Is an SBC the Essential Umbrella in a Cloud UCaaS Deployment?

21 May 2014

Cloud, CaaS and UCaaS (UC as a Service) solutions are exploding. With the advances in bandwidth and reliability of the internet today, a decision to move the communications control systems off the premises and to the cloud is getting easier. Deployment options vary, from so-called "private clouds" to a full-blown UCaaS solution where the only equipment on the enterprise site is the endpoint devices. The reasons for moving to the cloud for communications are varied. While there are ongoing arguments over the relative TCO of cloud versus premises solutions, many are finding the cloud model, with reduced Capex and the elimination of long-term vendor lock-in, to be a better option for their organization.

Installing a cloud communications service is simple, right? We just drop a few IP endpoints for our users, they connect to the cloud service, and off we go. While this may work, it requires the security appliances at the edge of the enterprise to be opened up to enable the VoIP traffic. This may seem similar to SIP trunking, but there are fundamental differences. The traffic does not all come from or through a single point in the enterprise, as is often the case in a SIP trunk solution. Both the signaling and the RTP media traffic will come from each endpoint, with the device IP address (or its NAT translation) as the source. This is complicated enough, but it becomes even more complicated when peer-to-peer operation makes the far endpoint of the IP flow an end-user device or any of multiple locations. These can be different VoIP-to-PSTN access points, based on country or location, that the UCaaS vendor uses to optimize the traffic. Or, increasingly, they may actually be IP endpoints with direct peer-to-peer RTP media flow, which is common in systems like Lync. And these flows and endpoints use the same ports as other IP communications systems like Skype, so opening those IP ports may enable other systems that organizations do not want open for security reasons. The answer to this challenge is to deploy an SBC at the edge of the enterprise to manage the UCaaS traffic.

For most organizations, deploying a cloud or other off-site UC (or VoIP) platform opens the organization to a variety of attacks. As we all know, there is a wide range of miscreants who are continually looking for a path into your enterprise. The recent events at Target and other companies show how hackers target any weakness. With the explosion of cloud-based communications services and SIP, it is only a matter of time until these folks begin to see that there is a new potential path to valuable data. The danger is exacerbated by the peer capabilities of UCaaS, including file and screen sharing. Much of the enhanced value of a UCaaS service is often in the ability to extend the benefits of UC outside of the organization's boundaries. As these protocols and devices open holes through your security fabric, they may also open doors to viruses and other security issues. Also, enabling video on access IP pipes may have a major impact on the available bandwidth for other business processes. By blocking these capabilities and limiting your users to a simple set of internal services and PSTN access, you may be missing much of the value and profit-increasing potential of the solution you are buying.

For many organizations looking to take advantage of the emerging cloud models, whether for cost, capability, or other reasons, including an SBC in the investment model is a valuable consideration.


This paper is sponsored by Sonus.
