Unified Communications Security Considerations



Introduction

A Unified Communications (UC) platform extends various modalities (chat, presence, audio, video, file sharing, desktop sharing, etc.) to both authenticated and anonymous users. These users connect from inside and outside the organization's network. The variety of modalities and endpoint locations makes the UC platform vulnerable to security threats, so it becomes critically important to implement a mature framework to deal with the security concerns around it.

This article discusses security considerations for protecting unified communications products and services from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide confidentiality, integrity, and availability. The framework is a complex process that needs to be continually reviewed and updated.

To begin with, let's look at the commonly seen security challenges:

  • How to protect the firm's sensitive data during meetings, chats, calls, file sharing, etc.?
  • How to ensure that no data is modified in an unexpected manner?
  • How to ensure no violation of compliance and regulatory requirements?
  • How to enable maximum UC features for external users without compromising integrity?
  • How to handle malware/viruses?
  • How to secure the traversal of data to the external world?
  • How to regulate usage of BYOD?
  • How to authenticate various users (internal and external)?
  • How to manage encryption?

There are many more such challenges around the security of a unified communications platform, and the list may grow further depending on the profile of your firm.


Authentication for Services & End Points

There should be thoughtful planning behind the authentication mechanism for real-time communications products, services and devices. A properly designed and configured authentication mechanism has a better chance of protecting the UC platform. It is recommended to use two-factor authentication for external communications.

Each UC platform has its own way of implementing authentication. Ensure that you understand the options and validate them against the security standards of your firm. An authentication requirement assessment should consider the following aspects of sessions:

Additionally, you should have separate mechanisms to address the authentication needs of internal and external endpoints. Last but not least, weak passwords are the softest target for an attacker. An organization should plan and implement a complex password policy.


Security Risks of Bringing Your Own Device (BYOD) Program

Allowing employees to bring in their own devices has many benefits: it increases employee efficiency and reduces the firm's costs. However, it comes with added security risks. An organization should define these security risks while implementing a BYOD program.

Data leakage on a personal device is a critical issue for a firm. Hardly any UC vendor provides a near-perfect data leakage solution for personal devices. You should assess the pros and cons of how to deal with data leakage originating from BYOD devices.

Applying (security) patches to the devices is another aspect. Due to the various shapes, sizes and types of devices, it becomes difficult in practice to apply updates to personal devices in a cohesive and centralized manner.

Planning and implementing data encryption on personal devices is another challenge. Different types of personal devices support different types of data encryption.

Personal usage of devices has a greater chance of bringing malware onto the devices. How do we treat various types of personal devices using a standard program?

Mostly, you need to relax asset management standards to allow BYOD devices. You need a plan to counter each security relaxation extended to the devices.

At the end of the day, you should not compromise the firm's security standard to increase productivity or reduce cost.


The Anywhere Factor

A UC platform helps tremendously in making the mobile workforce productive. However, we should be thoughtful about deciding which types of data and functionality are exposed through the deployment. Mobile workers operate from various places (hostile and friendly). Organizations should define a security standard for the mobile workforce according to the threat profile of the firm.


Encryption of Unified Communications Signalling, Data and Media Packets

Securing the signalling, data and media packets originated by a UC platform requires even greater encryption planning. During my earlier career, I have seen organizations reluctant to implement encryption for VoIP infrastructure. Nowadays, encryption is a must for a UC platform. Implementing a UC platform without encryption carries an inevitable and devastating risk.

A UC platform should support standard encryption methods, to ensure that packets are not tampered with in transit. With weak or absent encryption methods, you can expect data loss and service disruption. Your organization's encryption methods should consider the following scenarios:

  • Server to server
  • Server to clients/devices
  • Device to device

You also need proper encryption planning for the endpoints (authenticated and anonymous) connecting from the external world.


Signalling, Data and Media Packet Traversal via Firewall

You should have clearly defined objectives for each of the services exposed through the firewall. The services could be presence, chat, remote management tools, audio, video, etc.

You shouldn't place UC servers and appliances outside the corporate firewall. Each service and port exposed through the firewall should be justified. Always remember that the fewer services exposed through the firewall, the fewer potential attack points an internet-based attacker could exploit.


Always implement the vendor's best practices for deploying services inside a firewall.

Configure firewall traversal of media streams in an appropriate manner.

Remote management ports should be disabled (outside the firewall) if you are unable to protect them.

Never open more ports than required to the external world. Use sizing and proper calculation methods to define the number of ports required.

Have an alerting mechanism in place to detect any attack coming from the external world.
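One way to turn the port-sizing and exposure-review points above into a repeatable check, as an added example that is not from the original article or any vendor: the per-session port assumptions (one RTP and one RTCP port per stream, audio plus video per session), the management-service names and the sample rule set are all constructed.

```python
# Added example: size the external media port range and audit exposed UC services.
# Assumptions (constructed, not from the article): 2 ports per stream, 2 streams per session.
import math
from dataclasses import dataclass

PORTS_PER_STREAM = 2      # assumption: one RTP port + one RTCP port per media stream
STREAMS_PER_SESSION = 2   # assumption: audio + video per session
# Remote management services that should not be reachable from the external world.
MANAGEMENT_SERVICES = {"ssh", "rdp", "snmp", "admin-https"}


def required_media_ports(peak_sessions: int, headroom_pct: int = 20) -> int:
    """Size the externally exposed UDP media range from peak sessions plus headroom."""
    if peak_sessions < 0 or headroom_pct < 0:
        raise ValueError("sizing inputs must be non-negative")
    base = peak_sessions * PORTS_PER_STREAM * STREAMS_PER_SESSION
    return math.ceil(base * (100 + headroom_pct) / 100)  # integer arithmetic, no float drift


@dataclass(frozen=True)
class ExposedRule:
    service: str
    proto: str
    first_port: int
    last_port: int
    justification: str = ""   # empty: nobody documented why this is open

    @property
    def width(self) -> int:
        return self.last_port - self.first_port + 1


def audit_rules(rules, media_ports_needed: int):
    """Return (service, finding) pairs for rules that violate the exposure guidance."""
    findings = []
    for r in rules:
        if r.first_port > r.last_port:
            findings.append((r.service, "invalid-range"))
            continue
        if not r.justification.strip():
            findings.append((r.service, "unjustified"))
        if r.service in MANAGEMENT_SERVICES:
            findings.append((r.service, "management-exposed"))
        if r.service == "media" and r.width > media_ports_needed:
            findings.append((r.service, "oversized"))
    return findings


SAMPLE_RULES = [  # constructed rule set for a hypothetical UC edge
    ExposedRule("sip-tls", "tcp", 5061, 5061, "remote sign-in and federation"),
    ExposedRule("https", "tcp", 443, 443, "web conferencing"),
    ExposedRule("media", "udp", 50000, 59999),                # 10,000 ports, no justification
    ExposedRule("rdp", "tcp", 3389, 3389, "vendor support"),  # remote management on the edge
]

if __name__ == "__main__":
    needed = required_media_ports(peak_sessions=50)
    for service, finding in audit_rules(SAMPLE_RULES, needed):
        print(f"{service}: {finding} (media ports needed: {needed})")
```

Run it against an export of your own edge rules; every finding should map back to a documented justification or a change request.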


Secure Unified Communication Sessions via VPN Tunnel

Many organizations need VPN devices to connect to remote locations (offices or homes). You should find a secure VPN solution to connect remote locations. Many of these VPN devices include built-in firewall capability as well. Ensure that the VPN device supports the audio and video traversal provided by the UC vendor. There are VPN devices with default VoIP-related settings; it helps to have such devices if your VPN tunnel is carrying VoIP traffic.



Update Unified Communications Systems & Endpoints

Unified Communications (UC) systems (servers, appliances and clients) should be updated with the latest patches (especially security patches) as soon as the updates are released. In most cases, attackers don't take much time to exploit vulnerabilities once they are discovered.

A myriad of endpoints connect to the UC platform, which increases its threat profile. An organization must ensure that the latest appropriate updates are applied to all systems (servers, appliances, devices, etc.).


Overall Summary

A Unified Communications (UC) platform operates in real time, which means it needs to be secured in real time. Security planning for UC systems therefore needs to be handled a bit differently than for other systems, and it needs fresh ideas to establish security practices around the UC platform.

It is natural and wise to ensure that the UC infrastructure is configured in alignment with compliance and audit requirements. This is the first step towards avoiding additional security risks.

You should have audits conducted at regular intervals; this is the best way to check whether any gaps exist. An organization should deploy a proper intrusion detection and prevention system to secure UC platforms. External auditing, if allowed by the firm's compliance rules, is the best way to find serious threats.

Understand the best practices suggested by the vendor. Vendors evolve these practices after dealing with various customers. Debate these practices in detail before rejecting any of the suggestions.



7 Comments

Tom

May 8 2016 8:24PM

Securing UC systems is a tough task. Involves complex solutions. :(

Ram

May 4 2016 9:16PM

@Manak: Well, Microsoft claims to have obtained third-party audits and certifications, which are listed on this site.

https://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Security_Audit.htm

Is there any specific sec concern?

Manak

May 3 2016 9:56PM

Is online service of SFB secure?

Ram

Apr 29 2016 8:00AM

@John SRTP is used to encrypt media traffic in Lync/SfB environments... TLS/MTLS is used during communication with foreign (PSTN etc.) elements.

John

Apr 29 2016 7:58AM

What encryption technique is used when an audio/video call session is established in SfB/Lync?

Jagat

Apr 29 2016 7:48AM

"Unified Communications (UC) platform operates in real time, which means it needs to be secured in real time."

THE MOST RELEVANT SENTENCE!!!

Roger

Apr 29 2016 7:45AM

Comprehensive and thoughtful!