Business Disruption in Document Communications – What Happened?

In the late 1990s, the Internet and the World Wide Web created massive technical disruption for the worlds of document communications and messaging. Now, nearly twenty years later, business communications looks much different than it did going into the Millennium and once major businesses such as the marketing of enterprise fax machines are deep into their long tail phase. In my last post, I noted several trends in both fax and email as the related standards communities pushed to transform these technologies for the new IP world. Let’s look at what happened.

One major driver of the success of fax in the Nineties was the classic network effect as postulated by Ethernet inventor Robert Metcalfe. In essence, Metcalfe had stated that a network became much more compelling as the number of connected devices increased.  In the Nineties, the fax machine vendors and computer fax companies were often on opposing sides in technical battles, but all of these companies benefited from Metcalfe’s network effect as it applied to the overall fax network. But as we crossed into the 21st century, fax machines designed to run on the circuit-switched phone network (aka the Public Switched Telephone Network or PSTN) had much less utility in an increasingly IP network connected world. As a result, physical fax machines began to disappear from larger enterprise offices and in smaller offices, they were often replaced by less expensive multi-function peripherals (MFPs), which were basically printers that also included fax and scanning features. This meant that the number of Group 3 fax devices in total at first plateaued and then began a decline. In essence, Metcalfe’s network effect played out in reverse. The fax machines and MFPs of the Nineties did not evolve to use the new IP fax standards, so as document communications moved to IP, these physical fax or MFP devices still only sent faxes over the PSTN and were less connected as IP communications became more prevalent.

If we consider the trends in computer-based fax, they played out differently. Companies like Brooktrout sold fax boards to independent software developers and the boards were incorporated in local area network solutions. These solutions also typically included tight integration with email.  By 2004, Fax over IP enabling technology started to be commercialized, using the ITU-T T.38 IP fax standards. T.38 had some technical issues, but it could use the same call control protocols — SIP, H.323 and H.248 — that were being adopted by the new Voice over IP networks, so T.38 became a popular choice for conveying fax over these VoIP networks. By contrast, the T.37 approach of Internet Fax over Email did not get much adoption, most likely because it didn’t mesh very well with Voice over IP.  The computer-based fax solutions that ran on Local Area Networks continued to have healthy growth in the first decade of the 2000s in large part due to the continued validity of fax as a legal document, perceived security compared to use of email over the Internet, a slow rampup in the use of digital signatures on other electronic documents and regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which meshed well with receiving fax documents in electronic form (rather than on a paper tray).

During the same period, email use continued to grow, but rising issues such as lack of security and massive amounts of spam made the use of email outside of corporate subject to a number of hassles. As noted above, electronic signatures started to become available as a legal alternative to fax signatures, but didn’t gain widespread use until the past few years. As a result, enterprises tended to standardize on a particular commercial email package and communicate whenever possible over secured private IP networks and by making use of security tools such as Virtual Private Networks (VPNs).

Now, in 2018, the messaging world is highly fragmented. Large enterprises have tended to choose unified communications eco-systems from large players like Microsoft, Cisco and Avaya, but even these solutions are rapidly evolving as the momentum is shifting toward pushing enterprise communications into the Cloud.  Hence, Microsoft is shifting its emphasis from Lync to Skype for Business and now onto Teams and other vendors such as Cisco are doing much the same.  Upstarts such as Slack have started by offering cloud-based team communications and have forced reactions from the traditional Unified Communications players.  As messaging has evolved, voice is now becoming less important and fax is now more of a niche play.  One thing I don’t see too much of is the use of business communications that can effectively cross the boundaries between organizations. In theory, Cloud-based communications could get us there, but the vision of the late Nineties of being able to communicate documents and other types of media effectively across the entire Internet has been hobbled by security, privacy and spam issues. We’ll have to see if the Cloud and better cross-network security mechanisms could form the foundation for approaches that will be superior to today’s highly balkanized communications landscape.

If you or your company have participated in the massive changes to the communications eco-system since the 1990s, feel free to weigh in with comments. If you’d like to explore strategies on how to evolve your application solutions or other communications products and services to better address the rapidly changing business environment, you can reach me on LinkedIn or on our web site.

Advertisements

Secure IP Fax – Now Standard

Last fall, I blogged about a pending standard for securing facsimile communications over IP networks here and I spoke about this progress at the SIPNOC conference. Since that time, the standard, known as RFC 7345 has been approved by the Internet Engineering Task Force. The availability of a standard is very good news. There’s a common perception that fax isn’t used anymore, but there are a number of business to business (B2B) and consumer applications where fax still is common, including real estate, insurance, health care and legal applications. There are also a number of companies which provide fax by selling equipment, fax enabling technology, software or a hosted service.

