Most attention in cyber security over the past few years has focused on data security controls. And this is understandable, given the number of highly visible enterprise break-ins and data exfiltration cases that have occurred. But the requirement remains that voice communications must be properly protected, and while carriers have done an admirable job improving controls through improved standards, considerable privacy gaps remain, especially for traveling executives. These privacy gaps are best addressed through a combination of encryption, key management, and related security controls for traditional and over-the-top voice security communications. I had the opportunity to sit down with my friend and colleague Nigel Jones, CEO of Koolspan to pick his brain on the growingly important issue.
EA: Nigel, what are the typical requirements you see from business executives for voice security?
NJ: The requirements we see fall typically into the following categories: Security, user experience, and for some, enterprise features. When it comes to security, people want to know that their calls and texts are protected end-to-end with proven, strong encryption. For user experience, a high quality, easy to use, convenient solution is important. The drawback of most secure communications solutions is that they sorely lack a quality user experience. Our philosophy regarding TrustCall is that if a secure call is as high quality and as easy to use as a regular phone call, then why would anyone ever opt to make an insecure call? When it comes to enterprise features, people ask for a solution that fits into their existing environments, so that it can be easily integrated via APIs into their ERP, CRM, provisioning, MDM, and other systems.
EA: Do you see international travel as a major driver in the voice security marketplace?
NJ: Absolutely. And it almost does not matter in what industry they operate, from finance services to construction, energy, manufacturing, retail, and many others. All international travelers inevitably are targeted by regional actors, whether the local government, business competitors, organized cyber criminals, or even hacktivists. Every international business traveler should assume that everything he or she says in their phone calls, and everything they text to others, will be intercepted and potentially used against them. I can tell you many stories. For example, we have a client whose business development people were talking on their cellphones in a Latin American country about the important bid they were going to submit the next day for a regional contract. It turns out that they lost to a competitor whom, they believe, listened to their conversations, and then slightly underbid them to win the business.
EA: What are the advantages of software-based encryption over hardware? And I guess I should ask the reverse question as well, since hardware has always played an important role in cryptography.
NJ: Historically there was a big difference between hardware and software-based encryption, and the encryption purists argued that a hardware anchor was critical. Today, the reality is that they are converging, in that sophisticated software encryption can rely on other anchors, including the devices themselves and the secure elements of the chips in the devices. At KoolSpan we offer both solutions, and they are interoperable.
EA: Do you see more compliance auditors starting to require voice security in their security requirement frameworks?
NJ: Yes, and it is happening with astonishing speed. Only a few years ago, voice security was a niche market, serving principally government and defense organizations. But two things have expanded the market. First, the cost and level of sophistication required to intercept mobile communications has plummeted. Today, a non-techie can intercept phone calls and texts with equipment that costs less than two thousand dollars. As this intercept cost came down, the volume of attacks has increased dramatically. And second, the global enterprise market is much more aware today of attacks on mobile communications via, it seems, a regular drumbeat of high profile attacks and increasing media coverage. Today, it is fair to say that encrypting mobile communications is a well-recognized best practice and I believe that in the relatively near future it will be mandated by enterprise security teams in all government and business sectors and for organizations of every size and shape.
EA: Have we reached the point where “voice” is essentially synonymous with “mobile?” Or do you still see businesses requiring security for landline voice communications?
NJ: There is no doubt that voice and mobile are becoming synonymous. That said, we do not see landline voice communications going away. For that reason, we offer TrustBridge, so one can make a secure call from mobile into the corporate environment and vice-versa.
EA: What do you see as the role of OTT communications application in the modern enterprise? Will they become more important and will they require encryption?
NJ: It depends on how you define OTT and the various parties involved. We believe that communications will be delivered differently to varying segments of the market. Many TrustCall customers today prefer to implement their solution “as a service,” and for them, we provide the TrustCall Global Service, so there is no customer infrastructure or capital expenditures. By the way, we also have carrier partners globally that sell TrustCall to their customers as a service. Many other customers, including some enterprises and most defense, law enforcement, and other government organizations prefer to control their own communications system, so they can protect not only their data, but also control the metadata. This second set of customers will purchase TrustCall DIRECT. We help these customers deploy the necessary infrastructure on their premises or in their private cloud, and we provide training and support, so the customer can manage their communications system directly.