Like every other cloud-based, internet-connected application running within your business, Voice-over-IP (VoIP) apps require comprehensive security. Whether it's ensuring secure user authentication and network configuration or enabling end-to-end encryption in all VoIP communication and data storage, organizations need to be diligent in both overseeing IT management and working closely with their business VoIP provider to ensure that security requirements are being met and enforced.
Michael Machado, Chief Security Officer (CSO) at RingCentral, oversees security for all of RingCentral's cloud and VoIP services. Machado has spent the past 15 years in IT and cloud security, first as a security architect and operations manager at WebEx, and then at Cisco after the company acquired the video conferencing service.
Security considerations in your company's VoIP communications start in the research and buying stage before you even select a VoIP provider, and persist through implementation and management. Machado walked through the entire process from a security perspective, stopping to explain plenty of do's and don't's for businesses of all sizes along the way.
Selecting Your VoIP Provider
DON'T: Neglect the Shared Security Model
Whether you're a small business or a large enterprise, the first thing you need to understand—independent even of VoIP and Unified Communications-as-a-Service (UCaaS)—is that all cloud services in general need to have a shared security model. Machado said that, as the customer, your business always shares some responsibility in the secure implementation of all the cloud services you're adopting.
"It's key for customers to understand, especially when a company is smaller and has fewer resources," said Machado. "People think VoIP is a mechanical device connected to a copper line. It's not. A VoIP phone, whether it's a physical handset, a computer with software running or it, a mobile app, or a softphone application, it's not the same thing as a mechanical phone plugged into the PSTN [public switch telephone network]. It's not like a regular phone—you're going to have some responsibility for making sure the security has a closed loop between the customer and vendor."
DO: Vendor Due Diligence
Once you understand that shared responsibility and want to adopt a cloud VoIP service, it makes sense to do your due diligence when selecting your vendor. Depending on your size and the expertise you have on staff, Machado explained how enterprises and small to midsize businesses (SMBs) can go about this in different ways.
"If you're a large company that can afford to spend the time on due diligence, you can come up with a list of questions to ask every vendor, review their audit report, and have a few meetings to discuss security," said Machado. "If you're a small business, you might not have the expertise to analyze a [Service Organization Control] SOC 2 audit report or the time to invest in a heavy lift discussion.
"Instead, you can look at things like Gartner's Magic Quadrant report, and look to see if they have a SOC 1 or SOC 2 report available, even if you don't have the time or expertise to read through and understand it," Machado explained. "The audit report is a good indication of companies making a strong investment in security versus companies that are not. You can also look for a SOC 3 report in addition to SOC 2. It's a lightweight, certification-like version of the same standards. These are the things you can look for as a small business to start moving in the right direction on security."
DO: Negotiate Security Terms in Your Contract
Now you're at the point where you've selected a VoIP vendor and you're considering the possibility of making a buying decision. Machado recommended that, whenever possible, businesses should try to get explicit security agreements and terms in writing when negotiating a contract with a cloud vendor.
"Small company, big company, it doesn't matter. The smaller the company, the less power you'll have to negotiate those specific terms but it's a 'don't ask, don't get' scenario," said Machado. "See what you can get in your vendor agreements with regards to security obligations from the vendor."
Deploying VoIP Security Measures
DO: Use Encrypted VoIP Services
When it comes to deployment, Machado said there's no excuse for a modern VoIP service to not offer end-to-end encryption. Machado recommended that organizations look for services that support Transport Layer Security (TLS) or Secure Real-Time Transport Protocol (SRTP) encryption, and that do it, ideally, without upselling for core security measures.
"Don't always go for the cheapest service; it can be worthwhile to pay a premium for a more secure VoIP. Even better is when you don't have to pay a premium for security in your cloud services," said Machado. "As a customer, you should just be able to enable encrypted VoIP and off you go. It's also important that the provider is using not just encrypted signaling but also encrypting media at rest. People want their conversations to be private, not traversing the internet with plain text voice. Make sure your vendor will support that level of encryption and that it's not going to cost you more."
DON'T: Mix Your LANs
On the network side of your deployment, most organizations have a mix of handsets and cloud-based interfaces. Many employees may just be using a VoIP mobile app or softphone, but there will often be a mix of desk phones and conference phones connected to the VoIP network as well. For all those form factors, Machado said it's crucial not to mix form factors and connected devices within the same network design.
