Cloud telephony systems have been increasingly employed by companies as they have proven to be an efficient resource for fully outsourced infrastructure, or just for remote hosting and collocation data centers. They have also proven to be cost-effective, especially in reducing key infrastructure costs that require high investments.

However, as any user connected to the Internet is aware, the risk of getting malicious content such as spam, worms, and viruses is high. As cloud telephony systems become increasingly popular, the threats have evolved here as well. Since the cloud telephony system is an integral part of the business, cloud telephony risk management is necessary to ensure that data is not lost and data security is maintained.

Evaluate the risks

As with any problem, the first step is determining the risks your business faces. A network security expert may be useful to assist you with determining these risks. Once the risks are determined, the most appropriate security framework can be chosen to fit your company.

Specific considerations with CSP (Cloud Service Provider)

The best way to safeguard any system is to know it inside and out. You must discuss the specifics of the system with the cloud service provider. You need information on what the basic systems architecture is, where the data is held, and who has access to the data.

Other information that needs to be clear is the following:

  • How, when and where is the data encrypted?

  • Are text protocols allowed and in use on the network?

  • How are incident responses handled?

  • What are the fault tolerance capabilities of the CSP?

The considerations do not stop there. You should also check what applications the CSP will be hosting, the information they contain, the internal technical standards that need to be replicated by the CSP, and the regulatory requirements that need to be met.

And of course, you should also check the security measures they support. The CSP must provide information such as the following:

  • Where are encryption keys stored and managed, and who has access to them?

  • Is anti-virus and anti-malware software installed on the server and workstations?

  • What password policy is in place?

  • What firewalls and web filtering technologies are in place?

  • What data leakage prevention controls are in place?

  • What baseline security requirements are installed for the applications, databases, systems, network infrastructure and information processing?

  • What wireless network encryption is used, and are these networks isolated from other internal networks?

  • Is two-factor authentication required for remote administration on all networking and infrastructure devices?

Selecting and applying the appropriate risk framework

After learning the specifics of your cloud telephony system and determining the risks, the next step is to select the appropriate risk framework to fit your system and then apply it. There are several frameworks to choose from to ensure cloud telephony risk management is effective.

Some of these frameworks are COBIT (Control Objectives for Information and Related Technology), ITIL (the IT Infrastructure Library), the ISO 27000x, PCI-DSS (the Payment Card Industry Data Security Standard), and the CSA (the Cloud Security Alliance).

CSP Due Diligence

Cloud telephony risk management does not stop with the application of the security framework. The CSP must still perform due diligence according to elements such as third-party reviews, documentation of information security and continuity programs, financial and insurance information, references and independent research, and vendor history.

Michelle Patterson is an avid technology blogger and writes extensively about IP/VoIP and Unified Communication. She works with some leading companies to understand the trends of these modern communication technologies.