Ask Ash: How to keep UCaaS secure in the era of hybrid work

Last week, we talked about the benefits of integrating office phone services with Unified Communications as a Service (UCaaS) platforms, like Microsoft Teams and Webex. But if you’re worried about the risks associated with sharing confidential information over these platforms- across various networks, and multiple devices, you’re not alone.

This week, we asked Ash Brar, director of product and solution engineering at Beanfield about the cybersecurity risks you may face when adopting and deploying fully integrated UCaaS across your business.


Can integrating an office phone system into a UCaaS platform cause more cybersecurity risks?

Integrating PSTN integration into UCaaS creates a new, larger and more complex “attack surface” than if you keep your phone system separate. Like anything else that lives on the Internet, both Voice Over IP (VOIP) phone services and UCaaS platforms face cybersecurity risks. With Integrated calling, calls happen over the internet, from any device, and running as an app, so there are more vectors by which bad actors can access sensitive data, whether in storage or in transit.


Here are the biggest areas of concern:


Compromise of content store

Most UCaaS platforms store administrative tools and login information, as well as collaboration content (think shared files, chat logs, and call recordings) in their own networks. Whether it’s locally, or on the Cloud, you need to be confident that their network storage is secure.


Data intercept

The calls you’re receiving or making if you have integrated PSTN probably hold the most sensitive information, since they are likely with customers and suppliers. Un-encrypted voice and media streams are more vulnerable to intercept than calls on a traditional PSTN network because they happen over the internet. Intercepts can expose calling and called party information, instant messages, and other content data, as well as the actual voice or video calls themselves.


That sounds scary! How can we avoid that?


In terms of securing stored content…

The good news here is the most popular, commercially-successful UCaaS solutions happen to be the best at keeping data safe – so a data breach coming from their side is unlikely. They ensure end-to-end encryption and have a reputation for keeping their networks secure. Some of the top UCaaS providers can even let you take advantage of your existing secured cloud and integrate it with their platform, so you don’t have to worry about having data on multiple networks.

UCaaS platforms with less-robust security quickly fell out of favour since 2020, in no small part because they couldn’t cut it in terms of security. For this reason, you should be weary of smaller, less reputable players.

Another important aspect to consider when migrating to a UCaaS: No one should have unnecessary access to data, especially collaborators from outside your organization!

It’s important to be able to set up the right permissions for each user accessing the system. A reputable UCaaS will provide exceptional support for setting up user authentication rules and access permissions.


To protect data while it’s in transit…

The best way to protect data in transit is to encrypt it. Encrypting data ensures that anyone who would intercept it would find it to be unusable. To ensure that the data is encrypted through its entire journey, it needs to be encrypted at the endpoints (be it hard endpoints like desktop phones, or a software endpoint like an app running on a computer or mobile device) with encryption protocols.

There are two encryption protocols needed to ensure that safe travels for session data: Secure Real-time Transport Protocol (SRTP), which encrypts the actual contents of the calls, control using Transport Layer Security (TLS) protocol, which encrypts call party information, instant messages and other content data.


But what about folks working from home?

Endpoint security should be huge concern for any company that enables remote work, and work on mobile devices. In these circumstances, it’s difficult to know (a) if the individuals accessing your network resources remotely are who they say they are; (b) if the devices they’re using to access your network are compromised in any way; and (c) if the users are using unverified third-party apps (like generic VoIP apps) to access company resources by entering their credentials.

One way to mitigate these risks is to adopt a Zero-Trust Network Administration (ZTNA) security model. In a Zero-Trust environment, users have to identify themselves on a centralized system using two-factor authentication, and they have an obligation to make sure their devices are approved and secure. At the IT level, the framework allows for constant evaluation and authentication of users, gives them visibility into what resources a user is accessing, and the ability to spot suspicious behaviour.

If you have employees working from away, the Mobile Device Management (MDM) software should be integrated with your ZTNA strategy. Your IT team should have ability to control what apps can be installed on company devices and be able to assess the security posture of those devices  – which is hugely important – because a sketchy app or malware from an infected device could potentially intercept data.


Ash Brar is the Director of Product & Solution Engineering at Beanfield. With over 23 years of experience, he has worked in the service provider space covering a range of infrastructure and customer focused roles.
Do you have a question for Ash? Email us at

Share this article

articles related by: