Published: September 4, 2019

Abstract

Unified Communications combines telephony, video, chat, email and presence together into one unified communications system. As the technology has become more complex and more accessible through the public Internet, the security threat has increased. In many ways it’s easier than ever to attack business communications. Companies must be diligent in protecting their Unified Communication services as they are vital to business operations.

Unified Communications (UC) applications can be the hardest to secure within an enterprise. UC clients, APIs, and services need a full security suite to ensure an enterprise stays secure. Too many enterprises attempt to apply standard application security measures to UC applications, which limit what users can do and still leaves enterprises exposed to the complex UC security challenges. Security managers and architects understand standard web applications, but not all the nuances of UC, and UC managers and architects lack sophisticated security knowledge.

Conventional IP security products (such as firewalls and intrusion detection and prevention systems) were not designed with these kinds of real-time communications in mind—leaving organizations vulnerable to security threats.

In this report we’ll describe the basics of UC security, the risks associated with poor UC security and how challenging UC security really is. We’ll then describe how the NIST Cybersecurity Framework can be applied to UC security and how to apply a tiered approach and advanced techniques for securing UC communications. We’ll highlight a few vendors that worth considering in this space and provide summary recommendations.

Authors:

Sorell Slaymaker Principal Consulting Analyst [email protected]

 

Executive Summary

Unified Communications (UC) is critical to the vision most organizations have when they consider how they are embracing the Digital Enterprise. Unified Communications is a business and marketing concept describing the integration of enterprise communication services such as instant messaging (chat), presence information, voice (including IP telephony), mobility features (including extension mobility and single number reach), audio, web & video conferencing, fixed-mobile convergence (FMC), desktop sharing, data sharing (including web connected electronic interactive whiteboards), call control and speech recognition. UC also includes non-real-time communication services such as unified messaging which integrates voicemail, e-mail, SMS and fax.

Unified Communications is not necessarily a single product, but a set of products that provides a consistent unified user interface and user experience across multiple devices and media types. UC allows an individual to send a message on one medium and receive the same communication on another medium.

UC brings the customer and enterprise experience to life and provides multi-platform and multi-media capabilities to the Digital Enterprise.  These multi-media features are particularly important to the customer experience and, increasingly, an expectation for customer digital offerings. That said, these added capabilities open up new threats and vulnerabilities that need to be addressed. Securing Unified Communications is the focus of this report and should be an important element of any enterprise UC program.

The reality is that conventional IP security products (such as firewalls and intrusion detection and prevention systems) were not designed with these kinds of real-time communications in mind—leaving organizations vulnerable to security threats. This requires security teams to craft new strategies and identify new security solutions to protect and control these diverse real-time communication flows.

Addressing these threats and securing UC can be addressed via a multi-tiered security approach. Of particular importance is the use of Session Border Controllers (SBCs) as they are designed to overcome the unique security challenges enterprises typically encounter when introducing VoIP/SIP. The role of an SBC is to be a voice application aware security solution that can control and log all voice sessions.  We also recommend the use of the NIST Cybersecurity framework as a foundation, although it doesn’t focus specifically on UC security.

In securing this challenging, but increasingly critical area, we describe several steps enterprises should take to improve their UC security posture. These are describe in greater detail in the report, but these are the key areas of recommended focus and should be part of an enterprise UC security strategy:

• Encrypt Everything
• Adopt a Zero Trust Strategy
• Build a Strong IAM foundation (MFA, least privileged access, etc.)
• Proxy All Services
• Secure UC Appliances
• Log and Event Monitoring for UC Services
• Conduct 3^rd Party UC Security Audits
• Implement UC-Centric Security Training
• Deploy Phone Number Authentication
• Implement a Tiered Security Model

It is critical that most large enterprises explicitly assess their UC security posture while integrating these approaches into an overall security architecture and roadmap.

Introduction

Unified Communications (UC) is a business and marketing concept describing the integration of enterprise communication services such as instant messaging (chat), presence information, voice (including IP telephony), mobility features (including extension mobility and single number reach), audio, web & video conferencing, fixed-mobile convergence (FMC), desktop sharing, data sharing (including web connected electronic interactive whiteboards), call control and speech recognition. UC also includes non-real-time communication services such as unified messaging which integrates voicemail, e-mail, SMS and fax.

Unified Communications is not necessarily a single product, but a set of products that provides a consistent unified user interface and user experience across multiple devices and media types. UC allows an individual to send a message on one medium and receive the same communication on another medium. For example, one can receive a voicemail message and choose to access it through e-mail or a cell phone. If the sender is online according to the presence information and currently accepts calls, the response can be sent immediately through text chat or a video call. Otherwise, it may be sent as a non-real-time message that can be accessed through a variety of media. If properly integrated, UC can increase productivity and is part of what TechVision refers to as the “digital workplace”.

UC is also moving (as are most applications and infrastructures) to the cloud, but current cloud platform offerings from Microsoft’s Teams to Slack and most others are not secure enough for highly sensitive information. Enterprises and government agencies looking to further protect their organizations’ intellectual property while meeting more stringent compliance and privacy regulations should add next- generation ultra-secure collaboration solutions to their portfolio. These platforms are based on a zero-trust architecture and multi-factor authentication.

Unified Communications applications can be the hardest to secure within an enterprise. UC clients, APIs, and services need a full security suite to ensure an enterprise stays secure. Too many enterprises attempt to apply standard application security measures to UC applications, which limit what users can do and still leaves enterprises exposed to the complex UC security challenges. Security managers and architects generally understand standard web applications, but not all the nuances of UC, and UC managers and architects often lack sophisticated security knowledge.

Conventional IP security products (such as firewalls and intrusion detection and prevention systems) were not designed with these kinds of real-time communications in mind—leaving organizations vulnerable to security threats. When introducing UC platforms, IT teams must craft new strategies and identify new security solutions to protect and control real-time communications flows. Session Border Controllers (SBCs) were designed to overcome the unique security challenges enterprises typically encounter when introducing VoIP/SIP.

CISSP and standard IT security training focuses securing transactions, not interactions. This leaves UC security as a vulnerability within an enterprise’s security strategy.  In this research, we focus on the security vulnerabilities of real-time voice and video communication and phone number security. Someone’s phone number can be used as part of their identity, but this attribute/identifier can be easily spoofed and should not be solely relied upon. Short Messaging Service (SMS) security is a focus in this research since many enterprises use SMS as part of their MFA strategy as TechVision described in detail in our recent report on MFA. This research does not cover email or voice-mail security.

