Security risks when adopting a cloud based phone system

cloud
Using the cloud for your business is very convenient, but also carries some risk. Image: 4832970, Pixabay.

The Cloud Security Alliance (CSA) says that over 70% of the world’s businesses operate at least in part on the cloud today. This makes sense when you consider the benefits like lower fixed costs, higher flexibility, automatic software updates, increased collaboration, and the freedom to work from anywhere.

Unfortunately, though, the cloud does have its share of security problems – something that about 90% of companies are at least moderately concerned about. Concerns include vulnerability, having accounts hijacked, and full-scale data breaches. While this has changed the way that we transmit and store data today, there are still many companies who are hesitant to move to the cloud. Others make the switch to a hosted phone service without a clear security plan in place.

Password Hijacking

Today, Atlan Tech says too many companies are implementing high-quality networking equipment (e.g. handsets) without changing their passwords from the default settings, which are things like “admin.” These passwords are designed to be replaced when they’re installed, but too many IT pros say they’ll “deal with it later” and then they never do. When this happens, hackers have an easy entry point to eavesdrop, intercept calls, and attack your business in many other ways too.

Another issue that must be dealt with, for this very same reason, is account hijacking. Here attackers are using you or your employees’ login information to remotely access sensitive data that you’ve stored on the cloud. They’re also falsifying and manipulating information in much the same way. Other hijackers are scripting bugs so they can easily steal credentials without being detected. This is what happened to Amazon in 2010.

As business owners, we also must watch for phishing, keylogging, and buffer overflow threats too. For instance, the “Man in the Cloud Attack” involves the theft of user tokens that cloud platforms use to verify individual devices without requiring logins during each update and sync.

Internal threats

When you switch from a traditional phone service to a cloud-based business phone system, your voice data becomes a part of your Local Area Network. This means that if you have any weaknesses that already exist in your network security they become vulnerabilities in your phone service too. This is especially true if you have any outdated firewall technologies. They’ll become a risk after you implement this new technology. As such, you don’t want to implement a hosted PBX and cross your fingers in hopes that your firewall is tough enough. Instead, you want to make sure you understand your network and security needs before you make this change.

When you work with the right VoIP vendor they’ll have the staff and knowledge to walk you through a full-scale network assessment. Sangoma says this is something you’ll want to take advantage of, especially if you don’t have the resources to make sure everything is always covered. In specific, you’ll want to be concerned with DDoS attacks, which can prevent you from reliably accessing your cloud because your network becomes overloaded when under such attacks. This greatly reduces how your cloud-based phone system performs. It’s particularly concerning for a VoIP service because voice data doesn’t tolerate buffering and insufficient bandwidth.

IT Toolbox says that no company is too small for an attack. Kaspersky Lab conducted a survey that shows 21% of businesses cited malware and 22% cited hacking as the number one threats to their business. However, attacks aren’t the only thing you should be concerned with. Verisign says the size of these attacks are also growing. As such, if your business has a few gigabytes per second of upstream bandwidth, a 5-10 Gbps attack could be catastrophic. This is because hackers are sending malformed packets which can crash your apps or render your hardware almost unresponsive to users. This caused victims $4.73 billion globally in 2013. VOIP security expert, Mark Collier says the newer unsecured systems are even bigger targets of more expensive attacks.

BYOD environments

Another important threat is being caused by companies’ bring your own device (BOYD) policies. While this is a popular way to lower your hardware costs and increase your employees’ productivity, things like outdated operating systems, malware, and insecure applications create significant security risks to your network. This is why before your employees use their own devices to connect to your VoIP solution, you need to make sure that you add them to your security equation and create a security strategy just for this purpose. Don’t overlook this because of the potential for leveraging smartphones and tablets for a major attack looms and it’s something you can’t afford.

Weak encryption tools

It’s important to understand that end-to-end encryption of voice data packets is necessary so there’s no interception of the data at any point along the transmission path. This can typically happen with your network, your internet service provider, or at all points in-between. Unfortunately, this isn’t something that’s easy to understand since voice encryption is slightly complex and varies depending on factors like how sensitive your transmitted voice data is. This is why Cisco has made some core recommendations for best practices regarding basic encryption, including:

  • Keeping costs as low as possible while balancing encryption with business-specific security needs
  • Making sure that your vendor enables SIP over TLS security in their switch fabric
  • Using packet encryption protocols (e.g. SRTP) and when they’re not available, encrypting mobile device calls with VPNs
  • Encrypting voice channels to prevent eavesdropping as packets travel through public networks

APIs’ very nature makes them a threat to your cloud security. While they do let you customise your cloud’s features so they fit your business’ needs, they also authenticate, provide access, and effect encryption. Incapsula says that these are just some of the reasons why you need an end-to-end protection strategy. Of course, encryption is just one way of protecting your data. This is why it’s so important to have an end-to-end approach, instead of treating your vendor and your network as two separate entities. With this approach, you’ll be better equipped to combat any potential threats.