A WebRTC Security Primer

There are a number of recurring themes in my blog articles, and security is near the top of the playlist. If you've been a long-time follower of mine, you've read about securing SIP signaling with Transport Layer Security (TLS) and media with the Secure Real-time Transport Protocol (SRTP). I've also written extensively about providing intrusion security with session border controllers. Today I want to spend some time on my latest kick – secure WebRTC.

In case you are new to WebRTC, allow me to give you a one-paragraph definition. However, I highly recommend that novices read my article, WebRTC for Beginners, before tackling this one.

WebRTC is a technology that allows web browsers to send and receive real-time media. With WebRTC, a user can go to a web page and use that web page to make an audio or video call. Media is subsequently sent directly to and from the web browser.

The key word here is directly. There is no requirement that any specialized hardware, such as an SBC, be situated between the web browser and the far-end. One web browser can send and receive real-time video to another web browser across any Internet connection.

Since the Internet is an open, untrusted network, it is imperative that all WebRTC traffic be encrypted before it leaves the user's device. For that, the WebRTC specifications mandate two protocols – DTLS and SRTP. Note that the signaling channel (how the browsers exchange their session descriptions) is deliberately left outside the WebRTC specifications, so it must be protected separately, normally by running it over HTTPS or a secure WebSocket (WSS).

Datagram Transport Layer Security (DTLS) provides communications privacy for datagram protocols. In WebRTC it plays two roles: the DTLS handshake between the two browsers derives the keys that SRTP will use for the media (DTLS-SRTP, RFC 5764), and the data channel runs SCTP directly over DTLS. Each browser proves its identity in that handshake with a self-signed certificate whose hash is sent to the other side in the session description (the a=fingerprint line). That is why the signaling path matters: no eavesdropping or message forgery can occur on a DTLS connection, but an attacker who can alter the signaling could substitute their own fingerprint, so the fingerprint has to reach the far end over a channel that is itself authenticated and encrypted.

DTLS is based on the same principles as its stream-oriented counterpart, Transport Layer Security (TLS), and provides the same level of security. Browsers perform a DTLS handshake on each media transport; with BUNDLE, which current browsers offer by default, audio, video and the data channel share one transport and therefore one handshake. While this handshake (two round-trips in DTLS 1.2) adds some latency to peer-to-peer setup time, it should not be an issue for most connections.


If you've worked with SIP for a while, you should be familiar with the Secure Real-time Transport Protocol (SRTP). Like DTLS, SRTP works with unreliable datagram protocols like UDP. The division of labor is that DTLS handles the key exchange (and carries the data channel), while SRTP protects the audio and video packets themselves.

SRTP encrypts each RTP payload and adds an authentication tag to each packet, so a party that does not hold the negotiated keys can neither decrypt the media nor modify or replay it without detection. With SRTP, your WebRTC voice and video traffic will not be heard or seen by unauthorized parties, even though it crosses an open medium such as the Internet.

Earlier implementations also offered Session Description Protocol Security Descriptions (SDES) as an alternative to DTLS-SRTP. With SDES the SRTP key itself is written into the session description (the a=crypto line), which means anyone who can read the signaling can decrypt the media, so it has quickly fallen out of favor. Google's Chrome browser no longer supports SDES and Firefox has never offered support for it. Both browsers support DTLS-SRTP, which is the mandatory keying mechanism for WebRTC and the ongoing choice.

I mentioned that an SBC is not required for browser-to-browser WebRTC calls. That is most likely not the case with browser-to-PBX communication. In those instances, enterprises will probably want an SBC on their network edge to both protect their network internals and to perform gateway functionality such as WebRTC to SIP.

Mischief Managed

I could certainly go on for quite a bit longer about DTLS-SRTP and WebRTC security, but this should be enough to get you started. The key point is that WebRTC does not trade away privacy for convenience: as long as the signaling path that carries the certificate fingerprints is itself protected, your media stays private no matter how open the network between the browsers might be.

Related Articles:

A Closer Look at MiFID II Recording Requirements

The Markets in Financial Instruments Directive II (MiFID II)—arguably the greatest reform to hit Europe’s financial industry—is finally in effect as of January 3, 2018. This EU legislation serves as a much-needed upgrade from the original MiFID, enacted in 2004, and addresses key issues that resulted from the 2008 global financial crisis.