Why Today’s Collaboration Platforms Are Not Secure Enough

Gone are the days when are primary form of real-time communications was the phone and we could trust that the caller ID was accurate. These days we are inundated with robo-calls that have learned how to spoof caller ID. Robo-calling or spam has already infiltrated email and fax and is moving into SMS and conferencing.

Many enterprises and users assume that their mobile devices are secure and that using a corporate Mobile Device Management (MDM) solution is all the security that they need. As part of this assumption, many organizations are using Short Messaging Service (SMS) to a mobile device as part of a multi-factor authentication strategy. While this generally provides better security than just a standard username and password, using SMS for highly sensitive information is not good enough. But securing collaboration platforms have several major security shortcomings as described below:

• SMS Vulnerabilities
  1. No Encryption – SMS messages are sent as clear text that is readable by anyone on the sender’s carrier network, anyone on the carrier-interchange network, and anyone on the recipient’s carrier network. There is no integrity in SMS, it is vulnerable to many types of attacks, including the one suffered by German banking customers in 2017 as reported in The Register. Even the reliability of SMS is to be questioned – text messages can experience delays or even non-delivery as a result of cellular data network connectivity issues. To be sure, reliability and availability requirements are key security tenets and innately lacking in SMS.
  2. SMS Hijacking – Organized crime constituents and sophisticated hackers may motivate international mobile network operator employees to mis-direct SMS messages from the legitimate user to an attacker’s device for a period of time to capture the private keys associated with a user’s account. SMS services are not a high-integrity system as the legitimate user would not be notified of the misdirection nor the keys being sent to the attacker until after they are finished with their attack.

The US Department of Homeland Security is recommending that government agencies and enterprise stop using SMS for sensitive communication. SMS can be exploited by criminals and nation-state actors.

Last year Twilio, the cloud communication as a platform service provider, became aware of an incident regarding Voxox, a wholesale SMS provider, in which an unsecured database was accessible to the Internet and exposed details of SMS messages and the companies that sent them. Media articles report that many of these SMS messages contained sensitive information such as authentication passcodes and delivery tracking numbers linking to unauthenticated details on the web.

• SIM Swapping Exposure – The Subscriber Identity Module (SIM) inside a smartphone is used to uniquely identify its owner. Criminals who gather details about a victim such as their mobile phone number can get a wireless network company to transfer a phone number to a new phone for a short period of time. Attackers can then trick banks and other companies into granting a password reset sent to a new phone, enabling them to gain entry into a victim’s most sensitive online accounts. This problem was recently reported in the Wall Street Journal
• iMessaging Weaknesses – iPhone users often claim that iMessage is a superior technology, but it is also vulnerable to many of the same problems. For example, every iPhone inherently trusts over 150 organizations, some of which are affiliated with known-cyber-attackers and authoritarian regimes. Apple makes the list of these trusts available on their help website. A list of some of the countries which are allowed full eavesdropping on iMessage

Figure 1. Countries That Have Access to Apple’s iMessage

• Spying Application Risks – If you’re not using biometrics to protect your mobile devices, jealous lovers, frenemies, and other acquittances with physical access to your mobile device(s) (while you are sleeping, in the shower, at the gym, etc.) can load spyware on your mobile device. Once running they can monitor and record phone calls, track GPS location, read emails and instant message chats, check online activities, view photos, videos, and calendar entries, and remotely control the device. XNSPY is an example application that anyone can acquire for a monthly fee. This is reportedly how Jeff Bezos’s wife caught him cheating and used this evidence for a multibillion-dollar divorce settlement.
• Enterprise Cloud Messaging Susceptibility – Cloud-based messaging allows the back-end server operators access to all data that is sent through the system. While there are rules operators should adhere to that minimize the possibility of eavesdropping, it is still possible for their employees to violate those policies or for attackers to design exploits which bypass these policies. Permission models are also lacking, especially for guest accounts. This means that guests (those that are not employees of your organization) can access documents in channels, resources, chats, and applications. Thus, enterprises struggle to control what the organization is sharing. This is especially true when the service operator is presented with lawful intercept demands, in which a government law enforcement or espionage team orders the service operator to share all of the enterprise’s information with them, many times without the enterprise’s knowledge or consent. For companies that consider the US government to be actively hostile to their interests, the passage of the CLOUD Act gives US Law Enforcement full capability to intercept and store any data that they deem to be within the bounds of any ongoing investigation.
• Shadow IT – There is a principle of least resistance: people use what they know, is easiest to and most used by others. There is no difference with employees. If the tools the internal IT department provides are not known, easy to use, and/or cost too much, they will be ignored and replaced in the daily working process. Sensitive company data will then flow through Dropbox, Slack and WhatsApp without the owner’s consent or even his knowledge. Team applications from companies like Slack make messages available for everyone in that group versus enforcing controlled, need-to-know, and least privileged messaging access. Many enterprise employees have leaked sensitive information this way.
• ‘Secure’ Messaging Apps – WhatsApp, Signal and other consumer-grade secure messaging applications rely on users’ mobile phone numbers as unique identifiers to deliver private key material. Due to the risks outlined above in the SMS and SIM Swapping sections, attackers can temporarily hijack the target user’s SMS number (either virtually through an international carrier or physically through a SIM swap), send a request to the Signal or WhatsApp service and then receive the recovery keys for those applications, giving the attacker full access to messages sent through those systems. U.S. government agencies reportedly are using these methods to gather information on people inside and outside of the United States.

As if these vulnerabilities are not bad enough, there are also some very basic risks for international business travelers. Customs in many countries requires users to provide their devices and passwords prior to leaving the country. Intellectual property is worth a lot to the right buyer, and where money is involved there will be corrupt and malicious officials who will steal information. No institutions can be trusted.

So, we’ve defined several of the challenges and known vulnerabilities in securing current collaboration platforms. We’ll now look at some of the explicit risks associated with “poor” UC security.

The Risks of Poor UC Security

TechVision broadly breaks Unified Communications Security threats into three categories as follows:

• Theft of service – such as toll fraud through the unauthorized use of UC resources
• Denial of service – implies a deliberate or accidental attack against services and applications that render them unusable for IT user;
• Privacy and compliance – focus on interception of communications and confidentiality challenges associated with the conformance of corporate compliance policies and legislation.

