Early adopters of unified communications need to ask about security

As unified communications finds wider adoption, businesses can't forget to make security a part of the equation.

"Security will increasingly become an issue as you have so many disparate pieces of technology becoming part of a business' unified communications solution," said Nora Friedman, senior research analyst with IDC. "As you introduce multiple points of vulnerability the general feeling is that more companies should be paying attention to how this plays out if you have all these different devices connected to the network."

There is no question the vulnerabilities are out there. Last week Cisco released a patch for a heap overflow vulnerability it found in its Unified Communications Manager product.

But in a young unified communications (UC) market, security is not top of mind for vendors or the businesses that are adopting the technology.

"I think we're still trying to educate people on what unified communications is," said Matthias Machowinski, directing analyst for enterprise voice and data at Infonetics Research. "Once we've got that done, then we can move on to security. We don't see security talked about much in the context of UC. Is it a bad thing? Not if the underlying architecture is built in such a manner that it's protected."

Friedman said awareness of security for VoIP [Voice of Internet Protocol] is prevalent, but there isn't much discussion in the industry about the broader issue of UC.

"A lot of it has to do with the fact that there is no comprehensive security solution," Friedman said. "Part of it is vendors' reluctance to call attention to it. No vendor is anxious to talk about a strong security solution when none are geared to having a solution. No one would put Nortel or Avaya and strong security in the same sentence."

Friedman said this could all change quickly if there were a well-publicized "apocalyptic" security breach of a UC system.

"Now that Microsoft is in the market [with Office Communications Server] and the fact that the major kinds of email attacks have been Microsoft-based it's only a matter of time before something happens," Friedman said. "If Microsoft enters the game, someone is going to try to take them down."

"It's really hard to address," she said. "I have such an issue when I'm talking to customers about UC security, to extend one layer beyond to talk about user profiles and authentication. It's a bigger leap. They have an easier time securing pieces. But holistic security is just one more solution on top of all that. They say, 'I just don't get it. I have stuff today that works fine.'"

When VoIP was nothing more than a replacement for traditional phone systems, security was not quite as critical, according to Brendan Ziolo, director of market for Sipera Systems, a vendor of VoIP and UC security technology. VoIP was really segmented off from other parts of the enterprise, he said.

"UC has extended VoIP to a number of different applications such as messaging, video, presence," Ziolo said. "Enterprises are starting to open the VoIP island up. A lot of it is being done with soft clients today. Unified communications is also being extended outside the enterprise network, extending to people's homes so they can telework. Also the whole mobile WiFi phone as well, using phones on a cellular network but also connecting on WiFi to do VoIP calls.

Machowinksi said extending these communications capabilities to a number of different devices will open up new holes in the network. With people carrying around softphones on their laptops, enterprises are vulnerable to unauthorized access to communications if a device is lost..

"My thinking is you want to make sure you have good overall security measures in place," Machowinski said. "One of the problems is that you could have more devices floating around now. When a device is stolen, it's not just going to give you access to email and access to confidential information. You can also get access to communications services. You could pretend to be somebody and extract information by having a chat message with somebody."

Many adopters of UC will attempt to secure their deployment in pieces, with good architecture, encryption and traditional network security technologies. Sipera Systems offers a specialized UC security appliance called Sipera IPCS.

Sipera's appliance offers basic threat prevention against known vulnerabilities. It also enforces UC policy compliance, such as controlling who can talk to whom based on user, device, network and time of day. If someone logs onto a softphone at a time that an authorized user couldn't possibly be using it, the appliance locks that phone out.

Sipera also ensures secure UC access. All SIP or other UC traffic gets routed to the appliance to handle network translation issues, decryption and other session border controller (SBC) functions.

"When VoIP became UC, that's when security became part of the conversation," Ziolo said. "Instant messaging, video, presence, whiteboarding -- when you bring that to the remote worker, security is going to be at the top of the list. These applications aren't going to roll out unless they are secure."