Include:
Tech
Cybersecurity
Business Strategy
Channel Insights
Stay Connected
Acer America
Acer America Corp. is a computer manufacturer of business and consumer PCs, notebooks, ultrabooks, projectors, servers, and storage products.

Location

333 West San Carlos Street
San Jose, California 95110
United States

WWW: acer.com

ChannelPro Network Awards

hello 2
hello 3

News & Articles

December 21, 2020 | Robert Cooper

The Need for Secure-by-Design Architecture in UCC

Communications systems must have security measures built into their core design—not simply tacked on through updates.

The harsh truth for all things IT is that, as any given user base increases, so too do bad actors on the platform. With the pandemic-driven boom in videoconferencing and VoIP, we’re seeing this principle hold true in unified communications (UCC).

As concerns over security gaps have grown, it’s been left up to MSPs to focus more on securing UCC systems—no easy task, even under the best of circumstances. But even so, responses have often been lacking. The typical answer is to say that existing systems need to “beef up” their security: create more sophisticated firewalls, use a more complex VPN, or take other steps that will supposedly turn an unsecured system into a secured one. The logic is that a system with insufficient protection just needs more security added on, as if you’re installing extra alarm systems in an office building.

Add-on security doesn’t work in practice, however. While an extra alarm or two might add some security to an office, bad actors can always find a way to break into a building that wasn’t designed with security in mind. The same is true when it comes to UCC. All the patches, upgrades, and add-ons in the world won’t do much good if the platform lacks security as an inherent part in its design. This entails encryption integrated from the ground up, direct peer-to-peer network connections, secure logins, and password storage systems.

Anything less is just a security breach waiting to happen, and there are three big reasons why.

1. The So-Called “User Error” Problem

This phrase gets thrown around a lot to explain cases where an end user’s mistake causes a larger security issue in a UCC solution. Someone’s password was guessed by hackers? “User error.” People forgot to check a box and now their videoconference is hijacked? “User error.”

Let’s not mince words: Chalking up security breaches to “user error” is irresponsible at best, and at worst represents an outright dereliction of responsibility by the UCC vendor.

Cybersecurity is far too complicated to leave up to the end user alone. What’s more, human error and simple mistakes are some of the toughest things to guard a system against; they are the single biggest attack surfaces for digital systems. While there are basic online security principles that every user should be taught, consumers expect developers to do most of the legwork in keeping them safe online.

The fix is to eliminate the possibility of so-called “user error” right from the beginning with secure password requirements, inflexible network security, standard videoconference limitation settings, and other features. Anything short of that means the platform is leaving far too much up to the end user, and therefore to chance.

2. The User Experience

Even with all those parts of user implementation that developers can’t predict, there’s one thing they can assume: If a system is complex or annoying to use, end users simply won’t use it, no matter what company guidelines say.

In practice, bad usability most typically arises when security elements are tacked on: A VPN forces users to take extra tedious steps before using their system while also sapping bandwidth; meanwhile, an external SBC adds further management requirements onto the system and more hoops to jump through in setting up a UCC network. The same headaches are presented by other added-on measures, like external security programs or security update patches that require multiple steps to install.

The solution is much like in the first point: Don’t give end users the option to disable these features. And that simply can’t be done if you tack the features on like duct tape over a leaky pipe; the measures have to be integrated into the core design. Anything else runs the risk of affecting the usability of that system, and therefore risks frustrating users to the point of circumventing (and therefore invalidating) those efforts.

3. The Threat of Obsolescence

Finally, it’s worth addressing the ever-present issue of keeping a UCC security system updated. After all, the first thing any cybersecurity expert will tell you is that the online threats are always changing. Along the same lines of the usability issue, if patching in updates depend on the end user’s request, there may be those who miss the update or just feel installing it is too much of a hassle. The catch is keeping the system updated in a way that’s actually effective.

So on the one hand, there’s a clear need for updates to come in smoothly, invisibly, and without any chance for end users to disrupt them. But at the same time, we must question exactly what kind of updates should be made at all.

Grafting on an extra little bit of security is rarely a solution that affects a system in its totality; most often, it just adds a tiny bit of extra protection, patching one vulnerable hole without doing anything to affect the rest of the platform. And if the rest of the platform itself is susceptible to attack, then this approach is lacking overall.

As an alternative, updates should apply to the foundation of security already built for the system: its method of encryption, its secure peer-to-peer connections, its integrations, and so on. Implemented this way, security updates wouldn’t be just a quick patch, but a thoroughly applied upgrade that affects the entire system, leaving no elements compromised.

Modernizing Conceptions of Security

The bottom line is that quick upgrades won’t do much to amp up security if said security wasn’t there to begin with. It’s more vital than ever that MSPs do their utmost to ensure high security for their customers. That simply will not happen with a “release it now, patch it later” approach to designing a UCC platform. MSPs should seek a system that has security built directly into its foundation.

ROBERT COOPER is the managing director of Wildix, where he leads the charge toward a channel-focused approach to unified communications. In addition to his military background, he has over 20 years of experience in leading technology sales teams and has served on the White House Conference on Small Business.

Related News & Articles

Growing the MSP

Editor’s Choice


Explore ChannelPro

Events

Reach Our Audience