Now that we have identified some of areas where mobility, messaging and the cloud are highly vulnerable, we can look at some examples; such as when Cisco’s WebEx team reported a critical security vulnerability that needed an immediate patch. The vulnerability allowed an authenticated, remote attacker to execute arbitrary code on a targeted system due to insufficient input validation by the Cisco WebEx clients.

Another example is when enterprises don’t lock down their guest access accounts. In Microsoft Teams or Slack for example, if guest accounts are not appropriately managed, these accounts can view all communication and associated content occurring within an organization.

VoIP and UC networks are susceptible to a variety of security threats. Hackers and fraudsters may try to manipulate real-time communications signaling or media flows, or they may attempt to disrupt networking infrastructure to impair operations, eavesdrop on conversations, or commit service theft. This is a list of VoIP and UC security threats and their potential implication:

1. Reconnaissance scan – Address or port scan is used to footprint network topology -Targeted denial of service, fraud, theft
2. Man in the middle – Attacker intercepts session to impersonate (spoof) caller -Targeted denial of service, breach of privacy
3. Eavesdropping – Attacker “sniffs” session for the purpose of social engineering – Breach of privacy, fraud, theft
4. Session hijacking – Attacker compromises valuable information by rerouting call – Breach of privacy, fraud, theft
5. Session overload – Excessive signaling or media traffic (malicious, non-malicious) is experienced – Denial of service
6. Protocol fuzzing – Malformed packets, semantically or syntactically incorrect flows are encountered – Denial of service
7. Media injection – Attacker inserts unwanted or corrupted content into messages – Denial of service, fraud

Besides all these technical reasons for UC security threats, the most obvious threats are people. UC involves many people communicating and sharing ideas and content. People are the weak link ensuring that any communication is kept secure, private, and confidential. 80% of enterprise breeches have an internal component whether this is a person or malware, usually installed by an internal person. User security threats are categorized as follows:

• Laziness – Users going with default or common passwords such as 123456 for voice mail access and not taking the few seconds to validate who is on a conference call. Executives are guilty of this too, with many leaving their calendars open for all to see along with the bridge numbers and passwords for their conference calls. By-passing corporate systems or guidelines with external solutions that are virtually free in the name of speed and convenience. While many enterprises have training programs to make users aware of industry best practices, they do not follow-up with any type of enforcement to ensure good behavior and inform managers of bad behavior
• Exploited – Targeting one or a group of users to get information or do something to lead to a vulnerability such as clicking on a fraudulent email. Phishing attacks are growing more sophisticated and targeting specific users and systems. Many salespeople have built up relationships with internal enterprise employees through events and dinners and will use this information to help gather information on an organization. When million or even billion-dollar level sales are on the line, some folks cross the line. The line is usually crossed in telephony or in-person conversations that are not e-discoverable in case there is a lawsuit.
• Malicious – An internal employee or contractor takes external money or favors to do something illegal. Organized crime and hackers are becoming more like spies and recruiting employees and officials to help them exploit enterprises. Exploiting enterprises and government agencies is big business and paying someone a million dollars or more to do something illegal is becoming more common. For instance, a man was charged for bribing an AT&T staff member to illegally unlock phones.

Figure 2 illustrates some of the leading use cases for UC Security. Note, that UC security includes privacy and compliance along with security.

Figure 2 Common UC Security Use Cases

The risks to an organization that doesn’t properly secure their UC system(s) include:

• Loss of Data – UC is more than voice and video, there is a lot of data associated with Web conferencing and file sharing. Losing sensitive data can be exceedingly costly to an organization in terms of fines, intellectual property theft, brand damage and so forth.
• Back Doors – Bad actors can bypass standard security controls to gain access to private networks, creating backdoors and leaving them open.
• User Tracking – Using meta-data regarding communications to track who is talking to whom, when, and where, even if the media is encrypted.
• Blackmail – Recording private conversations and threating to make the information public.

UC combines telephony, video, chat, email and presence together into one unified communications system. As the technology has become more complex and more accessible from the public Internet, the security threat has increased. In many ways it’s easier than ever to attack business communications. Companies must be diligent in protecting their Unified Communication services as they are vital to business operations.

Companies have historically relied on the premise that their internal networks were secure as long as they required external users to use a VPN solution to gain access. This premise is no longer valid because:

• No network is secure – It is been proven that the top vector for attacks come from inside the enterprise network. – See the TechVision Research Zero Trust Networking Report
• BYOD – (Bring Your Own Device) UC from personally owned devices including employees, contractors, partners who do not have a VPN or MDM client software protections.
• Speed – The delay or friction caused by setting up a VPN session incents users to bypass the “VPN step” in order to immediately start communicating.
• Public UCaaS – Hosting UC externally at a 3rd party using Internet network connectivity is common, especially with the rise of freemium solutions.
• WebRTC – Supporting standardized clientless UC anywhere and everywhere.

Each of these are avenues that can lead to breach, theft, and brand erosion.

Telephony Denial of Service (TDoS) is also a serious issue. Hackers have flooded enterprises and government entities with false calls that overwhelm their systems, which effectively block all legitimate calls. If the system under attack is an enterprise system, customer service callers cannot get through. More disturbingly, if the system under attack is a government system, citizens cannot reach their local 911 center. TDoS is similar to DDoS used on networks, except this one is specific to phone service.

If securing UC was easy, we probably wouldn’t be writing this report. Next we’ll look at what UC is so difficult to secure and then describe some of the techniques for addressing these challenges.

Why UC is Difficult to Secure

Unified Communication applications have many unique attributes that make them more difficult to secure than standard client server applications. These attributes include:

