In unified Communications and Collaboration Solutions, Security and Usability Should Go Hand In Hand

2 July 2021

Dear VoIP.ms blog enthusiasts, you will find below a guest blog article from one of our latest partners: Wildix, a robust Unified Communications and Collaboration Solutions provider.

In unified communications and collaboration (UC&C), there’s simply no overemphasizing the importance of security. As the beating heart of a company’s communications processes, a UC&C system makes a tempting target for malicious agents seeking data to use illicitly. If these online communications are left unprotected, companies run the risk of giving hackers everything from internal conversations to outright financial information; Managed Service Providers (MSPs), meanwhile, risk facing a furious customer who at best will demand improvements or, at worst, will seek to point fingers.

Of course, in most cases providing security for a UC&C system is easier said than done. This isn’t just because the implementation of security is difficult (although it’s certainly a factor); it’s also because, all too often, security works against the usability of UC&C systems and drags down initial positives. When implemented through additional plugins or external programs, system protections typically add bulk to the overall infrastructure of a UC&C platform, in turn hampering the speed and accessibility of the overall system. As a result, end-users can easily become dissatisfied with the solution on the whole, despite the good intentions behind bringing in those add-ons.

All this makes it difficult to present end-users with an attractive communications solution: why would they find your offer worth buying, let alone using in the long term, if it ends up running slowly or becomes unintuitive to use? Even in the event that businesses do purchase and stick with one of these systems with burdensome, tacked-on security, problems are still likely to persist, as users will be encouraged to disable or work around security measures to achieve a smoother experience.

With all these factors weighing on implementing security, how can an MSP add it to their offer without outright inconveniencing their customer? The answer is as simple as it is ironic: they shouldn’t be adding security at all.

Rather, the key to effective security is establishing it at the foundational level of the system, incorporating key components such as encryption and peer-to-peer connections as part of the same groundwork that routes VoIP calls and transfers video conferences.


The Issues with External Security

As said before, when security is implemented as some form of external add-on, problems tend to ensue.

By “external add-ons,” we mean components like anti-malware solutions, external SBCs or VPNs — the common answers consumers have in mind when addressing that age-old question of system security. These methods are so well known and commonly used because they represent an old standard of IT security, wherein protective layers shield a system from outside threats. Anti-malware swats away threats before they reach the system; VPNs create a private tunnel through the network to communicate within; firewalls serve as another border keeping bad actors out of the system; and so on.

What this standard of security hides, however, is the fact that adding layer after external layer to a system cannot come without significant impact to usability. For one prime example, a VPN will typically take up additional network bandwidth when creating its virtual tunnel, in the process slowing down networks (the G.729 codec, for one, takes up to double the regular network use). Additionally, having to sign into the VPN to actually use it can become an inconvenience if not an outright headache of its own. Additional login requirements inherently stand in the way of intuitively using a communications system. If an employee simply wants to pop open their laptop and work one day, perhaps while at their home, that extra sign-in through the VPN will no doubt make for a bitter pill to swallow.

SBCs and similar external firewalling systems, while less egregious in this sense than VPNs, likewise by their very nature turn a unified communications system into a more unwieldy beast. Although they won’t eat up bandwidth and likely won’t take users through an additional login, SBCs, anti-malware, and firewalls inherently function outside of the control of the main UCC platform, meaning their setup and maintenance will always be in addition to that of the UCC system itself. Should these systems fail to be updated, fail to be appropriately connected, or even have some failing within their own code, not only does it jeopardize the security of the communications system they sit in front of, the signs of a potential breach will likely not be apparent from within the system itself. Needless to say, this hardly qualifies as “total” security by any stretch of the imagination.

Even from the standpoint of achieving security, these methodologies leave much to be desired. These external models implement what we might call the “walled city” approach to safety: in pushing away traffic, or blocking out unwanted visitors, VPNs, SBCs, and their comparable programs are much like barricades around a town. But what this approach fails to account for is if those walls are breached. Suppose a hacker cracks the firewall, or the VPN password leaks, or the SBC is bypassed — what measures are in place to stop attacks then? If those external measures are all that was put in place, the answer is there’s absolutely nothing to stop the spread of the attack; cracking that external armor means the system is ripe for the picking.

Consider also that this is far from a mere hypothetical. In addition to the very real problems described with external SBCs, firewalls can be bypassed simply as a result of additional external factors. On the other hand, VPNs have had issues of their own, with the alarmingly frequent password leaks from VPN providers causing real damage to the systems they were intended to protect. As much as these specific leaks and system breaches may be addressed by updates and fixes, hackers are fully capable of jumping ahead of those patches to break in anew.

In terms of applying security, it’s downright ineffective to consider the whole process just by fortifying the exterior; not only does it open the door to accidents caused by ineffective application or user error, but it also creates a system where a single crack in the solution’s armor is enough for the entire network to become compromised. And it goes without saying that if an end-user becomes the victim of this kind of attack, the first person they’ll blame is their MSP.

To build a lasting business relationship — and to do it with less overall labor and maintenance — security for any given UCC platform must instead be built from the ground up, incorporated within the system at a foundational level.

Becoming “Secure by Design”

The alternative to this previously described model is one that features security inherently within its actual system. Using current technology, a UC&C solution can easily be built with an architecture that is “secure by design” — that is, fully guarded against external threats without relying on external technologies or programs that add to an MSP’s management workload.

This design philosophy is achievable by bringing the following qualities into the core design of the UCC system:

1. Complex password requirements and secure storage
2. DDoS protection
3. Encrypted communications
4. WebRTC architecture
5. System monitoring capabilities

Passwords are, of course, an integral part of any system, and demand utmost care and protection. As such, any UCC system will have to ensure that all user passwords are hard to guess and securely stored: the former by enforcing strict password creation requirements, the latter by storing passwords only as salted SHA512 hashes rather than in a readable form. Adding in options for two-factor authentication and single sign-on will also increase security by allowing users to increase the complexity of their login process.
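To make the two halves of that paragraph concrete, here is an added example (not Wildix’s code, nor part of the original post) that enforces a creation policy and stores passwords as salted hashes. The page names SHA512 with salt; this example uses PBKDF2-HMAC-SHA512, which is a salted construction on SHA-512 that also iterates the hash so each guess costs real CPU time. The length, iteration count and the small blocklist are assumptions chosen for the example, and verification uses a constant-time comparison.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Policy knobs: these values are assumptions for the example, not Wildix settings.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 210_000   # iterated HMAC-SHA512 so each guess costs the attacker CPU time
SALT_BYTES = 16

# Constructed blocklist: passwords that pass the character-class rules but are
# still trivially guessable. A real deployment would load a large list.
BLOCKLIST = {"password1234!", "welcome12345!", "changeme2021!"}


def check_password_policy(password: str) -> List[str]:
    """Return every policy rule the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in (("lowercase letter", r"[a-z]"), ("uppercase letter", r"[A-Z]"),
                           ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    if password.lower() in BLOCKLIST:
        problems.append("on the blocklist of common passwords")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted SHA-512 based hash (PBKDF2-HMAC-SHA512); pack scheme, rounds, salt, digest in one string."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and round count stored beside it; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed record never verifies
    if scheme != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3x-Moon")
    print(record)
    print(check_password_policy("Password1234!"))   # ['on the blocklist of common passwords']
    print(verify_password("Tr0ub4dor&3x-Moon", record), verify_password("guess", record))
```

Because the salt and round count travel inside the stored record, the iteration count can be raised later for new passwords without invalidating existing ones, and two users with the same password still get different records.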

DDoS protection is likewise achievable through internal system workings, in part by working in tandem with protection against brute-force attempts at guessing passwords: by blocking IP addresses that attempt multiple logins, the system will keep out those who try countless password guesses, whether to illicitly access accounts or to crash the system through overuse. These blocking measures should also naturally work alongside provisions to block excessive traffic transmitted from a single IP address. Such flooding is a simple way for malicious actors to shut down a PBX without having to log in at all.

Perhaps at the heart of the secure-by-design methodology, however, is the practice of encryption, which in many ways can take the place of VPNs and external SBCs outright. Simply by utilizing up-to-date TLS protocols in tandem with SRTP, conversations established between two parties become so thoroughly encrypted that, even in the event that a hacker does break into the network or intercept the communications, the data itself will be nigh indecipherable. Through this measure alone, data transferred through the UCC system will be kept secure automatically, drastically increasing the safety of the solution without requiring any additional setup or maintenance from the MSP or even from the end-user.

At the same time, encryption alone will likely feel like a risky way of protecting an entire system. This is why additional protections should be worked into the innate architecture of the solution, ones which also work without additional maintenance from any immediate parties. WebRTC, the open-source framework for real-time web communications, is a perfect fit for these purposes, as the technology establishes direct user-to-user connections encrypted with DTLS and SRTP for a link that’s nearly impenetrable by hackers and completely independent from exploitable third-party servers. Furthermore, WebRTC lives and operates entirely within the browser or the proprietary app being used, meaning it remains separate from files on the end-user’s device and remains unaffected by any viruses or spyware that find their way onto the hardware; this infrastructure also allows WebRTC to update automatically each time the browser itself is updated, skipping the need for lengthy downloads or tedious installs for security improvements.
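The two preceding paragraphs name TLS for signalling, SRTP for media and DTLS-SRTP for WebRTC. Whether a given call actually gets that protection is decided in the SDP body that a SIP or WebRTC endpoint sends when it sets up the call, so a useful admin-side check is to audit SDP for the transport profile of each media stream. The following is an added example, not code from Wildix or the original post: it classifies every m= section as plaintext RTP, SDES-keyed SRTP (keys carried in a=crypto) or DTLS-SRTP (keys negotiated by a DTLS handshake bound to a=fingerprint). The SDP bodies are constructed with documentation addresses and a placeholder fingerprint; the profile strings are the standard ones from the RTP, SRTP and DTLS-SRTP specifications.

```python
from typing import Dict, List, Tuple

# Transport profiles as they appear in the m= line of an SDP offer or answer.
PLAINTEXT_PROFILES = {"RTP/AVP", "RTP/AVPF"}                 # bare RTP, no SRTP
SDES_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}                     # SRTP keyed by a=crypto (SDES)
DTLS_PROFILES = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}     # SRTP keyed by DTLS (WebRTC)
ENCRYPTED_VERDICTS = {"srtp-sdes", "dtls-srtp"}


def split_sdp(sdp: str) -> Tuple[List[str], List[List[str]]]:
    """Return the session-level lines and one list of lines per m= section."""
    session: List[str] = []
    media: List[List[str]] = []
    for raw in sdp.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("m="):
            media.append([line])          # start a new media section
        elif media:
            media[-1].append(line)        # attribute belongs to the current section
        else:
            session.append(line)          # before the first m= line: session level
    return session, media


def audit_media_security(sdp: str) -> List[Dict[str, str]]:
    """Classify every media stream by how (or whether) its RTP is protected."""
    session, sections = split_sdp(sdp)
    session_fp = any(l.startswith("a=fingerprint:") for l in session)
    findings = []
    for lines in sections:
        fields = lines[0][2:].split()     # "m=audio 49170 RTP/AVP 0 8" -> ["audio", "49170", "RTP/AVP", ...]
        media_type, proto = fields[0], fields[2]
        attrs = lines[1:]
        has_crypto = any(l.startswith("a=crypto:") for l in attrs)
        has_fp = session_fp or any(l.startswith("a=fingerprint:") for l in attrs)
        if proto in PLAINTEXT_PROFILES:
            verdict, detail = "plaintext", "RTP without SRTP: anyone on the path can record the stream"
        elif proto in SDES_PROFILES and has_crypto:
            verdict, detail = "srtp-sdes", "SRTP keyed by a=crypto; keys are only as secret as the signalling (use TLS)"
        elif proto in SDES_PROFILES:
            verdict, detail = "broken", "SAVP profile but no a=crypto line, so no SRTP keys were offered"
        elif proto in DTLS_PROFILES and has_fp:
            verdict, detail = "dtls-srtp", "keys from a DTLS handshake authenticated by a=fingerprint"
        elif proto in DTLS_PROFILES:
            verdict, detail = "broken", "DTLS profile but no a=fingerprint, so the peer cannot be authenticated"
        else:
            verdict, detail = "unknown", f"unrecognised transport profile {proto}"
        findings.append({"media": media_type, "profile": proto, "verdict": verdict, "detail": detail})
    return findings


def all_media_encrypted(sdp: str) -> bool:
    """True only when every media stream negotiates some form of SRTP."""
    findings = audit_media_security(sdp)
    return bool(findings) and all(f["verdict"] in ENCRYPTED_VERDICTS for f in findings)


# Constructed SDP bodies (documentation addresses, placeholder key and fingerprint).
PLAINTEXT_OFFER = """v=0
o=pbx 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

SDES_OFFER = """v=0
o=pbx 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49172 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDERK
m=video 49174 RTP/SAVP 96
"""

WEBRTC_OFFER = """v=0
o=- 1 1 IN IP4 127.0.0.1
s=-
t=0 0
a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
a=setup:actpass
m=audio 9 UDP/TLS/RTP/SAVPF 111
c=IN IP4 0.0.0.0
a=rtcp-mux
"""

if __name__ == "__main__":
    for name, offer in (("plaintext", PLAINTEXT_OFFER), ("sdes", SDES_OFFER), ("webrtc", WEBRTC_OFFER)):
        for f in audit_media_security(offer):
            print(f"{name:9} {f['media']:6} {f['profile']:20} {f['verdict']:10} {f['detail']}")
```

Two caveats belong with this check. An offer only shows what one side proposed; the answer has to be audited the same way, because a peer can still answer a plaintext profile if the offer allowed it. And the SDES verdict is only as good as the signalling channel: the a=crypto line carries the SRTP key in the clear, which is exactly why the page pairs SRTP with TLS for the SIP leg, whereas DTLS-SRTP keys never appear in signalling at all.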

Finally, a system at its most secure needs methods for interior surveillance, or ways to track possible threats and attempted intrusions for a more complete picture of its security needs. As such, any UCC platform should have extensive monitoring capabilities that are easy for an admin to access and utilize within the system itself. While manual monitoring is essential, more vital still is to have automatic alerts configured in order to immediately learn of potential system breaches and attacks, as quick response time to possible threats can easily make the difference in preserving system integrity. Put together, these components easily create a system with reliable, self-sufficient security that works at its best: without additional management, and without creating new possibilities for user error to undercut the fortifications of the system.
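The brute-force lockout and per-IP traffic blocking described under DDoS protection above and the automatic alerting described in this paragraph rest on the same per-source bookkeeping, so one added example serves both passages. It is not Wildix’s code or part of the original post: a guard keeps a sliding window of failed logins and of raw request volume per source IP, blocks an address that crosses either threshold, and records an alert line of the kind an admin would receive. The thresholds, the log format and the addresses are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Thresholds are assumptions for the example, not Wildix's settings.
MAX_FAILED_LOGINS = 5      # failed logins from one IP within LOGIN_WINDOW seconds -> block
LOGIN_WINDOW = 60.0
MAX_REQUESTS = 200         # any requests from one IP within TRAFFIC_WINDOW seconds -> block
TRAFFIC_WINDOW = 10.0
BLOCK_SECONDS = 900.0


class PbxGuard:
    """Per-source-IP sliding windows for failed logins and request volume, plus an alert log."""

    def __init__(self) -> None:
        self.failed: Dict[str, Deque[float]] = defaultdict(deque)
        self.requests: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}
        self.alerts: List[str] = []        # what an admin would receive as automatic alerts

    @staticmethod
    def _prune(window: Deque[float], now: float, span: float) -> None:
        while window and now - window[0] > span:   # drop events older than the window
            window.popleft()

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # block expired: lift it lazily
            del self.blocked_until[ip]
            return False
        return True

    def _block(self, ip: str, now: float, reason: str) -> None:
        self.blocked_until[ip] = now + BLOCK_SECONDS
        self.alerts.append(f"BLOCK {ip} for {BLOCK_SECONDS:.0f}s: {reason}")

    def on_request(self, ip: str, now: float) -> bool:
        """Called for every inbound request before it is processed; False means drop it."""
        if self.is_blocked(ip, now):
            return False
        window = self.requests[ip]
        window.append(now)
        self._prune(window, now, TRAFFIC_WINDOW)
        if len(window) > MAX_REQUESTS:
            self._block(ip, now, f"{len(window)} requests in {TRAFFIC_WINDOW:.0f}s (flood)")
            return False
        return True

    def on_login_result(self, ip: str, user: str, success: bool, now: float) -> None:
        """Called after authentication; a success resets the failure window for that IP."""
        window = self.failed[ip]
        if success:
            window.clear()
            return
        window.append(now)
        self._prune(window, now, LOGIN_WINDOW)
        if len(window) >= MAX_FAILED_LOGINS:
            self._block(ip, now, f"{len(window)} failed logins in {LOGIN_WINDOW:.0f}s (last user '{user}')")


# Constructed log format: "<ISO timestamp> <source IP> <method> [user=<u> result=OK|FAIL]"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+)"
                      r"(?: user=(?P<user>\S+) result=(?P<result>OK|FAIL))?$")


def replay(lines: List[str]) -> Tuple[PbxGuard, int]:
    """Feed log lines through the guard in order; return the guard and how many requests it dropped."""
    guard, dropped = PbxGuard(), 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        now = datetime.fromisoformat(m["ts"]).timestamp()
        if not guard.on_request(m["ip"], now):
            dropped += 1
            continue                       # a dropped request never reaches authentication
        if m["result"] is not None:
            guard.on_login_result(m["ip"], m["user"], m["result"] == "OK", now)
    return guard, dropped


_T0 = datetime(2021, 7, 2, 9, 0, 0)


def _at(seconds: float) -> str:
    return (_T0 + timedelta(seconds=seconds)).isoformat(timespec="milliseconds")


# Constructed sample: a mistyped-then-correct login, a password-guessing run, and an INVITE flood.
SAMPLE_LOG = (
    [f"{_at(0)} 192.0.2.10 REGISTER user=201 result=FAIL",
     f"{_at(5)} 192.0.2.10 REGISTER user=201 result=OK"]
    + [f"{_at(10 + 2 * i)} 203.0.113.7 REGISTER user={100 + i} result=FAIL" for i in range(6)]
    + [f"{_at(30 + 0.02 * i)} 198.51.100.9 INVITE" for i in range(250)]
)

if __name__ == "__main__":
    guard, dropped = replay(SAMPLE_LOG)
    print(f"dropped {dropped} requests; blocked {sorted(guard.blocked_until)}")
    for alert in guard.alerts:
        print(alert)
```

On the sample, the legitimate user who mistypes once is never blocked because the successful login clears the window, the guessing host is blocked on its fifth failure and its sixth REGISTER is dropped before it can be authenticated, and the flooding host is cut off at the 201st request with the remaining 49 dropped. The alert list is what a monitoring integration would forward; the same records are what manual review in the admin view would show.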

Security through Wildix

An example of these five components working in practice comes from Wildix. With this system, encryption is enabled on each and every message sent by default, with up-to-date TLS and SRTP ensuring the privacy of communications without ever requiring further input from the end-user. Similar protection is afforded to the entire organization with secure password requirements and well-encrypted password storage systems, which, alongside options for 2FA and SSO, create a reliably safe standard for managing logins. DDoS protection is likewise built in through automatic blocking of excessive login attempts or an overload of traffic from specific IP addresses.

These points are bolstered more thoroughly with an architecture based entirely on WebRTC without any additional downloads or installations. More importantly, WebRTC allows the system to establish direct peer-to-peer connections with additional built-in encryption for fully private data transfers.

On top of all this, Wildix also features multiple ways for admins to track potential intrusions and hacking attempts into a system. Automatic alerts for suspicious activity can be easily set up to keep MSPs aware of dangers to their customers’ systems, and manual monitoring can also be performed within the admin view or even through an optimized integration with the external monitoring software Zabbix.

For more information on Wildix and how our security achieves its secure-by-design promise, be sure to check out our website and download our free security white paper.

Final note from VoIP.ms: Wildix is one of our newest partners, and we are very happy with what we have been putting forward together. As a matter of fact, check out the co-webinar we hosted with them right here.
