Best practices for securing the CPaaS technology stack

Like everything that’s connected to the cloud, Communications Platform-as-a-Service (CPaaS) solutions are vulnerable to hacking, which increased dramatically as workforces shifted to remote and hybrid models because of the pandemic.


For this reason and others, such a platform must be built secure by design. This means taking the time necessary to examine and re-examine code and configuration, then make appropriate changes prior to deployment. Several things must happen in tandem for this to be successful.

From authenticating to an API for advanced features to credential management, it is critical to have a deep understanding and awareness of data protection best practices.

Calculating risk vs benefit is an important first step before considering a CPaaS solution. It should also be part of an ongoing security practice after implementation given that each organization has a unique set of circumstances and requirements that can change unexpectedly. From the start, it is essential to obtain as much information as possible regarding a vendor’s maturity and understanding of the processes and tools that keep CPaaS communications secure. Does the company design and implement their system with protection as a driving principle? If so, what are these principles?

Certifications are certainly important to consider when evaluating options, but even so, certifications don’t mean security. It is a best practice to check on the maturity of these vendor-specific certifications, as some companies go through a process of self-certification that doesn’t necessarily ensure the level of security your organization needs. Sending a thoughtful questionnaire to multiple vendors can be helpful for scoring these vendors’ security, offering a holistic and specific viewpoint to be considered by an organization’s IT team.

On the customer end, in-house security and engineering staff can prep for CPaaS implementation by becoming familiar with the use of APIs and the authentication methods, communications protocols and the data that flows to and from them. Hackers routinely perform reconnaissance to find unprotected APIs and exploit them.

Once CPaaS is incorporated into the hybrid work model technology stack, it is a best practice for an organization to focus its sights on its endpoint management. The use of a centralized endpoint management system that pushes patches for BIOS, operating systems, and applications is necessary for protecting the cloud network and customer data once a laptop connects.

VPN security should include a quarantine feature that prevents laptops from joining until they are confirmed to be patched and their anti-virus is confirmed to be running. Furthermore, it’s necessary to go one step further and check that end users are not administrators on their work laptops, so that anti-virus programs continue to run and potential virus attacks are blocked.

After CPaaS implementation, security protocols should continue to be thoroughly reviewed and updated each year along with technology standards, including examining Transport Layer Security (TLS) to make certain the cipher suite and algorithms in use meet or exceed requirements for data encryption.

It is the responsibility of the CPaaS partner and its security and technology teams to work with customers and bring to their attention recommended changes, such as replacing a cipher suite or an algorithm (or encryption key that supports it) for a particular circuit to make sure that the most appropriate and recent standards are in place.
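The periodic TLS review described above can be scripted. The following is an added example, not code from the article or from any CPaaS vendor: it checks negotiated protocol and cipher suite pairs against a policy. The policy, the endpoint names and the sample observations are assumptions constructed for illustration.

```python
import socket
import ssl

# Assumed policy for this example (not taken from the article):
# TLS 1.2 or newer, forward secrecy, AEAD encryption, no legacy algorithms.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
LEGACY_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5")
AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")

# Constructed observations: (endpoint, negotiated protocol, OpenSSL cipher name).
SAMPLE = [
    ("api.example.com:443", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("sip.example.com:5061", "TLSv1.2", "AES128-SHA"),
    ("legacy-ivr.example.com:443", "TLSv1", "DES-CBC3-SHA"),
]

def audit_suite(protocol, cipher):
    """Return the policy findings for one negotiated protocol/cipher pair."""
    parts = cipher.upper().replace("_", "-").split("-")
    findings = []
    if protocol not in ALLOWED_PROTOCOLS:
        findings.append("protocol below TLS 1.2")
    for token in LEGACY_TOKENS:
        if any(p.startswith(token) for p in parts):
            findings.append("legacy algorithm: " + token)
    # TLS 1.3 suite names omit the key exchange, so only older names are checked.
    if protocol != "TLSv1.3" and not {"ECDHE", "DHE"} & set(parts):
        findings.append("no forward secrecy")
    if not any(p.startswith(t) for p in parts for t in AEAD_TOKENS):
        findings.append("non-AEAD cipher")
    return findings

def audit_inventory(observations):
    """Map each non-compliant endpoint to its list of findings."""
    report = {ep: audit_suite(proto, cipher) for ep, proto, cipher in observations}
    return {ep: found for ep, found in report.items() if found}

def probe(host, port=443, timeout=5.0):
    """Handshake with an endpoint you operate; return (protocol, cipher name)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    for endpoint, findings in audit_inventory(SAMPLE).items():
        print(endpoint, "->", "; ".join(findings))
```

`probe` uses Python's default client context, so it reports what a modern client negotiates; an endpoint that still accepts older protocols for other clients needs a dedicated scanner to surface that.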

In many instances, the deployment of the right CPaaS solution into an existing communication infrastructure can bolster data security. Here’s why: it puts call flow and data flow configurations right in the hands of business users, enabling them to know and understand where the data flows are without having to work through big implementation projects with engineering teams and dig into multiple legacy systems.

If they try to do the same type of work through their own programming, or through old legacy interactive voice response (IVR) solutions, those data flows are likely to get lost to the people who need to know about them most. Consolidating all that information into one platform helps a business not only understand where data is and where data flows but also talk more intelligently about privacy and confidentiality.

The financial sector is one industry seeing the real benefits of CPaaS in helping customers activate credit cards and set PINs while simultaneously using AI and real-time speech recognition to verify data necessary to prevent fraud. Similarly, in healthcare, various states, counties and healthcare organizations across the U.S. have been able to quickly launch COVID-19 vaccine programs for scheduling and general information through CPaaS.

Through automated prompts and responses, people can easily access information and get answers to vaccine questions that otherwise may require a long and complex conversation with a healthcare provider. They can even schedule appointments safely and securely thanks to encryption in transit and encryption at rest, which has become a common configuration in session initiation protocol (SIP) telephony only in the last couple of years.

Looking toward the future, there is undoubtedly more work to be done regarding security, particularly around identity management, access controls and two-factor authentication. This is especially important with the unpredictability of individual user and device security. There may be clever ways to improve unique person identifiers, like making the use of Secure Shell (SSH) keys very easy.

In addition to allowing for remote login from one system into another, SSH keys are based on strong public-key cryptography, which makes them ideal not only for tasks associated with cloud computing but also for securing remote workforces.

Right now, only engineers, and very few of them, use SSH keys, which are foundational to IaaS platforms such as Google Cloud, Microsoft Azure and AWS. With business objectives shifting and evolving, SSH keys may play an invaluable role in further securing CPaaS. Until then, choosing a CPaaS partner wisely will help ensure the benefits far outweigh the risks.