• Users are Everywhere – Unlike data centers where data can be kept physically in a well-guarded building, users are everywhere, can be anyone, using any device. The locations can include; home, mobile, in an office building, out of country on business travel – basically anyone on the planet. Users can also be anyone including employees, partners, contractors, customers, or guests. To make matters even more challenging, communication occurs across many different devices that have different operating systems. Bring Your Own Device (BYOD) was another challenge introduced about a decade ago where enterprises must support communication across personal devices that they do not own or manage.
• Compliance and Privacy – Regulations create liabilities for those companies which do not implement the proper tools and controls. Recent regulations like GDPR, HIPAA, California Privacy Law and local labor laws require enterprises to have data controls in place to protect sensitive data in all situations, regardless of which systems are used or what infrastructure is relied on. Enterprise compliance and security teams are looking for solutions which will support their objectives of ensuring the traditional ICA requirements for data protection. ICA stands for:
• Integrity: Ensure that the data being shared among team members is trustworthy, accurate and not manipulated by any outside party.
• Confidentiality: Prevent sensitive and regulated data from being accessed by any unauthorized individual, whether a nation/state attacker, service provider or malicious actor.
• Availability: Critical data is available to the right people at the right time in the right location.
• Remote Control – One feature within web collaboration tools is to allow remote users to take control of the end device. This is great for IT support to fix problems and for teams collaborating on a drawing. However, remote control can be exploited by bad actors. For instance, a temporary employee can allow a nation-state to have access to their computer which can reside within an enterprise or government network. This makes it easier for the bad actors to gain access to private information and communication. Another example is a user is invited to a meeting but must download a UC client to participate. UC Client has malware embedded in it that can take over the PC once the user goes home.
• Unique Technology – Communication technology focuses on interactions, while most of our security technology is focused on transactions. The unique technology to support interactions includes:
• Peer-to-peer – WebRTC and proprietary UC stacks allow one device to talk directly to another without going through a centralized service and security stack. Traditional applications are client/server based, where a security stack can reside at the server. This is a challenge to secure because it is reliant on end point security rather than more reliable server security.
• Bi-Directional – Sessions can be established in both directions due to the call/calling nature of UC versus a web application where a user establishes the session request. A home router for instance has a simple firewall rule that states all TCP & UDP sessions must be initiated from within the home network and why, in order to get a Skype call, the home user first must be logged into Skype. This is a challenge to secure because it is difficult to validate the credentials of the source of incoming traffic.
• UDP Transport – Unlike TCP which has connections, sequence numbers, and specific ports for different types of applications, UDP has none of these. Different vendors open up a range of UDP ports and UC sessions cycle through the range of ports. The range of ports must be bigger than the peak number of concurrent UC users. This is a challenge to secure because UDP does not keep state, have handshakes, etc. This means an attacker could easily send a spoofed packet unless there are protections at other layers.
• Multiple services – Voice, video, chat, data – UC uses a range of services, each with their own TCP/UDP port. With conferencing, there can be hundreds of users interacting both internally and externally with the organization. This is a challenge to secure because it is porous, unlike a controlled user group using predictable protocols behind the firewall.
• Jitter Sensitivity – Jitter is the variation in latency, and jitter above 20ms will result in the effective loss of real-time voice/video traffic. With video conferencing, there can be instantaneous spikes in network traffic that are 100x the norm. Firewalls and other security appliances have trouble processing a lot of UC traffic without causing jitter. The primary reason why UC was the last major application to use virtualized infrastructure at scale is due to this.
• Too Many Proprietary Appliances – Legacy PBX, voice mail, conferencing systems use proprietary hardware with purpose-built operating systems. These appliances are subject to known security vulnerabilities.

5. User Experience – Users of communication technology are very particular about their experience. They want it to be easy to use with a simple menu of functions, quick to set-up, with quality voice and video and minimal latency so that when someone tells a joke you are not waiting half a second to hear people laugh. Many of the new Freemium platforms such as Slack and Zoom.us have gained popularity by offering a great user experience. Enterprise IT wants a single solution to support, but users by-pass the IT solution. These Freemium solutions are usually not tightly managed, yet proprietary and confidential information commonly flows through them.

Figure 3 – Why UC is Difficult to Secure

6. Phone Number Spoofing – We can no longer trust that someone’s phone number and the sound of someone’s voice as truly that person. Phone number spoofing is a known problem, one that has been around for years. It is addressable via solutions from companies such as Pindrop that help determine the probability that the caller’s number is legitimate. Through white and blacklists of phone numbers, testing network delay, and other audio heuristics, the confidence rates are in the high 90s. For instance, if a call comes in from a U.S. area code, but the network delay is over 100 milliseconds, then odds are high that the caller is really overseas.

This technology is beneficial in contact centers. Enterprise call centers deploy this technology to reduce the number of security questions they must ask, in turn reducing the average call handle time, saving money and providing a better caller experience.

A newer problem, thanks to artificial intelligence (AI) in the speech world, is voice spoofing. We hear on the late-night talk shows people using these tools to mock our president and other officials.

Voice verification technology has been around for at least 20 years, in use at many banks and stock trading companies as part of the multifactor authentication strategies they put in place to protect funds transfers. Voice verification systems require large base-line sample sizes for optimal performance, so work best when used regularly. Given that voice-spoofing capabilities are becoming more mainstream, enterprises that use voice verification technology should look at additional security controls for validating callers.

Bad actors can easily use a site like spoofvoice.com to change their voices and phone numbers to remain anonymous. A more sophisticated bad actor can grab audio clips from YouTube and mimic someone else’s voice. In many ways, this level of spoofing is mirroring the frightening onslaught of “deep fakes” of audio-video content.

So what do we do about these challenges? In the next section we’ll introduce a specialized UC security device called the Session Border Controller (SBC). Given the magnitude and variety of threats we’ve discussed (and many we haven’t touched on), TechVision recommends considering this “fit for purpose” approach to securing your Unified Communication portfolio.

The Role of the Session Border Controller in Securing UC

As a specialized UC security device, the SBC offers fundamental advantages over a conventional data firewall for VoIP or UC DoS/DDoS protection. Traditional data firewalls limit traffic by using static or dynamic thresholds and applying access control lists. Adaptive rate limiters are vulnerable to false positives and negatives when handling real-time communications traffic. When presented with a new peak traffic load, the firewall may assume that a DoS attack is in progress. Conversely, an attacker can send traffic below the threshold to thwart detection.

So why not just rely on traditional firewalls? Firewalls protect IP data networks, servers, and applications against a variety of threats by performing stateful inspection and filtering at Layers 2 through 4 of the Open System Interconnection (OSI) model. A firewall can provide rudimentary support for Voice over IP (VoIP) and UC by opening one or more User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) ports for SIP or H.323 signaling and a wide range of UDP ports (thousands in some cases) for real-time media. For all intents and purposes, the firewall acts as a pass-through device for the media. It can block real-time IP communications sessions, but it cannot actively manipulate signaling or media streams to detect or protect against sophisticated threats. We see firewalls as part of the mix, but not the entire package in consistently securing UC.

