This tip, which originally appeared on SearchMobileComputing.com, provides value-added resellers (VARs) and consultants with a thorough discussion of the factors to consider when deciding whether or not Skype is the right solution for your enterprise customer's mobile workforce. From cost analysis to security concerns, Lisa Phifer tackles many important questions in the article that follows.
Many companies are deploying voice over IP (VoIP) to cut onsite communication cost by converging voice and data onto the same internal network. But offsite, VoIP presents a different cost/benefit equation: whether a mobile worker uses a traditional cell phone or a VoIP phone, there's an ISP/carrier bill to be paid. The big benefit, as millions of Skype users have found, is elimination of distance-sensitive toll charges. Many mobile workers now use Internet VoIP services like Skype while on the road, without racking up huge long distance bills. But should enterprises permit or even embrace Skype use by mobile workers? Here are some factors to consider.
The Skype skinny
Skype is a "Global P2P Telephony Company" recently acquired by eBay. The basic Skype service supports free Internet-based voice calls between Skype users located anywhere in the world. Skype's Win32, Mac OS X, or Linux software can be installed on an Internet-connected laptop or desktop, outfitted with a microphone/speakers, headset, or a USB/Wi-Fi Skype phone. Alternatively, Skype's Pocket PC software can be installed on a Windows Mobile 5 PDA, connected to the Internet via Wi-Fi or 3G data. Either way, Skype operates as a proprietary peer-to-peer VoIP service, with call set-up brokered through Skype "super nodes."
So what's in it for Skype? Calls between Skype users may be free, but off-network calls and related services (e.g., voicemail, SMS, hotspot Wi-Fi, teleconferencing) are not. SkypeOut credits are required to pay for calls placed to non-Skype numbers (landlines, cell phones), although calls within the U.S. and Canada are free through 2006. A SkypeIn number must also be leased to receive incoming calls from non-Skype users. If you make frequent or lengthy long-distance calls, Skype may slash your telecom bill. But do the math before you assume that Skype will save you money. In particular, mobile Skype users must factor in 3G wireless costs -- or make calls only when connected to Wi-Fi.
Skype for business
Skype can infiltrate your company in two ways: through the front door, as a corporate-paid service, and through the back door, as unauthorized software installed by employees on business assets, or used from within business networks.
Let's start with the front door. Skype recently announced "Skype for Business" -- a re-packaging of Skype services for sale to companies, either directly (today) or through partnership with remote-access service providers (future). About 30% of Skype customers are already using the consumer service for business, so it makes sense for Skype to recognize and encourage that trend. The Skype for Business control panel lets a company pay for Skype services that can be shared across workgroups. A new Skype for Business Web site provides dedicated support for business customers, and third-party Skype hardware and services are being developed for businesses -- for example, the Actiontec Vosky Exchange that supports Skype calls through your PBX and the Plantronics Voyager 510 Bluetooth voice adapter that can be used for both cellular and Skype calls.
Despite these steps, Skype for Business means small business, not large enterprise. Skype CEO Niklas Zennstrom made this crystal-clear when speaking at the VON Europe conference in May 2006. "We will continue to bring out features useful to business users," he said. "What we've not done is an enterprise-wide solution, and that's not our intention." (IDG News Service)
Why use Skype for Business? Skype users can easily see whether other users are online, using voice, instant messaging, and conference services to communicate with co-workers. Traditional VoIP barriers such as Network Address Translation (NAT) traversal and specialized SIP/H.323 phones are absent with Skype, making it easier to deploy Skype to both fixed and mobile users. Reduction in toll charges speaks for itself in large, highly distributed workforces. A mobile worker who already carries a 3G-capable PDA or laptop can reuse that paid-for platform for long conference calls or quick questions to those back at the office.
On the flip side, Skype for Business does require an Internet connection. For mobile workers who don't already have an unlimited 3G data plan, Skype may not be a good enough reason to pay for one. Although Skype can work over slower Internet links, high-speed Internet connections are more reliable -- but not available everywhere. From a "big picture" perspective, Skype lacks functionality that many enterprises need, such as hunt groups, central call logging/audit support, QoS controls, and high availability. And the proprietary nature of Skype raises concerns about single-sourcing and security.
Skype for mobile workers
Even if corporate-sponsored Skype is not for you, there is still the question of whether to allow or ban consumer Skype use by individual workers. Scenarios to consider include (1) corporate network use by employee-owned devices making Skype calls, (2) installation of Skype software on company-owned devices, and (3) using Skype to carry business voice and instant messages.
- Skype consumes bandwidth, just like any other real-time protocol. Skype voice traffic is encrypted, so companies have no ability to control or audit the content that Skype carries through corporate firewalls. Skype "super nodes" have a bigger impact on firewall performance and WAN bandwidth because they serve as communication hubs, helping Skype users find each other. In other words, Skype can lower caller cost by borrowing network and system resources from around the globe. Do you want your corporate network to donate to this cause?
- Skype is a proprietary P2P program that communicates over the Internet. As such, Skype presents the same risks associated with permitting employee installation of other commercial P2P programs. For example, employees must exercise caution to avoid being victimized by phishing emails and offers for phony Skype "helper" software and services such as FANBOT and LOOKSKY. To prevent unwanted calls, teach employees to use Contact and Authorization lists and to be judicious about the information included in their public Skype profile. Leverage anti-virus and personal firewall software to scan files received from other Skype users, and block packets that try to exploit Skype bugs. (For a current list, search cve.mitre.org for Skype, or check Skype's own security bulletins.)
- When employees use Skype to convey business voice or data, you must consider whether Skype satisfies your corporate security policy. Many companies have detailed policies for data but simply assume that carriers provide adequate security for voice. VoIP and other real-time communication protocols pose many new threats and thus frequently require policy changes to address new business risks. But Skype poses a special challenge because it is a proprietary protocol that uses proprietary cryptographic algorithms. According to Skype's Web site:
"Skype uses AES (Advanced Encryption Standard) – also known as Rijndael – which is also used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates."
Beyond this, you must simply trust that Skype has implemented a robust security system. Many third-party security reports have been written about Skype: see [PDF1] [PDF2] [PDF3] [PDF4]. But the fact remains that Skype has not been scrutinized by the security industry and so remains somewhat of a "black box." For some companies, this is acceptable; for others, it may not be. If your security policy can be satisfied by Skype, define an acceptable-use policy that explains safeguards to be used with Skype -- for example, recommended password rules and public profile guidelines.
Companies that decide to block Skype should take all three scenarios into consideration. For example, Windows Group Policy Objects could be used to prevent unauthorized installation of Skype (or any other banned program) on a corporate laptop or desktop, and a similar policy enforcement measure could be applied to PDAs. Consult your perimeter firewall/IPS vendor for new application plug-ins designed to filter or apply rate limits to Skype. You may not be able to stop mobile employees from making business calls on personal PDAs, using personal Skype accounts, but you can take steps to educate them about associated risks and safety guidelines. To learn more, consult the "Staying secure with Skype" user guide, the "Skype privacy" FAQ, and the Skype Network Administrator Guide.
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.