Evaluating UCaaS Security

How to choose a cloud-based unified communications solution with confidence.

The global market for Unified Communications as a Service (UCaaS) is poised for “staggering growth” and will be worth nearly $38 billion by 2022, according to analysts with Transparency Market Research. The cloud-based model makes great economic sense because it delivers all the infrastructure required to support multichannel business communications as a managed service, allowing customers to conserve cash, improve efficiency and accelerate business opportunities.

However, as organizations look to take advantage of the flexibility, scalability, manageability and financial benefits of UCaaS, they should not overlook security and regulatory compliance concerns. As with any other cloud-based solution, UCaaS may be vulnerable to security threats if the proper protections are not in place.

While traditional phone systems could be subject to eavesdropping and toll fraud, IP-based phone systems open up a new realm of security issues. Voice calls become data packets that travel over the network, subject to the same risks as any other data. Thus, the IP phone system is only as secure as the underlying network and server hardware. The infrastructure must be protected against data breaches, denial-of-service (DoS) attacks, malware and other threats.

UCaaS ups the ante because it is hosted in a shared, multitenant environment. The service provider’s customers share a virtual instance of a system that provides UC services via the Internet. How does the service provider segment and isolate the data of each customer? How is access authenticated? How often is data backed up, and how quickly can it be recovered in a disaster? Is strong encryption applied to both data in motion and data at rest?

Get Answers

The UCaaS provider should be able to answer these questions, and explain in detail the security measures that are in place. For example, enterprise-class UCaaS solutions employ state-of-the-art firewalls and session border controllers (SBCs) to thwart intrusions and DoS attacks. An SBC sits between the customer and the carrier network, allowing authorized sessions to pass through while detecting and blocking malicious data packets.

Best-in-class UCaaS vendors often employ a dual-SBC strategy, with one customer-facing SBC and another facing the carrier. This setup provides both an extra layer of security and a backup should one SBC fail. Top vendors also host their services in carrier-grade data centers that are SSAE-16 certified, with strict physical security measures.

The UCaaS solution should use virtual private networks and encryption to protect signaling and media traffic as it travels across the network. Additionally, strong anti-malware features should be in place to protect information assets and prevent lost productivity due to spam or viruses.

Organizations subject to regulatory compliance requirements should also ask about the UCaaS provider’s experience dealing with compliance audits for their specific industry. It is important to know how frequently the provider performs internal security assessments.

Growing Trust

The service provider should store only enough information to maintain user accounts. However, the customer’s IT team should have the ability to add, change or revoke user credentials as roles and responsibilities change or as employees leave the company. Any delay can prevent employees from doing their jobs or allow a disgruntled former employee to steal or delete company data.

A recent survey by the IHS business advisory firm indicates there is growing trust in cloud-based UC. More than half of the midsize and large North American businesses surveyed say they will run at least some of their UC applications in the cloud by the end of this year — even though they have the infrastructure and expertise to run them onsite.

“Businesses continue to migrate their unified communications applications to the cloud, citing flexibility as the key reason,” said Diane Myers, principal analyst at IHS. “Cloud solutions are inherently more flexible than premises-based solutions, offering businesses the ability to scale users up and down, centralize management, and deploy new features and applications quickly.”

There is good reason for organizations of all sizes to trust UCaaS services. UCaaS can actually improve security by quashing consumer-grade solutions that employees might be using without the knowledge or support of IT staff. What’s more, a service provider’s enterprise-grade technology and security expertise probably surpasses that of the typical organization, making UCaaS even more secure than an on-premises phone system. With the proper due diligence, organizations should feel confident that a UCaaS solution provides maximum levels of security, reliability and flexibility.