Sipera Highlights Unified Communications Security Issues

Sipera Systems has highlighted a number of  security issues and best practices adopted by enterprises implementing UC through its newly released UC Security Trends to Watch list.

 

The findings indicate a trend toward addressing security for both control plane signaling and real-time application media. The results show that enterprises have begun to adopt radically differing security architectures in order to comply with unique business requirements, such as regulatory mandates and industry standards for privacy.

 

According to the UC Security Trends to Watch list, while implementing UC, Sipera’s customers are using security measures that reduce application-layer threats without affecting real-time communications performance.

 

Companies switch to UC in a bid to deliver a consistent user experience and interface across a set of real-time applications. But moving to UC presents challenges as well since unifying these applications results in a number of vulnerabilities and exploits that must be addressed without introducing delay in the signaling and media for this time-sensitive traffic.

 

Sipera informs that companies deploying UC include provisions for privacy and policy enforcement on a per-application, per-user basis. In addition, the real-time nature of UC media must be considered to comprehensively protect against threats. 

 

IT groups are also conducting periodic vulnerability assessments that evaluate the security risks associated with VoIP and other real-time UC media. Sipera has identified the UC threats that enterprises are frequently evaluating and protecting against: Number Harvesting, Call Walking, Denial of Service, SIP Worms, Service theft and Identity theft.

 

Sipera’s UC Security Trends to Watch list shows that a non-traditional approach to security is also being used by managers in some enterprises implementing UC. Under this approach, it is assumed that there are no assurances of security throughout most of the enterprise network and the security architecture for these enterprises is based on identifying particular applications and information that is to be secured, and then implementing targeted security.

 

While there are some companies that adopt targeted security, few enterprises secure the perimeter DMZ while still enabling rich, UC interaction with third parties outside this trust boundary.

 

Enterprises are also using UC to engage in new forms of communication and collaborate with people. Sipera points out that for several companies, a central requirement for all interactions is security for the perimeter and for communications to third parties that involve private customer or financial transaction information. This is especially important in industries such as financial services where virtually every communication between two partners has the potential to contain sensitive information, often protected by privacy statute or industry best practices. 

 

According to Sipera, the financial services IT managers involved in transformation to UC are using an extended enterprise security posture under which companies enforce policies, extend access control, employ 2-factor authentication, and ensure privacy across a range of applications that involve parties beyond the trusted limits of the traditional enterprise perimeter.

 

Enterprises implementing UC seek to provide a multitude of separate but integrated methods for interacting with end clients. Sipera cites the example of healthcare industry where firms migrating to UC want to create richer and more efficient interactions with patients. With this multi-application method of communications, a patient can easily access personal health data from a secure Web site and then click on a link to establish an instant message communication with a billing representative.   

 

Sipera said their customers are addressing this need with a unified security posture that applies appropriate access controls, policy enforcement and encryption across all applications, including IM, voice, video, and collaboration.