Many firewalls perform NAT, which changes Layer 3 IP addresses and Layer 4 port numbers without altering the corresponding information contained in SIP signaling messages. This causes user agents to send media to the wrong IP address, which is manifested in one-way audio or video. Some firewall manufacturers have added SIP ALG functionality to translate IP addresses within the SIP or Session Description Protocol (SDP) messaging, which enables the firewall to maintain the integrity of SIP addresses while performing NAT. However, SIP ALGs do not generally perform dynamic port management to open or close media ports based on SIP session state. What’s more, current research shows that many ALGs can easily be bypassed. An attacker can simply set up a valid session, for which the firewall inserts a rule allowing any traffic to pass between the hosts using these ports, regardless of whether the traffic contains the protocol that was initially negotiated.

When an attack is detected, a data firewall responds by throttling or dropping all traffic, including legitimate traffic, because it cannot inspect and intelligently classify real-time communications sessions.

For voice and other UC traffic, a Session Border Controller (SBC) should be utilized to provide security. The role of an SBC is to be a voice application aware security solution that can control and log all voice sessions. The unique security attributes of an SBC include:

• Layer 5 SIP Network Address Translation (NAT) – Firewalls can provide layer 3 NAT services, but they are not generally aware of the NAT services required within the SIP signaling messages that run at layer 5. Because each voice session utilizes its own UDP port, and that fact that UDP is a stateless protocol and is utilized for voice/video media, securing these ports requires session awareness at the layer 5 level.
• Layer 5 Topology Hiding – Ensuring that any external scan or monitoring never sees any of the internal IP addresses, ports, and services utilized
• Telephony Denial of Service Protection (TDoS) – Denying or throttling of new SIP session requests so the system does not become overwhelmed. TDoS attacks can be malicious, or accidental such as a system malfunction that causes everyone to lose their voice session and everyone immediately hangs up and re-dials.
• End-to-end Encryption – Encrypting the SIP signaling utilizing TLS, along with encryption of the media with Secure RTP. While an IPsec tunnel will secure the network connection between devices, the voice/video encryption ensures device to device communication encryption that helps prevent attacks such as MITM attacks that lead to eavesdropping and impersonation.
• Access Controls Specific to Voice Services – Filter specific devices and/or networks on a per session and application basis including accepting media requests for only authorized sessions
• Recording – Certain types of calls need to be recorded for legal compliance reasons including lawful intercept in certain environments. The recording of the media requires that the meta-data associated with the recording be included so that the call can be indexed and searchable.
• Voice Monitoring – Monitoring the media session for fraud, the signaling for mal-formed messages, additional data added to the SIP Session Description Protocol, enforcing authentication codes (commonly used for expensive overseas calls), and providing an audit trail are all required.
• Inspection – Inspecting the SIP signaling and associated RTP streams to ensure they are valid and block SDP that contains Message Session Relay Protocol (MSRP) or other potential sources for malicious traffic. If an intrusion protection system (IPS) is utilized, enterprises run the risk of service disruption. One example, SIP Option messaging that is used for service verification, can be seen by an IPS as malicious traffic and create false-positive matches that can disable the communication services.

Now let’s look at an example of how the combination of the elements we’ve described can fit together as part of a cohesive line of defense.

Figure 4 – Security Example Using Firewall’s & SBC

Figure 4 above shows an example of incorporating Firewalls, SBC’s, and a video proxy into a tiered architecture model. Voice traffic can enter the enterprise in this example in 3 different ways:

1. PSTN Connectivity via SIP Trunking – The Public Switched Telephone Network connects phone traffic that goes through carriers network to an enterprise’s UC/telephony solution. For large enterprises, Ethernet connectivity using non-routed IP addressing should be used. A firewall is optional in this configuration. The value of a firewall would be to provide generic IP controls and logging and implementation of it is based on level of trust on this network. The SBC is required to provide voice specific security as outlined earlier. For smaller enterprises, Internet Connectivity can be used running an IPsec tunnel between the SIP trunking provider and the Enterprise router. In this configuration, a firewall is recommended in conjunction with the SBC. In both scenarios, SIP-TLS and media encryption are not recommended, since it is not end to end, only from the service provider to the Enterprise.
2. WAN Connectivity– Devices such as company owned hard phones, PCs, Video Terminals, and Tablets that run over a company secured and trusted Wide Area Network. These devices fall into two categories, those that are trusted, and those that are not trusted. Trust is based on a certificate method and standards such as 802.1X. Those devices that are not authenticated and trusted should be routed to the DMZ and come in like any other untrusted client coming in over the Internet. A firewall is optional in this configuration. A firewall can provide the Enterprise generic IP controls and logging, such as minimizing the propagation of a virus.
3. Internet Connectivity – Devices such as personally owned smartphones, tablets, and PCs that come in over the Internet or the untrusted network within an enterprise. There are three ways for communication to transit the DMZ; VPN, SBC, or a proxy.

In all three cases, the traffic must first come in through an outside DMZ firewall that provides rudimentary support for Voice over IP (VoIP) by opening and range of UDP or TCP ports for SIP signaling and a wide range of UDP ports for RTP media. Initial NAT traversal is done, and ICE/STUN are utilized to pass the traffic from the Internet into the DMZ. The initial firewall is there to prevent IP based attacks. The second level of the DMZ is utilized to prevent SIP/RTP specific attacks.

With this architectural framework in mind, let’s summarize our enterprise recommendations for providing a consistent, multi-layered security approach in addressing UC security challenges.

UC Security Recommendations

In this section, we’ll leave you with our best practices advice for securing your Unified Communication services. While this list can be overwhelming, these are our recommended best practices to follow regarding security UC. These best practices include:

• Encrypt Everything – It is no longer good enough to just encrypt data at rest, data and communication in motion must be encrypted because users and applications can be anywhere and everywhere. Use 256-bit Transport Layer Security (TLS) encryption on sensitive data and communications. For instance, using 128-bit encryption still allows someone to understand if it is a male of female talking, what language, how long the conversation is and the interaction amount between users.
• Adopt Zero Trust Architecture – Zero Trust means that nothing on the network, resource, or application is trusted. Implement A “deny all” policy, with a whitelist that is integrated with the identity and access management systems. Use anomaly detection to alert when something abnormal is occurring.
• Ensure Identity – Great security starts with great identity and access management. Multi-factor authentication, least privilege access, and comprehensive logs to account for who accessed what are industry best practices that are not always applied to UC. Password management for voice mail and other services should be multi-factor and require 2 factor tokens for system administrators. The password reset process should be as rigorous as the organization’s network password policy dictates.
• Proxy All Services – proxies provide the following features:
  1. Packet Inspection – Unencrypt each session and inspect the signaling packets and scan each packet and stream
  2. Secure Firewall Transversal – Set up specific TCP ports to go through a firewall and handle the NAT required at both layer 3 and layer 5
  3. Log & Alarm – Gather a log of all sessions and generate real-time alerts when there are anomalies such as a spike in traffic, malware detection, multiple session failed attempts, …
  4. DLP – When required, record the session – Important for screen share logging.

