Unified Communications Security Considerations
A Unified Communications (UC) platform extends various modalities (chat, presence, audio, video, file sharing, desktop sharing, etc.) to authenticated and anonymous users. These users connect from inside and outside the organization's network. The range of modalities and endpoint locations makes the UC platform vulnerable to security threats. Hence, it is critically important to implement a mature framework to deal with the security concerns around it.
This article discusses security considerations for protecting unified communications products and services from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. The framework involves a complex process that needs to be continually reviewed and updated.
Let’s begin with the commonly seen security challenges:
- How to protect the firm's sensitive data during meetings, chats, calls, file sharing, etc.?
- How to ensure that no data is modified in an unexpected manner?
- How to ensure there is no violation of compliance and regulatory requirements?
- How to enable maximum UC features for external users without compromising integrity?
- How to handle malware/viruses?
- How to secure the traversal of data to the external world?
- How to regulate the usage of BYOD?
- How to authenticate various users (internal and external)?
- How to manage encryption?
There are many more such challenges around the security of a unified communications platform. The list may grow further depending on the profile of your firm.
There should be thoughtful planning behind the authentication mechanism for real-time communications products, services and devices. A properly designed and configured authentication mechanism has a better chance of protecting the UC platform. It is recommended to use dual-factor authentication for external communications.
Each UC platform has its own way of implementing authentication. Ensure that you understand the options and validate them against the security standards of your firm. An authentication requirements assessment should consider the following aspects of sessions:
Additionally, you should have separate mechanisms to address the authentication needs of internal and external endpoints. Last but not least, weak passwords are the softest target for an attacker. An organization should plan and implement a complex password policy.
Allowing employees to bring in their own devices has many benefits. It increases the efficiency of the employee and reduces the cost to the firm. However, it comes with added security risks. An organization should define those security risks while implementing a BYOD program.
Data leakage on a personal device is a critical issue for a firm. Hardly any UC vendor provides a near-perfect data leakage solution for personal devices. You should assess the pros and cons of the options for dealing with data leakage originating from BYOD devices.
Applying (security) patches to the devices is another aspect. Because of the various shapes, sizes and types of devices, it becomes tactically difficult to apply updates to personal devices in a cohesive and centralized manner.
Planning and implementing data encryption on personal devices is another challenge. Different types of personal devices support different types of data encryption.
Personal use of devices carries a greater chance of bringing malware onto them. How do we treat various types of personal devices using a standard program?
In most cases, you need to relax the asset management standards to allow BYOD devices. You need to have a plan to counter each security relaxation extended to the devices.
At the end of the day, you should not compromise the security standards of the firm to increase productivity and reduce cost.
A UC platform helps tremendously in making the mobile workforce productive. However, we should be thoughtful in deciding which types of data and functionality are exposed through the deployment. The mobile workforce operates from various places (hostile and friendly). Organizations should define a security standard for the mobile workforce according to the threat profile of the firm.
It requires even greater encryption planning to secure the signalling, data and media packets originated by a UC platform. During my earlier career experience, I have seen organizations reluctant to implement encryption for VoIP infrastructure. Nowadays, implementing encryption is a must for a UC platform. There is an inevitable devastating risk if you implement a UC platform without encryption.
A UC platform should support standard encryption methods. This is to ensure that the packets are not distorted midway. As a result of weak or absent encryption methods, you can expect data loss and service disruption. Your organization’s encryption methods should consider the following scenarios:
- Server to server
- Server to client/devices
- Devices to devices
Also, you need proper encryption planning for the endpoints (authenticated and anonymous) connecting from the external world.
You should have clearly defined objectives for each of the services exposed through the firewall. The services could be presence, chat, remote management tools, audio, video, etc.
You shouldn’t place UC servers and appliances outside the corporate firewall. Each service and port exposed through the firewall should be justified. Always remember that the fewer services that are exposed through the firewall, the fewer potential attack points an internet-based hacker could exploit.
Always follow the vendor's best practices when deploying services inside a firewall.
Configure firewall traversal of media streams in an appropriate manner.
Remote management ports should be disabled (outside of the firewall) if you are unable to protect them.
Never open more ports than required to the external world. Use sizing and proper calculation methods to define the number of ports required.
Have an alert mechanism in place to scan for any attack coming from the external world.
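One way to run the checks above (every exposed service justified, no remote management port exposed outside the firewall, no more media ports open than sizing requires), as an added example that is not part of the original article. The rule format, service names, justification register and sizing rule (peak sessions times ports per session, plus headroom) are constructed assumptions; take real figures from your vendor's sizing guidance.

```python
import math

# Constructed sample of internet-facing allow rules: "proto port[-port] service".
EXPOSED_RULES = """\
tcp 443 signalling-edge
tcp 5061 sip-tls-federation
udp 50000-59999 media-relay
tcp 22 remote-management
tcp 8080 test-portal
"""
# Hypothetical justification register: service -> documented business reason.
REGISTER = {
    "signalling-edge": "external client sign-in, presence and chat",
    "sip-tls-federation": "federated partners",
    "media-relay": "audio/video for external users",
}
MANAGEMENT = {"remote-management"}  # assumed service naming convention

def parse_rules(text):
    """Parse rule lines into (service, number of ports opened) pairs."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        _proto, ports, service = line.split(maxsplit=2)
        first, _, last = ports.partition("-")
        rules.append((service, int(last or first) - int(first) + 1))
    return rules

def required_media_ports(peak_sessions, ports_per_session, headroom_pct=20):
    """Assumed sizing rule: peak sessions x ports per session, plus headroom."""
    return math.ceil(peak_sessions * ports_per_session * (100 + headroom_pct) / 100)

def audit(rules, register, media_need):
    """Return (service, finding) pairs for exposures that cannot be defended."""
    findings = []
    for service, count in rules:
        if service in MANAGEMENT:
            findings.append((service, "management port exposed externally"))
        elif service not in register:
            findings.append((service, "no documented justification"))
        elif service == "media-relay" and count > media_need:
            findings.append((service, f"{count} ports open, {media_need} needed"))
    return findings

if __name__ == "__main__":
    need = required_media_ports(peak_sessions=500, ports_per_session=4)
    for service, finding in audit(parse_rules(EXPOSED_RULES), REGISTER, need):
        print(f"{service}: {finding}")
```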
Many organizations need VPN devices to connect to remote locations (offices or homes). You should find a secure VPN solution for connecting remote locations. Many of these VPN devices include built-in firewall capability as well. Ensure that the VPN device supports the audio and video traversal provided by the UC vendor. There are VPN devices with default VoIP-related settings. It helps to have such devices if your VPN tunnel carries VoIP traffic.
Unified Communications (UC) systems (servers, appliances and clients) should be updated with the latest patches (especially security patches) as soon as the updates are released. In most cases, attackers don’t take much time to exploit vulnerabilities once they are discovered.
A myriad of endpoints connect to the UC platform. This increases the threat profile of a UC platform. An organization must ensure that the latest and appropriate updates are applied to the systems (servers, appliances, devices, etc.).
A Unified Communications (UC) platform operates in real time, which means it needs to be secured in real time. This means security planning for UC systems needs to be handled a bit differently than for other systems. It needs fresh ideas to establish security practices around a UC platform.
It’s natural and wiser to ensure that the UC infrastructure is configured in alignment with compliance and audit requirements. This is the first step towards avoiding additional security risks.
You should have audits conducted at regular intervals. This is the best way to check whether any gap exists. An organization should deploy a proper intrusion detection and prevention system to secure UC platforms. External auditing, if allowed by the firm’s compliance, is the best way to gain a serious perception of threats.
Understand the best practices suggested by the vendor. Vendors evolve these practices after dealing with various customers. Debate these practices in detail before rejecting any of the suggestions.