The directive requires all national governments in the EU to adopt certain laws, which they are free to do in their own way should the resulting effect be the same. Financial services institutions—specifically investment firms, credit institutions and trading venues—are subject to MiFID II, including companies that are headquartered outside of the EU but do business there (for a more thorough overview, see this blog by industry analyst Sheila McGee-Smith).

Recording Regulations: Raising the Bar

Perhaps the greatest impact of MiFID II is the law’s tighter recording regulations. Under the 2004 MiFID directive, there was no mandatory requirement to record communications involving client orders. To ensure fairer, safer and more efficient financial markets, MiFID II now requires firms to record communications (both phone and electronic) for the following investment services:

  • Reception and transmission of orders
  • Execution of orders on behalf of clients
  • Dealing on own account (takes place when a firm puts its own trading books at risk)

The specific customer interactions that are required to be recorded in relation to investment services include:

  • Receipts of client orders
  • Transmissions of orders (both where the investment firm transmits and executes the order)
  • Conclusions of transactions when executing orders on behalf of clients
  • Conclusions of transactions when dealing on own account, regardless of whether a client is involved in the transaction

Important note: MiFID II covers all communications relating to activities intended to result in the conclusion of a transaction or the provision of client order services, even if they do not result in a financial transaction.

Communication of orders placed through channels other than voice—postal mail, faxes, emails, SMS, face-to-face conversations recorded using written minutes—must be stored in a durable medium.

Keep in mind a few rules that apply to this ‘durable medium’:

  • Records must be able to be replayed or copied
  • Records must be retained in a format that does not allow the original to be altered or deleted
  • Firms are required to ensure the quality, accuracy and completeness of all phone records and electronic communications
  • Records must be kept for a minimum of 5 years and, if requested by the National Competent Authority in a specific country, up to 7 years
  • Clients must be notified in advance of recording
  • Records must cover communications made with, sent from or received by equipment provided or permitted by the investment firm (privately-owned equipment used by employees or contractors is not prohibited)

Ensuring Compliancy with MiFID II Recording Regulations

If your business is involved in financial services in any way—even if it's not your main focus (e.g. credit institutions performing investment activities, branches of third-country firms)—you'll need to investigate to understand whether this new legislation will affect you and, if so, what you need to do to comply.

We recommend a thorough review of compliance across all channels (including back office processes) to determine if they meet the new regulations. If not, you’ll need to deploy a workforce optimization (WFO) solution to demonstrate that policies, procedures and management oversight of the new recording and monitoring rules are in place. Here’s what you’ll need to consider in a WFO solution:

  • Continuous recording: This goes for all inbound and outbound voice and other electronic communications based on business rules. You need a WFO solution that will capture, search and retrieve calls, offer encryption for secure storage, and offer pause and resume capabilities.
  • Desktop screen capture: This is an undetectable back-end process that records desktop screen activity during each customer interaction. Supervisors and managers can use this both in the contact center and back office to view customer interactions from beginning to end via synchronized screen and call recordings.
  • Quality management monitoring: Identify and capture areas of non-compliance, while measuring how well employees are delivering services that align with customer experience expectations.
  • eLearning and coaching tools: Bring employees fully up to speed on regulatory changes and any new requirements, as well as correct any non-compliance behaviors.
  • Voice analytics: Proactively identify, measure and isolate areas of non-compliance by mining intelligence from large volumes of recorded calls.
  • Workforce management: Schedule employee compliance training while ensuring you have enough support personnel with the right skills to serve customers.

The greatest threat to reputability, revenue and customer experience is the thought that your technology is “good enough” to meet current needs. Your ability to innovate and grow are hinged on technology that meets the next-gen needs of today, tomorrow and beyond—something that only 24% of companies say their workforce optimization and recording systems achieve.

To complete a thorough review of your current MiFID II processes, connect with Avaya. For a deeper dive into MiFID II (including a few WFO features not mentioned above) download the white paper MiFID II: What Does it Mean for Your Organization?

MiFID II: What Do You Need to Know?

