When choosing a cloud communications vendor many companies focus on price, speed and efficiency. While these are important factors, few remember to think of the protection of their data. With more businesses moving to the cloud, asking the right questions about security when talking with your vendor should be a top priority.
Cloud security is a shared responsibility model, meaning that effective security relies on both the customer and vendor for implementation. There’s a lot your vendor can do to mitigate risks to your business, and in the spirit of strong partnership, all customers should ask their partners the questions that they need answered for trust and assurance. Here are five to start with for your UCaaS vendor.
1. Do you support encrypted VoIP?
Unencrypted data streams of any type increase your risk and attack surface, and a VoIP call is no different from web application data in this respect. Eavesdropping, man-in-the-middle attacks and capturing registration credentials are all made easier by plaintext data. The bottom line is that VoIP traffic should always be encrypted. A vendor’s implementation of VoIP encryption should cover both call signalling and media, so be sure to ask whether both are encrypted.
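The signalling-versus-media distinction is easy to check on a captured call setup. The following is an added example, not code from the article or any vendor: it parses a constructed SIP INVITE and reports whether the signalling hop (top Via transport) and the offered media (SDP m= profile plus keying attributes) are encrypted. The sample message, host names and addresses are all made up.

```python
import re

# Constructed sample SIP INVITE: signalling arrives over TLS, but the SDP offer
# still proposes plain RTP/AVP for the audio stream (the common half-encrypted case).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:alice@example.com SIP/2.0",
    "Via: SIP/2.0/TLS pbx.example.com:5061;branch=z9hG4bK776asdhds",
    "From: <sip:bob@example.com>;tag=1928301774",
    "To: <sip:alice@example.com>",
    "Contact: <sip:bob@pbx.example.com:5061;transport=tls>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=bob 2890844526 2890844526 IN IP4 198.51.100.7",
    "s=-",
    "c=IN IP4 198.51.100.7",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
])

# SDP transport profiles that carry SRTP (RFC 3711 SDES profiles, RFC 5764 DTLS-SRTP).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# Transports that protect the signalling hop: TLS, or SIP over secure WebSocket (WSS).
SECURE_TRANSPORTS = {"TLS", "WSS"}


def check_sip_encryption(message: str) -> dict:
    """Report whether a SIP request encrypts signalling (top Via) and media (SDP)."""
    head, _, body = message.partition("\r\n\r\n")
    # The top-most Via header shows the transport the message actually arrived on.
    via = re.search(r"^Via:\s*SIP/2\.0/([A-Za-z]+)", head, re.MULTILINE | re.IGNORECASE)
    transport = via.group(1).upper() if via else None
    # Every media line must use an SRTP profile; one RTP/AVP stream means plaintext audio.
    profiles = [parts[2] for parts in (ln.split() for ln in body.split("\r\n"))
                if parts and parts[0].startswith("m=") and len(parts) > 2]
    # An SRTP profile alone is not enough: SDES needs a=crypto keys, DTLS-SRTP a=fingerprint.
    has_keying = bool(re.search(r"^a=(crypto|fingerprint):", body, re.MULTILINE))
    media_encrypted = bool(profiles) and all(p in SECURE_PROFILES for p in profiles) and has_keying
    return {
        "signalling_transport": transport,
        "signalling_encrypted": transport in SECURE_TRANSPORTS,
        "media_profiles": profiles,
        "media_encrypted": media_encrypted,
    }


if __name__ == "__main__":
    for key, value in check_sip_encryption(SAMPLE_INVITE).items():
        print(f"{key}: {value}")
```

On the sample above the report shows signalling encrypted but media not, which is exactly the case the question in this section is meant to catch.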
2. Do you have an audit report you can share with me?
Trust is an essential part of the cloud services model. Cloud vendors should understand your efforts to look under the hood of their security controls. Cloud companies who take security seriously will do more than just pass along their data center’s audit report.
Look for vendors who have audit reports put together by an independent third party. Make sure the audit report covers the service organisation’s controls (i.e. your vendor) and not just the data center or cloud service where the application is hosted. Service operations are a key part of the cloud security model.
3. Do you have control points that will enable me and my team to secure our side of the voice network?
When revisiting the shared responsibility model for cloud security, it’s important to remember that there’s an entire customer side to the service, with VoIP phones, apps that run on desktop or laptop computers and users connecting to the service from their mobile endpoints. Does your vendor help educate you about the best practices that are within your control? Do they build security attributes and features into their product to take care of some things directly and to empower you with settings to control the rest?
Just like your data stored in the cloud, any of your data stored locally on these endpoints should be secured with encryption. Make sure your vendor offers an option that lets you mandate encryption for your data when it’s stored locally in an endpoint app. Make sure that you can implement roles and permissions for your users, and make sure that you have the ability to specify important usage parameters such as international calling.
4. How often do you conduct product security testing?
It’s no surprise to anyone that software has bugs. What’s important is that your vendor make investments to regularly test its application security to find security bugs so that they can be prioritised and addressed, rather than limiting product testing to one or two pen-tests per year.
Don’t get me wrong. Pen-tests serve a purpose. However, most vendors are likely releasing software updates at an interval that outpaces periodic pen-testing. Ask your vendors how often they test their application releases for security. In addition, when it comes to product security testing, it’s good to have a mix of in-house and third-party testing. No one person or team will find every bug. The idea here is that a more diverse set of eyes and methods will find more bugs than a single team or a single method.
5. Do you monitor for unusual activity or usage on customer accounts?
Cloud customers don’t always monitor their usage of a cloud service, and those with an on-premise PBX don’t always monitor their company’s PBX activity. As a cloud customer, you may not even have access to the service usage data. Ask your vendors whether they monitor for service abuse and anomalous usage. If you’re looking at cloud PBX, ask if any toll fraud monitoring is included.
The list of questions you should ask your vendor is by no means exhaustive; the more you ask, the more information you have to determine whether a cloud vendor is ready to be your partner in the shared security model that cloud computing requires.