In today's unified communications (UC) environment, security threats are real, significant and growing. In the introduction to their book Hacking Exposed: Unified Communications and VoIP authors Mark Collier and David Endler explain why unified communications security issues are on the rise:
"In terms of threats, [unified communications or] UC has made many attacks easier. Attackers target VoIP and UC for the same reasons they attacked legacy voice -- to steal service, to harass and disrupt, to sell unwanted products and services, to steal money and information and to eavesdrop on conversations."
"Security threats may not necessarily be intrinsic to unified communications systems, but the biggest threat to a company's security is not having the systems and safeguards in place," says Rick Puskar, senior vice president for vision and strategy with Unify (formerly Siemens Enterprise Communications). "A company leaves itself vulnerable to attack when they do not prioritize the investment in tailored security and data protection systems."
Secure unified communications component uniquely
But unified communications entail voice, video, text and visuals; each UC component uses different architecture to communicate and each channel has its own vulnerabilities. Mounil Patel, vice president of strategic field engagement at Mimecast -- a unified email management company based in Watertown, Mass. -- contends that voice, in particular, is a vulnerable component of UC that needs focus.
UC is typically deployed as a multisite IP service that requires opening a wide range of ports, which creates a security risk.
chief technology officer, Sonus Networks
Patel says that IP telephony-related devices have weak links and are running OS kernels that risk being exploited. "At the very least, hardware-based devices [that could harm the user's network] should be isolated on their own networks to isolate that risk from other network-attached devices," said Patel. "Software-based clients are much harder to isolate, because they run on end-user computers. I suspect we're not far away from requiring vendors to provide results of application security testing for software-based clients."
In the near term, Patel believes that telephony and instant messaging (IM) need to be treated differently from email and other more conventional means of communication between enterprises. Security breaches tend to take place at points within networks other than UC channels, but this could be changing.
"Hackers haven't focused on these devices, because there are easier penetration points into an organization's network, [such as email]. As computer end-point security becomes commonplace, and email and IM security solutions continue to match the pace of new threats, I suspect we will see a shift in focus to telephony-based clients as penetration points and isolate them to reduce the risk of the unknown," adds Patel.
He further explains that users have cut their teeth on IM and are accustomed to its use; now, workers expect its use in the professional suite as a means of instantly communicating and engaging in dialogue.
"This increased adoption [of IM] is certainly being driven by the utility of instant communication, but adoption is also being driven by a new generation of users who have grown up with IM as their preferred means of communication," says Patel. "IT has clearly bought into the advantages of platforms like Lync, and the availability of a corporate-sanctioned IM is too tempting for users to ignore. As workplace demographics continue to change over time, this shift will continue to increase. I don't think emails will fall to the wayside as paper memos did over the past decades, but IM will gain similar prominence."
IM is adjunct to other communication modes and its popularity will help fuel the popularity of UC platforms. IM and other popular communication modes with unified communication platforms will serve as end points for security breaches.
Kevin Riley, chief technology officer, Sonus Networks, based in Westford, Mass., sees unified communications platforms not necessarily as end points, but as beginning points for intrusion -- and a concern that is growing. He emphasizes the importance of security on UC platforms because of the landscape architecture surrounding it, which just seems to lend itself to trouble. Riley cites research found in The CIO Playbook, which found that 31% of organizations considered security and privacy issues to be a key challenge to implementing UC. That's where security technology and tools can help.
"This concern is because integrating platforms requires opening up ports to enable the flow of data, which means additional unwanted traffic is able to flow freely," says Riley. "However, organizations can take precautions, like installing session border controllers (SBCs) to close ports that aren't required and protect their networks from dangerous traffic. The legacy, on-premises PBX architecture was isolated to the enterprise from an IP networking perspective and used PSTN for multisite interconnect. In contrast, UC is typically deployed as a multisite IP service that requires opening a wide range of ports, which creates a security risk."
Continue reading to learn about cross-platform UC vulnerabilities.