Unified communications security is a long chain that runs from end users through the network infrastructure and all the way to the UC application. Your company can benefit from a regular security check of its UC system, whether it's an on-premises platform or a UC-as-a-service model. Let's examine some best practices that will help improve your unified communications security.
1. Security roles
At most companies, security functions are usually distributed across multiple people. Some of these people or departments will be outside the UC group, and their actions can affect UC security. Identify the people in related departments that touch UC security elements, such as network firewalls, as their actions will help or hurt unified communications security.
2. Password policy
If your company uses a single sign-on (SSO) or federated ID service, then an extensive password policy requiring strong passwords and two-factor authentication is probably already in place. If you don't have centralized control of user IDs and passwords, then look at the options in your UC system to make sure you have password requirements that are stringent enough for your company's needs.
Theft of service -- a costly problem for companies in the old days of PBX systems -- and costly long distance have resurfaced in UC. Many UC systems are priced on usage. Thus, compromised credentials can give unauthorized users a free ride at your expense.
This article is part of
3. Software maintenance and patches
A hacker could exploit vulnerabilities in your software, even if you have tight security around your UC system. Thus, you should monitor the software maintenance and patches that address security issues.
However, software updates can introduce new vulnerabilities. Some vendors might not run adequate quality assurance testing before issuing code. Unless you know a code update is addressing a specific security issue, you might want to wait a week or two and let others find the bugs in a software update.
In most cases, your company network is, in reality, many networks. The most obvious other network would be the guest Wi-Fi access for visitors. Keeping that traffic separate from your corporate UC network prevents guest devices from becoming a security threat to your UC system.
Increasingly, companies also deploy IoT devices, such as security video cameras and sensors. Many of these devices have rudimentary OSes and easily guessed default passwords. Thus, they can become a target for hackers and, once infected, can pose a threat to your UC system. Work with your network team to make sure it is microsegmenting your network to keep potentially malicious devices away from your UC users.
5. Unused services
UC systems are, by definition, multiservice systems. Every service, from video to messaging, provides an opportunity for hackers. If you're not using a particular service, you should consider disabling it. Keep in mind that major system updates often add new services. Be sure to review any upgrades that could affect your unified communications security.
6. Monitoring and analytics
This is where you have the best chance to uncover anomalies and security incursions. UC vendors are increasingly adding analytics to their services, and these tools are a good starting point for UC monitoring. But don't forget other systems in your environment are producing log data that could be relevant to your UC security, such as SSO systems and firewalls.
7. Specialized security
Some vendors build advanced security into their systems. For example, Oracle's session border controller (SBC) provides security protection against Session Initiation Protocol denial-of-service (DoS) attacks. Ideally, a properly configured firewall placed before the SBC would detect and prevent a DoS attack, but you can't always be sure. Having specialized unified communications security, like SBCs, can give you belt-and-suspender protection for your environment.
By addressing these points, you should have a tighter, more secure UC system. Before you move on to the next task on your list, be sure to schedule another internal security check three to six months down the road.