By Heather Clancy
Be forewarned: While unified communications security incidents aren’t dominating headlines, the potential for vital corporate data to slip out via this technology solution is very real.
“There has been zero recognition of this as being an issue for consumers, but grabbing voice packets out of places like people’s homes can actually be very easy. People would be shocked to know how easy,” said Richard Newman, managing partner and certified information security systems professional for technology solution provider Reliant Security in New York.
The good news is that by focusing on core network security solutions and processes, technology solution providers can diminish the chances that breaches will occur.
“The real threat is sensitive information leaking out of the company, accidentally or otherwise,” said Ali Elahi, practice lead for unified communications (UC) and collaboration at Unis Lumin, a network integration company in Toronto.
UC applications — including instant messaging and conferencing sessions where data is being shared via text, video or graphics — can only be as secure as the underlying network infrastructure, Elahi said. “The rules you would apply to other applications would apply here as well.”
Russell Dietz, vice president and chief technology officer for information security technology company SafeNet, said UC is probably the second-most vulnerable application from a security standpoint, after email — and for many of the same reasons, most of which have to do with broader network security policies.
Dietz categorizes the UC security threats into two buckets. First, he says UC applications offer a good channel for individuals to share information, either covertly or by accident. So, for example, he has heard of companies that have accidentally shared video files or presentations that were not ready for prime time via conferencing sessions. In other cases, individuals have circumvented security applied to email because the same measures had not been applied to their UC applications.
“There is more opportunity for individuals to get around the traditional corporate channels for approval and distribution of information,” Dietz said.
Another, albeit less common, internal UC security threat is the possibility that someone could co-opt an employee’s internal caller identity and use it to phish for information they don’t have the right to see or to make outbound calls that they aren’t authorized to make. This is known as a call-hijacking scheme, and it’s something that small businesses using hosted services should be especially diligent about watching, solution providers say.
Carl Mazzanti, founder and CEO of eMazzanti Technologies, a technology solution provider in Hoboken, N.J., said that aside from costing money, call-hijacking can damage a company’s reputation. He cites the example of a hacker who was using the caller identification associated with a company’s IP phone solution to make unsolicited calls. “We tell our customers that they must treat their IP phones like the intellectual property that they use to run their business,” Mazzanti said.
So what can a technology solution provider do to maintain a customer’s UC security?
Solution providers say that protecting corporate UC and collaboration sessions via a virtual private network is one best practice they recommend to any customer considering a UC implementation.
“Generally speaking, if a UC session is running over a VPN, it will be secure,” said Brian Gregory, president of Network Innovations, a networking solution provider in Olathe, Kan., which has been selling unified communications solutions for years. “We always run everything over a secure network.”
Gregory said that some of the key UC vendors are beginning to add encryption to their technologies, although this can introduce undesirable latency into a UC session.
Enforcing a strong strategy for role-based authentication and access control is an approach recommended by Unis Lumin’s Elahi. It’s important to apply the same policies for audit and archiving of corporate information to UC conversations as you would to any other network application. “This will only become more important as UC-enabled collaboration becomes more prevalent,” he said. “Especially when you’re extending outside your own firewall.”
About the author
Heather Clancy is an award-winning business journalist with a passion for emerging technology and corporate sustainability issues.