So why should people or companies care about securing IP fax? Increasingly, most of our real time communications, whether by voice, fax, text or video, are transported over IP networks. Very often, they will travel over the Internet for a portion of their journey. The Internet is ubiquitous, but fundamentally unsecure unless the application or the transport layers provide security. Security can mean many different things, but is often referring to solutions for needs which include privacy, authentication and data integrity. The new RFC 7345 is designed to support these types of requirements by applying a standard known as Datagram Transport Layer Security (DTLS). One of the key reasons that the Fax over IP RFC uses DTLS is because the T.38 IP fax protocol most typically formats its signals and data using the User Datagram Protocol Transport Layer (UDPTL), unlike most real time media, which use the Real Time Transport protocol (RTP).  DTLS was designed to provide security services with datagram protocols, so it’s a good fit for T.38 IP fax.  The current version of DTLS is 1.2, which is defined in RFC 6347.

Getting a standard approved is really only the beginning. In order to get traction in the marketplace, there needs to be implementations. For example, T.38 was originally approved in 1998 by the International Telecommunications Union, but implementations did not become common until many years later, starting around 2005. In the time since, T.38 has become the most common way to send fax over IP networks and its been adopted by most of the fax eco-system.  On the plus side, a key advocate for the new standard is the Third Generation Partnership Program (3GPP), which is the standards group that drives standardization of services which will run over mobile networks, such as the emerging Long Term Evolution (LTE) network.  The SIP Forum is also continuing work on its SIP Connect interworking agreements and there is potential for including the new standard in a future version of SIPconnect.

I’ll continue to track what’s happening with respect to implementation of the standard.   As I noted in some of my previous posts, the current work on standardizing WebRTC is helping implementors to gain experience in important new standards for security, codecs and Network Address Translation (NAT) traversal. This WebRTC “toolkit” is also available in open source form.  The inclusion of DTLS in RFC 7345 joins the pending RTCWeb standards in providing new applications and use cases for these emerging standards. This will be good news for the user community, as features which were previously available only in proprietary get implemented in variety of products and services.  If you know of any plans in motion or want to learn more, please feel free to comment or get in touch with me.  You can also learn more by checking out my presentation on Securing IP Fax.

On the Road Again – SIPNOC 2014

I’ll be speaking next week at the SIPNOC conference in Herndon, Virginia.  SIPNOC is sponsored by the SIP Forum and covers a wide variety of topics related to SIP — the Session Initiation Protocol — with a particular focus on the needs of service providers.   It runs from June 9 – 12.

WebRTC continues to be a hot topic in the telecom industry and I’ll be on a panel with several other participants to discuss the relationship between SIP and WebRTC.   SIP has been the primary protocol for Voice over IP and is widely deployed.  WebRTC is much newer, but offers an interesting mix of audio, video and data capabilities and it can be accessed via popular browsers from Google and Mozilla.  WebRTC also has a rapidly growing eco-system.  Are SIP and WebRTC complementary standards which work well together or going in totally different directions?  Come to the panel and find out!

I am also delivering a presentation on a very exciting development in IP fax communications over SIP.  The presentation is entitled: Securing IP Fax – A New Standard Approach.  It’s been a long time coming, but there will soon be a new security standard for implementors of IP Fax over SIP networks.  In particular, the Internet Engineering Task Force is working on using an existing security standard known as DTLS and adding this as a security layer for T.38 fax.    I’ll be talking about the pending standard, why it’s needed and what kind of benefits can be expected for the many users of T.38 IP fax once the new standard is deployed.

I’ve attended SIPNOC as a speaker since its beginning four years ago.  It’s an excellent conference and offers an in-depth perspective on the latest news in SIP as delivered by an all star cast of speakers.  I hope you’ll be able to join us.

Securing Fax over IP for Business Communications

The recent controversy regarding NSA tracking of phone conversations has elevated concerns about security and privacy for business communications. Enterprises generally want to keep their communications private. Use of techniques such as private networks, firewalls and secured tunnels can help to protect internal communication from eavesdroppers, but there are also many exchanges which entail communication with third parties over public networks.

Facsimile is best known as a method of communicating images of printed pages over the Public Switched Telephone Network (PSTN) and many fax companies touted the PSTN as being much more secure than the public Internet, hence reducing the need for formal security approaches. But the circuit-switched network is rapidly being replaced by hybrid and all-IP networks, and a portion of business fax traffic is now sent over the Internet.

During the Nineties, the fax standards experts in the International Telecommunications Union (ITU-T) added annexes to the Group 3 fax T.30 protocol to protect against a variety of security threats. However, there was lack of consensus on how to proceed, so two different approaches were standardized. As attention turned to standardizing fax over higher speed V.34 links and over IP networks, the initial efforts to implement fax security using the new standard approaches fizzled out and never got traction in the marketplace.

