Security & Compliance - Unified Communications as a Service (UCaaS)

"If you spend more time on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked." Richard Clarke, White House Cybersecurity Advisor, 1992-2003

Extending the entire spectrum of Unified Communications (UC) features to remote and guest users has opened another Pandora's box from a security and compliance point of view. Nowadays, UC services are hosted by the OEMs in the cloud. Does that mean it is only their responsibility to secure your enterprise's communications? Of course not! In this article, we explore some of the important security factors that an organization needs to consider before deploying a secure and compliant unified communications system.

Data Residency

Organizations operate under local regulations. Some countries make it mandatory for organizations to store data specific to their citizens inside the country. Leading OEMs like Microsoft, Cisco and Zoom are quite sensitive to this requirement, and their cloud locations are spread across regions to support it. An organization should also review the location of data at rest for third-party services (those integrating with MS Teams, for example).

Data Residency in Microsoft Teams

Data Residency in Cisco WebEx

Data Residency in Zoom

Privacy Control

Many organizations are not comfortable sending certain types of data to OEMs or third parties. It is important to list such requirements in detail and then check whether the proposed collaboration platform, such as Microsoft Teams, WebEx or Zoom, allows you to configure privacy settings at the required level. OEMs like to receive various sets of data for diagnostic purposes; it helps them keep applications secure and up to date, remediate problems and so on. It is for the organization to decide what level of data may be shared with the OEMs.

Privacy Controls in Microsoft Teams

Privacy Control in Cisco WebEx

Privacy control in Zoom

Data Encryption

Growing adoption of UCaaS means more of your data travels over the internet, which increases the chances of security breaches such as denial-of-service attacks, identity theft, spoofing and malware attacks. An effective way to neutralize these threats is end-to-end encryption (E2EE). A platform supporting E2EE encrypts the content before it is sent, and only the intended recipient can decrypt it.

End to End Encryption in MS Teams

End to End Encryption in Cisco WebEx

End to End Encryption in Zoom

Firewall Protection

Experiencing call or video quality issues? One of the tricks used to fix them is to turn off the SIP Application Layer Gateway (ALG) feature of the firewall. So, what's the big deal about it? Nothing, just that it invites cybercriminals to steal data or direct DDoS attacks. Isn't that a standard security issue faced by any organization? Securing UCaaS is not only the responsibility of the OEM. It is a shared responsibility, because the endpoints, call flows and so on are still in your network even though platforms like Teams or WebEx reside in the cloud. Your firewall must be configured following the OEM's recommended best practices. In addition, a well-designed and properly implemented Session Border Controller (SBC) helps organizations secure media traffic.

Zscaler and UCaaS

Identity Management

Single Sign-On (SSO) and Multi-Factor Authentication (MFA) are essential ingredients of UCaaS solutions nowadays. Together, these features provide ease of access and security. An organization must assess and evaluate the related configuration options provided by UCaaS platforms. The target UCaaS platform should be able to protect access to resources and data using strong authentication and risk-based adaptive access policies without compromising user experience.

Spam & Fraud Control

This article suggests that Americans got 50 billion spam calls in 2020. These spam calls are not only annoying but dangerous too: they may be designed to siphon money and personal information from unsuspecting recipients. An organization must have a plan to control spam and fraud calls at different levels, such as service providers, gateways and end users. Platforms like WebEx or Teams do provide spam control features, but that is not sufficient. An organization needs a broader strategy, in close coordination with service providers, SBC manufacturers and third parties, to control spam and fraud calls.

Certifications

At the end of the day, it is important for an organization to check the level of security and compliance certifications that the proposed UCaaS platform offers. Broadly speaking, there are three types of certifications: GDPR, HIPAA and ISO/IEC.

Compliance & Certifications – WebEx

Compliance & Certifications – MS Teams

Compliance & Certifications – Zoom
