Security considerations when choosing a Cloud Telephony provider

Just like email, many companies are now providing cloud based telephony which includes regular extensions to complex contact centers. A key component to lookout for when choosing your provider is of course security. Anything residing on the internet can possible pose risk to your organization, as you can clearly see these days.

Choosing the right provider is simple, consider this basic checklist and you are good to go. Take note that this is not an extensive checklist but it will generally cover most of the important ones.


Always start by figuring out how much of experience the company has in building and setting up cloud based infrastructure. Cloud VoIP or telephony requires deep knowledge and skills. It is easy for many to setup servers today on cloud, sometimes as easy as a single click. Basically, do ensure that the company operating the service has sufficient knowledge, certification and reputation

Look at some of the basic information provided by the company such as years of experience, their clientele list and their support. Then, you can likely help you make your decision.

Processes and documentation

Request the processes in place such as the security responses when there’s an incident, how they recover from a threat or attack. Equally important is how they can provide a redundant infrastructure when the attack persists, like a continuous DDoS. Read through their SLA for service recovery and request your cloud telephony operator to provide you with documents related to incident management.

It might also be important to request how the data center is setup, where they are located and how access is managed. Reputable providers place servers in certified datacenter like on Amazon AWS, Microsoft Azure or even our local providers in Malaysia like at AIMS and Cyberjaya by companies like TM, IPServerone, NTT etc.

Data and transport encryption

Ensure that storage of call recordings and other sensitive data is stored on encrypted storage or databases. This will ensure should the drive or file(s) get extracted out of the data centers they will remain private and secure and only accessible by authorised personnel.

Next, ensure that calls are also encrypted between your IP deskphone or softphone to the provider’s servers. This ensures the conversations cannot be easily wiretapped. Spying on IP calls are quite easy on a local network and the entire conversation can be replayed by using tools like Wireshark. Someone with adequate knowledge can easily grab all calls originating from your network out to the provider if calls are not encrypted.

License to operate

VoIP and other cloud service providers need to have specific licenses from authorities. In Malaysia, the body that provides these licenses is MCMC. Failing to have certificates and permission from authorities may end up having your service disrupted by seize of operations by authorities. The most basic license required for a cloud VoIP provider is the ASP license awarded by MCMC.

Logs and audits

Your provider should be able to provide you detailed logs on the activities made from using the service. This can help ensure that everything can be traced back incase this is needed, for example, to audit calls made from you and not that it was infiltrated by someone else to impersonate you or to use your facilities to make calls to exotic locations or use it for illegal operations like scamming. Logs ensure that legit locations e.g. IP addresses are logged on all major activities done with your service.

Access management and controls

Request for documentation on the standards that are used to protect your account(s) such as how and when they can be used. Ensure that passwords, access controls and restrictions are applied to the service you are subscribing to by means of audited standards. Standards that are used will help ensure that the provider adheres to common and reputable guidelines.

Leave a Comment

Your email address will not be published. Required fields are marked *