Features

Top UC Security Issues and Steps to Mitigate Your Enterprise Risk

By TMCnet Special Guest
Frank Semmler, UC security services portfolio manager at Siemens Enterprise Communications
  |  June 01, 2011

Collaboration demands, prevalence of handheld devices and increased communication flexibility within enterprises are driving the adoption of unified communications as the main strategy to manage effectively the integration of real-time multimedia communications. Since the benefits of UC are well recognized in the industry, the focus is shifting to a more critical mandate: protection directives that arm the enterprise with countermeasures to limit the threat of failure or a security breach.

A Changing Landscape Increases VulnerabilityIn the past, applications were developed and designed in silos, allowing companies to expand their productivity and capabilities. But they were hindered by integration issues with other systems. Today, enterprises demand information to flow across software products and devices. Building a bigger and more efficient network through UC is an advantage when it comes to managing workflows. Unfortunately, when multiple systems are tied together, the impact of any type of security breach or attack can be major. Security features and solutions need to be a mandatory part of the UC deployment process. Understanding compliance and corporate governance, limiting potential exposures to security risks and business resiliency all need to be addressed in UC security planning.

Let’s take a look at some of the common security objectives:

Availability

As services are being centralized, availability is a major concern when a business can be harmed by services that fail due to a major security incident. Prevention needs to be the focus; know the alternatives and options when a service or channel becomes comprised. Protection of your data center deployment against denial of service, spoofing protection, and audit and oversight measures should be employed.  

Confidentiality

Granting access can make for more productive employees. However, understanding the impact of unauthorized access to presence data and sensitive information can help prevent unwanted distribution of data. Applying user and device authentication coupled with encryption assures confidentiality is preserved.

Integrity

Service-oriented companies pride themselves on providing real-time information. A two-way channel relies on mutual trust; however companies need to ensure information exchange is valid and hasn’t been comprised. This level of security is achieved by using certificate-based authentication wherever possible.

Accountability

Tracking usage of sent and received messages, the amount of voice and video communication efforts and consumption of data from different parties sounds like Big Brother is watching, but it becomes critical when determining accountability. Enterprises need to be careful about privacy issues. Having identity and access management in place and deploying security information and event management within the organization facilitates auditing and helps to make users accountable. 

Use control

Placing rules and restrictions on data may diminish the user experience, but it can save the company in other areas including budget, legal issues and security of data transfers. Establishing proper security policies, rights management, content security and data loss prevention can form a foundation of controls that if communicated correctly ensures authorized users’ productivity within accepted boundaries.

SIP Threats and Countermeasures

To adopt UC successfully, the enterprise must address security risks to limit the chance of failure or security breach, which could potentially damage a company’s reputation, not to mention risking vulnerability of sensitive proprietary information. The session initiation protocol is the open standard for real-time communication and is the foundation of UC. To mitigate risks it is very important to protect SIP-based communication and SIP servers from being intercepted, compromised or put out of service.

Examples of common SIP threats and countermeasures an experienced UC provider should implement.

SIP-based attacks

Countermeasures

Denial of service

SIP deep message inspection and rate limiting using session border controllers and SIP-aware firewalls

Embedding malicious code in SIP messaging

SIP deep message inspection using session border controllers and SIP-aware firewalls

Registration hijacking or removal

Authentication and signaling encryption

Generate logical error in SIP protocol syntax

SIP deep message inspection using session border controllers and SIP-aware firewalls

Call-flow manipulation attacks

Authentication and signaling encryption

Unauthorized interception of VoIP (eavesdropping)

Authentication and signaling and payload encryption

Redirected voice calls

Authentication and signaling and payload encryption

Setting a UC Security Roadmap
As UC becomes a mission-critical business imperative, setting a clear and strategic security roadmap can form the foundation of an efficient, enterprise IT infrastructure. Anticipating attacks and knowing how to handle them takes pre-planning, strategy and foresight. Below are four key areas to help formulate an action plan.  1) Perform a Risk AssessmentPerforming a risk assessment before undertaking a UC project allows you to gauge additional IT requirements needed to protect the organization from an attack; only then is it possible to take steps to mitigate the risks. This can also help prioritize activities from a risk, budget and resources impact.

Once priorities are in place, an enterprise can define specific security policies for managing the overall UC infrastructure. For example, implementing an identity and access management solution ensures that only authorized employees have the right to access systems. As you progressively work through control measures, you will define UC activities that become part of an umbrella information management program.

2) Partner Provisions
As collaboration with service providers and partners becomes commonplace in a UC environment, communications criteria also need to be scrutinized from a security standpoint. Clearly establishing an on-boarding protocol and identity provision will allow for increased productivity coupled with an underlying security function. By anticipating the security impact of federated identity on UC communications and real-time transactions, you will gain efficiencies without worrying about breaches or ambush of data. 

3) Legal Considerations
The open world of data transfer becomes a minefield for legal issues. As with any other electronic communication tool, corporate messages sent via IM are just as binding and open to litigation as those sent using e-mail. Legally, no difference exists between them; both messages have the ability to be stored, recorded and disseminated. As such, they need to be retained in accordance with government and industry legislation. In the case of a services provider, the liability implies that you have implemented best practice security measures to prevent your organization and your customers from harm while affected by a major incident.

4) Establish Clear Security Management Policies and Controls
Lastly, the enterprise must implement security management policies and controls. Establishing user authentication and a system of controls will help limit threats that can come from real-time communication applications often installed by end users, under the radar of central IT, and thus bypass security and management controls. Programs like unauthorized IM, peer-to-peer file sharing and web conferencing can use highly evasive techniques to circumvent existing security infrastructures such as firewalls. Once policies and controls are in place, they can stop, track or monitor any suspicious or routine downloads via the network that might cause issues.

Moving to a unified communications environment is the future. Working in a secure platform to increase productivity and mitigate risk is more important than ever. When initiating an integrated communications strategy with your trusted UC provider, make sure you account for the implementation of best practices and a comprehensive security plan to protect your business. Taking the right precautions and steps to ensure information integrity can make all the difference in your successful UC implementation.

Frank Semmler is UC security services portfolio manager at Siemens (News - Alert) Enterprise Communications (www.siemens-enterprise.com).


TMCnet publishes expert commentary on various telecommunications, IT, call center, CRM and other technology-related topics. Are you an expert in one of these fields, and interested in having your perspective published on a site that gets several million unique visitors each month? Get in touch.

Edited by Rich Steeves
blog comments powered by Disqus