In response to my previous post and the reference to implementing application security for UC and multimodal smart-phone devices, Andy Zmolek, Avaya Sr. Mgr. for Security Planning and Strategy, sent in this comment.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
We believe that the most important security for unified communications will reside at the application layer. The most powerful communications scenarios need to tie together three elements: identity, i.e. who's involved in the communication; presence and availability, i.e. can and how should we communicate; and a reasonable policy, i.e. who's allowed to see one's presence, who is allowed to connect to my servers.
Trying to make those kinds of increasingly fine-grained decisions at a firewall or IP network device in a way that works with real-time communications is not going to lead to a scalable or user-friendly experience. So while network-based and border-oriented solutions can work well as a temporary solution, they will ultimately prove to be too brittle to meet the security needs of broadly-deployed unified communications solutions.
We also find that many IT organizations are not operationally ready to integrate their directory and identity systems into their communication systems, although we've been supporting that capability for several years in many of our products. Mobile devices like the iPhone are replaying the same battles that IT organizations had in the mainframe era with the emergence of the PC: that same desire for central control and approval of communications device hardware is just as doomed as that era's fight to preserve the mainframe as the only approved platform for programming and computing.
Successful IT shops will embrace and find appropriate ways to protect that mobile infrastructure just as they have done for the PC. And yes, while it’s a difficult job, who would argue that businesses would run more effectively without PCs - the same process is now happening with mobile devices.
Andy Zmolek, AVAYA
Senior Manager,
Security Planning and Strategy