How Does UC in the Cloud Impact Your Security Posture?

Thursday, July 20, 2017

Myk Konrad


Session border controllers (SBCs) provide the protection UC applications require – and data firewalls lack – enabling enterprises to make the leap to the cloud

Chief security officers have a lot on their plate these days, from a daily influx of zero-day vulnerabilities to increasingly sophisticated denial-of-service (DoS) attacks. It’s a good bet that securing their unified communications (UC) application isn’t keeping them up at night. But maybe it should be?  

Traditionally, enterprise security has centered around data: customer data, corporate data, credit card data, etc. There is a thriving, global, cybercriminal community built just around the goal of stealing data or, increasingly, encrypting it and holding it for ransom (known as ransomware). Enterprises collectively spend billions of dollars each year protecting their data through firewalls and other data-centric security devices. In a sense, enterprises have locked their data doors tightly, but have they left another window open?    

UC applications such as voice, video, messaging and file sharing are transmitted over the same IP network as web and data applications, and thus are prone to the same types of network attacks. Where UC applications differ from their purely data-based counterparts is that they are real-time applications that use the Session Initiation Protocol (SIP) for signaling between UC stacks and endpoints. Unsecured UC expands an enterprise’s potential risk by introducing data exfiltration, denial-of-service (DoS) and telephony denial-of-service (TDoS) attacks, and eavesdropping into the equation. And data firewalls – even advanced next-generation firewalls – don’t have the deep, stateful knowledge of SIP to protect SIP-based real-time applications. For that, you need a session border controller (SBC).

As many enterprises are adopting a zero-trust model for security, every application must be secured. SBCs play many important roles in enterprise communications networks by providing intelligent routing, signaling interworking, and media services to ensure quality of experience. But the SBC’s primary function is to protect the UC network from SIP-based attacks. With inherent security features such as per-session state awareness, protocol filtering, topology hiding, encryption and dynamic blacklisting, SBCs can secure voice calls and prevent telephony-based attacks from happening.  

As traditional circuit-switched communications have evolved into IP-based UC, the attack surface has grown. It’s now possible, and easier, to mount DDoS attacks, spoof caller IDs for toll fraud, or use media or signaling UDP/TCP ports to exfiltrate data. The importance of SBCs to secure UC has likewise grown – many enterprises today use SBCs as a UC firewall, a demarcation point for SIP trunking services, and a tool to encrypt and interwork their UC assets.

These perimeter-based SBCs are intended to secure UC applications that are deployed within the enterprise—for example, on an internal Skype for Business server. But what happens when UC moves into the cloud? It’s a question that many enterprises will need to answer in the coming years. According to IHS, the number of UC and VoIP subscribers in the cloud will double over the next few years, reaching over 75 million by 2020.  

The cloud represents a much larger surface area for attack. Cloud-based services comprise many different virtual machines (VMs) and potentially dozens of different microservices, each with its own security weak points. Every weak point – whether in code, access or protocol – can expose an application to a potential security breach, and once an application is hacked, intruders can move laterally within a cloud-based network to access other applications and data. You can think of a cloud service as being composed of hundreds of different Lego-like blocks. In the cloud, your security posture is only as strong as your weakest block.

Enterprises cannot solely rely on their cloud service provider to completely secure the myriad UC connections taking place—especially if the enterprise is in a compliance-restricted industry, such as finance or healthcare. The increased surface area of the cloud provides more attack points for hackers. And compared to an on-premises UC deployment, enterprises will have less control. For these reasons, enterprises need to scrutinize their security practices so that they can ensure they’re protecting their networks appropriately.   

To create a consistent defense system against network attacks, it is critical for enterprises to integrate SBCs into their security posture at the edge of their network. An enterprise wouldn’t think of connecting its data network to the internet without a firewall or performing commerce over the internet without encryption; an SBC is just as critical to real-time SIP communications.

But enterprises need to be mindful that not all SBCs are created equal. Some may support static blacklists, but not the dynamic generation of new blacklists. Some may identify malformed SIP packets, but not anomalous network behavior that could indicate an attack. Or encryption may be turned off, because turning it on causes performance and jitter issues. These security gaps are points of exposure that cybercriminals can, and will, exploit.
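The gap between static and dynamic blacklisting described above can be shown in a few lines. This is an added illustration, not code from the article or from any SBC product: a static list plus a malformed-packet check passes a burst of well-formed REGISTER requests, while a per-source sliding-window counter generates a new blacklist entry for it. The function names, the 10-second window, the threshold of 20 and the sample traffic are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque

REQ_LINE = re.compile(r"^(REGISTER|INVITE|OPTIONS|ACK|BYE|CANCEL) sips?:\S+ SIP/2\.0$")
REQUIRED = ("via", "from", "to", "call-id", "cseq")

def well_formed(msg):
    """Syntax-only check: valid request line plus the mandatory headers."""
    lines = msg.split("\r\n")
    headers = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    return bool(REQ_LINE.match(lines[0])) and all(h in headers for h in REQUIRED)

def static_screen(events, static_blacklist):
    """What a static list plus malformed-packet detection lets through."""
    return [e for e in events if e[1] not in static_blacklist and well_formed(e[2])]

def dynamic_blacklist(events, window=10.0, threshold=20):
    """Block a source once it sends more than `threshold` requests in `window` seconds."""
    recent, blocked = defaultdict(deque), {}
    for ts, src, _ in sorted(events, key=lambda e: e[0]):
        if src in blocked:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            blocked[src] = ts  # time the entry was generated
    return blocked

def sip(method, user):
    # Constructed minimal SIP request for the sample data
    return "\r\n".join([f"{method} sip:{user}@example.invalid SIP/2.0",
        "Via: SIP/2.0/UDP host.example.invalid", f"From: <sip:{user}@example.invalid>",
        f"To: <sip:{user}@example.invalid>", "Call-ID: abc123", "CSeq: 1 " + method, "", ""])

# Constructed sample traffic (documentation address ranges)
EVENTS = ([(i * 0.1, "198.51.100.7", sip("REGISTER", f"u{i}")) for i in range(30)]
    + [(t, "192.0.2.10", sip("INVITE", "alice")) for t in (1.0, 25.0, 50.0)]
    + [(2.0, "203.0.113.5", "REGISTER garbage"), (3.0, "203.0.113.99", sip("OPTIONS", "x"))])
STATIC = {"203.0.113.99"}

if __name__ == "__main__":
    passed = static_screen(EVENTS, STATIC)
    print(sum(e[1] == "198.51.100.7" for e in passed), "burst requests pass the static screen")
    print("dynamic entries:", dynamic_blacklist(passed))
```

All 30 burst requests are syntactically valid and come from an address that is on no list, so only the behavioral counter flags them; the low-rate caller at 192.0.2.10 is left alone.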

The cloud is already the future of IT and, for many enterprises, it is the future of UC as well. There is much intrinsic value in UC-as-a-Service (UCaaS), from cost stabilization to unified messaging across multiple devices/locations. But it does require a different security posture than an on-premises system. Cybercriminals are actively targeting cloud platforms, and enterprises need to be proactive in their defense against cloud-based attacks—particularly from traditionally under-secured vectors such as SIP-based communications.  

The best approach is to remember that moving an application into the cloud doesn’t shift the responsibility of security to the cloud. To maintain the security posture of unified communications, enterprises must implement a holistic approach to security that extends from their infrastructure to the cloud.  

About the author: Mykola Konrad is the Vice President, Product Management and Marketing at Sonus Networks. At Sonus, Mykola is leading the introduction of the Sonus portfolio of products to the Enterprise customer segment.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.