Fast forward to 2013. Security and privacy now have a much higher profile. The NSA exposé and other security glitches like the Wikileaks exposures of government and corporate documents have increased awareness of the down side of unsecured documents and communication. In the meantime, as the phone network is being replaced by IP technology, most new sales of fax to the enterprise are for Fax over IP and the T.38 standard from the ITU is frequently used. Most applications of T.38 use a transport protocol called UDPTL (User Datagram Protocol Transport Layer) which is currently an unsecured protocol.

The conventional wisdom might have a “who cares?” attitude, since there’s a common perception that nobody uses fax anymore. However, fax still is used a great deal for a wide variety of business applications which include healthcare, financial and legal organizations, plus fax is integrated into a variety of business processes. Fax is also used for transmission of many normally confidential documents such as insurance claims, real estate transactions and legal notices, plus there are regulations such a HIPAA in the health care domain which require protection of documents from third parties.

For all of these reasons, the need for better security solutions for IP-based facsimile is becoming clear. In another realm of standardization, WebRTC is attracting a lot of attention as a next generation method for performing a wide variety of real time communications such as video and voice over web protocols. The original applications of the Session Initiation Protocol (SIP) were often implemented with little attention paid to security, so the WebRTC standards activities have examined the best approaches for addressing matters such as security and are recommending use of a relatively new security protocol known as Datagram Transport Layer Security (DTLS) to secure real time communications of media within WebRTC.

One advantage of DTLS is that it is relatively protocol agnostic and can be applied as a security layer for various different protocols. So this is a good time to consider how protocols planned for use in WebRTC might also have other applications. The Third Generation Partnership Program (3GPP) has recognized that IP fax is still an important application and wants to have a standard approach to secure faxes which are being transported over IP networks. As a result, there is now an Internet Draft being circulated for comments within the MMUSIC (Multiparty Multimedia Session Control) working group of the Internet Engineering Task Force (IETF) which proposes that DTLS be established as a transport layer that can be used to secure sessions of T.38 IP fax when running over the SIP protocol.

I’m personally enthusiastic about this direction and have made comments on the current draft. I find it ironic that the IETF is looking at adding security layer support to an ITU protocol, but in the world of standards, it’s useful for the work to be done by the experts who have the right domain expertise. In this case, the IETF created DTLS and there is interest in the combination of UDPTL and T.38 from the Fax over IP task group of the SIP Forum, so there is probably enough participation by the Internet and fax communities to produce a useful standard. At this writing, MMUSIC is considering adoption of this draft as an official working group item.

Stay tuned on this one. WebRTC is training a generation of engineers to use a new toolkit of various protocols, so the potential adoption of DTLS by the IP fax community may be a harbinger of a trend to re-purpose various components of the WebRTC initiative in innovative and surprising ways.

Security – A Teachable Moment?

The recent headlines about the NSA capturing data related to phone calls brings up a familiar topic – security. I’ve been managing a session border controller product for the past year and I’ve often been asked if the product supports security. This can be a frustrating question for a product manager, since security is a blanket term that can cover so many areas and this kind of naive question means that the discussion needs to start at a pretty basic level. However, the question can be turned around. One logical response is to ask what kind of security the person wants to know about. An even better response is to get back to basics and ask what are they — typically a customer — trying to protect. In other words, what are the threats?

In the world of international telecom standards, the definition of security starts with the analysis of threats. The National Standards Institute (NIST) wrote a fine paper on security for Voice over IP networks which can be found here. The authors analyzed potential threats to such networks and then proposed solutions. This is preferable to the approach that is often taken of prescribing a security solution before understanding what the goals of the security solution are.

Returning to the topic of the NSA, the President offered a response to critics saying that NSA was not recording phone calls, as if that was the only issue in play here. But if we look at this from a threats perspective, if you are an individual subscriber of phone services, you might want assurances from the service provider of privacy protecting both the content of your communications and the records of who you are talking to. We’ve all seen television shows where the police get a warrant to dump the cell phone records of a potential suspect and just by analyzing the call patterns, are able to figure out who they were calling, when and for how long. This kind of information is often called “traffic analysis” and it can be very revealing. If your company is discussing a merger deal with another company, getting access to these kinds of phone records might reveal the potential merger participants in advance of any public announcement. So is there an incentive for businesses and individuals to protect against people who want to do traffic analysis on their voice (or other) communications? You bet.

I’ve been hearing that argument that if people participate on Facebook and Twitter their public activities are an open book for anybody with Internet access. Sure, that’s true to an extent, though there are battles going on between Facebook and their members about where the privacy lines get drawn. However, I think most phone subscribers, be they individuals or businesses, expect that their private communications will remain so.

On the technical side, this story boils down to a question of where to draw the lines between security and privacy. If this story and the resulting publicity causes individuals and businesses to consider what information they’d like to remain private and which data is considered “fair use” by the government and under what guidelines, then maybe we can have a useful public debate on these matters and not “leave it to the experts.”