"You want to set up a separate voice LAN. You don't want your hard-voice phones co-mingling on the same network with your workstations and printers. That's not good network design," said Machado. "If you have, there are problematic security implications down the line. There's no reason for your workspaces to be talking to one another. My laptop doesn't need to talk to yours; it's not the same as a server farm with applications talking to databases."
Instead, Machado recommends…
DO: Set Up Private VLANs
A private VLAN (virtual LAN), as Machado explained, lets IT managers better segment and control your network. The private VLAN acts as a single access and uplink point to connect the device to a router, server, or network.
"From an endpoint security architecture perspective, private VLANs are a good network design because they give you the ability to turn on this feature on the switch that says 'this workstation can't talk to the other workstation.' If you have your VoIP phones or voice-enabled devices on the same network as everything else, that doesn't work," said Machado. "It's important to set up your dedicated voice LAN as part of a more privileged security design."
DON'T: Leave Your VoIP Outside the Firewall
Your VoIP phone is a computing device plugged into Ethernet. As a connected endpoint, Machado said it's important for customers to remember that, just like any other computing device, it also needs to be behind the corporate firewall.
"The VoIP phone has a user interface [UI] for users to log in and for admins to do system administration on the phone. Not every VoIP phone has firmware to protect against brute-force attacks," said Machado. "Your email account will lock after a few attempts, but not every VoIP phone works the same way. If you don't put a firewall in front of it, it's like opening that web application to anyone on the internet who wants to script a brute force attack and log in."
VoIP System Management
DO: Change Your Default Passwords
Regardless of the manufacturer from which you receive your VoIP handsets, the devices will ship with default credentials like any other piece of hardware that comes with a web UI. To avoid the kind of simple vulnerabilities that led to the Mirai botnet DDoS attack, Machado said the easiest thing to do is simply to change those defaults.
"Customers need to take proactive steps to secure their phones," said Machado. "Change the default passwords immediately or, if your vendor manages the phone endpoints for you, make sure they're changing those default passwords on your behalf."
DO: Keep Track of Your Usage
Whether it's a cloud phone system, on-premises voice system, or a private branch exchange (PBX), Machado said that all VoIP services have an attack surface and eventually may get hacked. When that happens, he said one of the most typical attacks is an account takeover (ATO), also known as telecom fraud or traffic pumping. This means that, when a VoIP system is hacked, the attacker tries to place calls that cost that owner money. The best defense is to keep track of your usage.
"Say you're a threat actor. You've got access to voice services and you're trying to make calls out. If your organization is watching its usage, you'll be able to spot if there's an unusually high bill or see something like a user on the phone for 45 minutes with a location that no employees have any reason to call. It's all about paying attention," said Machado.
"If you're cloud-ifying this (meaning, not using a traditional PBX or on-premises VoIP), then have a conversation with your vendor asking what you're doing to protect me," he added. "Are there knobs and dials I can turn on and off with regards to service? Are you doing back-end fraud monitoring or user behavior analytics looking for anomalous usage on my behalf? These are important questions to ask."
DON'T: Have Over-Broad Security Permissions
On the subject of usage, one way to cap potential ATO damage is to turn off permissions and features you know your business doesn't need, just in case. Machado gave international calling as an example.
"If your business doesn't need to call all parts of the world, then don't turn on calling to all parts of the world," he said. "If you only do business in the US, Canada, and Mexico, do you want every other country available for calling or does it just make sense to shut it off in the case of ATO? Don't leave any over-broad permissions for your users for any technology service, and anything that's not necessary for your business use qualifies as over-broad."
DON'T: Forget About Patching
Patching and keeping current with updates is critical with any kind of software. Whether you're using a softphone, VoIP mobile app, or any kind of hardware with firmware updates, Machado said this one's a no-brainer.
"Are you managing your own VoIP phones? If the vendor releases firmware, test and deploy it quickly—these often deal with patches of all types. Sometimes, security patches come from a vendor managing the phone on your behalf so, in that case, be sure to ask who controls patching and what the cycle is," said Machado.
DO: Enable Strong Authentication
Strong two-factor authentication and investing in heavier identity management is another smart security practice. Beyond just VoIP, Machado said authentication is always an important factor to have in place.
"Always turn on strong authentication. That's not any different if you're logging into your cloud PBX or your email or your CRM. Look for those features and use them," said Machado. "We're not just talking about phones on your desk; we're talking about web applications and all the different parts of the service. Understand how the pieces come together and secure each piece in turn."