The Proper Security Posture for Cloud Communication Platforms

Guest Blog by Steve Smith, Founder and CEO, Fonative


Published: August 12, 2020

When it comes to cloud platforms, there are many elements to a good security posture, grouped into the broad categories of technology, process, and people. These areas need careful thought from the most senior architects, IT leaders, and senior executives at a modern company. Let’s face it: security is critical to any company and must be treated in a thoughtful and earnest manner, not as a checkbox on an RFP or something to be accomplished as cheaply as possible.

Let’s now talk about each of these broad categories in turn.

The technology aspects of security include hardening servers, tightly constraining firewalls, running file integrity checks, and intrusion monitoring. But this doesn’t just mean “protecting the perimeter.” Good security means locking down internal attack surfaces so that if someone does get into an internal network, they still can’t easily compromise systems or access information.

To effectively protect the telecom network and sensitive customer data, a key process is the operation of a 24×7 Security Operations Centre with AI-based monitoring of syslogs, net flows, system access, and other system events. Such systems are known in the industry as “SIEM” and can be built and operated internally or outsourced; either way, they represent a foundational aspect of security. Processes must also include solid, documented change management, periodic scanning and penetration testing, keeping operating systems and networking devices current with vendor security patches, and comprehensive reviews and audits.

But proper telecom company security also means “people”: designing an architecture that differentiates roles, permits the most possible work to be done with the least amount of access, and allows a company to closely vet, restrict, and monitor those who access sensitive data and systems. It also means frequently training staff on proper security practices and simplifying and automating as many maintenance and administrative activities as possible, reducing the need for human access to critical systems and the concomitant opportunity for human error, the weak link in many security breaches.

Lastly, end-to-end encryption of communication paths, combined with disciplined and stringent management of cryptographic keys, remains the most reliable way to protect communications while in transit and at rest.

Data privacy is a closely related topic. Data privacy requires good security but also encompasses issues surrounding where data is stored, how it is tracked, whether it can be obfuscated, redacted, or removed, and for what purposes the data can be used. Various data standards such as HIPAA for U.S. healthcare and GDPR, CCPA, and NY Shield all spell out the legal requirements for those managing patient and/or consumer data.

Security, privacy and compliance are not “fire and forget” activities for any size telecom company. Regulations, standards, policies, and best practices are continually evolving. Any telecom company, regardless of being a carrier, hosted provider, UCaaS, CPaaS, CCaaS, or collaboration and conferencing supplier (or increasingly, more than one of the above!), has to dedicate itself to staying abreast – or better yet – ahead of the curve.

For instance, when it comes to voice calls in the U.S., the FCC is moving quickly ahead with STIR/SHAKEN, a technical and regulatory framework that has been under development since 2013. It will enable end-to-end call signing, allowing carriers and call centres to authenticate that a received call is from a legitimate, non-spoofed source, and permitting traceback to guilty parties if illegally spoofed calls are placed. Firms involved in enterprise and consumer communications need to be implementing solutions for this today, before the FCC-mandated enforcement begins in July 2021.
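To make the call-signing check concrete, here is an added example (not from the original post or from Fonative) of a SHAKEN-style PASSporT, the signed token defined in RFC 8225 and RFC 8588, being issued by the originating provider and checked by the terminating one. The function names, the 60-second freshness window and all sample values are assumptions; in a real deployment the public key comes from the certificate at `x5u` and is validated against the STI certificate chain, whereas here it is passed in directly.

```javascript
const crypto = require('crypto');
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const unb64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Originating provider: sign calling and called numbers with ES256.
function signPassport(privateKey, c) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u: c.x5u };
  const payload = { attest: c.attest, dest: { tn: [c.dest] }, iat: c.iat,
                    orig: { tn: c.orig }, origid: c.origid };
  const input = `${b64u(header)}.${b64u(payload)}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
                          { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Terminating provider: check signature, freshness, and signed numbers vs. SIP signalling.
function verifyPassport(token, publicKey, sip, now, maxAgeSec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try { header = unb64u(parts[0]); claims = unb64u(parts[1]); }
  catch (e) { return { ok: false, reason: 'malformed' }; }
  if (header.alg !== 'ES256' || header.ppt !== 'shaken')
    return { ok: false, reason: 'bad-header' };
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (Math.abs(now - claims.iat) > maxAgeSec) return { ok: false, reason: 'stale' };
  const destTns = claims.dest && Array.isArray(claims.dest.tn) ? claims.dest.tn : [];
  if (!claims.orig || claims.orig.tn !== sip.from || !destTns.includes(sip.to))
    return { ok: false, reason: 'number-mismatch' };
  // attest = signer's confidence in the caller; origid supports traceback.
  return { ok: true, attest: claims.attest, origid: claims.origid };
}

// Constructed demo values: throwaway key, fictional numbers, placeholder URL.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const token = signPassport(privateKey, { attest: 'A', orig: '12025550100',
    dest: '12025550199', iat: 1600000000, origid: '00000000-0000-4000-8000-000000000001',
    x5u: 'https://cert.example.invalid/sti.pem' });
  return {
    genuine: verifyPassport(token, publicKey, { from: '12025550100', to: '12025550199' }, 1600000010),
    spoofed: verifyPassport(token, publicKey, { from: '12025550123', to: '12025550199' }, 1600000010),
    replayed: verifyPassport(token, publicKey, { from: '12025550100', to: '12025550199' }, 1600003600),
  };
}
console.log(demo());
```

The `number-mismatch` and `stale` results are what let a terminating provider reject a valid signature that has been attached to a different caller ID or reused on a later call.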

By starting things off with a security-first posture that includes technology, process, people, and development, a cloud communications provider can sleep well at night. They’ll know full well they are meeting the requirements that regulatory-compliant communications demand, keeping communications and data safe and secure for customers and their end-user customers as well.

 

Guest Blog by Steve Smith, Founder and CEO, Fonative
Fonative helps businesses connect with customers through voice and text, providing compliant communications as a Communications Platform as a Service (CPaaS). The company’s technology enables developers to easily incorporate calling and messaging capabilities into business applications, without the need to maintain servers, infrastructure, network, and telecommunication carriers. Combining carrier-grade technology with advanced call center capabilities and regulatory compliance, Fonative is the only suite of telecommunication services to meet the stringent requirements necessary in key industries such as medical, financial services, and government. For more information about Fonative’s Compliant Communications™ efforts, visit the company’s website.

 
