
3 ways to retool UC platform security architecture models
Hybrid workers moving between home and office environments create a UC security gap. But adopting modern tools to augment traditional security policies can mitigate risks.
The explosion of hybrid workforces in the past few years has caused IT teams to rethink their legacy unified communications platform security architectures. Prior to 2020, UC and collaboration largely focused on perimeter-based security to guard sensitive business communications against external threats. While this level of protection remains important, it doesn't help safeguard UC data flows conducted outside the secure border of the corporate LAN.
Another consideration for IT teams is the set of cloud-delivered security tools known as secure access service edge (SASE). This framework converges firewall, secure web gateway and zero-trust network access functions into a cloud service that enables users to securely access their organization's network from any location, including home and the office.
This tip provides guidance on how to identify distributed UC security shortcomings native to on-premises UC platforms. It also provides information to help IT leaders identify more effective UC security architecture options and illustrates when it's the right time to assess whether a third-party service provider is needed to augment security functions.
Hybrid workforces: what's the problem?
Larger businesses -- especially those that manage customer contact centers -- had to significantly rearchitect their in-house UC and collaboration platforms to adapt to hybrid workforce policies and enable large numbers of employees and agents to work remotely. Because most companies had significant investments in existing UC platforms, they quickly realized that migrating to cloud-based UC tools was often out of the question. Thus, architects had to work with what they had -- even if it meant that security took a back seat.
As UC teams scrambled to provide access to these users, they often relied on legacy VPN services to simply tunnel voice and collaboration traffic from the remote location to the corporate LAN. Employees could then use their own computing hardware to access voice, collaboration and contact center services from their homes. While this architecture model worked, it unfortunately opened the door to a host of VPN-related security vulnerabilities that could lead to unauthorized access and data loss or theft.
The quick pivot to serving a hybrid workforce also raised another troubling issue: managing session border controllers' increased exposure to the internet. SBC servers are commonly deployed in a demilitarized zone, and it's often the case that little work is done to restrict lateral data flows between devices within a flat DMZ network. As a result, if an SBC server is compromised, bad actors can move laterally within the network in an attempt to attack more systems and applications.
Modern on-premises UC security options for hybrid workforces
1. Virtual desktop infrastructure
Virtual desktop infrastructure (VDI) is one way to eliminate the vulnerabilities found with traditional VPNs and within personal devices used to connect to business UC services. VDI platforms can securely transport traffic across the internet using cybersecurity and encryption techniques that are largely transparent to the end user. And, because virtual desktops are self-contained, this UC platform security architecture model eliminates any concern about using personal devices to access UC services.
2. Zero trust with microsegmentation
This combination protects internet-exposed UC services such as SBCs. Zero trust ensures that access to network applications and services is based on strict user and device verification and continuous validation. Microsegmentation restricts lateral communications in the DMZ and the data center, thus shrinking an organization's attack footprint and significantly lowering the overall cybersecurity risk.
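To make the flat-DMZ problem described above and the microsegmentation remedy concrete, here is an added example (not from the article) that models a default-deny east-west policy for an SBC and checks recorded flows against it. The DMZ addresses, hosts, ports and sample flows are constructed for illustration; the allowlist assumes SIP over TLS to a call manager and RTP to a media gateway are the only DMZ-internal flows the SBC needs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: one DMZ subnet shared by the SBC, the call manager
# and the media gateway. All addresses below are made up for the example.
DMZ = ip_network("10.20.0.0/24")
SBC, CALL_MGR, MEDIA_GW = "10.20.0.10", "10.20.0.20", "10.20.0.30"
RTP_PORTS = range(16384, 32768)  # assumed RTP media port range

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

# Microsegmentation allowlist: the only DMZ-internal flows the SBC needs.
# Any other flow between DMZ hosts is denied by default.
ALLOWED_LATERAL = [
    (SBC, CALL_MGR, "tcp", {5061}),      # SIP over TLS, SBC -> call manager
    (CALL_MGR, SBC, "tcp", {5061}),      # SIP over TLS, call manager -> SBC
    (SBC, MEDIA_GW, "udp", RTP_PORTS),   # RTP media, SBC -> media gateway
    (MEDIA_GW, SBC, "udp", RTP_PORTS),   # RTP media, media gateway -> SBC
]

def is_lateral(flow: Flow) -> bool:
    """True when both endpoints sit inside the DMZ (east-west traffic)."""
    return ip_address(flow.src) in DMZ and ip_address(flow.dst) in DMZ

def permitted_lateral(flow: Flow) -> bool:
    """Default-deny match of an east-west flow against the allowlist."""
    return any(flow.src == s and flow.dst == d and flow.proto == p
               and flow.dport in ports for s, d, p, ports in ALLOWED_LATERAL)

def lateral_violations(flows):
    """Return the DMZ-internal flows the segmentation policy would block.

    In a flat DMZ every one of these would have passed, so each hit is a
    lateral-movement signal worth alerting on (e.g. SSH from the SBC).
    """
    return [f for f in flows if is_lateral(f) and not permitted_lateral(f)]

# Constructed sample flows, as a firewall or flow collector might log them.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", SBC, "udp", 5060),   # external SIP trunk -> SBC (north-south)
    Flow(SBC, CALL_MGR, "tcp", 5061),        # legitimate signalling
    Flow(SBC, MEDIA_GW, "udp", 20000),       # legitimate media
    Flow(SBC, CALL_MGR, "tcp", 22),          # SSH from the SBC: not needed, blocked
    Flow(SBC, "10.20.0.40", "tcp", 445),     # SMB to another DMZ host: blocked
]

if __name__ == "__main__":
    for f in lateral_violations(SAMPLE_FLOWS):
        print(f"DENY lateral {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The same allowlist translates directly into host or hypervisor firewall rules; running recorded flows through it first shows which existing traffic a segmentation rollout would break before it is enforced.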
3. SASE
Many businesses are examining third-party SASE providers to further safeguard latency-sensitive UC and contact center applications. SASE places network security functions closer to end users, regardless of where they are working from, so they can directly tap into distributed Layer 4-7 firewalls, intrusion detection and intrusion prevention systems, secure web filtering and other important features. Most importantly, these features are designed to protect UC without burdening it with excess latency.
Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.