Sheila McGee-Smith is a leading communications industry analyst and strategic consultant with a proven track record in new product development, competitive assessment, market research, and sales strategies for customer care solutions and services. Her insight helps enterprises and solution providers develop strategies to meet the escalating demands of today's consumer and business customers.

If you work in the financial services sector, you’ve likely seen news articles and heard IT, operations and other company managers and executives talking about the impending MiFID II regulation. It’s likely been a topic of conversation for months, if not years. Recently, The Washington Post began an article about MiFID II saying, “The impact of new market rules sweeping across Europe has been likened to motorists suddenly being told they must drive on the other side of the road.”

While the statement may seem like hyperbole to some, for those who work in financial services the statement will have the ring of truth. They have been working for years to create and refine practices and systems to be compliant with a European Union directive that became effective January 3, 2018: the Markets in Financial Instruments Directive II or MiFID II.

An original MiFID was enacted in 2004, prior to the 2008 global financial crisis. Ad hoc changes were made by individual countries to address issues that resulted from the crisis. These issues are being addressed through MiFID II, which harmonizes the rules for all firms with EU clients, across all countries. The main goals of the MiFID II are:

  • Customer protection
  • Increased financial product governance
  • Unbundling of advice from the sale of financial instruments
  • Broader scope of supervision to include equity and non-equity trading
  • Firms must take “all sufficient steps” to ensure that transactions are executed in the best interest of customers
  • A considerable increase in the requirements for transaction data reporting

From an enterprise communications perspective, the aspect of MiFID II which is relevant is that it requires the capture of all communications and orders intended to lead to an execution of a trade, even if the transaction is not actually finalized during the interaction.

Penalties for non-compliance are set by the regulatory agencies in each European Union country. The first fine for non-compliance of the 2004 MiFID directive was given out to Barclays for inaccurate transaction reporting. Barclays’ fines totaled £2.45 million for their inaccuracies between 2006 and 2008. Since then, published reports say that banks have paid over $204 billion in compliance-related fines and infractions.

Every day, millions of transactions are reported by hundreds of trading venues, for thousands of different financial instruments. As a result, the potential for individual company fines of tens of millions of dollars is very real.

If, like so many companies, you are not sure if your current recording procedures will be sufficient to meet the requirements of MiFID II, the time is now to prioritize an assessment. Businesses need a comprehensive review of their compliance across all channels – phone, email, and SMS – to meet the new regulations. In addition, they need to demonstrate that policies, procedures and management oversight of the MiFID II recording and monitoring rules are in place.

If this post has made you wonder whether MiFID II regulations apply to your firm or what types of transactions need to be recorded and which do not, download the white paper MiFID II: What it Means For Your Organization? It gives a more extensive review of the MiFID II regulations and answers questions about what geographies are impacted, what types of firms are affected and how the new transaction recording rules are different from the rules in effect today.

Avaya Ready to Emerge from Chapter 11

Today is a new day for Avaya—and for our partners and customers. It is also a day that we have been planning and preparing for since we filed for chapter 11 last January. Now that we have the green light from the Court to begin our exit from chapter 11, we are ready to emerge as a stronger, healthier company, with amazing growth potential for our customers, partners and our people.

We have greater freedom to invest. We will emerge from chapter 11 with reduced debt and increased cash flow, giving us greater opportunities to invest in people, processes, and game-changing innovations.

We have re-engineered our operations. We are now sharply focused on accelerating innovation and delivering solutions with greater relevance for our customers and partners. We are committed to making it easier for customers and partners to do business with Avaya and to delivering excellence in execution—Avaya will be the company that says what it will do and does what it says.

We have modernized our technology. For the past 12 months, we have been focused on advancing our core platforms, making them faster and simpler to adopt and integrate new functionalities and leverage emerging technology trends. We are expanding our ability to meet the transforming needs and priorities of our customers with greater speed and agility—and enable them to create the outstanding experiences that inspire loyalty in their customers.

We have done all this with one goal in mind—to be ready to emerge from chapter 11 and move forward stronger than ever.

At Avaya, we’re ready to seize the day because we believe we are going to deliver a better tomorrow for our partners, our customers, and our people. We’re looking forward to sharing more about the new Avaya in the weeks and months to come.