apops - Fotolia


How to evaluate UCaaS providers' security measures

Make sure potential UCaaS providers address multi-tenancy management, end-to-end encryption and session border controller issues for added security.

If current market research is on target, unified communications as a service (UCaaS) is expected to follow a healthy...

growth track, at least through 2018. But that doesn't mean everyone has jumped into UC in the cloud. Although early adopters are raving about UCaaS benefits -- like flexibility, scalability, cost savings and high-performance levels -- many organizations remain apprehensive about embracing UCaaS because of security concerns.

UCaaS security concerns boil down to Multi-tenancy and encryption. With multi-tenancy, UCaaS customers share a virtual instance of whatever software application provides UC services, usually over the Internet. The question is: Can a customer, or third party, access another customer's data in a multi-tenant environment?

If a breach does occur, potential customers are also concerned that their data might not be adequately encrypted. They want to ensure that transmitted data is encrypted as well.

Addressing multi-tenancy and encryption fears

To reduce fears about multi-tenancy, ask potential UCaaS providers to explain their multi-tenant setup and how they ensure customer security within such an environment. A provider should explain hypervisor and database segmentation and isolation, and how staff access is authenticated and authorized.

End-to-end encryption, beginning at the core, should be required for the most secure communications. Find out if or how the service provider applies encryption. If it does, ask what type of encryption they apply, its strength and when it's applied. Ask about data in motion and data at rest.

With possibly hundreds of thousands of Real-Time Transport Protocol streams flowing along the wire, the likelihood of capturing some specific customer's packets in transit is remote. But could someone capture all information at a certain point in time and sort it out afterward? What safeguards are in place?

Examine your security policies regarding access to server rooms or data center consoles, business continuity and disaster recovery, and ask potential UCaaS providers about their processes and plans. For example, how many staff members have a security pass to the data center or network operations center? Find out how often your data will be backed up, the backup location and the provider's disaster recovery plan, should it experience an outage or interruption.

SBCs, geared for UC, boost security

For added security, session border controllers (SBCs) are an important consideration. Similar to a firewall, but geared for a UC environment, an SBC can tell the difference between a legitimate, malformed packet and a malicious packet -- a feat most firewalls cannot adequately manage. An SBC can prevent denial-of-service attacks that target ports used by UC services, such as video and audio. So, find out if a potential provider uses an SBC. If they don't use an SBC, you probably don't want to use them.

Providers must comply with numerous state and federal information security laws and regulations, such as SAS-70/SSAE-16, Sarbanes-Oxley and Payment Card Industry Data Security Standard, just as their customers do. Find out which compliance audits the provider is subjected to and how often. Also ask the provider how often it performs internal security assessments, and, if you become a customer, if that information will be made available to you.

Regarding mobile devices, some UCaaS providers have the tools to modify device access and control settings from the back end, such as locking out a user who may be unauthorized or changing access credentials, among other security controls. Find out if a potential provider can assign permission to you to secure mobile devices in this manner.

Security is a hot-button issue in the UCaaS industry, but the reality is some UCaaS environments are actually more secure than their customers' on-premises UC systems. When shopping for a provider, stick with well-known, highly rated companies that have a proven track record with UCaaS, and grill the sales reps and chief technical staff on the same security points as you would a chief information security officer applicant.

About the authors
Kim Lindros is a full-time content developer who also writes on technology and security topics. Coming from a background in project management, she has run large multifunction teams to produce entire book series, online curricula and classroom training classes. She has also contributed to several books on Windows technologies and applications and IT certification.

Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, Ed has contributed to over 100 books on many computing topics, including titles on information security, Windows OSes and HTML/XML. Ed also blogs regularly for TechTarget, Tom's IT Pro, PearsonITCertification.com and GoCertify.

Next Steps

Hosted UC offers five main advantages over on-premises deployments

Selecting the right service delivery model for UCaaS

Quiz: Test your UCaaS knowledge

Dig Deeper on Unified Communications Security