February 3, 2017
Got mobile? If you are like most businesses looking for an edge (becoming more productive, increasing customer engagement) you are evaluating migrating to a ‘mobile first’ strategy so that your employees can access the business applications they need for daily job functions as well as communicate with customers and colleagues whenever, wherever. It’s easy to just focus on ‘making it work’ as there are plenty of challenges to solve in this category but making it work without building in the appropriate amount of security means you are leaving yourself open to risk. Just ask Target, Home Depot or even Oracle.
In this blog we focus on securing mobile voice communications from employee mobile devices, both corporate liable and personal liable (BYOD). Mobile devices are inherently harder to secure as unlike desk phones they cannot simply be placed behind the corporate firewall. So how then do we securely connect them to enterprise applications such as Unified Communications solutions, recording systems, and workforce optimization platforms that are behind the corporate firewall? There are four mechanisms to consider:
- Session Border Controllers (SBCs) – SBCs were originally introduced to secure the border between enterprise networks and those of public Internet Telephony Service Providers (ITSPs). These same SBCs, however, can be used to allow secure access to/from mobile voice apps. By locking down access to known protocols such as SIPS and HTTPS and providing robust, 2-factor authentication, SBCs can provide both lightweight and highly secure access for mobile voice apps.
- Mobile Device Management (MDM) – MDM solutions sprang up in response to the IT department’s need to manage corporate mobile devices. They can perform a range of functions including securing data stored on the device, regulating installation of mobile apps, and providing a secure IP tunnel (generally IPsec) into the enterprise so that data applications can access enterprise applications. Mobile voice applications can utilize this secure access to connect to UC, recording and other voice solutions within the enterprise.
- Mobile Network VPN/APN – But what if you want a secure data pipe to the mobile device without having to deploy an SBC or MDM solution? Some mobile operators offer secure VPNs that provide secure connections from their IP networks to yours. This is generally implemented as an IPsec connection to your enterprise security appliance while over the air security is via standard 3G/4G mechanisms. This mechanism is more appropriate for corporate liable devices as all data, including that from personal apps, is routed from the device to the enterprise using a special Access Point Name (APN). Note that while VoLTE capable devices send voice calls over LTE as packet data, calls are routed via a specific VoLTE APN and are therefore not redirected to the enterprise. The voice media for enterprise bound calls is routed via the Public Switched Telephone Network (PSTN) instead.
- Mobile Voice Network Peering – While Mobile Network VPN/APNs provide a mechanism for securely transporting data from the mobile device to the enterprise, Mobile Voice Network Peering allows the mobile voice media alone to be securely transported to the enterprise where it can be routed by the corporate networks. This is usually implemented via an MPLS-based VPN between the mobile operator and the enterprise. In this model mobile data to and from the mobile device continues to flow directly to the public internet through the mobile operator network. This model supports both VoLTE as well as legacy 3G/4G cellular voice.
Choosing one of the above mechanisms helps ensure only the good guys get into your network. But what happens when a bad guy sneaks past your well-thought-out defenses or a good guy goes bad? In that case you need to record usage patterns and use big data analytics tools to identify bad behavior, alert the appropriate resources, and optionally block it from occurring.
As an example, let’s look at a case where an employee has been socially engineered out of their user name and password credentials. Let’s further assume you weren’t able to implement 2-factor authentication. At this point the bad guy begins using your corporate voice network and PBX to route outbound international calls for all his friends. Being smart, you’ve blocked the known fraudulent country codes but you’ve had to allow access to other countries where you do business. This is where big data analytics comes in. Your voice security solution should have already established normal calling patterns for each user account and should therefore be able to identify this new, non-conforming behavior. It will then block the fraudulent calls while simultaneously alerting your security and IT resources.
Security often focuses on keeping bad guys out and maintaining system integrity. You can, however, use the same analytics tools to mitigate other risks. For example, would you like to be alerted if your employees are calling phone numbers associated with competitors or head hunters? Things get even more interesting when you combine big data analytics with the Internet of Things (IoT). How about monitoring the mobile usage of your fleet drivers while they are operating a company vehicle? Not only can you track that risky behavior, you can mitigate it by redirecting inbound calls made to those employees while they are driving. We offer a range of solutions to ensure that policies like that can be enforced seamlessly, even if the employee is using a personal device.
So don’t be afraid to go mobile but make sure you consider security at each step and invest in the right infrastructure to allow you to go mobile safely.