Is It Safer? The Complexities of UC and Security

Is securing unified communications infrastructure and applications fundamentally different from securing the various elements when they are not linked in a UC web? Does securing UC ultimately simply come down to using the security best practices for each of the pieces of the system? The answer to both questions is a resounding yes.

That seems to be a contradiction: How can securing UC be the same and different from securing a group of separate applications and network elements?

UC is nothing more than cleverly knit together applications and infrastructure. Thus, a big piece of the security picture is using best practices for each of those elements. At the same time, integrating these systems introduces its own potential risks and efficiencies that are absent if each operates in a vacuum.

This dichotomy – the difference between protecting a group of independent elements versus protecting a single holistic system – is something that IT departments must think hard about as UC platforms become more sophisticated and take over an increasing percentage of the organization’s communications.

The common wisdom is that good security on each of the applications spells good security for the entire UC platform. To a great extent, this is true. And, to a great extent, the security discussion is the same whether applications are linked by UC or not. “Whether [apps] are separate or in a UC platform, the same security considerations exist,” says Nick Sears, the Vice President of Europe, the Middle East and Asia for FaceTime. 

While it is true that good security on each application is a huge step toward good overall security, the use of UC dictates some changes.

From the corporate and operational point of view, a holistic UC approach increases the chances that security equipment purchases are focused on a single vendor or vendors that work together. “In a UC platform, you are more likely to find a single vendor to deal with all modalities across the UC mesh,” says Sears. “There are solutions that enable you to deal with a single policy management framework.” 

A second difference is that the unification of communications means that policies, as well as their execution and enforcement, are centralized. If executed well, this will greatly benefit the organization. For instance, most IT policies mandate that a departing employee’s access to communications tools – his or her communications modalities, in UC parlance -- be revoked in a timely fashion. This process can be done far more effectively in an environment in which all or most of that employee’s applications are linked. Of course, it also is possible that he or she will have access to more things for a longer period of time if that element of the UC platform is poorly managed.

“In a unified security scheme, when someone pulls the plug on an authenticated user, the system will shut all the openings that may be exposed,” says Dieter Rencken, a senior product manager for ShoreTel. “If it’s a piecemeal system, that might be harder to do. You may have to interact with different authenticated databases. You may even overlook some.”

Risky Business

Such unification brings challenges. Adam Boone, the vice president of marketing for security vendor Sipera Systems, said that his company essentially sees UC and real-time communications – VoIP, streaming and other synchronous applications in which exchanges happen in real time – as synonymous. Boone acknowledges the possible risks of a broader vulnerability or infection entering through one application and spreading to others.