The potential risks of communication APIs and CPaaS and secure vendor selection criteria.
By James Ryan, Director of Information Security, BISO, IntelePeer
The pandemic accelerated the demand for various things, from vaccines to virtual telecommunications platforms. Cloud services also rose in use to enrich customer communication channels, with everything from Software as a Service (SaaS) and Infrastructure as a Service (IaaS) to Platform as a Service (PaaS) and Communication Platform as a Service (CPaaS) seeing considerable growth. In 2017, Frost and Sullivan’s researchers found that of 1,695 companies, 81% had already deployed CPaaS, and that number has only increased since the pandemic. Nevertheless, this shift to a cloud-based infrastructure introduced a new attack surface, exposing businesses to fresh cyber threats. As part of an organizational security effort, enterprises must select the most secure and reliable providers within the CPaaS space.
What data security risks do communication APIs and CPaaS create?
The integration of CPaaS services and application programming interfaces (APIs), often used by CPaaS providers to deliver added value, can be infiltrated by sophisticated attackers to modify content during transmission. Sometimes, open APIs leave data exposed, making it vulnerable to attacks such as unwanted access to API infrastructure, which can result in data leakage. A famous example of a data leak was when Facebook’s API got exploited, compromising users’ information. Although most enterprises won’t have the same level of open API access that caused the Facebook data breach, the same principles apply.
With API abuse, a bad actor, having obtained stolen credentials, can, depending on the level of access, manipulate a company’s budget, steal personal information, and even lock an enterprise out of its own API and CPaaS systems. Similarly, unsecured code can jeopardize a business, leaving it susceptible to further data security risk. Besides the loss of revenue and productivity often associated with data breaches and network downtime, the erosion of customer trust is perhaps the most long-term consequence of a data breach due to compromised APIs and CPaaS solutions.
Having secure communication and, by extension, a secure CPaaS provider is an essential business requirement. Any organization that communicates with its customers, employees and suppliers and collaborates with devices must prioritize the development of a security strategy.
Selecting a safe and secure CPaaS Vendor
A CPaaS vendor under consideration must prove its commitment to security; it cannot be an afterthought. Initial checklist items include examining the vendor’s certifications and the maturity of those certifications. Note that some vendors perform self-certification processes to fluff up their resumes. By confirming the level of encryption that the CPaaS provider offers, companies can make a more accurate judgment of the vendor’s security capabilities. Enterprises should also understand what processes and tools CPaaS vendors use to keep communications safe. Likewise, it’s helpful to send a thorough questionnaire to several vendors to rate their security prioritization. Having multiple choices, complete with notes and ratings, will provide an organization’s IT team with a more holistic view of their options.
Beyond these preliminary inquiries, other best security practices for selecting an apt CPaaS vendor involve consistently calculating the risk versus benefit. Given that every company will at one point in time experience an unexpected circumstance after implementation, it’s always suitable to complete a risk/benefit assessment. After companies have selected a CPaaS vendor and the implementation process is complete, organizations must focus their attention on endpoint management (laptops, mobile phones, and PCs), as it is necessary to protect the cloud network and customer data. An ideal CPaaS partner will have available teams ready to assist customers with issues or projects that might arise or direct the client’s attention to necessary system changes and patches. Such updates could include replacing a cipher suite or an algorithm for a certain circuit; it is helpful for organizations themselves to be up-to-date on CPaaS standards.
Benefits of Secure CPaaS and APIs
Although the consequences of having insecure communication APIs and a less-than-optimal CPaaS vendor can be severe, successfully leveraging a reliable CPaaS provider will be highly beneficial. CPaaS is an invaluable tool for many industries that manage sensitive information, namely healthcare and financial services. For healthcare specifically, CPaaS can help set appointments, handle payment information and automate various processes. Similarly, communication APIs can optimize employee workflows and organize data within a single platform, streamlining efforts and eliminating the need to toggle between apps. Plus, APIs are customizable, allowing enterprises to enhance workflows even more to meet employee needs.
Although a secure CPaaS vendor is critical to business success and to the assurance that company and customer information stays safe through robust CPaaS and APIs, not all CPaaS vendors are equal. Some providers might be a better fit for one industry but a poor choice for another; security shouldn’t be the only criterion.
About James Ryan
James Ryan, Director of Information Security, BISO, IntelePeer. James can be reached online at his LinkedIn and at our company website https://intelepeer.com/.