My first reaction was: "If I was in charge, I would probably have provided our enterprise telecom records to the Feds, but would have sought legal advice for limits and restrictions on its use and storage." The proliferation of big-data-driven analytics has changed the way that government and enterprises do their jobs. In the past, large data files were difficult or impossible to analyze economically. Today, the scary part is not that our own government would do the wrong thing, but that it awakens our sensitivity to corporate espionage… both the good guys and bad guys know how to leverage these technologies.
Some may read this article and conclude that it enables bad behavior. I believe that the bad guys already know how to take advantage of legacy telecom infrastructure and they already know how to use advanced telecom infrastructure to hide their activity. That said, this is an effort to inform the good guys about how to protect themselves.
So, if you are going to protect your enterprise communications networks and records from unauthorized access, then where would you start? Having built many communications networks in the last 30 years, my advice is:
1. Do not publish anything about your efforts on any electronic media until you have a face-to-face discussion with your boss and agree upon a series of code words that can be used in any future electronic communications. The most important part of keeping a new method of communications secret is to mask its existence. The government uses this same tactic: The FISA Court order to Verizon specifically instructs the carrier to deny the existence of the program.
2. Plan for how to handle any inquiries from the press or government regarding the construction or use of a private, point-to-point, encrypted, virtual and anonymous communications network. My experience is that a prototype, highly secure WebRTC network can be built for a small number of users in a matter of a couple of weeks. The prototype can be built in a secure, private environment, then rapidly moved to its permanent location at a later date. The only thing that needs to be exposed to the network (private or public) is a single webpage for directory services. This can be local to the machines that connect to the network or hosted on the Web. There are multiple options for securing this page.
3. Use this network to plan and build secure communications and collaboration tools that fit the needs of your enterprise.
4. Do not put anything into the public or private hosted cloud.
Why use WebRTC to thwart the bad guys?
WebRTC is a peer-to-peer architecture. This means that the network can operate without aggregation points (think Verizon). Because aggregation points are not necessary, it will be more difficult for anyone with malicious intent to gather network-wide information.
WebRTC uses Secure RTP for transmission of content. This encrypts the content but not the headers. Additional encryption applications are necessary to mask the headers and signaling.
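To make concrete which metadata stays readable on the wire, the following added example (not code from the original article) parses the parts of an SRTP packet that RFC 3711 leaves unencrypted: the fixed RTP header, the CSRC list and the header extension. The sample packet and all of its values are constructed for illustration.

```python
import struct

def parse_srtp_cleartext(packet: bytes) -> dict:
    """Return the fields an on-path observer can read without the SRTP keys."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc = b0 & 0x0F                      # number of CSRC entries
    offset = 12 + 4 * cc
    if len(packet) < offset:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack("!%dI" % cc, packet[12:offset]))
    ext_profile = None
    if b0 & 0x10:                       # X bit: a header extension follows
        if len(packet) < offset + 4:
            raise ValueError("truncated extension header")
        ext_profile, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words     # extension is authenticated, not encrypted
        if len(packet) < offset:
            raise ValueError("truncated extension body")
    return {
        "payload_type": b1 & 0x7F,      # hints at the codec in use
        "marker": bool(b1 & 0x80),
        "sequence": seq,                # reveals packet rate and loss
        "timestamp": ts,                # reveals media timing
        "ssrc": ssrc,                   # stable per-stream identifier
        "csrcs": csrcs,
        "extension_profile": ext_profile,
        "protected_offset": offset,     # encrypted payload and auth tag start here
        "protected_length": len(packet) - offset,
    }

def build_sample() -> bytes:
    """Constructed packet: V=2, X=1, marker set, PT 111, one extension word."""
    header = struct.pack("!BBHII", 0x90, 0x80 | 111, 4660, 160000, 0xDEADBEEF)
    extension = struct.pack("!HHI", 0xBEDE, 1, 0x10AA0000)
    opaque = bytes(range(32)) + b"\x00" * 10   # stand-in for ciphertext + auth tag
    return header + extension + opaque

if __name__ == "__main__":
    for name, value in parse_srtp_cleartext(build_sample()).items():
        print(f"{name}: {value}")
```

Combined with the IP addresses and ports of the carrying UDP datagram, these fields are what the additional header-masking layer mentioned above would need to cover.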
WebRTC does not use the PSTN carrier telecommunications infrastructure. It uses a URI-based addressing mechanism that is highly portable and can be housed on any digital infrastructure. This eliminates the opportunity for the carrier to possess your information, thus removing your enterprise information from the purview of telecom carrier scanning programs.
Right now there are over one billion WebRTC-enabled browsers (Chrome and Firefox) in use globally. No special client is necessary and maintenance costs are an order of magnitude lower than the legacy VoIP/PSTN.
Websites can be housed locally on a few machines and exposed only to the local user. The point is that communications addresses can be located on the hard drives of two or more machines, and those machines can attach to the network autonomously and communicate peer-to-peer without the need for anything but DNS and an IP connection for each device. They can communicate with each other over secure, encrypted, point-to-point sessions that are virtual and anonymous. In other words, these machines can be the proverbial “needle in the haystack.” Additional encryption technologies can be layered on this network, making it virtually undetectable and secure.
Alternatively, enterprises may choose to publish a Web directory. For security purposes, the records of use of this network should be stored on a different machine. This will force inquiring minds to ask permission first for any information related to your enterprise communications, which is what we all want in the first place.
Edited by Rich Steeves