This content is part of the Essential Guide: The basics of SIP trunking explained
Problem solve Get help with specific problems with your technologies, process and projects.

New UC security threats leave UC platforms vulnerable

Ensuring UC security has grown harder as UC platforms become more open to direct Internet access. Learn how to better manage SIP trunking security, cloud services and BYOD models.

When it comes to UC security, most IT leaders worry more about threats to the underlying data network than potential attacks against VoIP and UC systems themselves. Most see VoIP and UC platforms as closed entities, protected from the outside world by the PSTN. They think that so long as there’s no way to reach UC applications from the Internet, there’s little threat of attack. And by and large that approach is valid; less than 2% of enterprises that we’ve interviewed have ever experienced a direct attack on their UC servers. However, three emerging trends require IT managers to take a fresh look at UC security -- SIP trunking, cloud services and increasing acceptance of bring your own device (BYOD) mobility models.

Managing SIP trunking security

Thirty-five percent of companies are currently deploying SIP trunking, while 74% will deploy or increase their use of SIP trunking in 2012. SIP trunking replaces digital lines, opening a direct link between your telephony/UC systems and the outside world via an IP-based connection to the PSTN. This means that your IP telephony servers are now vulnerable to the threat of attacks such as Denial of Service (DoS) from the provider network. To protect against these threats, 90% of those deploying SIP trunking also deploy session border controllers (SBC), not only for security purposes, but also to manage call policies/routing and provide transcoding between IP and TDM platforms. Most SBC vendors offer security protections against SIP-based attacks, DoS and unauthorized attempts to gain access to IP telephony services.

Protecting company data in the cloud

Cloud services provide another potential threat as enterprises move their company-owned infrastructure onto a service provider’s infrastructure. Here the bigger threat is information protection, especially for companies operating under industry regulations, including HIPAA and PCI-DSS. Mandatory requirements typically include the use of encryption between the enterprise and the service provider, and auditing provider security models, such as SAS-70 certification, to ensure that your data is isolated and protected.

BYOD and mobile UC security

Finally, the rise of popular consumer mobile platforms such as the iPhone, iPad and various Android devices has placed IT under a great deal of pressure to allow employees to bring their own device into the enterprise (i.e., smartphones/tablets). More than 80% of companies are integrating or planning to integrate mobile devices into their UC systems, and almost 11% already support employee-owned devices. Securing these mobile devices is getting easier, thanks to both improved security controls embedded into popular mobile operating systems as well as a plethora of mobile device management solutions designed to give IT managers the ability to mandate controls such as encryption, strong authentication, limited application downloads and remote wipe of lost devices. MDM should be part of your device management strategy.

IT managers can no longer afford to hide behind the PSTN-as-a-fire-break approach to UC security. In order to minimize the risk of data loss or service disruption, it’s important to have a proactive strategy that addresses emerging security threats, integrates UC security with the broader overall enterprise security architecture, and leverages specific tools and/or services to mitigate threats from SIP trunking, cloud services and mobile devices.

Irwin Lazar, Nemertes ResearchAbout the author: Irwin Lazar is the vice president for communications and collaboration research at Nemertes Research, where he develops and manages research projects, develops cost models, conducts strategic seminars and advises clients. Irwin is responsible for benchmarking the adoption and use of emerging technologies in the enterprise in areas including VoIP, unified communications, video conferencing, social computing, collaboration and advanced network services.

Dig Deeper on Unified Communications Security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.