Bringing Cloud Communications into Your Comfort Zone: 7 Key Security Considerations You Should Ask a UCaaS Vendor
By now, most IT professionals know the benefits of the cloud. They also share many of the same security concerns—because moving critical IT functions and corporate data beyond the physical data center typically means moving beyond their comfort zone.
Likewise, when you consider moving your business communications to the cloud, you need to make security a key consideration. However, according to the National Institute of Standards and Technology (NIST), “because of the integration of voice and data into a single network, establishing a secure VoIP and data network is a complex process that requires greater effort than that required for data-only networks. ”
In practice, assuring the security of an integrated voice and data network like cloud-based unified communications as a service (UCaaS) takes a robust, hardened infrastructure housing the core technology. These physical protections need to be combined with deep expertise in not only IP telephony and UC but also numerous security disciplines, including regulatory compliance and cyber security.
RingCentral is proud to have been named a leader—for the second consecutive year—by Gartner in its Magic Quadrant for UCaaS worldwide. And as a recognized leader, our goal is to enable organizations to gain the benefits of moving business communications to the cloud without sacrificing the reliability, security, or quality of service they expect.
We do this by controlling our own global network, which includes implementing a comprehensive security framework that assures not only the safety of customers’ critical data and voice communications, but also adheres to strict government and industry privacy compliance regulations. Our comprehensive approach to cloud security essentially maps to what we feel are the seven key things you should look for when considering a cloud UCaaS provider.
Seven key security considerations for cloud UCaaS
1) Secure data center: All technology infrastructure should be housed in facilities with strong physical protections, redundant power, and tested disaster recovery procedures. The highest levels of security and reliability should be backed by independent certifications.
However, this is not the case with all vendors. A credible cloud service provider should be able to show you evidence of verification and frequent validation by independent auditors. Without this type of comprehensive and certified security in place, your organization will risk loss of valuable competitive information or the significant consequences of non-compliance with state, federal, and industry privacy regulations.
RingCentral houses the critical UCaaS technology infrastructure and customer data in hardened, Tier 1 data centers located on both US coasts. Each is supported by redundant power and protected by an array of security equipment, techniques, and procedures to control, monitor, and record access to the facility. These facilities inter-work with international data centers to provide our global network. Security includes encrypted data transfer, comprehensive digital tracking with clear audit trails, and secure file storage. These facilities are monitored 24/7 and certified SSAE 16 (SOC 2 and SOC 3) compliant. All systems are audited on a monthly basis, and audit reports are available to customers.
Additionally, our hardened data centers are managed by highly trained, on-site engineering specialists, including experts in various aspects of security and regulatory compliance with privacy regulations such as the PCI DSS and the California Security Breach Information Act (SB-1386).
2) Secure voice: Eavesdropping on phone calls offers a lucrative target for hackers as it can compromise everything from competitive business information to protected patient or personal financial data. Optimally, all voice traffic within your corporate phone system should be encrypted to prevent eavesdropping on voice calls.
Intercepting voice conversations carried over legacy phone systems is quite difficult. It requires either physically accessing phone lines or compromising the Public Switched Telephone Network (PSTN) nodes or the on-site PBXs. But with IP telephony—whether cloud VoIP or an on-premise IP-PBX system—calls travel as data packets over the internet, making them susceptible to all the attacks that occur on public networks.
RingCentral addresses these vulnerabilities by safeguarding voice communications with an advanced Secure Voice technology that prevents eavesdropping on calls or tampering with audio streams between all endpoints—desk phones, as well as computers and mobile phones running a RingCentral mobile or softphone app. RingCentral is among the first in the industry to use two enterprise-grade security protocols to provide additional security for IP phone calls—TLS authentication and SRTP encryption.
3) Data encryption: To ensure the safety of confidential information, all data—from competitive proposals to patient private information to smartphone screens shots—should be encrypted in transit and at rest. In addition, numerous state, federal, and industry regulations regarding customer and patient privacy mandate encryption of data and auditable record-keeping and reporting.
