FUD Alert: SBCs Won’t Close Your WebRTC Security Holes

February 3, 2014

Fear, Uncertainty and Doubt. The salesman's best friend is now in the hands of SBC marketers, trying to sell their merchandise to "fix" WebRTC.

There has been a slew of webinars, posts and podcasts lately, all of them with a single mission: telling us how great WebRTC is, while at the same time making sure we are scared shitless of it – so we go purchase an "enterprise grade" video system or an SBC. All of it comes from traditional players in the market who have decided to adopt WebRTC, but somehow twisted it to fit their current business model, architecture and product without stopping for a second to see if that's a long-term strategy.

Or maybe they did, and took the easy path towards "phase 1", where they put something out there on the market, while working on the real version somewhere down the road. Whatever it is, I think it is pointless.

I want to mention one specific post – the vendor itself isn't the issue here (they all do it, and if I were a marketer at such a vendor, I'd do it as well). This one is about security and SBC:

"SBC vendors like Acme Packet, Dialogic and Sonus are working toward delivering platforms that can apply policies to WebRTC session"

I am no expert on what these vendors are doing, but…

  • Dialogic deals with a media server for WebRTC. This one gets used by developers to build their own service.
  • Acme Packet and Sonus have their SBC products – products which sit between the "browser" and the specific "web server" of the service (if we phrase it in internet terms). This won't affect any sessions I do out of the well-kept garden of my enterprise (think Tawk.com or some other service)

You see, what I was told is that SBCs deal with protecting the VoIP servers of the enterprise – they make sure that only those who should can access them, and along the way deal with the headaches of interoperability.

In other words – it adds security to your own service.

The issue with WebRTC and enterprises when it comes to security isn't only that of the managed services of the enterprise, but rather of the unsanctioned ones – and WebRTC increases their number from 1 (Skype) to hundreds. SBCs won't help there, and WebRTC is designed to be secure (which is more than I can say for other VoIP protocols used by enterprises).

The doozy in this post?

"Even though WebRTC will be standards-based and will be reasonably secure, for every system that gets built, there is someone else trying to break it, Frost and Sullivan's Brandenburg said."

True. But how is that any different than enterprise video conferencing as we know it today? It is also standardized, reasonably unsecure, and… a lot less maintained. I'd say WebRTC is a quantum leap in the security of video calling over whatever crap you use today in the enterprise.

Stop raising FUD in potential buyers. Explain what problem you really solve and make sure it is a problem your prospects actually have. Yes – there is a need for SBCs, but that need isn't everywhere and it sure doesn't exist for the WebRTC-only use cases.

