Five Key Security Questions to Ask Your Enterprise Communications Vendor

Tuesday, April 05, 2016

Michael Machado


A couple of months ago, Nissan's flagship electric Leaf car made news when a group of researchers discovered that one of the car's cloud-based apps lacked authentication. This created some remotely exploitable conditions as well as some data gathering risks. As the trend towards IoT and smart “everything” (TVs, cars, and so on) continues, we’ll be seeing more bugs, more design flaws and more product weaknesses.

Security is an important issue for cloud communications vendors to tackle. According to an IDC report commissioned by RingCentral, security ranks as the number-one concern in moving to cloud phone systems among IT decision makers. That’s not surprising: Security continues to be a top-of-mind concern for companies considering any type of cloud adoption. It’s important for businesses to take the time to understand what the transition to a cloud service means for their data. Can the vendor they choose answer key security questions? What are the right safeguards, and what are the right questions?  

Cloud security is a shared responsibility model, meaning that effective cloud security relies on both the customer and the cloud vendor for implementation and effectiveness. There's a lot your cloud vendor can do to mitigate risks to your business, and in the spirit of strong partnership, I encourage all customers to ask their cloud vendors the questions that they need answered for trust and assurance. Here are five to start with for your Unified Communications as a Service (UCaaS) vendor.  

1. Do you support encrypted VoIP? Unencrypted data streams of any type increase your risk and attack surface. A VoIP call is not any different than web application data in this respect. Eavesdropping, man-in-the-middle attacks and capturing registration credentials are all made easier with plain-text data. The bottom line is that VoIP traffic should always be encrypted. A vendor’s implementation of VoIP encryption should include both call signaling and media communications, so be sure to ask if both signaling and media are encrypted.
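The distinction between signaling and media encryption is easy to verify on your own side of the service, because both are visible in the SIP INVITE that sets up a call: the `Via` header names the signaling transport (TLS or not), and the SDP body names the media profile (plain `RTP/AVP` versus SRTP `RTP/SAVP`, with `a=crypto` or `a=fingerprint` carrying the keying). The checker below is an added example, not code from RingCentral or from the original post; the three INVITEs it inspects are constructed samples using documentation addresses, and the SRTP key string is a placeholder, not real key material.

```python
"""Check whether a SIP INVITE (signaling) and its SDP offer (media) are
encrypted. Added example, not vendor code; the INVITEs below are
constructed samples using documentation names and addresses."""
import re
from dataclasses import dataclass, field

# SDP transport profiles that carry SRTP rather than plain RTP (RFC 3711, RFC 5764).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# SIP transports that protect signaling on this hop (TLS per RFC 3261, WSS per RFC 7118).
SECURE_TRANSPORTS = {"TLS", "WSS"}


@dataclass
class MediaStream:
    kind: str          # "audio", "video", ...
    profile: str       # e.g. "RTP/AVP" (plain) or "RTP/SAVP" (SRTP)
    has_keying: bool   # a=crypto (SDES) or a=fingerprint (DTLS-SRTP) present

    @property
    def encrypted(self) -> bool:
        # A secure profile with no keying material is an incomplete offer, not encryption.
        return self.profile in SECURE_PROFILES and self.has_keying


@dataclass
class EncryptionReport:
    signaling_transport: str
    media: list = field(default_factory=list)

    @property
    def signaling_encrypted(self) -> bool:
        return self.signaling_transport in SECURE_TRANSPORTS

    @property
    def fully_encrypted(self) -> bool:
        return (self.signaling_encrypted and bool(self.media)
                and all(m.encrypted for m in self.media))


def analyze_invite(message: str) -> EncryptionReport:
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    headers = head.split("\n")
    # The topmost Via names the transport the sender used for this hop.
    via = next((h for h in headers if h.lower().startswith("via:")), "")
    match = re.search(r"SIP/2\.0/([A-Za-z]+)", via)
    report = EncryptionReport(match.group(1).upper() if match else "UNKNOWN")
    session_fingerprint = False   # a session-level DTLS fingerprint covers every later m= line
    current = None
    for line in body.split("\n"):
        if line.startswith("m="):
            fields = line[2:].split()          # "<kind> <port> <profile> <payloads...>"
            current = MediaStream(fields[0], fields[2], has_keying=session_fingerprint)
            report.media.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fingerprint = True
            else:
                current.has_keying = True
        elif line.startswith("a=crypto:") and current is not None:
            current.has_keying = True
    return report


# Constructed sample 1: plain UDP signaling and plain RTP media.
PLAINTEXT_INVITE = """\
INVITE sip:bob@example.test SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed-1
From: <sip:alice@example.test>;tag=1
To: <sip:bob@example.test>
Content-Type: application/sdp

v=0
o=alice 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""

# Constructed sample 2: TLS signaling but the media offer is still plain RTP.
MIXED_INVITE = PLAINTEXT_INVITE.replace("SIP/2.0/UDP 192.0.2.10:5060", "SIP/2.0/TLS 192.0.2.10:5061")

# Constructed sample 3: TLS signaling and SDES-keyed SRTP media (placeholder key, not real).
ENCRYPTED_INVITE = MIXED_INVITE.replace(
    "m=audio 4000 RTP/AVP 0\n",
    "m=audio 4000 RTP/SAVP 0\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_REAL_KEY\n",
)


def describe(report: EncryptionReport) -> str:
    media = ", ".join(f"{m.kind}={'SRTP' if m.encrypted else 'plain'}" for m in report.media)
    return f"signaling={report.signaling_transport} media=[{media}] fully_encrypted={report.fully_encrypted}"


if __name__ == "__main__":
    for name, msg in [("plaintext", PLAINTEXT_INVITE), ("mixed", MIXED_INVITE), ("encrypted", ENCRYPTED_INVITE)]:
        print(name, describe(analyze_invite(msg)))
```

The "mixed" sample is the case the question is meant to surface: signaling over TLS looks encrypted in a packet capture, yet the audio itself still travels as plain RTP. Run the checker over a capture of your own endpoints' INVITEs (for example from a softphone's SIP trace) to confirm the vendor's answer rather than take it on faith.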

2. Do you have an audit report you can share with me? Trust is an essential part of the cloud services model. Cloud vendors should understand—and welcome—your efforts to look under the hood of their security controls. Cloud companies that take security seriously will do more than just pass along their data center's audit report. Look for vendors who have audit reports put together by an independent third party. Reports should reference standardized frameworks, such as the Trust Services Principles, which guide the SSAE-16 SOC 2 audits; ISO standards; or the Cloud Security Alliance’s Cloud Controls Matrix.

A SOC 2 Type II is a good place to start, as it will list the vendor’s controls, explain any auditor findings and recommendations, and include the vendor's responses. Make sure the audit report covers the service organization’s controls (i.e. your vendor) and not just the data center or cloud service where the application is hosted. Service operations are a key part of the cloud security model.  

Also look for audit reports that assess security control effectiveness over a period of time rather than only at a point in time. Perfection isn’t the goal; you want to know that your vendor is transparent with you about its security practices. You want to understand what those practices are and have confidence that your vendor’s safeguards operate effectively over time. You want to understand if an audit has reported any findings and what actions your vendor has taken in response. An audit report that shows data center safeguards—but none for service operations—or that only looks at security measures at a single point in time doesn’t give you the transparency and assurance that you need.

3. Do you have control points that will enable me and my team to secure our side of the voice network? Revisiting the shared responsibility model for cloud security, it's important to remember that there's an entire customer side to the service, with VoIP phones, apps that run on desktop or laptop computers, and users connecting to the service from their mobile endpoints. Does your vendor help educate you about the best practices that are within your control? Do they build security attributes and features into their product to take care of some things directly, and to empower you with settings to control the rest?  

Just like your data stored in the cloud, any of your data stored locally on these endpoints should be secured with encryption. Make sure your vendor offers an option that lets you mandate encryption for your data when it’s stored locally in an endpoint app. Make sure that you can implement roles and permissions for your users. And make sure that you have the ability to specify important usage parameters such as international calling.  

4. How often do you conduct product security testing? It’s no surprise to anyone that software has bugs. What’s important is that your vendor make investments to regularly test its application security to find security bugs so that they can be prioritized and addressed, rather than limiting product testing to one or two pen-tests per year.  

Don’t get me wrong. Pen-tests serve a purpose. However, it’s likely that most vendors are releasing updates to their software at an interval that outpaces periodic pen-testing. Ask your vendors how often they test their application releases for security. In addition, when it comes to product security testing, it’s good to have a mix of in-house and third-party. No one person or team will find every bug. The idea here is that a more diverse set of eyes and methods will find more bugs than a single team or a single method.

5. Do you monitor for unusual activity or usage on customer accounts? Cloud customers don’t always monitor their usage of a cloud service, and those with an on-premises PBX don’t always monitor their company’s PBX activity. As a cloud customer, you may not even have access to the service usage data. Ask your vendors whether they monitor for service abuse and anomalous usage. If you’re looking at cloud PBX, ask if any toll fraud monitoring is included.
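If the vendor does expose call detail records (CDRs) to you, the core of toll fraud monitoring is a baseline-and-deviation check that you can run yourself. The script below is an added example, not RingCentral's monitoring or code from the original post: it reads constructed CDR lines, zero-fills quiet days so they pull each account's international-calling baseline down rather than being ignored, and raises an alert when a day's international call count jumps well above that baseline or when international calls cluster after hours. The account names, extensions and destination numbers are all fictitious, and the thresholds are assumptions to tune against your own traffic.

```python
"""Flag anomalous international calling in call detail records (CDRs), the
kind of toll-fraud monitoring question 5 asks about. Added example, not
vendor code; the CDR lines and phone numbers below are constructed."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed CDRs: "acme" makes a few domestic calls per day, then a burst of
# international calls around 23:00 on 2016-04-04; "globex" makes a steady two
# international calls per day during business hours.
CDR_CSV = """timestamp,account,extension,destination,duration_sec
2016-04-01T09:15:00,acme,101,+14155550101,240
2016-04-02T11:40:00,acme,102,+442079460000,300
2016-04-02T14:05:00,acme,101,+14155550102,60
2016-04-03T10:30:00,acme,103,+14155550103,180
2016-04-04T23:02:10,acme,101,+442079460001,600
2016-04-04T23:05:44,acme,101,+442079460002,600
2016-04-04T23:09:03,acme,101,+442079460003,600
2016-04-04T23:14:51,acme,101,+442079460004,600
2016-04-04T23:20:37,acme,101,+442079460005,600
2016-04-04T23:31:12,acme,101,+442079460006,600
2016-04-01T10:00:00,globex,201,+442079460100,120
2016-04-01T15:00:00,globex,202,+442079460101,120
2016-04-02T10:00:00,globex,201,+442079460100,120
2016-04-02T15:00:00,globex,202,+442079460101,120
2016-04-03T10:00:00,globex,201,+442079460100,120
2016-04-03T15:00:00,globex,202,+442079460101,120
2016-04-04T10:00:00,globex,201,+442079460100,120
2016-04-04T15:00:00,globex,202,+442079460101,120
"""


def parse_cdrs(text):
    """Parse CSV CDRs into dicts with a datetime timestamp and int duration."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["duration_sec"] = int(row["duration_sec"])
        records.append(row)
    return records


def is_international(number, home_cc="+1"):
    # Simplification: any E.164 number outside the home country code counts as international.
    return number.startswith("+") and not number.startswith(home_cc)


def flag_anomalies(records, home_cc="+1", factor=3.0, min_calls=5,
                   night_hours=(22, 6), min_night_calls=3):
    """Return alert dicts for accounts whose international calling spikes or clusters after hours."""
    alerts = []
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)
    night_start, night_end = night_hours
    for account, recs in sorted(by_account.items()):
        days = sorted({r["timestamp"].date() for r in recs})
        per_day = {d: 0 for d in days}   # zero-filled so quiet days lower the baseline
        night = []
        for r in recs:
            if not is_international(r["destination"], home_cc):
                continue
            per_day[r["timestamp"].date()] += 1
            hour = r["timestamp"].hour
            if hour >= night_start or hour < night_end:
                night.append(r)
        # Rule 1: today's international count versus the mean of all earlier days.
        for i, day in enumerate(days):
            prior = [per_day[d] for d in days[:i]]
            baseline = sum(prior) / len(prior) if prior else 0.0
            if per_day[day] >= min_calls and per_day[day] >= factor * baseline:
                alerts.append({"account": account, "rule": "international_spike",
                               "day": day.isoformat(), "count": per_day[day],
                               "baseline": round(baseline, 2)})
        # Rule 2: international calls placed outside business hours.
        if len(night) >= min_night_calls:
            alerts.append({"account": account, "rule": "after_hours_international",
                           "count": len(night),
                           "extensions": sorted({r["extension"] for r in night})})
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(parse_cdrs(CDR_CSV)):
        print(alert)
```

Both rules fire for `acme` (six calls against a baseline of a third of a call per day, all of them near midnight from one extension) and neither fires for `globex`, whose two daytime international calls per day are simply its normal pattern. A real deployment would add per-destination rate limits and a cap on concurrent calls, but even this much, if your vendor cannot show you the equivalent, is a reasonable thing to ask for.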

I’ve focused on five questions here, and of course this isn’t an exhaustive list. But the more questions you ask, the more you, as a customer, will have the information you need to determine if a cloud vendor is ready to be your partner in the shared security model that cloud computing requires.    

About the Author: Michael Machado is CSO at RingCentral, Inc.
