Critical UC Security Questions to Ask Your Vendors
Whether or not any individual or organization shares the valid concerns raised by recent security incidents in the communications industry, we can all agree that the horse has left the barn: IT teams can no longer approve and manage every single communications service, app, or SaaS tool that makes its way into the business. However, enterprises cannot afford to treat governance and security differently in freemium land-and-expand scenarios, where employees download or purchase their own communications tools, than they do in front-door IT decisions and procurement processes.
That uniformity in treatment includes asking the right security questions of any vendor providing communications technology, regardless of whether the tool is introduced and implemented by individual employees or IT. Questions need to go beyond the cosmetic “what” and revolve around the “how” and “why.” Your enterprise needs to look beyond communications vendors’ security and privacy certifications and instead dig deeper into how their engineering culture designs for security as well as into what they do automatically to ensure the security of their apps and services.
It’s incumbent upon vendors to educate and remind customers of key criteria, but ultimately customers must be consistent in asking the right questions of their current and prospective vendors to verify their security. Here are some suggested questions and areas of focus to get the right conversations sparked:
- Does the vendor’s engineering culture prioritize security? It’s easy to say so, but do their actions reflect it or do they take shortcuts in pursuit of customer acquisition and feature delivery?
- Who comprises the engineering teams developing and operating the service? Are they accessible and transparent? Do they engage with customers and are they responsive to customer needs?
- Where do the vendor’s security mechanisms end, and where are we expected (or obligated) to pick up and provide our own mitigation of security threats? For example, is all media, signaling, and stored content within our communications encrypted? Is that automatic, or is it left to us to discover and enable manually?
- Is the product or service built on top of WebRTC so it can run natively in popular browsers, and does it adhere to those browsers’ security controls? Is the core of their application open to inspection and testing by the broader security community?
- How does the vendor ensure that bugs and vulnerabilities are addressed through software updates? Are apps and systems updated automatically by the vendor to be sure that they’re on the latest version, or do we have to discover that an update is available and install it ourselves? If the latter, can we deploy it everywhere centrally or are we dependent on users manually updating apps themselves?
- Fundamentally, can we trust this vendor’s security philosophy and business practices?
This isn’t meant to be a comprehensive list, but it can serve as a good starting point. There are rarely simple answers to these complex questions, to be sure, but they’re still worth asking. As a vendor in the video communications space, we ask ourselves these questions every day. To see how we address them, visit our website or reach out to strike up a conversation – that’s the type of healthy customer/vendor dialog we should all encourage and welcome.