Cloud Collaboration Security Concerns

December 19, 2016 Collaboration, Trends

The move to the cloud has offered many advantages.  Many cloud providers can roll new features out as soon as they are ready with no disruption to the end user.  Upgrades and patches can be applied by the cloud provider, removing this burden from IT staff.  There are disadvantages too, and the decision to move to cloud should be based on a thorough examination of the needs, costs, and benefits involved. Security is one area that should obviously be thought through a topic that I’m happy to address in today’s post. Moving to the cloud certainly doesn’t eliminate security concerns; in some ways it even compounds them.  Depending on the cloud service, a great deal of data can pass to and from the cloud and can be stored there.  Traditional security concerns such as toll fraud, eavesdropping, and data theft all still exist.

Toll fraud has been around since the advent of voice communications.  There are modern examples of a hacked phone systems being used to call all over the world.  This is still a concern.  One of the chief ways to prevent toll fraud is through the use of class of service controls on phones.  In other words, the lobby phone can call internal phones, 911, and perhaps local, but not long distance international or 900 numbers.  It’s important to know that a cloud provider can provide the same level of control.

Eavesdropping in the voice over IP world usually involves capturing the flow of IP packets between two phones and then turning them into audio.  This process is very simple and can be done by packet capture tools.  On a corporate network, the security of the network may be enough to prevent this from being a concern.  If the cloud provider connects to the corporate network with a dedicated circuit, like MPLS, this may still be considered safe.  In the first case, only a user on the corporate network could intercept the packets.  In the second only those users and users on the provider’s circuit could intercept the packets.  The big concern begins when devices connect to the cloud across the Internet.  When the Internet is involved many different paths are possible allowing the potential for many different people to have the opportunity to intercept the packets.  In the case of the Internet, all signaling and media should be encrypted.  Secure Real-time Protocol encrypts both signaling and media and should be a requirement for cloud voice or video that traverses the Internet.

Collaboration concern is data theft.  With modern virtual conference rooms that allow the sharing of data and messages, there can be a lot of critical information stored in the cloud.  These applications should also encrypt and traffic that will traverse the internet.  That isn’t the only concern though; even if the data is encrypted, who can access it?  Can the provider access the data?  Is that acceptable?  This depends a lot on the sensitivity of the data, but the best answer would be ‘no they can’t.’  Ideally this information would be protected by keys that only the customer had access to.

Administration of the system is also a possible security concern.  Can the provider make changes to the system?  Sometimes this is an advantage of cloud systems, removing the need for internal IT to do moves, adds, and changes.  It’s important that this access be clearly understood and the process and change control spelled out.  There should be a process for verifying that someone calling for a change has the permission to request that change.  What kind of access does internal IT have?  Some cloud providers make all the changes themselves.  This may or may not fit the needs of the customer.  If internal IT has access, are there levels?  It is very advantageous to be able to give the entry level person who will be making changes to the phone and the senior engineer who will oversee everything different levels of access.

The key takeaway here is that collaboration security concerns are just as important for the cloud as they are for an on-premise system.  In fact, systems that use the Internet for connectivity need a higher level of scrutiny.  Keeping security in focus and weighing the pros and cons when deciding to move to a cloud solution can help avoid issues in the future.

curtis-stabler-1Curtis brings over 25 years of collaboration experience to ABS. As the Collaboration Team Manager, Curtis works to ensure that ABS is consistently providing the latest collaboration technology and support to ABS clients.