How to deploy secure unified communication

By on
How to deploy secure unified communication

There is an uneasy tension between the concepts of unified communications (UC) and IT security.

On one hand, UC is commonly accompanied by promises of empowering employees with the communication tools they need to be more productive.

Security experts, meanwhile, have become associated ­ – often unfairly – ­ with preventing employees carrying out certain actions and locking down corporate assets.

One promises freedom, the other protection.

How can business leaders hope to ease this tension, and deliver these productivity-enhancing tools in a secure fashion? Our panel of experts give their views.

Jonathan Burt, network and infrastructure manager, Salford City Council

There is a fine line in network management between securing the infrastructure and allowing people to work efficiently.

On one hand, I have the security techies wanting to lock everything down, and on the other, the users wanting everything to work without hindrance.

Bringing in new methods of communicating through unified communications adds yet more challenges.

The introduction of telephony into the equation, which is an area in which security has traditionally been dealt with using logging methods rather than prevention, needs to be carefully considered.

The biggest issues that we have faced at Salford revolve around the misuse of instant messaging and the Big Brother connotations of presence tagging.

We have addressed these issues by using the logging capability of our UC system to both track usage and ensure all monitoring is recorded, justifiable and proportionate.

External threats can be addressed by extending existing security methods to cover these new forms of communications, for example adding antivirus protection to instant messaging (IM) in the same way we would for email.

As long as organisations plan UC implementation as carefully as they would any other potential internet-facing solution it can be made secure and usable.

Mark Deakin, unified communications product manager, Microsoft

One of my colleagues once said that when implementing security you should take on the multiple layer principle used by castle builders centuries ago.

In a similar way to how they would construct a castle on a hill with a drawbridge, inner and outer walls and a moat, you should be thinking about implementing multiple levels of security for UC.

As well as any network layer defences you may already have in place, look to see what protection is offered at the software level.

Communication is the lifeblood of your organisation so the capabilities within your UC platform that are new to your workplace, such as instant messaging and presence, should have the same policies and controls applied that you would have for existing channels, such as email.

If this is not the case, perhaps because you are using consumer or free software instead, you might want to think about how you would be affected if your accounts or the system as a whole was compromised. Can you imagine how quickly a virus would spread through IM?

The important thing here is to take security into account when implementing UC. Implementing nothing or banning access to public clients is not the way to protect yourself, as people always find a way round.

Instead, why not give them the tools they need to perform their jobs effectively, but do it within the confines of a system you have control over.

Graham Titterington, principal analyst, Ovum

IT leaders need to be realistic about the potential risks associated with UC. Like all major projects within an organisation there is a degree of risk.

But for UC projects, the main issue is IP-enablement, and whether that changes your exposure to risk.

In this new type of environment, users may well have their voice systems connected to their email systems, so potentially voicemails will be retrievable from there.

However, such capabilities carry risks, the main one being traffic analysis – potentially, a hacker with access to the system could see who is sending messages to whom.

The risk of a hacker actually being able to access the details of the voicemail are somewhat smaller. A voice file is not easily read by spyware.

Other potential problems include the dangers posed by malware.

In unsecure environments, it may be possible for hackers to install rogue dialling agents, which make potentially costly calls to premium rate numbers.

In the main, the principles of restricting access controls should enable enterprises to deploy UC technology safely.

As long as attackers are not able to gain administration rights, the organisation has a degree of protection.

Applying other general security principles, such as ensuring the UC server is secured, with anti-malware checks and filtering of outgoing traffic, will help minimise the risks of a UC deployment.
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © 2010 Computing

Most Read Articles

Log In

  |  Forgot your password?