The Role of Security in a UC World

23 Feb 2011
The UCStrategies Experts discuss what enterprises should be thinking about and asking in regards to security, in this Industry Buzz podcast.

The UC expert panel includes Blair Pleasant, Andy Zmolek, Marty Parker, John Bartlett, Art Rosenberg, Nancy Jamison, David Yedwab, and Steve Leaden.

Blair Pleasant: Hi, this is Blair Pleasant. I am here with the UCStrategies experts. Today we are going to talk about the role of security in a unified communications world, and what enterprises should be thinking about and asking about. We are not going to necessarily provide answers about what you should be doing exactly, but we are going to focus more on what you should be concerned about and thinking about. And in my opinion, there are really two main areas of security to focus on. One is technical and one is about personnel and your people. There are lots of things that you can do to secure your technology and your infrastructure. But it is much harder to control the people, what they do and don't say, and make public. And privacy is especially going to be challenging as we get more into social networking.

As far as the technology goes, Marty, you had a great suggestion that we could look at it in terms of the various layers or domains, so looking at the physical layer or the security of the network connections, firewalls, SBCs and also the transport layer, things like encryption and security of the transport, whether it's end-to-end or other methods. And the applications and the data layers or the management of the application data and application presentation layers for the security of the network, the transport, and proprietary information.

Michael Finneran is not on the call today, but he suggested that privacy should include the signaling, as well as the media - who you are calling can be almost as important as what you are saying. Security in intra-company communications is going to be very challenging. And along with privacy, the other big area in security is authentication, which we will be talking about. We need to be able to authenticate the user, regardless of what device they are using, and how they are accessing the network.

And with that, I am going to turn it over to Andy. Andy, I noticed that you are quoted in Dan York's book on Unified Communications and Security. You are our resident expert in security, so take it away.

Andy Zmolek: Actually, I was approached to do the book, and ended up bringing the Publisher over to Dan. So, interesting story there. What I would like to talk about a little bit is the notion that a lot of people have about security that it's something you can bolt on. It is a feature. And that is really the wrong way of looking at security. There are a few things that you can bolt on that are security related but in general, security is like quality. And it's something that you bake in. And understanding security, particularly in unified communications has a lot to do with understanding what it is that you are trying to protect, and are the mechanisms that you are using adequate for that kind of protection?

You want to know everything from is this device that I am using, has it booted up with firmware that I trust? Has that not been compromised at any level? Can I trust that this phone that has a microphone and a speaker is only being used for those purposes that I expect that it's going to be used for? And then once it's on the network... a lot of people are aware, for instance, I'll use cellular phones as an example, because this is a common misconception that people have that because the radio portion of the cellular phone is encrypted, that that means that all the conversation end-to-end as it goes across the public telephone network is encrypted, which is not true. And in general, you actually have to have very expensive devices to get that end-to-end encryption, although I am talking with potential commercial solution providers that may be getting into that space in a big way. But the important thing to look at is, what are you protecting, how are you protecting it, and is that adequate to meet those needs? So there was a mention earlier of protecting both the signaling and the media. Those are separate paths in most UC realms, and those in many cases have separate means of protection.

Also the identity itself - if you think about something as simple as Caller ID, which is what most people in our space would consider the first thing they think about with identity, there are means of spoofing that. And there are also countermeasures of ensuring that that identity that is being passed is being passed by the network provider, and not by the end customer that can supply something different.

Identity in fact, moving forward, is going to get even more interesting as we get this convergence of mobile devices that are integrated into that UC experience. If you think about what is happening with what is called a cell phone, it's become now a device that is replacing everything in your wallet. And that identity aspect is even more important. It is not just the authentication of the device to the network or the authentication that you have for instance, when you are using a smart phone to get to your Gmail account or your enterprise mail, it is also being able to know that in any given point in time that how I am using this device and the identity that I am putting out there is in fact what I intended to do. With new technologies like Near Field Communications where I am going to be replacing credit card functionality, can I use aspects of my identity like a biometric sensor, to be able to control when am I actually letting this device that is saying that I am for instance doing a credit card transaction, make sure that's me on the other side of the device, and not somebody who has stolen it.