While web and email proxies are common and SBCs act as a voice proxy, other proxies must be added. You’ll want to be sure to add chat/presence and video proxies. That said, at present these proxies are proprietary. A few examples include Microsoft with their Edge & Reverse proxies and Cisco with their Expressway offering. For example, let’s look at a WebRTC Gateway with ICE, STUN and TURN services used as appropriate. To add to this list, with the use the Communication Platform as a Service (CPaaS), all API’s should also have a proxy so an enterprise can enforce governance and compliance of all data going in and out of the organization. Figure 5 is a high-level example of this.

Figure 5. Proxy In The Middle Model

• Securing the UC appliances – Scanning on a regular basis and applying vendor security patches immediately, plus turning off unused services. While this may seem obvious, many enterprises fail to do this because they have end of life equipment and the UC infrastructure does not always reside in the security managed part of the data center.
• Log & event monitoring – Every large enterprise has Security Information and Event Management system. The UC systems should tie into this.
• Audit – While all large enterprises and government agencies get 3^rd party audits of their critical or sensitive transactions, this is rarely done for interactions. Getting a 3^rd party to audit UC security and interactions is an emerging best practice. Penetration testing should be part of the audit process. Too often, UC applications run on proprietary hardware with locked variations of Linus or other OSs that is not regularly patched.
• Training – No matter how secure your systems are, users can be lazy and not take security seriously. If they or the people they are talking to are on an unsecured session, confidential, private, or regulated information should not be shared.
• Phone Number Authentication – Phone numbers can be spoofed, but there are cloud based services that can help validate a phone number. CAaaS, Call Authentication as a Service — While basic telephony security is aimed at mitigating things such as telephony denial-of-service attacks, robo-calling and call spoofing are becoming more prevalent threats. More enterprises are reporting robo-calls coming into the enterprise and tying up network and telephony resources. Cloud-delivered call authentication services can block these calls before they get into the enterprise. The nice thing about these CAaaS solutions is that they can provide different levels of authentication based on business risks and call origination or destination. To give you a real world example, the following is an overview of a CAaaS from SecureLogix, a well-known vendor in this space:

Figure 6. How SecureLogix’s Call Authentication Service works

The FCC has recently mandated that telephone carriers stop robocalls. The standards to do this are based on: STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) standards. This will make it so that every phone has a certificate of authenticity attached to it, a kind of digital signature, that would provide trust again in caller ID.

While the adoption of STIR/SHAKEN by the major phone companies will help, it still will be years before this is fully implemented and the number of robocalls go down. For instance, a lot of the inter-telephone networks are still based on legacy TDM technology. STIR/SHAKEN only work on VoIP calls were a X.509 certificate can be added to the call.

• Tiered Solutions – Different users and use cases dictate using a different UC platform. Enterprises and government agencies should adopt a 3 tier UC model and ensure uses are using the right tier for the communication based on costs, privacy, confidentiality, security, and performance requirements. More details on this recommendation are in the section below.

Using NIST as a Framework for UC Security

Consistent with TechVision’s recommendations in other reports, we recommend using the NIST Cybersecurity Framework as a foundation for your overall security program and look to apply it to your UC security approach. The NIST 800-53r5 is a foundation of what the Government and government contractors use for their security. While NIST does not cover UC security specifically, we are utilizing their framework as a foundation.

Figure 7: The Five Core Functions of the NIST Cybersecurity Framework

For more information on the NIST framework and how to use it, see TechVision’s report Evolving Against Vulnerabilities, Breaches, and The Next Cyber Attack by Nick Nikols and Gary Rowe.

The National Institute of Standards and Technology (NIST) recommends is a three-factor MFA strategy for highly secure transactions and interactions. TVR added a 4^th. As shown below, the four factors should be based on:

• Something you know – password, mother’s middle name
• Something you have – smartphone, token, certificate on device
• Something you are – fingerprint, voice print
• Something you’ve done – previous transaction, discussion topic, context

With each of these factors, you’ll need additional verification. For example, just last week Google announced its advancing research on fake audio detection.

Personally, when my stockbroker calls with the latest stock tip and buy recommendation, these days I do more upfront vetting, so to speak – spending more time in the introduction and catching up on our personal lives, before giving out any financial information. Besides registering my stockbroker’s phone number and voice, I validate that he is who he says he is by discussing things that only he knows about me and my previous transactions.

Tiers of Unified Communications Security

Many enterprises try to have a single collaboration platform. The challenge with this model is that enterprise grade security is not good enough for highly sensitive information or the level of compliance and privacy required. More and more enterprises and government institutions are adopting multiple platform strategy to balance costs, ease of user experience with the appropriate level of security and compliance required for a team or group of employees and their associated external partners.

Techvision Research recommends that enterprises adopt a tiered security model as shown below in figure 8. Figure 8, shows a three-tiered UC security model with consumer, enterprise, and ultra-security grades. Ultra-security is required for protecting intellectual property, for compliance requirements such as M&A deals, and to ensure privacy.

Figure 8. Tiers of UC Security

In each of the tiers, there are 6 areas that we focus on for setting the level of security as follows:

