About Unified Messaging - Usage and New Security Issues (Page 6 of 11 )
When voice messaging is introduced to the data environment, a whole set of new security issues arises. Understanding these issues and how to address them is crucial to a successful transition from legacy voice messaging to unified messaging. Ignoring these security issues and others like them will prevent you from realizing the finer benefits of unified messaging. It should be considered a best practice to address these issues during the planning and design process for any given Unity deployment:
- Privacy and confidentiality in voice messaging across an e-mail enterprise.
- Privacy and confidentiality in text to the speech of electronic mail through the telephone.
- Encrypted messages for the end user regardless if they’re using their GUI e-mail client or the Unity TUI.
* Encrypted calls from Unity to CallManager and then from Unity
to the messaging system it services.
These issues are presented in the following sections so that the awareness of them is raised from the start.
Privacy and Confidentiality in Voice Messaging Across an E-mail Enterprise
In a legacy voice-messaging system, messages do not have the freedom to travel in such an “out-of-control” way as what you might see with an e-mail message. Thus, a confidential voice message left for a voice-mail subscriber is heard only by that person—no one else. Not many options are available for forwarding confidential messages to just anyone, and users do not have the freedom to edit the contents of the confidential voice message and resend it as if it came from the same original sender.
When voice messaging is introduced to a legacy e-mail environment, such as Exchange or Domino, confidentiality parameters must be addressed in the legacy e-mail or messaging environment. To prevent messages marked as confidential from being sent to just anyone, these confidentiality flags (marking a message confidential) must be used and maintained in your messaging environment. Without the support of and use of such confidentiality flags, voice messages can be sent to a wide number of people rapidly, without any capability to control who can receive the messages.
Privacy and Confidentiality in Text to Speech of E-mail Through the Telephone
With unified messaging, new functionality is present that does not exist in a legacy voice-messaging environment. Unified messaging has the capability to “voice-enable” a legacy e-mail environment, enabling the subscriber to play back voice messages and e-mail messages over the telephone. To play back e-mail messages over the telephone, text-to-speech (TTS) technology is used. This certainly sounds like a good idea, but what happens now that an outside caller can dial into a unified messaging system, log in as someone else—say, the CEO—and play back that person’s confidential e-mail messages over the telephone? What happens is a very unhappy CEO.
Fortunately for Unity, it can support two-factor authentication that can then be tied to a class of service that supports TTS for subscribers. This means that subscribers who have the capability to play back their messages can do so only if they authenticate over the telephone using two-factor authentication. In Unity’s case, this is the subscriber’s extension and SecureID pass code entered from the subscriber’s token or FOB. Without a pass code, Unity denies access into the system and prevents unwanted intrusion into mailboxes that have the capability to play back TTS. For more information about Unity’s support for two-factor authentication, see the Unity Administration Guide on the Cisco website at www.cisco.com.
So, here is another paradigm shift. In a legacy voice-messaging environment, an intruder can call into the system and access the CEO’s voice mail if that person can figure out his or her password. This has been an ongoing issue that seems to have been ignored or “played down” in its level of criticality to a business’s daily operations. However, if you have a unified messaging solution and the same intruder accesses the CEO’s voice mail, the issue is considered quite critical because the intruder also has a chance to listen to e-mail messages over the phone (if this feature is enabled). Both issues should be considered critical and they merit equal attention and care. In essence, by adding two-factor authentication capabilities to your unified messaging system, you alleviate both problems equally. As a subscriber, you must use your subscriber ID and SecureID pass code to access the system, whether you are checking voice mail or playing back e-mail. From an authentication standpoint, both are now more secure. This means that, when it is applied, Unity’s support of two-factor authentication for unified messaging is a far more suitable solution for playing back any type of message over the phone. If you will not use two-factor security, you can best keep your e-mail secure by not using TTS for subscribers to check their e-mail messages over the TUI.
 This chapter is from Cisco Unity Deployment and Solutions Guide by Todd Stone (Addison-Wesley, 2004, ISBN: 1587051184). Check it out at your favorite bookstore today. Buy this book now.
|
Next: Encrypted Messages, Encrypted Calls >>
More Administration Articles
More By Addison-Wesley Prentice Hall PTR
/ 3 
