The rise of the communications platform as a service (CPaaS) model has many enterprises migrating from on-premises communications to cloud platforms and APIs. CPaaS and APIs offer benefits including improved productivity and third-party app integrations, but before proceeding to adopt CPaaS companies should consider the inherent risks.
Remember that the underlying technologies tend to be insecure. Even if an encrypted communications channel is used between the application that initiates the communications with the CPaaS provider, the data is not necessarily secure along the entire path.
CPaaS providers give developers and companies the ability to integrate or embed communications channels such as SMS, MMS, and voice into their applications. SMS and MMS do not define security mechanisms. Ultimately any SMS or MMS message is delivered to the remote endpoint over an unencrypted communications channel. Hence, integration with these services may not be appropriate in all circumstances, because their use may violate regulatory or contractual requirements for some types of sensitive data. In addition a sophisticated attacker may be able to modify the contents during the transmission or replay it at a later time.
MMS also entails additional underlying risks. If a user of the integrated application receives an MMS message, the message could contain malware. So the endpoints running the CPaaS integrated applications and devices must be running anti-malware software where possible.
VoIP and SIP services supported by CPaaS providers also have some inherent security risks. These include being subject to Denial of Service (DoS) attacks, message tampering, impersonation of servers, and registration hijacking of the authentication.
Organizations should also remember that APIs typically add complexity and increase the attack surface area. Attackers might be able to exploit data sent into an API, including URL, query parameters, HTTP headers, and/or post content. Or an attacker might seek to exploit flaws in authentication, authorization, and session tracking. Adding multiple CPaaS providers will increase the complexity and potentially provider attackers with additional opportunities.
Organizations should also be aware that employees might utilize CPaaS features to exfiltrate data. For example, MMS could be used to send a file containing sensitive or confidential data.
There are a variety of compensating controls that can be used. For example, a Cloud Access Security Broker (CASB) could be used to help prevent the exfiltration of sensitive or confidential information. It could also be used to help block and quarantine malware being received or sent.
Some Web Application Firewalls (WAFs) can be used to help secure the use of a CPaaS. A WAF may be able to mitigate the risks of server impersonation, some DoS attacks, or even provide some parameter validation. For example, a WAF can be used to block very large messages, heavily nested data structures, or overly complex data structures.
All of the communications with the CPaaS provider via the APIs should be encrypted using TLS. This can be enforced by properly configured firewall rules.
Intrusion Detection Systems / Intrusion Protection Systems (IDS/IPS) devices should also be deployed on the network to detect and or prevent some of the potential attacks.
Given the security issues in some of the underlying protocols, session management should not solely rely on authentication. If practical for the environment, access should be limited to specific IP address ranges, and where practical perform device authentication as well as user authentication.
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.