IT and Business Insights for SMB Solution Providers

The Need for Secure-by-Design Architecture in UCC

Communications systems must have security measures built into their core design—not simply tacked on through updates. By Robert Cooper

The harsh truth for all things IT is that, as any given user base increases, so too do bad actors on the platform. With the pandemic-driven boom in videoconferencing and VoIP, we're seeing this principle hold true in unified communications (UCC).

As concerns over security gaps have grown, it's been left up to MSPs to focus more on securing UCC systems—no easy task, even under the best of circumstances. But even so, responses have often been lacking. The typical answer is to say that existing systems need to "beef up" their security: create more sophisticated firewalls, use a more complex VPN, or take other steps that will supposedly turn an unsecured system into a secured one. The logic is that a system with insufficient protection just needs more security added on, as if you're installing extra alarm systems in an office building.

Add-on security doesn’t work in practice, however. While an extra alarm or two might add some security to an office, bad actors can always find a way to break into a building that wasn't designed with security in mind. The same is true when it comes to UCC. All the patches, upgrades, and add-ons in the world won't do much good if the platform lacks security as an inherent part in its design. This entails encryption integrated from the ground up, direct peer-to-peer network connections, secure logins, and password storage systems.

Anything less is just a security breach waiting to happen, and there are three big reasons why.

1. The So-Called "User Error" Problem

This phrase gets thrown around a lot to explain cases where an end user's mistake causes a larger security issue in a UCC solution. Someone's password was guessed by hackers? "User error." People forgot to check a box and now their videoconference is hijacked? "User error."

Let's not mince words: Chalking up security breaches to "user error" is irresponsible at best, and at worst represents an outright dereliction of responsibility by the UCC vendor.

Cybersecurity is far too complicated to leave up to the end user alone. What's more, human error and simple mistakes are some of the toughest things to guard a system against; they are the single biggest attack surfaces for digital systems. While there are basic online security principles that every user should be taught, consumers expect developers to do most of the legwork in keeping them safe online.

The fix is to eliminate the possibility of so-called "user error" right from the beginning with secure password requirements, inflexible network security, standard videoconference limitation settings, and other features. Anything short of that means the platform is leaving far too much up to the end user, and therefore to chance.

2. The User Experience

Even with all those parts of user implementation that developers can't predict, there's one thing they can assume: If a system is complex or annoying to use, end users simply won't use it, no matter what company guidelines say.

In practice, bad usability most typically arises when security elements are tacked on: A VPN forces users to take extra tedious steps before using their system while also sapping bandwidth; meanwhile, an external SBC adds further management requirements onto the system and more hoops to jump through in setting up a UCC network. The same headaches are presented by other added-on measures, like external security programs or security update patches that require multiple steps to install.

The solution is much like in the first point: Don’t give end users the option to disable these features. And that simply can't be done if you tack the features on like duct tape over a leaky pipe; the measures have to be integrated into the core design. Anything else runs the risk of affecting the usability of that system, and therefore risks frustrating users to the point of circumventing (and therefore invalidating) those efforts.

3. The Threat of Obsolescence

Finally, it's worth addressing the ever-present issue of keeping a UCC security system updated. After all, the first thing any cybersecurity expert will tell you is that the online threats are always changing. Along the same lines of the usability issue, if patching in updates depend on the end user's request, there may be those who miss the update or just feel installing it is too much of a hassle. The catch is keeping the system updated in a way that's actually effective.

So on the one hand, there's a clear need for updates to come in smoothly, invisibly, and without any chance for end users to disrupt them. But at the same time, we must question exactly what kind of updates should be made at all.