
Communication APIs mark uncharted waters for UC security

Unified communications security is venturing into unknown territory with the growing trend of embedding communications into business applications. New security challenges could emerge for IT as organizations fuse their communications to business apps by using APIs and communications platform as a service (CPaaS).

For instance, if an organization has used a communications API to embed click-to-call in a sales management app and that app is hacked, the hacker could access the organization’s phone system.

“If someone figures out how to route their traffic over my CPaaS connection, it’s a new era of toll fraud,” Nemertes Research analyst Irwin Lazar said.

Most CPaaS and API providers, such as Twilio and TokBox, haven’t quite discussed their positioning around security for their APIs, Lazar said. However, the vendors do offer security features such as encryption and authentication.

If a communications API is compromised, organizations could lose business if their services are made inoperable and transaction data is stolen. Also, a provider could lose credibility if a hacker uses an API for other purposes, said WebRTC consultant and API expert Tsahi Levent-Levi.

He said hackers would likely target the point of integration between a communications API and a business application. “That is where care and attention to security will be at its lowest,” he said.

Other security concerns include exposure of API access keys, data proxy hacking, and man-in-the-middle attacks between an organization’s app and the CPaaS provider.

However, communication APIs aren’t wholly insecure. They do include security features such as transport layer security for API calls, the ability to revoke and regenerate API keys, role-based access to an API provider’s back end and an audit log of actions performed by users and API calls, Levent-Levi said.

To protect themselves, organizations must evaluate a CPaaS or API provider’s security measures, as well as their own. These measures range from role-based management of accounts to API keys that encrypt data in transit.

Levent-Levi said organizations should select API developers who understand security and have developed cloud services in the past. An external security audit of potential providers can validate a provider’s security practices.

Organizations must take similar precautions to lock down the business apps they are using with communication APIs to prevent hackers from stealing access keys and sensitive data or intercepting communications, he said.