Nemertes Research, a tech advisory firm, recently interviewed IT security leaders about their top enterprise security...
concerns and challenges. Unsurprisingly, participants rarely cited attacks on unified communications applications and infrastructure as a top security concern.
This lack of interest in UC security isn't just among security leaders. Even those responsible for IP telephony and unified communications platforms rarely cite security as a primary focus. Instead, they spend the bulk of their time on operational issues, architectural planning, vendor management and, increasingly, working with lines of business to support digital transformation.
Why the lack of UC security concern? Here are some reasons:
- Unified communications platforms have historically been closed. IP telephony systems, for example, are not easily accessible from the outside world. Calls entering or leaving the enterprise system go through a gateway to reach the PSTN via digital circuits, or they traverse Session Initiation Protocol (SIP) trunks protected by session border controllers.
- Unified communications platforms are not considered high-value targets. Instead, the perception is hackers are primarily interested in obtaining customer data, such as social security numbers, account information or other personally identifiable data that a criminal entity can exploit for financial gain.
- There haven't been any high-profile hacks of UC systems -- the kind that make the evening news or the front pages of newspapers and cause companies material harm in terms of lost earnings, reduced stock price or compensation to affected parties.
However, IT leaders would be wise to raise the profile of security protection for their unified communications platforms. Increasingly, UC platforms are opening up to the outside world.
Many systems, for instance, allow guest access for voice and video calls, or for screen sharing via native apps or WebRTC. Some systems federate presence, voice and video with partners or cloud providers.
The shift to the cloud, especially for hybrid services, creates new potential vectors for attack via connections to internal applications. Embedding communications into applications via APIs creates yet another potential avenue of attack for those who can exploit these interfaces.
SIP-based services also present a unique challenge for protection. Some firewall vendors, for example, advise turning off SIP application-layer gateways to avoid connection problems caused by nonstandard SIP implementations.
Be proactive, not reactive
Successfully securing unified communications platforms requires a multipronged approach that includes regular audits of on-premises systems, patch management to address new exploits as they are discovered and, typically, the use of session border controllers for securing external access points, such as SIP trunking and WebRTC.
A successful security approach also requires protecting against phishing, spam phone calls, telephony denial-of-service attacks and internal threats, including malicious use of internal phone resources and toll fraud.
Finally, a security strategy requires ongoing due diligence of cloud providers to ensure they are providing accurate reports on their own security mitigation efforts and any discovered breaches.
Make security a core tenet of your UC strategy. Shift from dealing with threats reactively after they occur to preventing them before they happen.
UC platforms incorporate contextual communications.
Is it time to upgrade your UC platform?
Embedded communications present new security threats.