Modern Enterprise Voice Security Controls: An Interview by Dr. Edward G. Amoroso, with Nigel Jones
In conjunction with the release of the 2017 TAG Cyber Security Annual, Dr. Edward G. Amoroso, CEO of TAG Cyber, interviewed Nigel Jones, CEO of KoolSpan, to provide insight on modern enterprise voice security controls.
Most of the attention in cyber security over the past few years has focused on data security controls. And this is understandable, given the number of highly visible enterprise break-ins and data exfiltration cases that have occurred. But the requirement remains that voice communications must be properly protected, and while carriers have done an admirable job improving controls through improved standards, considerable privacy gaps remain, especially for traveling executives. These privacy gaps are best addressed through a combination of encryption, key management, and related security controls for traditional and over-the-top voice security communications.
EA: What are the typical requirements you see from executives for voice security?
NJ: The requirements fall into several categories: security, user experience, and for some, enterprise features. When it comes to security, people want to know that their calls and texts are protected end-to-end with proven, strong encryption. For user experience, a high-quality, easy-to-use, convenient solution is important. The drawback of most secure communications solutions is that they sorely lack a quality user experience. Our philosophy regarding TrustCall is that if a secure call is as high quality and as easy to use as a regular phone call, then why would anyone ever opt to make an insecure call? When it comes to enterprise features, people ask for a solution that fits into their existing environments, so that it can be easily integrated via APIs into their ERP, CRM, Provisioning, MDM and other systems.
EA: Do you see international travel as a major driver in the voice security marketplace?
NJ: Absolutely. It almost does not matter in what industry they operate, from finance to construction, energy, manufacturing, retail, and many others. International travelers inevitably are targeted by regional actors, whether the local government, competitors, organized criminals, or hacktivists. Every international business traveler should assume that everything he or she says in their phone calls and everything they text will be intercepted and potentially used against them. I can tell you many stories. In one example, we have a client whose business development people were talking on their cellphones in a Latin American country about the bid they were going to submit the next day for a regional contract. It turns out that they lost to a competitor who, they believe, listened to their conversations, and then slightly underbid them to win the business.
EA: What are the advantages of software-based encryption over hardware? And I guess I should ask the reverse question as well since hardware has always played an important role in cryptography?
NJ: Historically there was a big difference and encryption purists argued that a hardware anchor was critical. Today, the reality is that they are converging in that sophisticated software encryption can rely on other anchors, including the devices themselves and the secure elements of the chips in the devices. At KoolSpan we offer both solutions, and they are interoperable.
EA: Do you see more compliance auditors starting to require voice security in their security requirement frameworks?
NJ: Yes, and it is happening with astonishing speed. Only a few years ago, voice security was a niche market, serving principally government and defense organizations. Two things have expanded the market. First, the cost and level of sophistication required to intercept mobile communications have plummeted. Today, a non-techie can intercept phone calls and texts with equipment that costs less than $2,000. As the cost came down, the volume of attacks has increased dramatically. The second is that the market is much more aware today of attacks on mobile communications via, it seems, a regular drumbeat of high-profile attacks and increasing media coverage. Today, it is fair to say that encrypting mobile communications is a “best practice” and I believe in the relatively near future it will be mandated.
EA: Have we reached the point where “voice” is essentially synonymous with “mobile?” Or do you still see businesses requiring security for landline voice communications?
NJ: No doubt they are becoming synonymous. That said, we do not see landline voice communications going away. For that reason, we offer TrustBridge, so one can make a secure call from mobile into the corporate environment and vice-versa.
EA: What do you see as the role of OTT communications applications in the modern enterprise? Will they become more important and will they require encryption?
NJ: Depends on how you define OTT and the various parties involved. We believe that communications will be delivered differently to varying segments of the market. Many TrustCall customers today prefer to implement their solution “as a service,” and for them, we provide the TrustCall Global Service, so there is no customer infrastructure or capital expenditures. By the way, we have carrier partners globally that sell TrustCall to their customers as a service. Many other customers, including some enterprises and most defense, law enforcement, and other government organizations prefer to control their own communications system, so they can protect not only their data but also control the metadata. This second set of customers purchase TrustCall DIRECT. We help these customers deploy the necessary infrastructure on their premises or in their private cloud, provide training and support, so the customer can manage their communications system directly.