Security Best Practices for UCC Deployments

Without good security, UCaaS devices can be turned into vectors for DDoS attacks and entry points for malware.

UCC security

If you’re selling hosted VoIP or full-blown UCaaS solutions, it’s important that you don’t overlook the security of the technology you’re implementing. Many of today’s communication and collaboration solutions utilize network-enabled devices (e.g., VoIP phones) that can be entry points for hackers and would-be criminals.

The telecom industry has suffered DDoS attacks in the past, but it’s another thing altogether to be used as the instrument. Without good security, UCaaS devices can be turned into attack vectors for DDoS attacks. For example, a variant of the Mirai botnet leveraged thousands of compromised IP cameras to launch DDoS attacks. It’s not a stretch to imagine that UC devices could be used similarly. With this in mind, here are some best practices to ensure your UCaaS implementations are secure:

  • Ensure that all default passwords are changed. Use complex passwords and, to prevent your own company from being the vector, use unique passwords for each customer.
  • Segment UCC traffic from all other network traffic. Use VLANs.
  • Monitor and protect the network and all endpoints with malware solutions.
  • Implement intrusion detection and prevention systems to identify and stop threats that make it past your other security measures.
  • Use encryption. While voice encryption is typically turned on by default, video encryption is often disabled to improve quality. Regardless of whether or not your customers are mandated, turn on encryption to protect communications.
  • Implement firewalls and close unnecessary ports.
  • Use a Session Border Controller for supplementary security of UC data.
  • Ensure that the latest firmware, which often addresses security holes, is installed on all devices.
  • Consider adding a DDoS mitigation service to further reduce risk.
  • Consider a cloud-based UC solution where the task of admin, security, and backups is on the vendor who has more resources to dedicate than your customers.

Lastly, don’t assume that your customers are too small or have nothing of value to make them a target of criminals. Most hackers use tools that indiscriminately find and penetrate victims. They don’t care who your customer is or what they do. A breach of any sort will, at a minimum, create headaches for you and the customer. At worst, your customers may suffer a loss of reputation, be assessed fines, or even be forced out of business. Security, particularly with UCC deployments, is a serious matter. 

Mike Monocello

The former owner of a software development company and having more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of Managed Services Journal (formerly XaaS Journal) and DevPro Journal.