Security in Cloud Communications – How to Ensure Confidentiality
Security in Cloud Communications can be complex. Fortunately, there is a framework for thinking about security called the “CIA triad,” which stands for Confidentiality, Integrity and Availability. In two previous blog posts on Security in Cloud Communications, we discussed How to Ensure Integrity and How to Ensure Availability. In this third and final post of this series, we'll examine Confidentiality.
In the security lexicon, confidentiality means “information is not made available or disclosed to unauthorized individuals, entities, or processes.” CTOs and CIOs identified “data breaches,” which typically involves losing confidential data, as one of their top five concerns in an IDG Enterprise survey.
IT systems maintain confidentiality by controlling access both physically and technically, controlling permissions, and encrypting data both at rest and in transit. Voice over IP (VoIP) systems are a special case of IT systems with some unique considerations, but they generally enforce confidentiality through much of these same mechanisms.
As in all IT systems, VoIP systems should practice sound physical security. As we noted in our 2011 blog, 9 Tips to Secure Your Unified Communications System, your buildings, data centers and wiring closets should locked and accessible only by authorized personnel. The physical security of mobile devices is more problematic, of course. Devices that are carried through airports, into bars, and to the beach do tend to become lost. That's one reason why, in the ShoreTel white paper, Demystifying Unified Communications, we recommended a capability called “remote data bitwipe.” This allows an administrator to send a command to an errant mobile phone that deletes the data before they fall into the wrong hands.
An important technical means is password protection. Administrators should enforce strong passwords: over 12 characters long with a combination of lower and upper case letters, numbers, and a special character.
Permissions control assigns each user a role, with selectable powers to see and modify various aspects of the system. To help administrators exercise permissions control, ShoreTel provides “Director,” a web-based administration and maintenance tool. ShoreTel Director lets you manage all users, trunks, sites and features such as voice mail and Instant Messaging (IM). Through Director, the system administrator can also delegate authority to various users and sites to exercise access control.
Perhaps the most powerful weapon in defense of confidentiality is encryption. While some might want to encrypt all data at all times, in Unified Communications (UC), there are a few constraints to consider. Enabling encryption does increase the load on the network. Some encryption options may not be available for older phones. ShoreTel's in-depth System Administrator Guide can help you manage these complexities. In general, ShoreTel provides strong support for encryption.
Our 128-bit AES media encryption provides the ultimate protection against electronic eavesdropping and replay attacks. Even if someone successfully taps the media stream, they cannot decode and understand the conversation. Encryption is enabled or disabled through ShoreTel Director on a system-wide basis only; it cannot be enabled for individual devices or select calls.
One form of protection using encryption is the creation of a Virtual Private Network (VPN), which extends a private network across a public network. Because the traffic is encrypted, the information inside the VPN tunnel is protected from eavesdropping. In 9 Tips, and the more comprehensive IP Telephony from A-Z - The Complete IP Telephony eBook, we recommended the following best practices for using VPNs:
- Between buildings and even between floors.
- For departments such as human resources, finance, executive and legal, where conversations are often confidential.
- For employees working from home or the road.
Finally, we arrive at data at rest, within the cloud. Customers of a cloud service can choose whether to allow the cloud provider to encrypt the data, or to do it themselves. In our 2012 post, Encryption recommended to protect unified communications, we recommended doing it yourself. That way, even if a hacker breaches a cloud server, he still would not have the key, which only your company possesses.
With these best practices in place, an enterprise can have confidence that their data are Confidential, Integral and Available, and thus, secure.