Managing security and uptime in the cloud

With securing internal networks and ensuring uptime a perennial challenge for organisations, here are a few tips worth considering.

Time and again, surveys reveal that cloud computing raises security and reliability worries with CIOs and other execs. Two-thirds (67 per cent) of respondents in an Autumn 2013 IDG Enterprise survey chose security as one of their top three concerns, with integration a distant second (46 per cent). Security is more of an issue for large companies than for small and midsize companies, according to the report.

While these concerns are more often associated with public cloud providers, securing internal networks and ensuring uptime is a perennial challenge. Plenty of harmful and costly incidents happen inside the firewall due to employee error and gaps in protection.

With unified communications (UC), protecting data and managing uptime is more complex because the technologies have not evolved in an integrated fashion, says Andy Zmolek, a UC security expert and director of technology partnerships at Divide, a mobile device management software provider.

“There are lots of services that interact and many pieces that are being tied together by the vendor or by the IT department, which can make it harder to manage,” he says.

Across industries, many IT departments are struggling to keep pace with new threats from the proliferation of mobile devices and web apps in their companies. This has led to a dearth of qualified information security staff, according to a 2013 survey by Booz Allen Hamilton and Frost & Sullivan. About 56 per cent of participants admitted that their organisations are less prepared to handle security incidents today than in 2011. If your company lacks current security skills, consider the merits of using a cloud or managed services provider for your UC deployment.

Here are some tips for ensuring sound security and uptime across private and public cloud UC infrastructures.

Security considerations in UC

How you manage security and uptime shouldn’t differ dramatically across applications and delivery models. Yet, there are some specific, continually evolving considerations for UC. Access privileges are critical for securing communications and collaboration applications, given the high number of potential users and sharing over the internet. Ensure that your UC system has role-based access control (RBAC) to separate administrative responsibilities.

To simplify access management in UC and ensure that admin privileges are turned off when employees leave the company, look for the incorporation of the Security Assertion Markup Language (SAML) standard to enable web-based single sign-on.

While SAML is not widespread in UC solutions, says Zmolek, it’s the best way to secure and simplify access to multiple applications so that users don’t have to log in separately for each application or feature. At a minimum, systems should authenticate using Lightweight Directory Access Protocol (LDAP), which allows for the same username and password when logging in to multiple applications or services.

At the network layer, IT must ensure that devices connecting to the network are actually authorised devices, according to John Bartlett, a Principal at communications consulting firm NetForecast, Inc.

“So, there is an issue of making sure that [the device] really is a phone, or that it really is a video conferencing endpoint, or that it really is a PBX, and there are a number of different methodologies for that,” Bartlett says.

With smartphones, a common misconception is that because the radio portion of the smartphone is encrypted, the entire conversation as it goes across the public telephone network is encrypted, which isn’t true, says Zmolek.

“In general, you have to have very expensive devices to get that end-to-end encryption.”

Many UC systems can configure encryption for calls that stay inside the company or are made across the Internet with other VoIP systems that support encryption. Be sure to take advantage of these features when they’re available.

Public vs. private cloud security

If your company is managing communications and collaboration technology internally, your IT team must do all the heavy lifting, including auditing security and privacy practices and mechanisms. If a provider is hosting UC for you, understand what to look for regarding the latest cloud security standards.

Companies must update security systems to address new mobile or cloud requirements while paying attention to policies.

“When adding a private cloud, a security review is more important than ever,” says Marc Randall, senior vice president and general manager at Avaya Networking.

“Get rid of policies that do not add value to the business and conflict with cloud use.”

New policies should be fully automated and nonintrusive for employees so as to not impede collaboration.

A high-quality UC-as-a-service (UCaaS) offering will enable sophisticated access control and prevent sharing of administrator accounts, says Zmolek. 

“Your organisation will spend more on having that separation, but keep in mind that not all software applications even enable it,” he warns.

Ask about the vendor’s policies regarding separating administrative and general user access in the system.

Also, find out what happens when an employee leaves your company or the vendor. His or her access should be shut down immediately and, ideally, automatically.

In the public cloud, it’s easier for someone to gain access to administrator credentials from the web, says Zmolek.

“Your vendor, however, can institute limits on the number of times one can enter incorrect administrator credentials, among other protections,” he adds. This prevents attackers from mounting a brute-force assault to obtain a password.

Expect more from a hosting vendor, and ask for exactly what you need. Sixty-eight per cent of IT managers and executives want regular security updates, while nearly 60 per cent want to see vendors conduct on-site security audits, adopt industry standard frameworks, and meet internal security standards, according to the IDG survey. More than half of participants also want vendors to incorporate security into their development life cycle, implement monitoring and access control policies, and conduct background checks on employees.

Uptime and disaster recovery

Dropped calls in a corporate setting are not acceptable. However, when you add online collaboration technologies such as video and document sharing, the load on the network can get heavy without proper planning, optimisation, redundancy, and recovery practices. Also, some large companies have a patchwork of PBX systems that were acquired or are the result of decentralised business units. That makes managing quality of service extremely difficult.

Take, for example, the Angus Knight Group, an Australian staffing and e-learning company that managed several PABX phone systems before moving to IP telephony. “Our voice systems constantly were offline, and we needed to move to a standard telephony system that was more flexible and scalable and would provide a better return on investment,” says Greg Maginnity, infrastructure manager with Angus Knight.

The company’s IP system delivers redundancy features that ensure the phones stay online if the company’s ISDN link fails. If this occurs, calls are automatically routed over the IP network with no impact on incoming and outgoing calls. “We haven’t experienced any downtime since the system was installed,” Maginnity says.

With IP telephony and UC, companies will need to spend more time testing failover scenarios and validating when they make changes to their systems to ensure that service levels remain high.

“We used to only worry about managing redundancy across circuit boards,” Zmolek says.

“Today, when switching to a software-driven model, it’s not always clear where redundancy should exist.”

Small changes in one part of a system can have unanticipated impacts on failover, he says. Deploying a staging system to test failover scenarios or making use of the production system on the weekend for testing is just part and parcel of good operational practices, he adds.

Unplug equipment from the network or take a router or switch out of service to make sure that the UC system responds the way you expect.

“It’s always better to learn the true redundancy limitations of your UC system in testing than wait to discover them in a real-world outage,” says Zmolek.

UC technologies have much higher bandwidth requirements, according to Russell Bennett, principal of consulting firm UC Insights. While you’ll only need 9.6 Kbps in each direction for analogue telephony, that requirement increases by a factor of more than three or six, depending on the specification. For HD video, the bandwidth requirement starts at 500 Kbps and can grow into multiple Mbps, he says. If bandwidth is not provisioned appropriately, you can create congestion in the data centre and, as a result, users will see sluggish response times. Also, LANs and WANs in some smaller companies may not be designed to handle UC media codecs (compressions and decompressions) and will need to be upgraded, says Bennett.

With bandwidth-hogging applications such as video, an organisation can protect against performance issues by isolating them from other workloads on their private cloud. You can add more applications to this environment once you have a performance baseline, says Randall.

Latency is a related and common problem in managing UC applications, especially when outsourcing your systems to a cloud or other hosting provider.

“Even a conference call between parties in the same building must still be aggregated in a data centre that could be hundreds or thousands of miles away,” Bennett says.

This can create delays that make applications very unpleasant to use. One way to mitigate this, he suggests, is by hosting local conference/recording servers on-premises.

Steve Regini is senior director, sales engineering for worldwide service providers and systems integrators/cloud, at Avaya.
