sdecoret - stock.adobe.com
Unified communications has steadily gained traction in recent years, but the sudden shift to widespread remote working has made UC one of the most important application suites for SMBs and enterprises worldwide. Given that more companies are relying on UC, security has become a major concern. In this article, we'll look at some of the key elements that should be part of every on-premises unified communications security plan.
While many security issues overlap across internally administered and UC-as-a-service systems, infrastructure security is where they differ. You provide the infrastructure when you manage the system, so you must provide the security as well.
Depending upon the specific services your UC implementation entails, details will vary. That said, you will certainly need to protect servers used for messaging and related functions and session border controllers (SBCs) used for your voice over IP (VoIP)-to-PSTN gateway.
3 common UC security issues
- Theft of service. Hackers exploit UC systems to place scam or illegal phone calls. Detecting these types of attacks as they happen can be difficult unless your UC system has usage-based billing.
- Denial of service (DoS). DoS attacks typically target VoIP systems. Some DoS attacks flood the VoIP system with requests to prevent it from functioning, while other attacks crash the system by interrupting call protocols.
- Hacking tools. These tools can be used from both outside and inside the corporate network to compromise a UC system.
4 UC security tips
While some security strategies seem obvious, they can also be easily overlooked. Don't forget the basics.
- Restrict physical access. Ensure unauthorized personnel can't get anywhere near your UC hardware. This step will avoid intentional and unintentional problems.
- Institute complex system passwords. Simple or standard passwords might make things easier for your system admins, but they also make it easy for hackers or others to cause problems. Most networking hardware comes with default passwords that can easily be found via search. Be sure to change them.
- Deploy software updates and patches when they are released. Many system admins are happy to leave a well-running system alone: If it isn't broken, don't fix it. Unfortunately, this philosophy can bring a false sense of security when it comes to, well, security. Your system can appear to be running just fine when it has vulnerabilities that can expose you to big problems. Thus, it is important to keep current with software and firmware updates.
- Protect yourself from DoS attacks. For years, DoS attacks have been a relatively easy avenue for malefactors to compromise the operational security of systems. To guard against these attacks, ensure that next-generation firewalls (NGFWs) are configured to detect and block overload attacks on the IP ports used for UC. Additionally, some VoIP SBCs now have DoS detection built in to provide another level of protection beyond what's delivered by the NGFW.
How to build a continuous UC security plan
The UC system itself is a collection of interrelated applications based around a core of chat, file transfer and storage, voice and video functions. UC's success hinges on ease of use. Unfortunately, adding layers of unified communications security gets in the way of that goal.
The security challenges Zoom faced earlier this year illustrate this point. Ease of use is one of the vendor's main selling points. Session IDs, for example, were not overly long, nor did they require passwords. Attendee codes, meanwhile, were single digits, making it easy for unauthorized users to hack into users' video conferences. In response, Zoom made some simple but effective changes that dramatically improved security, while keeping the platform easy to use.
The best route to take is to properly configure your UC system to balance the twin concerns of security and ease of use. The core of your UC security plan should center around selecting those security options that provide the best protection without introducing excessive friction into the UC user experience.
The obvious place to start is user identification and passwords. Requiring strong passwords is a good policy, but it can be considered burdensome by some users. I find an eight-character password -- encompassing a mix of uppercase and lowercase alpha characters, one number and one special character -- to be workable. Security experts might advise the use of 16 characters in that format to be secure, but users might push back hard on that.
Multifactor authentication is another tool, although some users might object to having to grab their phone or retrieve an email containing the one-time authentication code every time they log in.
Consider what you need to make UC work for you
Consider the minimum unified communications security level you will accept for audio/video conference sessions, as well as how much leeway you will give users to adjust security -- tighter or looser -- for each conference.
Requiring passwords for each user for every conference enhances security but increases friction. Some systems may allow you to make passwords a default option but also let the user setting up the conference to remove that requirement.
If your UC system gives you options to make conference IDs and attendee codes longer or more random, I think that is a good option to use. This level of protection would help keep unauthorized users from guessing their way into conferences and does not unduly burden legitimate users.
The forgotten outsiders
A big element -- and benefit -- of UC is extending the collaborative environment beyond company employees. Allowing outsiders to log in to your UC environment is a core function, but this degree of access represents a major unified communications security concern.
By definition, outside participants of your UC environment are BYOD users, which makes it impossible to dictate what devices are being used or to determine the security protections those devices have in place. While some UC systems have the ability to deny access to BYOD devices that don't meet internal security requirements, this isn't a common feature.
The real threat occurs when outsiders are added to group or team discussions. These discussion threads can have topics that are confidential or have file postings containing sensitive material. Employees using the system may not even be aware that outsiders can view this information and possibly download and exfiltrate sensitive and/or confidential corporate data.
Worse, often, when the project is over, outsiders still have access. A team or group discussion board could be reused for a new project, and nonemployees could now become silent spectators on projects they have no legitimate reason to see.
It's essential to audit UC groups and discussions on a periodic basis. Outdated discussions should be archived and deleted. Outside users who were granted permission for a given, since-ended project should be deactivated and removed from the system. Doing so increases unified communications security significantly by removing an easy and obvious backdoor -- or maybe even front door -- into the UC system.
A realtor's mantra is "location, location, location." The security manager's is "layers, layers, layers." The more layers of security, the more difficult it is for a hacker to achieve success.
UC security plan costs
Fortunately, most UC systems have multiple layers of security built in. Ensuring strong security isn't going to require a lot of extra costs -- aside from making sure you have an NGFW in place on your perimeter.
Probably the biggest cost is time. Budget the time to review your UC system and configure the appropriate security parameters. Make sure security patches are installed when they roll out, and monitor logs. Finally, frequently assess the effectiveness of your security plan, and tweak it as needed.