Myth busting: Unified comms isn't a security nightmare
There are remedies to eavesdropping, SIP trunking and toll fraud
As organizations begin to rely more heavily on unified communications — the management of voice, video and messaging through one unified system — many have developed concerns about the security of this IP-based communications infrastructure.
These concerns stem from several factors — not only the fact that UC is IP-based but that there are so many potential modes of communication, from video, instant messaging and Web collaboration to presence, e-mail and voice mail. Complicating the situation is the proliferation of mobile devices being used more frequently in business environments, devices that often aren’t as secure as those housed in the business environment.
One of the biggest security concerns in UC is eavesdropping, the idea that external parties can infiltrate the IP connection to eavesdrop on a Web conference, instant message exchange or other communication medium. The concern is greatest when organizations extend their UC capabilities outside their boundaries to external partners. Although there are no ironclad solutions for preventing eavesdropping, experts recommend employing the highest level of authentication and encryption techniques.
SIP trunking — a service that allows organizations to use voice over IP through an Internet connection — also has created a lot of concern. Simply put, when organizations move from a digital connection to an IP-based connection to receive and make phone calls, concern about hacking grows.
“The thinking is that before, you had an island where there was no way for anybody to hack across the connection from your phone system to your service provider because it was a digital connection, but now, with an Internet-based connection, it’s easier for someone to hack across or monitor where your calls are going or who you are talking to,” said Irwin Lazar, vice president and service director at Nemertes Research, based in Mokena, Ill.
The best way to mitigate this concern, Lazar said, is to make sure that your system includes SIP-aware firewalls or session border controllers as protective mechanisms. In addition, there are many products in the SIP security market that will help mitigate risks.
One concern that is as old as UC itself is toll fraud, in which hackers make their way into a VOIP network and use it to make long-distance calls at an organization’s expense. Another concern is vishing, or voice phishing, in which hackers use voice e-mail, VOIP, a land line or cell phone to gather sensitive information.
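Toll fraud usually shows up first in call detail records. The following added example (not part of the original article) flags extensions whose off-hours long-distance minutes exceed a daily budget; the record columns, home country code, business hours and threshold are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records (not real data).
# The column names are an assumption, not a vendor format.
SAMPLE_CDR = """start,extension,dialed,seconds
2024-03-04T10:15:00,2001,+12025550143,300
2024-03-04T14:02:00,2002,+442079460000,600
2024-03-05T02:11:00,2003,+5352550100,1800
2024-03-05T02:43:00,2003,+5352550101,2400
2024-03-05T03:30:00,2003,+5352550102,2100
2024-03-05T23:50:00,2001,+12025550188,120
"""

HOME_PREFIX = "+1"             # assumption: the organization's own country code
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local time, Mon-Fri
MAX_OFF_HOURS_MINUTES = 30     # assumption: per-extension, per-day budget


def flag_toll_fraud(cdr_text):
    """Return {(extension, date): minutes} for every extension whose
    off-hours long-distance usage exceeds the daily budget."""
    usage = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        start = datetime.fromisoformat(row["start"])
        # Anything outside the home country code counts as long distance here.
        long_distance = not row["dialed"].startswith(HOME_PREFIX)
        # Nights and weekends are when nobody is watching the phone bill.
        off_hours = start.hour not in BUSINESS_HOURS or start.weekday() >= 5
        if long_distance and off_hours:
            key = (row["extension"], start.date().isoformat())
            usage[key] += int(row["seconds"]) / 60
    return {k: v for k, v in usage.items() if v > MAX_OFF_HOURS_MINUTES}


if __name__ == "__main__":
    for (ext, day), minutes in sorted(flag_toll_fraud(SAMPLE_CDR).items()):
        print(f"ALERT extension {ext} on {day}: "
              f"{minutes:.0f} off-hours long-distance minutes")
```

On the sample data, only extension 2003 is flagged: three overnight calls totalling 105 minutes, while the daytime international call from 2002 stays within policy.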
Another growing concern is denial of service, an attack method most often identified with the Internet but one that has become a growing UC threat. In the world of UC, it means flooding a system so that the UC infrastructure comes to a standstill.
The proliferation of mobile devices in the workforce has made them the newest entrant into the UC infrastructure. They are a valuable addition, allowing workers to participate in meetings and collaborative activities from wherever they are, but they also present challenges. An organization that allows employees to use their own cell phones, for example, has to worry about password protection, how to wipe the data from the phone if it’s lost, and how to make sure call data records aren’t compromised.
A research brief from Aberdeen Group on secure UC discusses the threat of mobile technology in the UC infrastructure. Its analysts share concerns about the physical security risk, where sensitive enterprise data can be compromised or exposed to uncontrolled or noncompliant software applications; the access control challenge of exposing the UC infrastructure that is used to communicate with mobile endpoints; and the communication itself, which travels on the Internet and noncontrolled public access points, such as Wi-Fi hot spots and Internet cafés.
Aberdeen recommends taking four steps to secure mobile devices in a UC environment:
- Securely authenticate all mobile users of organizational assets.
- Implement remote security management.
- Implement end-to-end message and data encryption.
- Install remote device lock and remote device kill in case of theft or loss.
For the device, best practices include shutting down unused services and ports and changing default passwords. For the network, best practices include deploying firewalls, router access control lists, virtual local-area networks, port-level switch security and authenticated network access. Other proactive moves include implementing host- and network-based intrusion detection and intrusion prevention systems or proxy servers to protect SIP trunking.
But it’s not all bad news. Security for UC has come a long way in the past few years, and it’s only getting better. Not only are SIP security capabilities much improved, but there is a lot of interest around security certificate authentication mechanisms. With this in place, users placing a call over an IP network would be able to validate the identity of the person on the other end.