We are living in a digital world. Our day-to-day life whether it is personal, or official is all or most of it is digital. Digital has become an integral part of our lives and is hard to image a life without digital. While digital technology is driving the global economy, cybercrimes are bleeding the globe economy.
Unified Communications (UC) which encompass phone voice and video calling, instant messaging, meetings are core to all the digital apps. Online shopping, ordering groceries & food, booking cabs, online classes, mobile banking is made easy because of the seamless digital interactions possible through multiple channels like SMS, Email, Calling, messaging, meetings between business and consumers powered by UC
Unified Communications (UC) data is sent as IP packets on the internet and is prone to cyber- attacks. According to the Jun 2021 report published by Communications Fraud Control Association (CFCA), revenue from global telecommunications industry in 2020 stood at $1.5 trillion and approximately 1.86% of global telecom revenues could have been lost to fraud.
Therefore, it becomes critical that the business communications networks and systems must be protected against cyber-attacks.
Businesses around the world are migrating their business applications from on premise to cloud to take advantage of the speed of innovation, reduce costs and maintainability overhead, scale as needed, network reliability so they can focus on achieving the business goals. Software as a Service (SaaS) is becoming the new norm and Unified Communications is no different.
Businesses are transitioning their premise-based UC solutions to cloud based Unified Communications as a Service (UCaaS).
Let us understand the security considerations to protect unified communications estate
1. Security Plan
An effective UC security plan requires a good understanding of threats to UC systems, how to mitigate these threats and how to proactively keep these systems safe and protected in the long term. UC Security plan includes UC Application Security and UC Infrastructure Security. UC Application Security includes security elements like host intrusion detection and prevention systems, firewall and security access points. UC Infrastructure security refers to physical hardware security like UC server, hard phones and network security like routers, switches, voice gateways etc.
2. End to End Data Encryption
UC capabilities like calls, video, messaging, meetings, screenshare breakdown to signaling, media and the data. These flow from one UC server to another UC server, from a UC server to UC end point and from one end point to other end point. These data transmits in plain text will
have a devastating effect on organizations. Hence every UC Platform must encrypt these data end to end and use latest encryption algorithms. TLS (Transport Layer Security) and SRTP (Secure Real Time Protocol) for media are two widely used protocols in UC ecosystem
3. Firewall and SBCs
Like for any other data network, Firewalls are the first line of defense for any Unified Communications network. Firewall monitors and controls the ingress and egress network traffic of corporate network. It blocks malicious software or un-authorized entry. However, firewall alone is not enough to protect real time UC traffic such as voice and video. Enterprises incorporate VoIP firewalls, Session Border Controllers (SBCs), and secured SIP trunk to protect UC networks from common attacks like DDoS and IP spoofing. SBCs also provide real time computational services such as Intelligent routing, SIP translation and QoS which help in network reliability
4. Role Based Access Controls (RBAC)
The biggest threats to UC security come from within the business environment if every user or a local admin have access to more than what they need to perform their work. Therefore, enterprises must control who should have access to different UC systems and tools and RBAC functionality within UC system helps on the same.
RBAC is the process of granting resources to users based on their role in the company. With individuals in each role granted just enough flexibility and permissions to perform the tasks required for their job, the organization reduces the overall attack surface and level of vulnerability for cyber-attacks.
5. Secure Remote Workforce
We are in a world of remote and hybrid work with a distributed workforce. UC solution provides a collaborative platform for distributed workforce to work efficiently as one team. Therefore, communication link between company UC systems and remote users must be secured to avoid data leak. VPN (Virtual Private Networks) as we know is the traditional mode of establishing a secure tunnel between the remote user system which can include a software UC app running on a laptop or a VoIP phone at home and the corporate UC systems in the data center. VPN has its own limitations and constraints and is not designed for cloud services. Modern cloud-based collaboration services provide a VPN less connectivity for remote workers which is easy and highly secure
6. Call Monitoring for Fraud Prevention and Detection
Vishing, scam calls, spam calls are common across businesses of all sizes. Black-Hat hackers can hijack UC services for long distance calls and other expensive communications which can cost business a huge sum. Businesses should choose UC solutions that have in-built toll fraud protection mechanism that can detect fraudulent call and alert the concerned personnel.
7. Authenticate Users, Products, Services and End Points
Every entity on the internet must migrate to Zero Trust security. An entity could be a user, product, service, or end point, the software must challenge these entities to prove their identity before establishing a connection. This prevents many security attacks. Password based and certificate-based authentication are the most used authentication mechanisms in UC systems, while modern UC systems support multifactor authentication or Biometric for stronger authentication along with oAuth for authorization and SAML 2.0 based single sign-on thus reducing the security surface attack
8. Compliance and Privacy
UC systems generate tons of customer and company data. Data originates from multiple channels like meetings, audio and video calls, SMS messages, chat. These data contain sensitive information which needs to be protected. Government bodies across the world have enacted laws for data privacy and protection. UC solutions from UCaaS providers must comply to these laws to do business in these countries and reduce the risk of cyber-attacks. For instance, General Data Protection Regulation (GDPR) is one such law on data protection and privacy in the European Union (EU)
9. Disable unnecessary services
Unified Communications bundle plethora of features and services but often organizations need subset of these features. Therefore, organization must assess their business needs and turn on relevant services. This will lessen the potential attack surface thus improving the security. It will improve the performance as there will be less traffic on the server and the network
10. Run latest UC software
As the saying goes security is a continuous journey. As technology evolves, new software adds up which will open holes for the hackers to sneak into the system and mess with it. UC system software is built with many open-source libraries. We have a larger community of developers testing the open-source software, reporting issues, and fixing them. In the same breath, UC providers are investing on ethical hacking (a.k.a white-hat hackers) for detection of security defects. The software updates with these security defect fixes release on regular basis. While for UCaaS, the UC providers shall keep the cloud UC software up to date but for premise-based UC businesses must timely update software to reduce cyber security threats