Technology evolves at a breakneck pace and nowhere is that more apparent than in the heart of Silicon Valley. Alas, no matter where we’re located, hackers find a way to keep pace with technological developments. The only truly secure system is one that no one can access, (which certainly makes it less than desirable for enterprise-wide deployment).
While CIOs continue to name security as their primary concern, this has not slowed the adoption of cloud services. Anytime you combine services, the threat level automatically increases. Every time you bring separate points of entry together, you increase vulnerabilities. There are also inherent vulnerabilities when you have portals where different people can log in. A single point of failure will leave you wide open.
As a technology communications company, our job is to create roadblocks that keep such deviants at bay, which is actually a smarter strategy than a never-ending game of escalating Chutes and Ladders for complex barriers. Given enough time and patience, it is possible to breach any system. This is not what users want to hear, but acknowledgement of such reality is what makes data safer.
Security is always a concern when sensitive data is involved, and that concern is heightened when it comes to cloud services that sit outside the corporate firewall. Cloud is not new. It’s a large amorphous term that has long been in existence (think email — have you ever had a Hotmail, Yahoo or Gmail account?) Instead, the technology is changing implementation methods. We are shifting to a world where specific hardware is no longer as relevant as the user experience — the latter of which includes some semblance of control over the content we create and its associated metadata.
Although the terms have become interchangeable, it is worthwhile to note that there is a difference between privacy and security. Security is the state of being free from danger — no one is maliciously corrupting your system (e.g., Target’s recent credit card system breach that compromised nearly 40 million credit and debit card accounts). Privacy is the state of being free from observation — no one is watching what you are transmitting (e.g., the 2013 NSA spying scandal).
So what are we so afraid of?
- Loss of control: Turning to the cloud means relinquishing primary control on the top-to-bottom daily management of your systems. This isn’t a negative if the cloud company focuses on its systems 24/7 and its reputation is staked on success.
- Data breaches: The nightmare of any service provider, a breach is not solely relegated to the cloud. Any issue can be mitigated with measures such as encryption.
- Data loss: Not always a malevolent problem, as natural disasters or other simple errors can be the root cause (redundancy, redundancy, redundancy).
- Service hijacking: Sadly, phishing scams and other fraudulent social interactions still produce results. Keep your credentials confidential.
- Insecure APIs: Organizations often build their brands on the integration of third-party apps, a system reliant on companies sharing their APIs far and wide. Education around strongly built interfaces and consistent monitoring prevents far-reaching consequences.
- Downtime: An overabundance of eager prospective customers, an unexpected hurricane or anonymous denial of service attack are issues that result in a shutdown of operations until the problem is resolved. Consistent monitoring can help narrow the impact point of origin and bring you back online.
- Malicious insiders: This concern is mostly human-initiated vs. a technological breach and a concern of businesses throughout time. Corporate espionage is not a new concept. The key is to maintain an easy-to-use checks-and-balance management system that prevents unauthorized users access to data above their clearance level.
Ultimately we are only as secure as our clients are. It is imperative to make use of the security measures available or they will become worthless. Many vulnerabilities are well known and methods and best practices are readily available. Others are still being studiously investigated.
People tend to trust encryption via its default, which is a dangerous assumption. For example, the standard-issue 1234 password provided with VoIP infrastructure becomes quite a security risk if the PIN is never altered.
In the telephony industry, people tend to construct networks based on voice quality, not security. This is one of the aforementioned compromises since no one can hack your call if no one can connect. As SQL databases break down into chunks and shuffle information like IP addresses out across networks, a lot of information is theoretically there for the taking.
In fact, many don’t encrypt traffic at all. However, “securing” an infrastructure by assigning it a unique VLAN could potentially be hot for a hacker in less than 10 seconds.
Yet all is not lost. The solution is in the ability to react. As soon as an incident is discovered (ideally within seconds from a monitoring solution) it’s time to mobilize. Track down the point of compromise and mitigate it. A hacker’s time and energy aren’t worth much value if the efforts constantly lead to a dead end.
Ensure your communications are secured with robust authentication and encryption authorization credentials. Further, a setup or registration process can validate user information using digital certification. Ideally a solution will automatically detect when the system is accessed from outside the corporate firewall and automatically secure the session in progress.
The unfortunate reality is that the criminal subset of society will always do its best to thwart the “good guys.” But the beauty of constantly evolving technology is that we are able to keep pace both with simplifying tasks as well as making sure business continues as usual despite potential security threats.
Pejman Roshan is the vice president of product management at ShoreTel, where he is responsible for product strategy, definition, and delivery for ShoreTel’s unified communications cloud, on-premises and hybrid solutions.