How to reap the benefits of unified communications security

James Steidl - Fotolia

UC security lags despite the cloud creating new threats

UC security is not a priority, according to a survey of IT professionals. But security should not be overlooked, as cloud UC creates new risks.

Unified communications security seems like a no-brainer, but a report has found that it's not on the radar for many information security professionals. Nemertes Research, based in Mokena, Ill., found UC did not rank in the top 10 priorities for information security professionals.

The report found UC security is increasingly viewed as the responsibility of the network team, rather than the security team within an organization. Most security professionals said they don't handle the day-to-day management of network devices, such as firewalls, the report found.

"UC is typically not part of a security strategy," said Irwin Lazar, a Nemertes analyst. "When doing assessments, the risk of someone hacking into the phone system doesn't factor into the discussion."

Another reason for the low-priority outlook toward UC security is the lack of high-profile breaches into communications systems, Lazar said. Toll fraud is viewed as the biggest threat to a communications system, but it's usually not a top concern for security professionals. However, many security teams lack awareness of what threats their communications systems face.

Cloud unified communications presents security threats

As enterprise communications systems move toward the cloud, organizations open themselves up to UC security vulnerabilities. The PSTN was relatively difficult to hack, but WebRTC, cloud services and Session Initiation Protocol (SIP) trunking offer vectors to attack.

There are a lot more ways into enterprise communications systems than there were.
Irwin Lazaranalyst at Nemertes Research

"There are a lot more ways into enterprise communications systems than there were," Lazar said. For example, a growing trend of distributed denial-of-service attacks blocks calls in organizations that use WebRTC or communications platform as a service to make calls through a website or mobile app.

With cloud unified communications, organizations must open their networks to providers, which can create new areas for attack. "The more open you make your network to someone on the outside, the more risk," Lazar said.

Bring your own device and bring your own applications add to this challenge, according to Roopam Jain, an analyst at Frost & Sullivan, a consulting firm based in San Antonio.

"A proliferation of user-driven devices and applications results in more attempts to connect untrusted devices to the corporate network," she said. This trend is compounded by shadow IT and lines of business deploying their own cloud UC services without IT's knowledge or consent.

The growing number of cloud services, devices and networks that connect to corporate databases make UC security a daunting task for organizations. If a cloud service lacks the necessary layers of security and access control, then network data is at risk, Jain said.

Evaluate a provider's UC security competence

Organizations should not assume their cloud UC provider is inherently secure. Lazar said some cloud UC and hosted telephony providers can have poor security implementations.

"There is a lot of variance in how providers implement SIP," he said. A provider's SIP implementation might not work with an organization's SIP deployment, causing performance and connectivity issues. To address those performance issues, providers might tell the organization to disable the SIP application layer gateway in its firewall, leaving calls without SIP protection, Lazar said.

To address these UC security risks, organizations must have a holistic security framework that includes encryption and authentication. They should prioritize real-time control of cloud usage and enforcement across all types of cloud services, whether they're sanctioned or unsanctioned, Jain said.

Organizations should look for third-party validation of a potential cloud provider's security, said Mike McAlpen, chief information security officer at 8x8 Inc. Third-party validations include certifications and standards such as SOC 2, SAS 70 Type II and ISO 27001.

U.S. public sector organizations should select providers that have FedRAMP certification. Organizations that do business with European Union countries should look for the Privacy Shield certification, he said.

Next Steps

Secure video conferencing to keep meetings private

Lock down SIP trunks with a SIP security checklist

How to address WebRTC security concerns

Dig Deeper on Developing a UC Strategy