There's also, when it comes to security, a need to understand who has what privilege level at each part of the system - not just the device, but also the backend servers and systems, and auditability for that access. So there is an enormous range of functions that you could call security. In fact, one of the biggest challenges in our industry is being able to not oversimplify the core secure functions that exist. In many cases, if you ask a particular UC vendor what their security story is, they will take you down to maybe one or two basic features that have in some cases only a small portion to do with how those communications are secured both over the air, inside the device, how the firmware and software is protected, how the management functions are protected, and how identity is propagated.

So that's kind of a way of jumping into what are the issues here, and what are the considerations, and what does security really mean.

Marty Parker: Thanks Andy for that. I thought that was a really solid introduction you gave us to the concept. I really appreciate your recommendation that it is a pervasive program. I would like to build on your comments about authentication, and talk about the application and data layers.

One of the things that we are seeing more and more pervasively in business, but especially in those critical markets that have a concern or regulatory requirements such as health care, is that the authentication of the user, their identity and their authentication, actually drives the application interface. So most of the health care systems, such as say the Cerner system, limit permission to a patient record to those people who are authorized to care for that patient. And sometimes even down to the shift level. The nursing staff will sign in to a patient for their shift and sign out. If they were to try to get to that patient record remotely even through a secure connection like the Virtual Private Network at some later time, they would be denied access to that patient information, because they are not the authorized caregiver at the moment.

And I think we will see that sort of distinction becoming more and more common, certainly in industries like I say where security means so much, health care, finance, public records, and so forth. But I think we will also see it happening in other places where permissions are going to drive what people are able to see and do when connected to an application.

Meanwhile at the other layers, transport and physical, I will say one thing then I will pass it to John Bartlett to talk more about some of the transport layer security options that exist. The thing that I would like to notice is that I do appreciate those unified communications suppliers who are taking at least some part if not all of what you recommended, Andy, to heart. And that is they are providing an end-to-end encryption model of both the media and the signaling. Those end-to-end models are held at both ends by the server and the devices with software clients on them, so that there can be an assurance that if I am going out through the firewall, say to a client with whom I am having a secure conversation about a legal matter, that I will have encryption, I will have protection.

The better of the vendors are also logging those communications to assure that I can go back in the audit process and find out where communications are going. I can trace things if I find that there is any reason for question. But I think that the transport layer is going to be so valuable. It has been of course already, but so valuable to the concept of security going forward. John, I expect you can add a lot to that.

John Bartlett: At the network layer, there are a couple of critical things, and this is where I think semantics come into play. It is really important as mentioned earlier to make sure that when you are talking about security everybody is on the same page. It is kind of like quality in that you can define it from so many different points of view.

At the network layer, one of the things that is important is ensuring that the devices that are connecting to the network are in fact authorized devices, and are allowed especially to use the QoS classes that we assign to network year. So there is an issue of making sure that really is a phone, or that really is a video conferencing end point, or that really is a PBX, that has to be addressed, and there are a number of different methodologies for that.

At the QoS layer, there is the issue of making sure that the bandwidth is managed in a way so that it's contained so that the network can protect itself from over utilization of the resources, because there are a number of different players on that network that all have to be maintained. That relies on authentication and also relies on an appropriate design in the network to make sure that applications are staying within their allocated bandwidths.

Another piece that has become more important as we cross network boundaries is to not violate the security that has been provided by the network firewalls. The firewall traversal is difficult because the asymmetric nature of a firewall is not set up to properly handle voice and video which needs to be symmetric. And so we have to have methodologies for getting across that firewall that will support the voice and video, and even the instant messaging and federation and all of those pieces that we want to enable communications without opening up the path for hackers or viruses or whatever to be crossing those network boundaries and getting into those spaces. So there are issues to address there as well.

Blair Pleasant: Thanks John. Does anyone else have anything to add to this?

