Moving UC to the cloud? Better rethink your security strategy

Image credit: bestfoto77 /

Chief security officers have a lot on their plate these days, from a daily influx of zero-day vulnerabilities to increasingly sophisticated denial-of-service (DoS) attacks. It’s a good bet that securing their unified communications (UC) application isn’t keeping them up at night. But maybe it should be.

Traditionally, enterprise security has centered around data: customer data, corporate data, credit card data, etc. There is a thriving, global, cybercriminal community built just around the goal of stealing data or, increasingly, encrypting it and holding it for ransom (known as ransomware). Enterprises collectively spend billions of dollars each year protecting their data through firewalls and other data-centric security devices. In a sense, enterprises have locked their data doors tightly, but may have inadvertently left another window open.

UC applications such as voice, video, messaging and file sharing are transmitted over the same IP network as web and data applications, and thus are prone to the same type of network attacks. Where UC applications differ from their purely data-based counterparts is in the fact that they are real-time applications that use SIP for signaling between UC stacks and endpoints. Unsecure UC expands an enterprise’s potential risk by introducing theft of service, DoS, voice phishing, telephony denial-of-service (TDoS) attacks and eavesdropping into the equation. And even advanced next-generation firewalls aren’t adequately built to protect SIP-based real-time applications.

This is a major concern – a report from IBM’s Security Intelligence group shows cyber-attacks using the VoIP SIP grew in 2016, accounting for over 51% of the security event activity analyzed in the 12 months. Therefore, protection of SIP-based real-time applications requires a session border controller (SBC).

As many enterprises are adopting a zero-trust model for security, every application must be secured. SBCs play many important roles in enterprise communications networks by providing intelligent routing, signaling interworking, and media services to ensure quality of experience. But the SBC’s primary function is to protect the UC network from SIP-based attacks. With inherent security features such as per-session state awareness, protocol filtering, topology hiding, encryption and dynamic blacklisting, SBCs can secure voice calls and prevent telephony-based attacks from happening.

According to a report by TMR Research, in terms of growth rate, the SBC market in Asia Pacific is expected to outpace all other regions as enterprises in the region are swiftly adopting VoIP networks coupled with SBCs, owing to the huge cost benefits they offer.

As traditional circuit-switched communications evolves into SIP-based UC, the attack surface has grown. It’s now possible, and easier, to mount a DDoS attacks, spoof caller IDs for toll fraud, or eavesdrop on unencrypted communication paths.

Thus, the importance of SBCs to secure UC has grown. Many enterprises today use SBCs as a UC firewall, a demarcation point for SIP trunking services, and a tool to encrypt and protect their UC assets.

The cloud factor

These perimeter-based SBCs are intended to secure UC applications that are deployed within the enterprise – for example, on an internal Skype for Business server. But what happens when UC moves into the cloud? It’s a question that many enterprises will need to answer in the coming years. According to IHS, the number of UC and VoIP subscribers in the cloud will double over the next few years, reaching over 75 million by 2020.

The cloud represents a much larger surface area for attack, and not just in terms of its overall breadth. Cloud-based services are comprised of many different virtual machines (VMs) and potentially dozens of different microservices, each with their own API. Every VM and API call could expose an application to a potential security breach, and once an endpoint is hacked, intruders can move laterally within a cloud-based network to access other applications and data. You can think of a cloud service as being composed of hundreds of different Lego-like blocks. In the cloud, your security posture is only as strong as your weakest block.

Enterprises cannot solely rely on their cloud service provider to completely secure the myriad of UC connections taking place – especially if the enterprise is in a compliance-restricted industry, such as finance or healthcare. The increased surface area of the cloud provides more attack points for hackers. And compared to an on-premises UC deployment, enterprises will have a significantly smaller grasp on who is controlling security.

For these reasons, enterprises need to harshly scrutinize their security practices so that they can ensure they’re protecting their networks appropriately.

To create a consistent defense system against network attacks, it is critical for enterprises to integrate SBCs into their security posture at the edge of their network. Just as an enterprise wouldn’t think of connecting its data network to the internet without a firewall or performing commerce over the internet without encryption, an SBC is just as critical to real-time SIP communications.

But enterprises need to be mindful that not all SBCs are created equal. They may support static blacklists, but not the dynamic generation of new blacklists. They may identify malformed SIP packets, but not anomalous network behavior that could indicate an attack. Or encryption may be turned off, because turning it on causes scalability issues. And these security gaps are points of exposure that cybercriminals can, and will, exploit.

The cloud is already the future of IT and, for many enterprises, it is the future of UC as well. There is much intrinsic value in UC-as-a-Service (UCaaS), from cost stabilization to unified messaging across multiple devices/locations and companies have recognized this. According to Micro Market Monitor, the Asia-Pacific UCaaS market is expected to grow to $3.88 billion by 2020, at a CAGR of 12.5%.

However, UCaaS does require a different security posture than an on-premises system. Cybercriminals are actively targeting cloud platforms, and enterprises need to be proactive in their defense against cloud-based attacks – particularly from traditionally under-secured vectors such as SIP-based communications.

The best approach is to remember that moving an application into the cloud doesn’t shift the responsibility of security to the service host. To maintain the security posture of unified communications, enterprises must implement a holistic approach to security that extends from their infrastructure to the cloud.

kevin riley CTO SonusWritten by Kevin Riley, CTO of Sonus Networks

Be the first to comment

What do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.