• Identity – Ensuring the people who are collaborating are, who they say they are.
  1. Tier 1 – Users enter the username and/or phone number to join a conference call.
  2. Tier 2 – Users must enter a username and password to join a collaboration session. This information is validated against a directory with associated permissions.
  3. Tier 3 – Users must enter a username and password to join a collaboration session along with MFA. The very most secure systems add time and location as part of the MFA validation. For more on MFA, see the TVR research report on MFA.
• Network – Ensuring the network that the communication is going across is secure.
  1. Tier 1 – Any network including the public IP network or a cellular network.
  2. Tier 2 – Use of a private network and associated private IP address. Remote uses outside of the enterprise offices must use VPN solution to connect to the private network. Also, mobile enterprise managed devices are use a Mobile Device Manager to ensure the mobile network being used is secure.
  3. Tier 3 – A zero trust networking approach where users must have defined network access to collaborate.
• Encryption – Type and use of encryption on the UC collaboration application
  1. Tier 1 – Encryption is optional. Most encryption used on telephony systems such as SIP trunks is point-to-point.
  2. Tier 2 – Requiring application encryption on the UC client. TLS is the most common with D-TLS being used on WebRTC. This encryption is end-to-end for the entire collaboration session
  3. Tier 3 – Requiring each message or file within a collaboration session to have its own encryption and user permissions.
• Device – The device being used for communication and collaboration
  1. Tier 1 – Any device can be used, whether it is a person or enterprise managed or own device
  2. Tier 2 – An enterprise managed device that uses MDM to control and log what a user has access to and does.
  3. Tier 3 – A enterprise or government agency owned device that is locked down where a user cannot add any software to the device
• Proxy – Using a proxy when services are going from a private network to another public or entities network.
  1. Tier 1 – Optional capability and not required
  2. Tier 2 – Proxy for each service used in communication and collaboration – email, voice, video, chat
  3. Tier 3 – Ability to track information coming in and out of an organization and the feature of adding watermarks to audio, video, and content. For instance, Zoom.us has the ability to add watermarks to a conference call, so that if it gets leaked to YouTube, the person on the call who leaked it can be identified.
• SIEM – Ensuring all security events are recorded and managed
  1. Tier 1 – Optional capability and not required
  2. Tier 2 – Required that all of the UC system components are tied into the corporate SIEM and that all events are defined and categorized.
  3. Tier 3 – Adding artificial intelligence to the SIEM to be able to detect abnormalities in the communication and collaboration.

Another way to look at the UC Security framework is as a pyramid, because only a small percentage of use cases need ultra-secure communications. For many large enterprises, 70% of calls can leverage consumer grade security, 25% enterprise grade, and the final 5% is military grade, ultra-secure.

Figure 9 – UC Security Framework Pyramid

Some common enterprise examples requiring ultra-secure communications include:

1. Protecting Intellectual Property: R&D team chats, files, and interactions are secured and controlled via strictly defined access rules including location such as R&D facility and manufacturing plant in foreign country.
2. Ensuring Privileged Company Communications: CEO and Exec Management interactions regarding M&A deals, Investor relations, Sensitive HR comms, CxO status meetings.
3. Providing Ultra-Secure Communications: In the event of a cyber-security breach or suspected attack, being able to communicate in a secure, out-of-band, trusted-circle or channel is critical so hackers cannot be part of your remediation actions.
4. Securing Sensitive Customer Service Interactions: Some external customer and frontline communications need to be kept from going rogue under any circumstances due to potential brand and reputational damage implications.
5. Compliance: Manage GDPR cross-border PII data transfers without hassles, comply with labor laws such as “right to be forgotten,” or “right to disconnect,” be able to offer CCPA protection to customers with the ability to provide compliance audits such as HIPAA related communications.

Advancing the UC Security Model

One of the fundamental problems with IT security (and Identity Management) is that there are a bunch of point solutions or pillars that are often not well integrated. These solutions are binary (allow or deny) and use a smaller rule set when allowing access. While Identity and Access Management (IAM) and firewalls using IP address (location) and protocol are mature markets, there are some gaps. UC specific needs include:

• Context Using Call History – Has this person called me before and did I accept the call and talk for more than 3 minutes? The products on the market will see if a phone number is valid and authenticated or look in my contacts file to see if the number is there.
• Per Message Encryption – Today the encryption on communication is constant. A key is defined, and then used perpetually. This is similar to encrypting all customer data with the same key, so if an attacker gets one key, they have access to all the data. Every communication session should use a different encryption key
• Physical Location – Only allow communication to occur or messages to be read if one is at a physical location that can be validated using GPS, Wi-Fi, or Near Field Communication (NFC).
• Time – Critical messages and data should have an expiration time on them. While they can be stored centrally if need be for compliance reasons, on end user devices the key that is used to open the information should expire.
• Rules – Instead of utilizing and binary decision of allow or deny, moving to a multi-variable scoring model and based on criticality of communication. Tracking anomalies is a great way of spotting an attacker.
• UC Biometrics – Video/Facial recognition and voice recognition are becoming more mainstream. While these can be spoofed, it is not easy, and when combined with other forms of authentication, they are a value add.

In figure 10 is a list of criteria that we have use for determining the level of security. For highly secure communication, each of the 6 areas must have a score above 99.9% assurance. If one area is missing, then additional then communications is either denied or additional security rules should be applied.

Figure 10. Conditional Access Security Criteria

Using all these variables in a dynamic environment allows enterprise and government agencies to provide conditionalaccess. Conditional access automatically accesses trust and risk for every interaction and puts time limits on this access

What to Look for In A Secure UC Platform

A secure messaging and collaboration platform solves the security and compliance problems that businesses face today. This includes providing direct messaging, group chat channels and file sharing with easy-to-configure policy and management controls that exceed the toughest ICA requirements.

Integrity: All message content is controlled within a closed-loop system, with each message digitally signed, fully auditable and traceable and no reliance on usernames and passwords, eliminating the spoofing and phishing problems that email suffers from.

Confidentiality: Every message is end-to-end encrypted, and the entire system is based on a zero-trust architecture. No data is ever exposed to back-end servers or to untrusted parties while in transit or at rest.

Availability: Application administrators can set policies which control access to data according to time and location-based restrictions. This helps with compliance and policy enforcement, only allowing data access WHEN and WHERE appropriate. Data retention policies can be set which allow administrators to retrieve data for compliance purposes.

The specific features of the solution include:

Encryption Specifications

• Per-message 256-bit AES encryption
• User-to-user mutual authentication with 512-bit secp256k1 elliptic curve cryptography
• SHA256 hashing for message and authentication packet integrity

Zero Trust Architecture

• Servers are merely ‘dumb switchboards’ serving to connect two users without any insight into message content or files shared
• All encryption keys are maintained at the endpoints and under control of the company administrator
• All application traffic is end-to-end encrypted
• No unencrypted application data is ever exposed on back-end servers

Time and Location Policy Enforcement

• Using a unique combination of on-device sensors, locks all data in the app based upon schedule restriction policies
• Time restrictions can be set to comply with labor law requirements, preventing off-the-clock compensation claims due to salaried employees contacting hourly employees after work hours
• A UC application which complies with the new French Labor Code Article 55 or ‘right to disconnect’
• Exceeds the requirements for US labor law compliance for preventing employee work-related communications outside of paid work hours for hourly employees
• Location restrictions can be configured to assure that data is only available either at specific company locations or within approved countries
• Country-level location restriction policy for enterprise collaboration applications to facilitate endpoint data compliance with GDPR
• Exceeds even the most-stringent requirements of data portability laws such as ITAR, CCPA and HIPAA

Integrated with Enterprise IAM

• MFA for identification
• Access controls for who can access what features
• Periodic access governance
• Perhaps privileged access management (PAM) integration for managing all UC configuration and administration

UC Security, like most security, should be constructed with a layered defense. Figure 11 shows one such model.

