In-Depth
Mitigating the Security Risks of Unified Communications
How to protect yourself from the threats posed by unified communications.
By Marie Bowman
Enterprises are opening up -- in the way they provide employees with access to company data and applications (either on or off company campus) and in the way they interact with customers, partners, and suppliers. This openness paves the way for more collaborative, interactive and co-dependent business models -- the promises of unified communications (UC).
Although the reasons for making these changes are often compelling, enterprises should recognize that the move to more open and flexible working practices brings new challenges for compliance and corporate governance, along with potential exposures to security risk and business resilience that are not necessarily addressed by existing plans and contingencies.
Security is a major concern for businesses in all areas of IT, and unified communications is no exception.
Unified communications includes instant messaging (IM), the telephone, VoIP, web and audio conferencing, desktop video and other real time communications which can each present a company with serious security risks if proper security controls are not put in place.
Moving to a UC structure can be a daunting task, but it affords many benefits to an organization including:
- Off-campus access to company applications and data: Allowing employees to access applications and information from another fixed location (such as the home office) or through a combination of networks and devices that are accessible from either fixed locations or on the move, via wired or wireless networks.
- Flexible access to data and information as employee needs change: Provisioning an information access policy that is flexible and dynamic enough to reflect the changing requirements of employees as they move between projects and virtual teams -- as opposed to implementing and policing flat, hierarchical, umbrella data and information access policies.
- Integrated, collaborative systems for value-added partner, customer, and supplier interaction: Integrating applications and data-access points to company applications with core suppliers, partners, and customers to provide a more enriched customer experience and better collaboration, efficiency and stronger partnership with core partners and suppliers.
- Transformation of IT architectures from "silo" systems to virtualized, SOA-based operating structures. This may include completely integrating the operation and function of core IT infrastructure and applications to allow for flexible, on-demand access across applications to build the information model needed -- according to the current business process.
Any changes to technologies or strategies raise issues about security and resilience. To adopt UC successfully, an enterprise must address the risks associated with the changes in these areas to limit the chance of failure or security breach that could damage a company's reputation, not to mention risking vulnerability of sensitive proprietary information.
The risks also need to be considered from a governance perspective. Increasingly, enterprises are required to take further action to mitigate risk, and must be able to prove compliance not only to auditors but also to their current and prospective customers.
Without considering all of these factors, as well as business resilience and recovery, an organization cannot successfully begin the move to a UC environment and realize the benefits of a truly flexible and secure architecture.
CIOs are concerned with UC security issues, particularly the unauthorized interception of VoIP, instant messaging, spoofed caller ID or IM identities, and denial-of-service attacks on the communications infrastructure. These breaches can compromise confidential information and seriously disrupt business processes.
An example of this is eavesdropping, or the unauthorized interception of VoIP, instant messaging or other traffic. Once a hard or softphone is compromised, its conferencing or handset/headset microphone can be activated without the phone being taken off the hook. This could enable remote eavesdropping on private conversations taking place in person.
In addition, attackers can create spoofed caller ID or IM identities to suggest that they are contacting employees in an official capacity (such as IT support). The attackers coax recipients into revealing confidential information (such as passwords) so further attacks or information leakage can occur.
A denial-of-service attack is another method with new and specific applications in the UC world. Although it was virtually unknown with traditional telephony, today's attackers can aim to disrupt the communications infrastructure by swamping or crashing phones or networks, leaving the organization unable to communicate via e-mail or phone and rendering it effectively closed for business.
Performing such compromises may not be easy, but the changing nature of security attacks -- from amateur to professional, from general to targeted -- means that these techniques will be developed and available to anyone for a price.
How can your enterprise protect itself against these threats?
First of all, knowledge is power. Perform a risk assessment before undertaking a UC project. Assess where additional support is needed to protect the organization from an attack; only then is it possible to take steps to mitigate the risks. This can also help prioritize already pressured security budgets by tackling the areas of greatest risk first.
Based on these priorities, your enterprise can implement the required technologies and services to mitigate risks. This could be the implementation of an identity management solution to ensure that only authorized employees have the right to access systems, allowing collaboration while preventing unauthorized access. It could also be the implementation of network security controls such as firewalls and content security solutions to prevent attacks by hackers or viruses that could take your systems offline.
Then, consider the legal angle. As with any other electronic communication tool, corporate messages sent via IM are just as binding and open to litigation as those sent using e-mail. Legally, no difference exists between them; both kinds of message can be stored, recorded, and reproduced. As such, they need to be retained in accordance with government and industry legislation. Also note that even acts that are expressly forbidden can lead to potential liability -- the fact that IM is not allowed is not necessarily a valid defense.
In addition, the enterprise must implement security management policies. Peer-to-peer (P2P) programs are one example of greynets: real-time communication applications often installed by end users under the radar of central IT and that bypass security and management controls. Programs such as unauthorized IM, P2P file sharing, and Web conferencing can use highly evasive techniques to circumvent existing security infrastructures such as firewalls.
If unmonitored, these programs can allow employees to send confidential company data outside the network, either accidentally or maliciously. Without strict security management policies in place, no matter how secure the firewall, data could still be at risk of falling into the wrong hands.
Moving to a unified communications environment is the future. It gives companies a competitive edge, reduces costs, and allows greater collaboration. However, these companies must ensure a UC security plan is properly implemented with a trusted partner who understands their particular security risks and can mitigate them effectively.
Marie Bowman is the global marketing manager for security at Siemens Enterprise Communications. You can reach the author at marie.bowman@siemens.com.