Network and cloud security can be challenging for many of the same reasons that cloud computing is so powerful for accelerating digital transformation.
Cloud infrastructure can be scaled up or down automatically without adding additional burden to development or security teams. Technologies like containers, serverless computing, and autoscaling also mean that cloud environments are rarely static and constantly changing according to momentary needs. This is made even more challenging by the increasing popularity of hybrid environments that comprise both on-prem and cloud networks.
It makes getting an accurate sense of overall network security difficult and can make it hard to track down malicious actors as they move between networks, especially if security teams need to switch between various systems and security tools.
In addition, network security in cloud computing is a shared responsibility between the customer and the cloud provider. Shared responsibility models vary according to the provider. As the network owner, you are typically responsible for securing what’s in the cloud—your network controls, identity and access management, data, and applications. It’s important to make sure these duties are clearly defined as any misunderstanding could lead to serious gaps in coverage.
As more businesses move toward unified communications in the cloud, securing sensitive information becomes a primary concern. Several security threats exist including call fraud, phreaking, malware, and denial of service attacks to name a few. Though the cloud communication service provider offers security protection as part of its services, enterprises must also take measures to ensure data and information are secure.
Often, your cloud communications provider will offer security measures such as data encryption authentication protocols to help secure your voice communication in the cloud. A virtual private network (VPN) is often used to achieve this encryption. A VPN also helps protect the authentication process as the username and password may not be sufficiently encrypted or disguised before moving across the one Internet.
A common misconception is that cloud-based service providers offer complete security measures for cloud communications. While this may be true for the applications residing in the cloud, it does not apply to your network, call flows, media, or endpoints not in the cloud. When deploying cloud communications, enterprises must determine what is secured by the service provider and what must be secured on the business end.
Most companies deploy firewalls to protect their data; however, this is not in real time. IP-based Session Initiation Protocol (SIP), which is used on VoIP based communication, operates in real-time passing both voice and video between the cloud and the network. Not implementing security measures to handle your unsecured SIP communications increases the risk of real-time VoIP based attacks, such as Denial of Service (DoS) and eavesdropping. While your firewall will protect data flow, it is not adequate to protect VoIP communication because you may have to turn off firewall features to get your voice and video communications to work; thus, opening your network up to potential attacks.
Adding a session border controller (SBC) to the servers that come in contact with the cloud will significantly increase your cloud communication security on the network element end. The SBC is a SIP firewall that protects and encrypts real-time communication by:
DoS attacks overwhelm the network with malicious traffic in an attempt to look for weakness in the VoIP system. An SBC will protect your network by separating VoIP traffic from malicious activity and protecting it from any degradation in quality that frequently occurs during a DOS attack.
SBCs use secure real-time encryption, making communication invisible to hackers.
An SBC can mitigate voice traffic on a network; thus, limiting the number of allowable sessions that can take place at the same time. This is similar to DoS protection, and it helps ensure Quality of Service.
Many hackers only break into a VoIP system just to make person toll calls, but an SBC can deny secondary dial tones and prevent this type of attack.
When using a cloud communications service provider, you should develop a security plan and determine your responsibilities versus the cloud communication provider’s responsibilities. A joint security plan will ensure you cover all your bases. Also, don’t forget to use and update your virus protection and malware software locally as well as updating your softphones and other endpoints. Finally, adding SBCs at all sites that connect to the cloud will not only protect the SIP call flow but ensures high-quality voice and video is delivered.
It is important to understand that a secure transmission is not the only factor in IP-based communications. While your cloud communications partner can offer secure transmissions, you must also protect your endpoints and network to achieve complete security.