But what about Unified Communications? What unique security challenges could we see when UC starts moving into enterprises?
Ted Ritter of Nemertes Research, who's a CISSP (Certified Information Systems Security Professional), suggests that UC will pose new security and compliance risks because of several factors. Ted will be discussing some of these challenges in a VoiceCon webinar today.
One of the issues he'll touch on is compliance. Since Unified Communications leverages more corporate data, there is greater risk of data leakages that violate corporate privacy policies, Ted points out. Also, expanded rules governing legal discovery mean that voice mails--including those embedded in voice mail as part of unified messaging--may be discoverable in litigation.
Ted's presentation will also touch on the gap between the relatively low incidence of security breaches in early generations of IP telephony and the higher risk that's likely to exist in the world of UC. Several factors account for this; I'll start with one that Ted doesn't mention in his slides, but that I think is a legitimate concern: Microsoft will be a much bigger player in the UC future than they've been in IP telephony. Microsoft is the target that hackers most relish going after. You can't ignore this reality.
As Ted Ritter notes, some emerging issues relate to the way that IP telephony has been implemented so far. To date, IPT systems have been deployed largely as islands, connected via dedicated IP pipes or to the legacy PSTN via gateways. In other words, they haven't been Internet-connected.
One of the key assumptions about UC is that the boundaries of the enterprise will be much more fluid, with users' need for mobility and remote connectivity driving several trends that can only jack up the security threat level. Those trends include more connection via the Internet, and more use of softphones.
Ted makes an analogy that I'm interested to hear him flesh out in the webinar. He draws a parallel between UC and Service Oriented Architectures (SOA), the technology with which--it's widely believed--UC will combine to create Communications-Enabled Business Processes (CEBP), which integrate communications into business process apps. Ted's not trying to sketch out an all-encompassing security architecture for CEBP; rather, he's pointing out similarities between UC (or UCC, as Nemertes calls it) and SOA. His bullet points:
Like UCC, SOA benefits are increased business agility and flexibility
Like UCC, SOA security must be pervasive, with centralized management
Like UCC, SOA security is very sensitive to performance and must be performance-based to meet SLAs
Like UCC, SOA developers are not security experts
These points address the perimeter-less nature of the communications (perhaps reaching beyond the enterprise to partners and customers); the absolute requirement that performance not be sacrificed either to application behavior or to the security measures used to protect the app; and the organizational need for an even higher level of coordination among the various teams in the IT structure.