Cloud-based communication solutions are becoming more and more popular. No wonder, after all, they offer many advantages compared to conventional telecommunications systems. But at the same time there are doubts: Can cloud telephony become a security risk for companies?
The way from ISDN to cloud telephony
In order to be able to assess the topic correctly, let’s first take a look at the differences between ISDN and cloud telephony.
Since the ISDN fixed network will be shut down across Germany in the course of 2022, the days when telephony had its own connections to the telephone network are over. It is similar with the end devices: Here, too, the IP network is used for the connection.
Telephony is now just a communication service. Telecommunication systems are developing into Unified Communications & Collaboration Solutions (UCC) that provide a client for chat, presence, audio, video and web conferencing as well as voice and video telephony. These clients should be able to run in the company, but also via the home office and on mobile devices. In addition, UCC functions should also work with external customers and partners. A cross-company chat function, for example, makes collaboration easier. Data can be stored in locations that both companies have access to, and screens can be shared between each other in conferences.
EXTRA: Cloud Computing for SMEs: You need to know that
For many companies, this is a reason to get their UCC solution directly from the cloud. This makes complex security design in your own DMZ obsolete. Second-level concepts using an internal and external DMZ, as is often required by financial institutions, do not support UCC solutions or only support them with immense additional effort. The manufacturers of UCC solutions are also pushing the cloud and in some cases do not provide any solutions that are installed at the customer’s premises.
What are the security risks of cloud-based telephone systems?
At the beginning it should be noted that a cloud-based telephone system, properly protected, can be more secure than an on-premises solution. It is important to know the security risks and to prevent possible attacks.
The connection to the Internet offers hackers a multitude of attack options that are not available in an analog system. The aim of these attacks is to slow down or even paralyze the network used, to steal data or identities or to eavesdrop on phone calls.
When talking about the cloud, a distinction must be made between two approaches. Cloud solutions, including the cloud infrastructure, can be made available by the provider as a shared solution. In the second option, a provider hosts a solution for the customer from the cloud. Here the customer has a say in the design of the solution, depending on the characteristics. With both approaches, the customer has to trust his provider. Because he has no influence on the security of the systems in the cloud.
A common misconception is that cloud service providers offer complete security measures for cloud communication. This might apply to applications in the cloud, but not to your network, call flows, media, or endpoints that are not in the cloud.
Therefore, companies must also take measures to ensure the security of their sensitive data.
EXTRA: Beware of malicious software: This is how you protect yourself [practical tip]
What security measures can companies take?
Voice signals and data packets pass through several interfaces during their transport via a cloud-based UCC system. Each of these places carries the risk of a security breach. This means that you have to ensure that the sent and received data are encrypted at every point if they are to be optimally protected.
The encryption of the signaling and user data is a standard, but ultimately only helps if the encryption mechanisms used are secure and protected. When encrypting the voice, there is also the fact that this is possible internally between the endpoints and the UCC cloud, but the transport is unencrypted in public networks. Some manufacturers offer separate key management solutions for their cloud solutions, but use often fails due to the costs and complexity.
Manufacturers usually keep a secret about their internal security functions and justify this with the protection of all customers. Cloud operators generally do not agree to the possibility of verifying the security of the cloud by means of their own penetration (PEN) test. In contrast to their own solution, the large providers in particular are faster when it comes to closing gaps. One example is the recently discovered vulnerability in Microsoft Exchange. In the Microsoft 365 Cloud, the gap was closed before it became known. However, many customer installations still have the vulnerability or were hacked before they could act.
The greater risk, however, comes from the user, especially when mobile devices are integrated and BYOD approaches are used. Here, device monitoring and protection through appropriate MDM solutions are elementary. The most frequent attacks are still directly traced back to users, when opening email attachments through which software is infiltrated, which can then calmly wreak havoc. The only thing that can help here is appropriate security solutions that can recognize when such malware or ransomware becomes active and stop it immediately.
Cloud telephony security risk?
In conclusion, it can be said that there is no such thing as 100% security. Cloud solutions need some trust and a secure infrastructure to the cloud.
Security gaps in a cloud product are usually closed much faster than could be implemented with any on-premises solution. The weak points are endpoints and users – thus the same as with an on-site installation. Appropriate security solutions help to quickly identify gaps and stop attacks.
Organizations must therefore continue to be concerned about security when using cloud solutions, although the cloud can take away some concerns as well.