UC Security Essentials Already in Place
Securing unified communication systems just comes down to doing what you already know how to do.
UC adoption, once seen as unavoidable around 10 years ago, got snared in the economic downturn. But now, say the experts, the time is here as more companies upgrade their communications and that will mean adopting the basic unified communications (UC) toolbox.
“Unified communications will be the big area of innovation in enterprise IT,” said Dave Martin, a vice president at Edgewater Networks, a company that focuses on security for VoIP systems. “The drivers are there. Enterprise will see lower costs and improved productivity with the right UC network.”
Question: what is unified communications in 2011? The question is good, but definitions vary. Dennis Usle, senior network engineer with Evolve IP, offers this baseline definition: “To me, UC means VM [voice mail], e-mail, IM [instant messaging], VoIP, and IP video in one system.”
Other definitions may add in faxing, data sharing, and presence (where you are geographically and if you are busy or not) info.
While no definition is "right," any definition of UC usually involves a substantial upgrade and expansion of workplace communications tools.
An irony is that UC, as defined at a baseline level, isn’t very different from the free or very low cost offerings from Skype and Google Voice that more and more of us have cobbled together on our own. But that reality is helping fuel UC adoption inside the enterprise.
“Smart employees will use UC whether the company supplies them or they bring their own. It is better if the company takes control,” said Mike Masters, vice president for secure messaging solutions at Telos, a secure network developer with many defense related clients.
The bad news is most UC installations, which typically involve piecing together a network of legacy assets with purpose-built UC tools, also comes with significant security vulnerabilities.
“New technologies bring new vulnerabilities,” said Usle.
The good news: “I have not yet heard of any high profile attacks on UC systems,” said Martin. But, just as quickly, he added substantial reasons for worry: “Attacks are however very, very possible.”
Note, too, many enterprise UC systems are frequently nibbled at by two-bit crooks. “The most prevalent risk? Someone finds a way to spoof your phone number,” said Steve Johnson, U.S. president for Ingate Systems. “Then they make expensive calls.”
In some cases that enterprising individual even sells access to the enterprise system “ ... this happens most on Christmas Day,” said Johnson. Significant charges can be incurred, particularly because the calls usually are to very high cost numbers in countries such as Bangladesh.
“This is the most common threat,” said Johnson, who added that, generally, it is easy to put a halt to this telephonic larceny. “You need strong passwords." But for employee convenience some companies use basic passwords; sometimes none at all from certain registered devices and this leaves a wide opening for petty crooks.
Beyond strong passwords, the other need is “an SBC that enforces rules,” said Johnson referring to session border controllers. These devices that are inserted into UC systems precisely to protect the perimeter. Set up right, an SBC should be able to thwart run-of-the-mill telephony crooks. But they also should be able to provide protections for data and other, more worrisome network penetrations.
Said Usle, “... so much of securing UC comes down to following the best practices we already know.”
Case in point: IMs. The way to do this wrong is to enable unencrypted IMs. “I cannot imagine allowing that,” said Masters, who added that IM encryption is proven, well-established technology, but not every company insists on encrypted IMs and those are the businesses that may find themselves with security issues in their UC. But it is easy enough to write rules that permit only encrypted IM on a network. Do that and the problem is solved.
Another, thorny issue in UC today: what to do with the many devices individual users brings to corporate networks and then they seek access to enterprise data. “Securing these devices requires an in-depth layering approach,” said Usle, who indicated that "layering" is the buzzword du jour in UC security circles these days. Layering is where different policies are implemented for different devices and different people.
“The question is how do we limit who is accessing the data?” said Usle.
Data protection represents a wholly new frontier for UC security. In the days of POTS (plain old telephone system), frankly few worried much at all about security. "It never was much of an issue with old telephones,” said Johnson. Voice call eavesdropping was about the only threat out there but now UC is a gateway to all an enterprise’s communications and that raises the security bar.
“There are lots of threats, lots of challenges that arise with UC,” said Usle. “Security starts with good enterprise policy.” Set out who can do what, with what devices, involving what password protections and that is a big step towards making UC as secure as it needs to be. “We know what security policies need to be followed. It comes down just to following them.”
As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation's leading publications -- from Reader's Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain's New York, and Fortune Magazine.