Unified Communications Creates New Security Concerns

By Tara Seals

You can call it one of those blessing-and-curse situations.

Unified communications holds the promise of productivity because it simplifies communication across networks and devices.

That sounds good for business until one considers the potential security implications — all those non-corporate-sanctioned devices. Home phones. Skype clients. Consumer access points. 3G data cards. The IP telephony features on the corporate router. All are potential vulnerability points.

That said, the problem with UC is that it simplifies communication across networks and devices.

“With UC, you’re getting more traffic in places where exercising control is more difficult,” said Victor von Schlegell, president at hosted VoIP and UC provider Appia Communications Inc. “There are hybrid networks now, so someone with a modem can gain backdoor access from one IP network across the PSTN to another IP network. Or say you get an unauthorized AP, and then all of a sudden a soft client can be used to perform toll fraud in a way you didn't have to worry about before. It’s just more complex to consider than ever before.”

Unified Communications - The Threat

The top potential security threats include voice spam (known as spit), toll fraud, DoS attacks, and eavesdropping or interception. Spit, in particular, raises the specter of productivity-sucking trouble: made possible by VoIP, it’s essentially a junk phone call to any phone. And because it’s IP, it can take the form of mass junk phone calls. Imagine the flooding of voice mail boxes (and potentially e-mail inboxes and SMS repositories thanks to UC-enabled voice-to-text settings) and the constant ringing. It’s enough to cripple a business.

“As the cost comes down for connecting to global networks — regardless of how that access takes place — spit is going to become an increasing issue,” said Andy Zmolek, senior manager for GCS security technology development at vendor Avaya Inc. “Sure you have junk faxes and automated calling in the TDM world, but it’s sufficiently expensive so that it's not high-volume like spam. But VoIP can eliminate that barrier. It’s not yet a big problem now, but as interconnection costs get closer to zero it will increase.”

Then there’s toll fraud, where a ne’er-do-well makes calls using someone else’s network.

“Toll fraud's not new, but we're seeing new modes for attacking,” said Zmolek. “For instance, you can access IP telephony features on a LAN through a rogue AP, which may be outside of the office building. Or, you can do the same thing through the use of soft clients that don't protect the access credentials adequately.” Eavesdropping can be done this way as well — a potential nightmare for the health care, financial, legal and government verticals, all of which have privacy mandates.

DoS attacks — familiar to most as the culprit behind a legion of Web site crashes and e-mail outages — also have come to the UC world. “The problem in data is that you get delay with DoS,” said von Schlegell. “But people can live with it. If you get latency in voice or video, then the conversation degrades to the point where you can't hear or see at all, and that’s your mission-critical communications.”

All of these categories are being further enhanced with the ever-increasing mobility found in the enterprise world. “Apple’s iPhone has reignited the debate over consumerization — when new technologies are introduced into the consumer market and then brought into the enterprise market — with employees determined to integrate their personal devices with their enterprise applications,” explained Daniel Okubo, technology analyst with Datamonitor. He predicts global enterprise expenditure on mobile devices will grow from $6 billion today to an estimated $17 billion by 2012, which highlights the need for mobile device policies and services, reluctant though the IT department or service provider may be to take on such a wide array of potential endpoints.

Unified Communications - The Lock Down

With all the sub-threats encompassed in those four areas of danger to consider, what’s a service provider to do? Fortunately there are remedies.

“You have to look at security in a holistic way,” said Kevin Flynn, senior manager of security technology marketing for UC at Cisco Systems Inc.

“Moving from VoIP to all the things they can do on top of that means you have to look at the infrastructure, phones, applications, firewalls — and it’s not just about encryption and authorization. You want defense in depth.”

One good starting point is separating voice and data traffic on different virtual LANs. “You don’t want activities in data traffic — DoS, viruses, worms — to affect what’s happening on the voice side of the network, so separating traffic and allowing only certain aspects to coincide with the voice and UC framework is key,” said Flynn. “Sometimes data applications cross over into voice, as with a softphone, so the firewalls within the infrastructure need to be voice-aware to open up those ports as needed.”

Another strategy is to implement a monitoring policy. “For intrusion detection, any anomalies are identified and isolated,” said von Schlegell. “Then we perform traffic analysis, where you can set limits and say, 'If certain kinds of traffic exceed the preset boundaries set on experience, then there's something going on, let's go look.' That way you can resolve it quickly before it gets out of hand.”
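The limit-based traffic analysis described above can be sketched as follows. This is an added example, not code from the article or from any vendor quoted in it; the call-record fields, traffic class names, sample data and the mean-plus-three-standard-deviations boundary are all assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history: calls per hour for each traffic class on normal days.
HISTORY = {
    "inbound": [18, 22, 20, 19, 21, 20, 23, 17],
    "international": [1, 0, 2, 1, 0, 1, 1, 2],
}

# Constructed CDRs for the window under review: (hour, source, traffic_class).
CDRS = (
    [(2, "softclient-17", "international")] * 12    # off-hours burst
    + [(10, "trunk-a", "inbound")] * 21             # ordinary business hour
    + [(11, "198.51.100.7", "inbound")] * 80        # one source, mass calls
    + [(11, "trunk-a", "inbound")] * 10
)


def limits(history, k=3.0, floor=5):
    """Preset boundary per class: mean + k standard deviations, at least `floor`."""
    return {cls: max(floor, mean(c) + k * pstdev(c)) for cls, c in history.items()}


def analyze(cdrs, lim):
    """Return (hour, class, calls, top_source) for each bucket over its boundary."""
    by_bucket = {}
    for hour, src, cls in cdrs:
        by_bucket.setdefault((hour, cls), Counter())[src] += 1
    alerts = []
    for (hour, cls), sources in sorted(by_bucket.items()):
        total = sum(sources.values())
        # A class with no history gets a boundary of 0, so any such call is flagged.
        if total > lim.get(cls, 0):
            alerts.append((hour, cls, total, sources.most_common(1)[0][0]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(CDRS, limits(HISTORY)):
        print("investigate:", alert)
```

The floor keeps a quiet class such as international calling from alerting on one or two extra calls, while the top source in each alert gives the analyst a starting point for isolating the endpoint.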

Paresh Mehta, VoIP product line manager at Nortel Networks Ltd., said other techniques for security include ensuring the privacy and integrity of conversations on switched networks by implementing the Layer 2 security features of edge switches, and employing network access control techniques to authenticate and validate all endpoints as they connect.

Also, as more interoperability happens between UC systems, traffic will begin to flow between companies, widening the threat. "Today's business model has drastically changed, with relationships and networks spanning the globe," said Kerry Bailey, vice president of Verizon Business security solutions. "While these intertwined global relationships can bring significant growth, they also introduce risk.”

To that end, Verizon Business announced in April enhancements to its Partner Security Program, which helps customers address the increased security risks associated with opening up corporate networks to partners, vendors, customers and other business units. Those enhancements consist of additional support for the Payment Card Industry Data Security Standard (PCI DSS), customized reporting capabilities across multiple security standards and regulations, as well as the ability to better manage supporting documentation. The enhanced program provides an extended enterprise — a business and all its locations, customers, suppliers, partners and employees — with a comprehensive view of its partners' information security activities and a Web-based platform for automated compliance management and reporting.

As for mobile device issues, basic security capabilities will include the ability to lock devices remotely, wipe them back to their factory settings and block certain applications from being loaded. “Employees must be made aware that it is important to report lost or stolen devices immediately, and they should not use their mobile devices to transfer sensitive company data,” said Datamonitor’s Okubo.

Carriers like Vodafone have started realizing the problems that many enterprises face in managing devices, especially in a unified communications scenario, and have started offering hosted device management solutions that include remote lock and wipe, remote diagnosis and repair, and automatic over-the-air updates. These can be layered on top of a managed or hybrid UC service.

Unified Communications - The Holes in the Fence

Despite all the security techniques and strategies available for the service provider, however, a good chunk of the responsibility still lies within the enterprise itself.

“I don't think you'll find many companies and organizations willing to just let the service provider do it all, because there’s too much at stake,” said von Schlegell. “But some are starting to say, ‘In addition to our efforts, over and above what we do, you can provide another layer of security.’”

Another cultural issue service providers may run into is the problem of expertise, or rather, the lack of it. “If you're responsible for security, it’s likely that you were either trained on data security or voice, not both,” explained Zmolek. “Very few have enough experience in both realms to create an accurate threat model.

“That tends to lead to most organizations staying on safe ground, scanning voice and firewalling it just like any other app, and meanwhile blind to threats outside traditional models.” That ends up leading to governance processes that either have gaping holes, or just don’t work. “When they try to address this new UC world without thinking about both sides, security becomes obstructionist,” said Zmolek. “A lot of things that map well from one app to another start to fall apart when you get to voice. I’m not seeing a coherent approach where people can agree on how we're going to change the security model. People are starting to realize how ugly the sausage is and they're holding off.”

For instance, alphanumeric passwords are fine for PCs and mobile handsets, but to enter such codes on a standard telephone requires the creation of a custom interface. “So it eliminates some endpoints,” said Zmolek. “Or it gets complex, as in, how do I enter a semicolon?”

Another issue arises when service providers are involved in offering hybrid services — a mix of on-premises solutions and managed services — or simply are providing the connectivity and nothing more.

“The primary concern from an enterprise perspective is securing and offering authentication access to the service provider for integrating with [a UC platform like] Microsoft’s Office Communications Server and Exchange, which is hosted in the enterprise LAN — and its interconnection with a service provider’s network,” said Mehta.

Zmolek noted that with so many different UC systems, infrastructure providers and carriers, it’s time to have an industry-wide conversation on security. “In the old days, there was one throat to choke,” he noted. “Now there’s no one dominant player. Carriers want one thing, vendors are concerned about interop — and the most interoperable solutions tend to be the least secure — and customer demands vary widely. We’ve got to get everyone to the table.”
