3 ways to retool UC platform security architecture models

The security gap created when remote workers use unified communications to collaborate can be closed with tools designed to augment traditional security mechanisms.

The explosion of remote workforces fueled by the COVID-19 pandemic forced enterprises to rethink their UC platform security architecture plans in a bid to protect sensitive business communications. Prior to 2020, unified communications and collaboration largely relied on perimeter-based security to guard sensitive business communications against attacks. While this approach remains important, it does nothing to safeguard UC data flows that happen outside the secure border of the corporate LAN.

This tip provides guidance on how to identify distributed UC security shortcomings native to on-premises UC platforms. It also provides information to help IT leaders identify more effective UC security architecture options and illustrates when it's the right time to assess whether a third-party provider is needed to augment security functions.

Remote workforces: what's the problem?

Larger businesses -- especially those that manage customer contact centers -- had to significantly re-architect their in-house UC and collaboration platforms to enable large numbers of employees and agents to work remotely. Because most companies had significant investments in existing UC platforms, they quickly realized that migrating to cloud-based UC tools was often out of the question. Thus, architects had to work with what they had -- even if it meant that security took a back seat.

As UC designers scrambled to provide access to these users, they often relied on legacy VPN services to simply tunnel voice and collaboration traffic from the remote location to the corporate LAN. Employees could then use their own computing hardware to access voice, collaboration and contact center services from their homes. While this architecture model worked, it opened the door to a host of VPN-related security vulnerabilities: the tunnel effectively extends the corporate LAN to an unmanaged home machine, so a compromised endpoint or VPN concentrator can lead to unauthorized access and data loss or theft.

The quick pivot to serving a remote workforce also raised another troubling issue: managing the increased internet exposure of session border controllers (SBCs). SBC servers are commonly deployed in a demilitarized zone (DMZ), and little work is usually done to protect lateral data flows between devices within a flat DMZ network. As a result, if an SBC server is compromised, bad actors can move laterally within the network to attack more systems and applications.

Modern UC security options in a post-COVID-19 world

A virtual desktop infrastructure (VDI) is one way to eliminate the vulnerabilities found with traditional VPNs and with the personal devices used to connect to business UC services. VDI platforms transport traffic across the internet using encryption and access-control techniques that are largely transparent to the end user. And, because virtual desktops are self-contained, UC data stays in the data center and the endpoint only renders an encrypted display stream, so this UC platform security architecture model eliminates any concern about using personal devices to access UC services.

Another technique to consider is microsegmentation, which protects UC services -- among them SBCs -- that are exposed to the internet. Microsegmentation restricts lateral communications in the DMZ and the data center to the explicitly required flows, thus shrinking an organization's attack footprint and significantly lowering the overall cybersecurity risk.
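To make the microsegmentation point concrete, here is a host-level nftables ruleset for an SBC sitting in a flat DMZ. This is an added example, not from the article or any vendor; the addresses, the SIP/RTP port choices, and the existence of a separate internal call manager, media subnet and jump host are assumptions.

```nft
# Host firewall for an SBC in the DMZ (added example). Assumed placeholders:
#   203.0.113.10   carrier SIP trunk peer
#   10.10.0.0/24   flat DMZ subnet the SBC lives in
#   10.20.0.5      internal call manager (SIP signalling)
#   10.20.1.0/24   internal media gateways / phones (RTP)
#   10.20.0.50     admin jump host
# Weak setting this replaces: filtering only at the perimeter and allowing
# any-to-any traffic between hosts inside 10.10.0.0/24.
table inet sbc_segment {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Signalling only from the known trunk peer; prefer SIP over TLS
        ip saddr 203.0.113.10 tcp dport 5061 accept
        ip saddr 203.0.113.10 udp dport 5060 accept
        # Media only from the trunk peer and only in the SBC's RTP range
        ip saddr 203.0.113.10 udp dport 16384-32767 accept
        # Internal call control and media, nothing else from the inside
        ip saddr 10.20.0.5 tcp dport 5061 accept
        ip saddr 10.20.1.0/24 udp dport 16384-32767 accept
        # Management only from the jump host, never from DMZ neighbours
        ip saddr 10.20.0.50 tcp dport 22 accept
        # Any other DMZ-internal traffic is lateral movement: log, then drop
        ip saddr 10.10.0.0/24 log prefix "dmz-lateral-drop " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;  # egress is limited too
        ct state established,related accept
        oif "lo" accept
        ip daddr 203.0.113.10 tcp dport 5061 accept
        ip daddr 203.0.113.10 udp dport 5060 accept
        ip daddr 203.0.113.10 udp dport 16384-32767 accept
        ip daddr 10.20.0.5 tcp dport 5061 accept
        ip daddr 10.20.1.0/24 udp dport 16384-32767 accept
        # The SBC must not initiate anything toward its DMZ neighbours
        ip daddr 10.10.0.0/24 log prefix "dmz-lateral-drop " drop
    }
}
```

The logged "dmz-lateral-drop" events are the detection signal: on a correctly segmented SBC they should be near zero, so any burst of them is worth an incident-response look.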

Finally, many businesses are examining third-party Secure Access Service Edge (SASE) providers to further safeguard latency-sensitive UC and contact center applications. SASE places network security functions closer to end users so they can directly tap into distributed Layer 4-7 firewalls, intrusion detection and intrusion prevention systems, network sandboxing and other important features. Most importantly, these features are designed to protect UC without burdening it with excess latency.