Art Rosenberg: Yeah, it has different layers as you can see. Some of it has to do with capacity and functionality, and some of it has to do with security in terms of accessed information. And last but not least, there is privacy, which is access to particular people who want to manage their time. All three of these areas need to be taken care of, but not necessarily by the same management within an organization. In fact, I like to maintain that at this point in time that an individual user is going to be having to deal with applications from different companies, as a customer, as a supporter of a customer...customer-facing, whatever. So you have got to be crossing all kinds of boundaries as far as information access, and also for controlling access by people. It has to be something that is standardized in some way, and the right people are exerting the kind of control we are talking about. It is not like IT is going to do it all. Some people know what the problems are; some people know what some parts of the solution are, but getting structured for that is what I think we face as a challenge with UC.

Nancy Jamison: I agree with Art, because there are a lot of little siloed solutions, too. One of the areas that I look at is voice verification. And we have the ability to do that now on the phone or through the network. You can see the protect devices and applications that way, and people are using it. But there are other things too. I was at this mobile voice conference a couple of weeks back. There is a German company called Biometry, and they have many layers of verification in the applications that they have. One of them I had not seen before. It was really interesting. It is a way of protecting your notebook. Say you get up and you have everything including UC running. It has a video camera on you and it does face recognition. So when you get up and leave, it turns the screen off. When you come back and it recognizes you, it turns it back on. I thought that was a unique way. But as I said before there are all little silos, because they are all in various stages of development. So, I am not sure what the answer is as to how you get the end points to be part of the security whole.

Art Rosenberg: I think that points out something that you have to look at from two sides. On the one hand, there is the protective side. And on the other hand is the user side. Hopefully you have to keep it simple for the user. And so the protective side is going to say, "we can do it this way; we can do it that way." But number one is to protect the information as best as you can, but keep it simple as far as the end user.

Nancy Jamison: Yeah, very simple. Especially in health care and banking, we can do multi-factor authentication and do it really simply for the end user. That is one of the goals of all the people putting these products out. But you still have some push back, because people do not understand if their voice print is actually stored somewhere and it could be stolen, or is it Big Brother and all of that? We are still getting some of that even though people are much more comfortable with the technology than let's say five years ago.

Art Rosenberg: Well, it is getting too complicated for people to take care of themselves.

David Yedwab: Two other points that I think we need to add to the security discussion. Number one, dealing with security at the same time we are trying to deal with the consumerization and the bringing of your own device into the network is something that is going to be a continuing challenge over time. And second, we are hearing more and more about, as the networks are becoming more and more IP, the threat of cyber warfare, cyber security, and cyber terrorism. We need to keep that in the back of our minds as we are planning for our networks going forward.

Steve Leaden: Absolutely. In fact, I have a couple of talking points. We have to look at external, firewalls, and intrusion protection prevention policies, as well as internally across border amongst divisions. So if we need to set up a UC strategy within a division versus another division, what are those security policies that we need for sharing and non-sharing? And then of course, we've got the expanded element of federation and federating outside companies, vendors, partners, customers into this trusted environment, and what are the policies and security tools that we are going to use to bring these external groups together?

Then of course, we have the cloud, which is a very big topic coming into play from your SaaS emails and UC integration, which is right on the horizon and starting to be implemented. What are the security policies around a cloud-based solution? Those are some of the things that we are seeing. And even to the point where call recording is becoming very, very common for a lot of our customers, therefore what is the security policy that they have around call recording in a non-call center kind of UC-only environment? What do they use for turning on and turning off, or call recording conversations, if you will? There is just a lot of policy around that. A lot of things to think about.

Blair Pleasant: I think those are all great points. There is some great technology out there, but I think focusing on policies is just as important. As the saying goes, "you can't cure stupid," so having policies and procedures that make it clear to employees about what they can and cannot say and divulge is just as important as not having things like encryption and firewalls. So I think this gives enterprises a lot to think about and hopefully we will have more conversations about this in the future. Thank you to all the UC experts and see you all next time.