
Best Practices for Secure Enterprise Mobile Communication


Serge Zenevich, CTO, SoftTeco
While we hear more and more often about high-profile incidents involving hacked messengers and leaked call recordings, secure enterprise communication is becoming a hot topic in the field of information security. In the business world, where the value of secure communication is as important as ever, there have to be multiple ways of ensuring it.
“The highest level of security can only be achieved when the enterprise has full control of all the components”
When developing the concept for our own secure enterprise mobile communication solution, we arrived at the conclusion that for an enterprise to achieve a truly secure communication channel, it needs to have full control of all parts of the solution. That includes the server too. Only then can the company effectively protect the information being transmitted through that channel. This approach entails some advantages and disadvantages.
By owning the server, and not having data go to the cloud, you have full control over how the data is transmitted from start to finish. Only then can you be sure that no messages, recordings or file copies are being stored anywhere an unauthorized party can access them. The safest way to set up a VoIP and messenger server is for it not to store any information, and the only way to make sure that it does not is by setting it up and controlling it yourself.
When no data is being stored on the server and the backend architecture is smart enough, the server can be put on a device as small as a USB stick, making it mobile, easily concealed and able to work like a plug-and-play device.
Another important benefit of having your own backend infrastructure is that it gives you the ability at any point in time to scan your VoIP network for wiretapping and other types of security breaches.
There are of course some disadvantages to having your own private VoIP server. First, it is limited to communication within its own closed network, meaning that only the people who have the app and were registered by the administrator can make calls and send messages and files to each other. That means no calls or messages to outside numbers. Of course, this is the price for the high level of security.
Another issue (for some enterprises it is no issue at all) is the responsibility that comes with administering your own VoIP server. While no one can predict what sort of problems may arise in the form of server crashes and malfunctions over a period of time, a well-designed backend architecture can reduce these instances to a minimum.
Although a private server is the backbone of a truly secure communication infrastructure, the whole solution is only as secure as its weakest link. Therefore, a secure client application and encrypted data transfer channels (for both voice and text) are an integral part of any secure mobile communication solution.
Most experts advocate the use of the SRTP protocol for encrypting voice packets. While the level of encryption it provides is one of the best, there are several alternatives, with WebRTC becoming the most common as it is now supported by the Google Chrome team. There is also the option of using the IPsec protocol for transferring continuous voice packets. Its advantage is that it can also be used for transferring other types of data, such as messages and files. The disadvantage is that the IPsec protocol makes voice packets too large for most mobile connections.
Even more options are available for consideration when choosing the protocol for negotiating session keys. ZRTP is usually the obvious choice when paired with an SRTP channel. However, there are other notable options that our team considered when developing our solution. MIKEY, DTLS and SDES all provide a sophisticated level of security for exchanging session keys, but fall short of the speed and convenience of ZRTP.
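As an added illustration (not SoftTeco's code), the Python sketch below audits an SDP offer and reports which of the key agreement methods named above each media stream advertises. The attribute names come from the SDP specifications for SDES, DTLS-SRTP, ZRTP and MIKEY; the function name `audit_sdp`, the verdict policy and the sample offer are assumptions made for this example.

```python
# Added example: classify each m= section of an SDP offer by SRTP keying method.
KEYING = {"crypto": "SDES", "fingerprint": "DTLS-SRTP",
          "zrtp-hash": "ZRTP", "key-mgmt": "MIKEY"}

# Constructed SDP offer (sample data, not captured traffic; key material is fake).
SAMPLE_SDP = """\
v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 40000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=audio 40002 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-SAMPLE-KEY-NOT-REAL
m=audio 40004 RTP/AVP 0
a=zrtp-hash:1.10 00aa11bb22cc33dd44ee55ff66778899
m=audio 40006 UDP/TLS/RTP/SAVP 0
a=fingerprint:sha-256 00:11:22:33
a=setup:actpass
"""

def audit_sdp(sdp):
    """Return (port, profile, keying methods, verdict) for every m= section."""
    session_attrs, sections, current = set(), [], None
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()
            current = {"attrs": set(session_attrs)}  # inherit session-level a= lines
            if len(fields) >= 3:                     # malformed m= lines are not reported
                current.update(port=fields[1], profile=fields[2])
                sections.append(current)
        elif line.startswith("a="):
            name = line[2:].split(":", 1)[0]
            (current["attrs"] if current else session_attrs).add(name)
    findings = []
    for s in sections:
        methods = sorted(KEYING[a] for a in s["attrs"] if a in KEYING)
        if not methods and "SAVP" not in s["profile"]:
            verdict = "FAIL"   # plain RTP, no key agreement offered
        elif not methods or methods == ["SDES"]:
            verdict = "WARN"   # no keying attribute, or key sent inline in signalling
        else:
            verdict = "OK"     # key agreed in the media path or wrapped by MIKEY
        findings.append((s["port"], s["profile"], methods, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_sdp(SAMPLE_SDP):
        print(finding)
```

SDES is flagged because its `a=crypto` line carries the SRTP master key inside the signalling message, so every server that handles the offer can read it.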
The infrastructure for message transfers can vary to a much greater extent. When designing the architecture of SoftTeco’s secure mobile messenger, we considered two fundamentally different approaches. The first one involved two separate server components for transferring text messages. The first component is for exchanging and verifying public and private keys for identifying senders and recipients through the application’s database. The second server is for transferring the actual text messages. Both the keys and the messages are protected with RSA 2048-bit encryption.
The second approach requires only one server and achieves the same level of security, but with faster message exchange speeds. This is done by using the XMPP protocol for near-real-time exchange of data packets secured by the TLS 1.2 cryptographic protocol. Through trial and error we arrived at the conclusion that this approach is superior to the two-server solution, as it allows for faster message exchange and enables effective chat sessions with multiple participants, an important feature for many enterprises.
The only two components for securing the whole solution on the client application side are having the application secured by a password and not saving any data on user devices. This, in combination with a private server and sophisticated encryption of data packets, effectively covers all aspects of a secure enterprise mobile communication solution.
Although not crucial for some companies, a secure mobile VoIP and messaging service is the base for safe information exchange practices, and the highest level of security can only be achieved when the enterprise has full control of all the components.
