How does UC in the cloud impact your security posture?

By Kevin Riley April 27, 2017

Cybercriminals are actively targeting cloud platforms
Unsecure UC expands an enterprise’s potential risk

How does UC in the cloud impact your security posture?

How does UC in the cloud impact your security posture? CHIEF security officers have a lot on their plate these days, from a daily influx of zero-day vulnerabilities to increasingly sophisticated denial-of-service (DoS) attacks.

It’s a good bet that securing their unified communications (UC) application isn’t keeping them up at night. But maybe it should be?

Traditionally, enterprise security has centred around data: customer data, corporate data, credit card data, etc. There is a thriving, global, cybercriminal community built just around the goal of stealing data or, increasingly, encrypting it and holding it for ransom (known as ransomware).

Enterprises collectively spend billions of dollars each year protecting their data through firewalls and other data-centric security devices. In a sense, enterprises have locked their data doors tightly, but have they left another window open?

UC applications such as voice, video, messaging and file sharing are transmitted over the same IP network as web and data applications and thus are prone to the same type of network attacks.

Where UC applications differ from their purely data-based counterparts is in the fact that they are real-time applications that use the Session Initiation Protocol (SIP) for signalling between UC stacks and endpoints.

Unsecure UC expands an enterprise’s potential risk by introducing theft of service, Denial of Service (DoS), voice phishing, telephony denial-of-service (TDoS) attacks and eavesdropping into the equation.

And data firewalls – even advanced next-generation firewalls – aren’t adequately built to protect SIP-based real-time applications.

This is a major concern, and as a report from IBM’s Security Intelligence group shows cyber-attacks using the VoIP protocol Session Initiation Protocol (SIP) grew in 2016, accounting for over 51% of the security event activity analysed in the 12 months.

Therefore, protection of SIP-based real-time applications requires a session border controller (SBC).

As many enterprises are adopting a zero-trust model for security, every application must be secured.

SBCs play many important roles in enterprise communications networks by providing intelligent routing, signalling interworking, and media services to ensure quality of experience.

But the SBCs primary function is to protect the UC network from SIP-based attacks.

With inherent security features such as per-session state awareness, protocol filtering, topology hiding, encryption and dynamic blacklisting, SBCs can secure voice calls and prevent telephony-based attacks from happening.

As per a report by TMR Research, in terms of growth rate, the SBCs market in Asia Pacific is expected to outpace all other regions as enterprises in the region are swiftly adopting VoIP networks coupled with SBCs, owing to the huge cost benefits they offer.

As traditional circuit-switched communications evolved into SIP-based UC, the attack surface has grown. It’s now possible, and easier, to mount a DDoS attacks, spoof caller IDs for toll fraud, or eavesdrop on unencrypted communication paths.

Thus, the importance of SBCs to secure UC has grown. Many enterprises today use SBCs as a UC firewall, a demark point for SIP trunking services, and a tool to encrypt and protect their UC assets.

These perimeter-based SBCs are intended to secure UC applications that are deployed within the enterprise — for example, on an internal Skype for Business server.

But what happens when UC moves into the cloud? It’s a question that many enterprises will need to answer in the coming years.

According to IHS, the number of UC and VoIP subscribers in the cloud will double over the next few years, reaching over 75 million by 2020.

The cloud represents a much larger surface area for attack, and not just in terms of its overall breadth.

Cloud-based services are comprised of many different virtual machines (VMs) and potentially dozens of different microservices, each with their own application programming interface (API).

Every VM and API call could expose an application to a potential security breach, and once an endpoint is hacked, intruders can move laterally within a cloud-based network to access other applications and data.

You can think of a cloud service as being composed of hundreds of different Lego-like blocks. In the cloud, your security posture is only as strong as your weakest block.

Enterprises cannot solely rely on their cloud service provider to completely secure the myriad of UC connections taking place — especially if the enterprise is in a compliance-restricted industry, such as finance or healthcare.

The increased surface area of the cloud provides more attack points for hackers. And compared to an on-premises UC deployment, enterprises will have a significantly smaller grasp on who is controlling security.

For these reasons, enterprises need to harshly scrutinise their security practices so that they can ensure they’re protecting their networks appropriately.

To create a consistent defence system against network attacks, it is critical for enterprises to integrate SBCs into their security posture at the edge of their network.

Just as an enterprise wouldn’t think of connecting its data network to the internet without a firewall or performing commerce over the internet without encryption, an SBC is just as critical to real-time SIP communications.

But enterprises need to be mindful that not all SBCs are created equal.

They may support static blacklists, but not the dynamic generation of new blacklists. They may identify malformed SIP packets, but not anomalous network behaviour that could indicate an attack. Or encryption may be turned off, because turning it on causes scalability issues. And these security gaps are points of exposure that cybercriminals can, and will, exploit.

The cloud is already the future of IT and, for many enterprises, it is the future of UC as well. There is much intrinsic value in UC-as-a-Service (UCaaS), from cost stabilisation to unified messaging across multiple devices/locations and companies have recognised this.

According to Micro Market Monitor, the Asia-Pacific UCaaS market is expected to grow to US$3.88 billion by 2020, at a CAGR of 12.5%. However, UCaaS does require a different security posture than an on-premises system.

Cybercriminals are actively targeting cloud platforms, and enterprises need to be proactive in their defense against cloud-based attacks — particularly from traditionally under-secured vectors such as SIP-based communications.

The best approach is to remember that moving an application into the cloud doesn’t shift the responsibility of security to the service hoster. To maintain the security posture of unified communications, enterprises must implement a holistic approach to security that extends from their infrastructure to the Cloud.

Kevin Riley is CTO of Sonus Networks (www.sonus.net). Sonus brings the next generation of Cloud-based SIP and 4G/VoLTE solutions to its customers by enabling and securing mission critical traffic for VoIP, video, IM and online collaboration.