Is It Safer? The Complexities of UC and Security - Page 2

Linking infrastructure elements and applications in a UC mesh clearly changes the security picture. What isn't clear is whether it is for better or worse. On one hand, a unified infrastructure can reduce the steps necessary to achieve a universal result, such as denying access to a terminated employee. On the other hand, it can enable a single vulnerability to affect the entire infrastructure.

 By Carl Weinschenk
Page 2 of 2   |  Back to Page 1
Print Article
"We had a vulnerability about a year ago which was a VoIP-to-data exploit,” he says. "If the company was running VoIP and had laptops with VoIP clients, in some cases attackers could attack the client and gain control of the laptop. That was an example of using one vector and jumping out to take control of a different system. [If successful], they would then own the entire network or PC and gain access to any network resource, including those on the data side.”

Boone added that presence data itself must be protected. Information conveyed in presence functions – that the CEO is traveling, for instance – is valuable to phishers, who have been known to do a lot of damage with even less information. 

The world is made of various shades of gray. Two distinct scenarios – one in which all communications services are unified and another in which they all are discrete – are not common. Far more often, Sears says, there are variations on the two themes.

Two Scenarios Mix, Complexity Ensues

The mix of the two scenarios is complicated by several other factors. Employees often use tools and applications that, in Sears' terms, are "self-adopted.” This was common several years ago in the wireless LAN segment, when workers would simply plug in a consumer-grade access point to create an ad hoc work group. It also is evident today in mobility, as more people use their powerful smartphones and other devices for work – many without thinking twice about it. The IT department generally is not even aware of these rogue devices and platforms and, consequently, can't secure them.

The second complication is that the seemingly exponential rise of mobility makes it almost inevitable that unsecured networks – such as the open Internet – are part of the security mix.

Finally, the desire to use Web 2.0 tools to reach to partners, suppliers, the public and other outsiders complicates the policies under which the organization works. A UC policy for internal use likely will be different from security steps taken to protect public-facing Web 2.0 collaboration tools, which in some cases come under the UC umbrella.

None of these issues are specific to unified communications. They simply change when they occur in a unified communications infrastructure.

That change can be for the better if the creation of an efficient multi-application security infrastructure is created. There is danger, however, if steps are not taken to limit the chances that an entry point into the unified communications infrastructure allows a worm, virus, phishing exploit or other kind of attack to affect the organization's entire communications infrastructure.


This article was originally published on Dec 22, 2009
Get the Latest Scoop with Networking Update Newsletter