The HIPAA-compliant RingCentral solution ensures that customer calls and messages are secure with encryption in transit and at rest. It includes everything from physical protections at data centers to encrypted storage to comprehensive digital tracking with clear audit trails.
4) User access controls and management: To ensure only authorized users access cloud communications accounts and services, the vendor should implement at a minimum strong password policies and ideally two-factor authentication as well as single sign-on (SSO) to avoid log-in fatigue.
While SSO is convenient for users, it presents new security challenges. For example, if a user’s primary password is compromised, attackers may be able to gain access to multiple resources.
The RingCentral Duo Access Gateway (DAG) provides strong authentication and a flexible policy engine. It authenticates users leveraging existing on-premise or cloud-based directory credentials and prompts for two-factor authentication before permitting access to RingCentral. Admins can define policies that enforce unique controls for each individual SSO application.
Admins can also define policies that enforce unique controls for each individual SSO application. This entails checking the user, device, and network against an application’s policy before allowing access to the application. For example, admins could require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing RingCentral.
Other user controls include front-end settings that customers control to manage their policies and end users. These settings include: adding/removing extensions, setting user permission levels, managing extension PINs, enabling/disabling international calling, allowing specific international call destinations, and blocking inbound caller IDs.
5) Fraud prevention: Toll fraud, healthcare fraud, and credentials theft represent significant financial and legal risks for businesses. The service provider should have protections built in to the service layer and should conduct continuous monitoring for dangerous anomalies or other indicators of fraud. The provider should also offer guidance on best practices to eliminate the human factor in fraud risk.
The RingCentral platform includes security capabilities to detect potential toll fraud and service abuse. These capabilities and settings reside in the application and infrastructure layers, within the service delivery and operations processes, and in the RingCentral security policies and governance practices.
In addition, RingCentral has a full-time security and fraud-prevention department with a security program that is based on industry best practices. This program also provides intelligent communications fraud detection, which includes RingCentral staff monitoring customers’ service for anomalous calling that may be toll fraud.
6) Account management and administration: To prevent data loss, the solution should have provisions to instantly revoke user rights or demote an administrator’s credentials of employees who leave the company or are terminated. Whether it concerns control over Sales staff, a key employee in Finance, or virtual contact center employees, enterprise-grade security requires methods to prevent insider threats, which include enabling administrators to revoke the user rights of former employees.
The RingCentral cloud service includes front-end settings that customers control to manage their policies and end users. These settings include: adding/removing extensions, setting user permission levels, managing extension PINs, enabling/disabling international calling, allowing specific international call destinations, and blocking inbound caller IDs.
It also gives administrators robust mobile app control. Administrators can instantly revoke the remote user’s access to the cloud network—and thereby to customer contacts, CRM info, and other corporate information—and almost no data resides on the device itself.
7) Robust network security: In addition to all the defenses that organizations typically put in place at the network perimeter to safeguard data, the UCaaS vendor must now add unique protections designed to prevent attacks on the voice infrastructure.
RingCentral deploys best-of-breed network protections that are optimized for voice and data. These defenses, together with RingCentral experts continuously monitoring systems for anomalies, help to prevent service disruption, data breaches, fraud, and service high-jacking.
In addition, an advanced suite of intrusion prevention technologies protects against malformed packets and fuzzing techniques, which can be used to confuse or overwhelm border controllers resulting in service disruption, system restart interruption, and endpoint resets. Advanced RingCentral border session management is immune to many of the forms of attack that have disrupted the services of other VoIP and UCaaS vendors.
RingCentral security also protects against spoofed messages by validating the value of ‘Call-ID,’ ‘Tag,’ and ‘branch’ while processing control NOTIFY messages.
Finally, RingCentral security also overcomes the typical set of firewall traversal problems in VoIP systems with network address translation (NAT) support for static IP configuration and “Keep-Alive” SIP signaling. This maintains user addressability without providing attackers the opportunity to infiltrate further.