maxkabakov - Fotolia
3 key questions to ask about unified communications security
Unified communications security can be tricky. Learn how to craft a strategy that addresses security challenges and the requirements of individual UC tools.
Keeping a unified communications environment secure is no small task as the different communications tools that comprise a UC system have their own security needs. And organizations can't push all the security responsibilities onto their UC vendor.
Organizations must take steps to lock down their networks to support unified communications security. Learn how to build a strategy that addresses the security needs of the tools that make up a UC system.
What are the challenges of unified communications security?
The biggest challenge is in the unification of UC tools. Traditionally, communications tools, such as voice and video, were separate services and, therefore, secured separately. But the unification of these tools with UC platforms creates the need for a unified security strategy.
But, even with unified platforms, each tool has its own security needs and attack vectors. Organizations need to build a unified security strategy that encompasses the security requirements of all the UC components.
A unified security strategy should have three goals. The first is to keep content secure with encryption and VPNs. Second is to keep the UC environment secure from credential threats and denial-of-service (DoS) attacks. Third is to protect the UC security from hijacking, such as via a usage-based component, like a phone system that could be abused by an attacker.
How do you support unified communications security?
Securing UC is the responsibility of both the organization and its provider, whether the environment is on premises or in the cloud. Organizations have several options to support unified communications security and keep their vendors accountable.
Organizations can secure their end of the network with firewalls, session border controllers and VPNs. These tools will protect UC services from certain threats, including DoS attacks, SQL injection and fraud. A VPN will also secure office-to-office connections.
Organizations should quiz their vendors on the level of protection included with their services, such as end-to-end encryption (E2EE), and ensure vendor upgrade and maintenance cycles address security exposures and patches in a timely manner.
How do you address security for individual UC tools?
As mentioned earlier, UC tools have different security requirements. Organizations must proactively address the various threats to these tools as part of a unified security strategy.
Voice over IP (VoIP), for example, is most vulnerable to DoS attacks. A good firewall will mitigate most DoS attacks. VoIP should also be secured with encryption and a VPN to prevent call traffic from being intercepted by call jacking and man-in-the-middle attacks.
Users should also be wary of evil twin attacks, which occur when a wireless access point is mimicked to phish for information. Public wireless networks should be encrypted to mitigate attacks, and users should be mindful when using VoIP on public networks.
Furthermore, team collaboration presents a unique challenge to unified communications security as some apps may be deployed as stand-alone to a UC system or adopted by employees without IT approval, which could put sensitive information at risk.
IT should select an app that offers a level of security that aligns with the organization's security and compliance policies, with features such as E2EE and audit capabilities. IT should also prevent employees from deploying freemium apps without IT's approval.
For organizations using video, a hybrid option is often more secure than a pure cloud deployment but has additional security considerations compared to on-premises video. In a hybrid setup, local video calls stay on the corporate network -- and under the organization's control -- while offloading external calls to the cloud.
But, because the provider may handle data storage, organizations need to ensure a hybrid deployment meets their compliance requirements. Organizations should also evaluate the level of encryption offered by their provider to verify that all data is encrypted at rest and in motion.