discussion about the cost of security in context, let’s look at the cost versus risk evaluation and understand how it can affect your decision to implement security controls in your IP Telephony network. Figure 4-5 illustrates the principle that “Security is a balance between cost and risk.”
Figure 4-5. Security Is a Balance Between Cost and Risk
As you can discern, the cost of implementing a security control and process increases from left to right. The security implemented in an IP Telephony network can be broadly grouped into three categories: low, medium, and high.
Let’s explore what each of these covers and the trade-off between investing heavily and not investing in IP Telephony security:
- Low (or default level of) security: As is evident, a low level of security costs little or nothing. This level of security is provided by default by IP Telephony applications and network elements; as a matter of fact, it is just a matter of enabling it on an IP Telephony application or an underlying network component. Although this level of security might be right for networks considered low profile, or networks where intrusion and breaches would not interest hackers, it is also an open invitation for attacks.
- Medium (or moderate level of) security: This level requires a moderate level of investment (not only in terms of cost but also in terms of increased complexity). At this level, the investment in security (fiscal and manpower) is higher than at the default security level; however, it provides a much better security level for organizations (from SMBs to enterprises) where security breaches of the IP communication network are almost imminent. The investment, in both manpower and cost, pays off in the long term because the assets are protected and the chances of damage from malicious attacks from inside or outside are minimized.
- High (or maximum level of) security: This is the most secure level to which an IP Telephony network can be elevated, and it may require a lot of planning and investment. The result is an IP Telephony solution that is secure end-to-end. This kind of deployment is recommended for highly secure environments; however, it can also be opted for by organizations where cost and manpower are secondary to security concerns. At the maximum security level, the monetary cost also goes up to ensure that performance does not dip because of encryption overhead. To counter this, more equipment might be required (for example, an increase in CUCM cluster size, or the use of dedicated hardware encryption modules in IOS gateways instead of software encryption).
With this discussion in view, you can start thinking about the cost of implementing versus not implementing security in your IP Telephony network and make a conscious decision on how you will go about securing your IP Telephony network.
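As an added illustration (not from the book), the RFC 2196 truism and the three security levels above can be turned into a small decision model: each level is costed as control spend plus expected breach loss (the two factors of Figure 4-4), and moving up a level is justified only when the extra protection cost is below the loss it avoids. All cost and probability figures are constructed, and the model simplifies by letting controls lower only breach probability, not breach impact.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class SecurityLevel:
    """One of the three levels from the text, with constructed (hypothetical) figures."""
    name: str
    annual_control_cost: float   # CAPF/certificates, hardware modules, admin man-hours
    breach_probability: float    # estimated yearly likelihood of a compromising breach
    recovery_cost: float         # cost to recover damaged IP Telephony data/services
    reputation_cost: float       # reputation damage if call records/recordings leak
    data_loss_cost: float        # value of data lost to a competitor

    def single_loss_expectancy(self) -> float:
        # Loss incurred by one breach: the damage components named in the text.
        return self.recovery_cost + self.reputation_cost + self.data_loss_cost

    def annual_loss_expectancy(self) -> float:
        # Expected yearly breach cost; controls are modelled as lowering probability.
        return self.breach_probability * self.single_loss_expectancy()

    def total_annual_cost(self) -> float:
        # Cost of security plus cost of breaches: the two factors of Figure 4-4.
        return self.annual_control_cost + self.annual_loss_expectancy()


def upgrade_is_justified(current: SecurityLevel, candidate: SecurityLevel) -> bool:
    """RFC 2196 truism: added protection cost must be less than the loss it avoids."""
    extra_cost = candidate.annual_control_cost - current.annual_control_cost
    avoided_loss = current.annual_loss_expectancy() - candidate.annual_loss_expectancy()
    return extra_cost < avoided_loss


def choose_level(levels: Sequence[SecurityLevel]) -> SecurityLevel:
    """Pick the level where cost of security plus expected breach cost is lowest."""
    return min(levels, key=lambda lvl: lvl.total_annual_cost())


def levels_for(data_loss_cost: float) -> List[SecurityLevel]:
    """Constructed figures: only breach probability and control spend differ by level."""
    return [
        SecurityLevel("low", 0, 0.50, 200_000, 300_000, data_loss_cost),
        SecurityLevel("medium", 60_000, 0.10, 200_000, 300_000, data_loss_cost),
        SecurityLevel("high", 250_000, 0.02, 200_000, 300_000, data_loss_cost),
    ]


if __name__ == "__main__":
    for dl in (100_000, 5_000_000):   # an ordinary SMB vs. a high-profile environment
        lv = levels_for(dl)
        best = choose_level(lv)
        print(f"data loss {dl:>9,}: best level = {best.name}, "
              f"total {best.total_annual_cost():,.0f}; "
              f"medium->high justified: {upgrade_is_justified(lv[1], lv[2])}")
```

With these figures the medium level wins for the ordinary case, while raising the value of the data at stake makes the high level the cheapest overall, which is the text's point that maximum security suits environments where the breach cost dwarfs the control cost.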
To address the second question, about the level of security, the next section evaluates the level of security required for your IP Telephony network, so that you can then understand the cost versus risk trade-off in terms of complexity versus security level. The same matrix will be used to describe the level of security, the complexity, and the manpower or man-hours required to implement the various levels of security for different IP Telephony networks.