Real Time in the Real World: Meeting the Unified Communications Security Challenge

Date:   Thursday , May 07, 2009

A communications revolution has been slowly but steadily engulfing enterprises of all types, in various, industries over the past decade. Seamless deployment of Voice/Video/Instant Messaging/Chat/Collaboration/Presence over existing IP communications links made this possible with cost savings, and brought people closer, even across geographical frontiers.

This technology transformation - Unified Communications (UC) - can be loosely defined as a host of communication-applications managed in a coordinated fashion and often deployed across a converged, next-generation network infrastructure.

Consolidation of Voice, Video, IM, Collaboration tools and other real-time communication tools on enterprise IP networks forms the UC solution that can be ubiquitously deployed and managed. Consolidation eliminates redundant voice and data networks with data and voice carried on the same T1/E1 line (example) instead of on PRI lines, and their associated investment and maintenance, for traditional voice networks. In addition, presence-enabled applications create an even richer communications experience.

As UC is taken further, enterprises are adopting new forms of interaction with external parties, including:

* Multi-channel communication with customers

* Real-time collaboration with the supply chain

* More effective support of channel

* Flexible communications with an extended workforce, including distributed call centers, teleworkers, and remote offices.

These forms of UC can introduce dramatic benefits such as significant cost savings, tighter inventory control, improved customer service, reduced travel and the ability to secure workforce talent, regardless of location. All of these benefits can add up to distinct competitive advantages and easily quantified efficiencies.

However, these new forms of communications also present new challenges in information security/privacy, integrity, control of applications/corporate assets and above all – preserving Quality of Service and User Experience. Proliferation of UC over IP brings includes three major challenges:

1. Need for granular control, real-time application level security and admission control.

2. Confidentiality, integrity of communications.

3. QoS requirements for latency sensitive applications.

These challenges can be addressed with the proper amount of foresight, and planning, and - in fact - anticipating and exploring them can highlight new ways that UC can benefit an enterprise.

Privacy Matters
Confidentiality of communications can be easily compromised by simple sniffers and recording devices, call hijacking, call recording, media manipulation and other more sophisticated-but-easy-to-implement attacks. The ability to encrypt call establishment (signaling) and conversation (media) in addition to authenticating users, devices, locations, etc., is critical to ensuring UC privacy and authenticity.

At first, many enterprises assume that UC security will be adequately covered by data security measures, largely because UC traffic is converged onto an IP network originally built to carry data. Convergence of multiple applications – thereby requiring granular inspection and control to distinguish voice vs. video vs. data, etc., combined with the real-time nature of UC experience – breaks this assumption.

It is becoming increasingly clear that traditional data security methods can be inadequate for fully protecting UC traffic. Typical questions, that need to be answered by security and enablement devices that handle UC, include:

1. How can enterprises distinguish between traditional data, voice, video and other applications, with 100 percent accuracy, to enforce appropriate Quality of Service requirements?

2. Can partners call “this domain”?

3. How can enterprises restrict access to only “approved” corporate assets (phone models, soft clients, authorized click-to-talk users)?

4. IM may be OK, but how do enterprises prevent transmission of IM attachments?

5. How can enterprises prevent unauthorized downloads of video-on-demand applications?

6. User experience comes with remote enablement and extension mobility. How can enterprises provide secure access to traveling employees, while retaining their office extension numbers?

Deficiencies of traditional data security devices typically include:

* Inability to adequately distinguish and act on different types of content and media riding a converged infrastructure.

* Delay and performance degradation of time-sensitive traffic, coupled with encryption implementations that significantly cut throughput.

* No way to correlate traffic patterns and user behavior that can indicate an attack or policy violation that should be stopped.

* Complex, unwieldy access control and authentication schemes that undercut the full realization and ROI around UC.

In practice, these deficiencies mean that enterprises need to re-consider security postures and architectures as they adopt UC, and this security assessment should be a recurring process as the UC deployment evolves. To be sure, traditional data security methods are vitally necessary. What is also required is incremental security functionality, based on the acknowledgement that UC is different.

Real-time Security for Real-time Traffic
The most widely recognized difference between UC and traditional data security requirements is based on the fact that most UC applications are real-time.

VoIP, Video conferencing, Web collaboration tools and IM each require real-time communication between parties. This communication will not tolerate delay, traffic disruption or network performance problems. Email users may be willing to wait several seconds, or even minutes, for the transmission of their messages and - in fact - many performance problems that delay email delivery go entirely unnoticed by users. Apply the same scenario to UC and imagine if a call is delayed by two seconds.

At Sipera, we have worked with dozens of enterprises to facilitate the deployment of UC and, in doing so, identified four key UC security requirements that must be evaluated and addressed including:

Privacy (encryption): Protecting real-time traffic from eavesdropping, with all layer-7 heavy lifting done in a performance sensitive implementation to preserve real-time nature (low latency) and user experience.
Policy enforcement: Applying security and network traffic policies to traffic in real-time.

Access control: Authenticating users and facilitating appropriate access to communications resources, based on electronic fingerprints verified in real-time.
Threat mitigation: Detecting and blocking application-layer attacks from internal and external perpetrators in real-time.

Each of these areas requires a security practitioner to examine both the UC applications being utilized, as well as the underlying infrastructure that supports and manages this traffic. While certain areas — such as encryption — may be addressed by network configuration changes, other areas — such as threat mitigation — may require a re-examination of the security architecture to ensure the application layer is fully protected.

UC Security Life Cycle

As we continue to help enterprises re-examine and improve their security posture as part of a UC project, we have discerned a best practice for a UC Security Life Cycle, as illustrated below.

In effect, the security life cycle guides the enterprise between examining the overarching information security requirements associated with its line of business. A security or vulnerability assessment will then show the gap between these requirements and the reality of the security posture. Mitigation measures and compliance management follow. The cycle is repeated as mandates change, new privacy best practices emerge, or the UC implementation expands and evolves.

This simple cycle has familiar characteristics recognizable by those versed in change or project management in a typical enterprise IT environment. Perhaps the most important implication is that the UC security must be evaluated in light of overarching, application-affecting business rules and that this evaluation and modification must take place on a periodic, recurring basis.

This way, UC security is not daunting and the evaluation process can uncover new aspects to UC in ways more beneficial to the enterprise. For example, as access control is improved for UC to external employees, it could lead to opening certain networked IT resources to key members of the supply chain - which in turn can yield tremendous benefits for inventory management.

Such capabilities are just the first phase of benefits to be gained from the proper implementation of UC applications and UC security. Handled correctly, UC security can become a chief enabler of new ways of communicating and collaborating with a broad web of customers, suppliers and the extended enterprise. The new world of communications holds great promise to continue to revolutionize our way of doing

Author is Vice President of Engineering, Sipera Systems. He can be reached at