Figure 11 Layered UC Security Defense Model

UC Security Vendors

The challenge with the UC security market is that it is still evolving and there is not a single vendor that provides an entire suite. We have broken the UC Security market up into six categories and highlighted a few vendors that enterprises and government agencies may want to consider as they implement their UC security strategy.

• Session Border Controllers (SBCs) – SBCs are used primarily to secure an enterprises VoIP telephony connection to a service provider. They ensure the SIP signaling is valid, have the option of encrypting the voice media, can throttle number of in and outbound calls to keep back systems from being overwhelmed. Examples of leading vendors in this space include: Cisco, Oracle/Acmepacket, and Ribbon (The merger of Sonus, Geneband, and Edgewater).
• Phone Number Authentication (PNA) – PNA’s are used to validate if a phone number is valid and the percentage likely hood that the assigned device/user to that phone number is them. Examples of leading vendors in this space include: Neustar, Nuance, Pindrop, SecureLogix
• Telephony Denial of Service (TDoS) – With cloud-based Communication Platform as a Service (CPaaS) it is easier and cheaper now than ever to be able to set up an outbound dialer and send thousands of calls per second to specific number and overwhelm an enterprise or government agency’s phone number. An example of a leading vendor in this space is SecureLogix.
• UC Security Client – A client that resides on a user’s device that augments or replaces the security that comes with that standard device and/or UC clients. Examples of some new vendors in this space include: Journey.ai and Hotshot.mobi
• Data Loss Prevention (DLP) – Some level of analytics to spot fraud and anomalies along with the ability to add watermarks to audio and video. Examples of vendors in this emerging space include Zoom for watermarks and Ribbon for UC security analytics.
• UC Biometrics – The uses of voice and video/facial recognition in conjunction with a unified communications session. An example of a leading vendor in this space is Nuance for voice and NEC for facial recognition incorporated with UC.

Of all the vendors in the UC security space, Nuance has the most comprehensive suite currently. While they currently focus on the contact center portion of UC, it is reasonable to expect them to create a cloud solution with APIs that are available for enterprises and UC vendors to incorporate. Below is an overview of the UC/CC Nuance security suite.

Figure 12 Nuance Security Suite

UC Security Realizations

In researching and writing this paper, and few things have come to light which represent opportunities in the market.

• UC Ultra-Secure Client – Standard security that comes with today’s devices and UC apps is not good enough for all use cases. Which vendors will drive and own this Ultra-Secure client is TBD. Because security is end-to-end and has many integration points, the solution will be complex. Lack of standardization will slow down this market, but there is a need and demand for more secure unified communications.
• UC Security Rules Engine – Every UC session has different security requirements. Today, we leave this up to enterprise UC admins in conjunction with users to determine the best approach on an ad-hoc basis. As we move to conditional access, the security rules will need to be dynamic and treated as a case-by-case basis.
• Moving to Industry Leading Security – Most enterprises and government agencies are minimally compliant and meet or have plans in place to meet the regulations in their industry. The problem with this approach is that it lags what is actually happening by a few years. The speed at which attack vectors will occur will only grow. Since the UC space has fewer regulations, up until now it has largely been ignored. Since security also has compliance and privacy implications it will become the number one priority of most global organizations.

Going forth more enterprises will start selecting UC platforms based on their security capabilities, not just their features, price, and usability.

Conclusion

The drive for business agility is stimulating companies of all sizes to adopt unified communications as a primary vector for enhanced communication and collaboration capabilities between remotely located and mobile employees, its supply chain and partner ecosystem, and with customers. Organizations recognize the value of UC technologies for improving end user productivity, increasing customer satisfaction and reducing communication costs. These benefits, however, do not come without risks.

IT companies are dealing with three categories of threats when they adopt a unified communications solution: theft of service, denial of service, and privacy and compliance. Typical threats in these domains of risks for the dominant technologies used in unified communications were identified and mitigated.

Enterprises that have deployed unified communications solutions to increase productivity, improve collaboration, and reduce capital equipment and operating expenses, need a strategy for protecting communications. UC & Security architects, engineers, and managers will have to work together to incorporate UC’s unique security challenges into the overall enterprise security program

Conventional IP security products (such as firewalls and intrusion detection and prevention systems) were not designed with these kinds of real-time communications in mind—leaving organizations vulnerable to security threats. When introducing UC platforms, IT teams must craft new strategies and identify new security solutions to protect and control real-time communications flows. Session Border Controllers (SBCs) were designed to overcome the unique security challenges enterprises typically encounter when introducing VoIP/SIP. Other security products are coming to market to enable enterprises to enhance the security over and above what comes natively with their UC solution.

Unfortunately, there is not a “one size fits all” model for UC security, so enterprises must select which users, under which circumstances should use which levels of security. TechVision Research recommends a 3-tiered model. The ultra-secure communication offering utilizes location, time, and context on-top of the traditional three MFA model of something you know, are, and have.

Too many enterprises rely on SMS messages as part of their MFA strategy. While this is OK for standard access, there are too many vulnerabilities when using a mobile device and SMS to gain privileged access. While a phone number can be used as part of one’s identity and as a way to call someone, it can be easily spoofed so should not be solely relied upon.

About TechVision

World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skillsets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.

TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.

About the Authors

Sorell Slaymaker has 30 years of experience designing, building, securing, and operating IP networks and the communication services that run across them. His mission is to help make communication easier, cheaper and more secure since he believes that the more we communicate, the better we are. Prior to joining TechVision Research, Sorell was an Evangelist for 128 Technology which is a routing and security software company. Prior to that, Sorell was a Gartner analyst covering enterprise networking, security, and communications.

Sorell is an IT Architect with a focus on network, security, and communications architecture. He specializes in IT Architecture – Network Architecture, SIP Trunking, Contact Centers, Unified Communications, and Security Architecture.