Unified communications and collaboration security has always been tricky, and the growth of remote and virtual collaboration during the pandemic has created new security requirements. The addition of UC features, such as meeting recordings and transcriptions, creates more communications data that organizations need to secure and control.
"You're putting more information out there that can be vulnerable to outside parties that may have malicious intent," said Sorell Slaymaker, analyst at TechVision Research.
Other threats to UC and collaboration include malware in UC clients, phone number and voice spoofing, database dumps and remote access, Slaymaker said in an Enterprise Connect webcast on UC and collaboration security.
Traditionally, UC has been difficult to secure for several reasons, including the following:
- Users are everywhere. "It's not like dealing with servers in hard data centers that have hard physical security," he said. Organizations don't have as much control when users can be located anywhere, accessing apps on different kinds of devices and communicating with people outside the organization.
- Privacy laws can be difficult for global organizations that have departmental regulations based on the industry and country in which they're located.
- Unique technology. Real-time applications using User Datagram Protocol, such as voice and video, don't have the same level of security as those with TCP. Additionally, these applications are sensitive to jitter. "A lot of security stacks do not scale well; under load, they'll start delaying packets," Slaymaker said. As a result, voice and video quality can be negatively affected.
- User experience. The process of securing collaboration apps can degrade UX, he said. Users prefer ease of use and shun apps with complicated security controls. "Being able to come up with solutions that are easy for end users, along with being secure, is very important," he said.
Security framework addresses challenges
UC and security architects, engineers and managers need to work together to integrate UC and collaboration's specific security needs into the overall security framework.
"Security architects know a lot about security, but they don't go into the details of unique things that happen in the communications and collaboration world," Slaymaker said.
To create a strong foundation for UC security, UC and collaboration should occupy their own security zone in the data center. Most organizations have three-tier security architectures that include presentation, application and data layers with firewalls in between each layer, he said. He recommended putting voice and video in their own zone and using a session border controller (SBC) for firewall protection.
Organizations should also understand that a security framework should identify three tiers of UC and collaboration security: consumer-grade, enterprise-grade and ultra-secure.
Consumer-grade is acceptable for everyday conversations in which no private information is shared, so additional security controls aren't necessary. Enterprise-grade communication involves more sensitive information and requires additional security measures, such as end-to-end encryption or VPN access. Ultra-secure is for highly sensitive or classified information that requires tight security measures, such as a zero-trust strategy or multifactor authentication.
Components of a UC and collaboration security framework
Slaymaker offered a list of measures that should be included in a UC security framework.
- Proven identity. Passwords are no longer enough to secure data. One-time passwords delivered over text message are more secure than traditional passwords, but they aren't encrypted. Biometrics, such as fingerprint scanners, have made advancements and are a more secure way to provide a user's identity in a nonintrusive way, he said.
- Zero trust. "Gone is the secure network perimeter," Slaymaker said. "In a world of mobile and cloud, users everywhere, APIs -- you don't have a hard perimeter." As a result, many organizations are now adopting a zero-trust security method that withholds access from a device or user until it has been thoroughly inspected and authenticated.
- End-to-end security. It's important that encryption and security are end to end. For networking pros, this means being aware of Layer 5 so every session is individually encrypted, Slaymaker said.
- Device security. Securing devices can be tricky because BYOD policies make it difficult for IT to manage every device within the organization. Additionally, consumer tools, such as text messaging and WhatsApp, don't have the level of security that enterprise apps have. The preferred option is to provide users with devices managed by IT to prevent users from downloading software without going through a secure, specialized process, he said.
- Data management. Organizations need to understand the data that's created -- from meeting transcriptions to chats -- and classify the data to determine the level of security it needs. Basic profile information, for example, only requires limited security. But highly sensitive data, such as a person's Social Security number, needs tighter security controls.
- Measurement and alerting. Organizations need to integrate their UC systems into their security event management software to enable security teams to track logs and alerts from virtual meetings, SBCs and call manager software. This enables security teams to detect cross-platform anomalies to determine if a security issue has occurred.
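To make the measurement and alerting item concrete, here is an added example (not from the webcast or any vendor's product) that normalizes logs from a meeting platform, an SBC and a call manager into one event stream and flags a cross-platform anomaly. The three log formats, the field names, the five-minute window and the rule itself are assumptions constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample logs; the three formats are hypothetical, not a vendor's schema.
MEETING_LOG = [
    '{"ts": "2024-05-01T10:00:05Z", "user": "alice@example.com", "event": "recording_download", "ip": "198.51.100.7"}',
    '{"ts": "2024-05-01T10:03:00Z", "user": "bob@example.com", "event": "join", "ip": "192.0.2.20"}',
]
SBC_LOG = [
    "2024-05-01T10:01:10Z sbc01 REGISTER user=alice@example.com src=203.0.113.9 status=200",
    "2024-05-01T10:04:30Z sbc01 REGISTER user=bob@example.com src=192.0.2.20 status=200",
]
CALL_MANAGER_LOG = [
    "2024-05-01T11:30:00Z,alice@example.com,call_start,203.0.113.9",
]
SBC_RE = re.compile(r"^(\S+) \S+ \S+ user=(\S+) src=(\S+)")

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def normalize():
    """Convert all three feeds into (time, source, user, ip) tuples, sorted by time."""
    events = []
    for line in MEETING_LOG:
        rec = json.loads(line)
        events.append((_ts(rec["ts"]), "meeting", rec["user"], rec["ip"]))
    for line in SBC_LOG:
        m = SBC_RE.match(line)
        if m:  # lines that do not match the expected layout are skipped
            events.append((_ts(m.group(1)), "sbc", m.group(2), m.group(3)))
    for line in CALL_MANAGER_LOG:
        ts, user, _event, ip = line.split(",")
        events.append((_ts(ts), "callmgr", user, ip))
    return sorted(events)

def cross_platform_anomalies(events, window=timedelta(minutes=5)):
    """Flag a user seen on two different platforms from two different IPs within the window."""
    alerts = []
    for i, (t1, src1, user1, ip1) in enumerate(events):
        for t2, src2, user2, ip2 in events[i + 1:]:
            if t2 - t1 > window:
                break  # events are sorted, so everything later is out of range too
            if user1 == user2 and src1 != src2 and ip1 != ip2:
                alerts.append((user1, src1, ip1, src2, ip2))
    return alerts

if __name__ == "__main__":
    for alert in cross_platform_anomalies(normalize()):
        print("ALERT", alert)
```

Neither feed looks unusual on its own here; the alert only appears once the meeting and SBC events for the same account are compared side by side.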