One of the most common questions when an SMB is considering using Skype for business is whether it is fit for purpose; specifically, is it secure and reliable? To examine how well Skype conforms to security best practices and meets reliability and high-availability standards, it is important to understand how Skype works, the architecture it is built upon, and how that architecture has changed.
Early Skype Peer-to-Peer (P2P) Architecture
Since its earliest editions, Skype has placed great importance on security and privacy. Skype was originally built upon a peer-to-peer network architecture that made use of client computers to form a mesh of connected nodes across a local geographical area, over which data could travel from one Skype client to another. Typically, when Skype discovered open, high-powered PCs with high-bandwidth connections, it would assign them as super-nodes. Super-nodes acted as central hubs that aggregated traffic locally from other Skype-enabled PCs and passed it onwards to other super-nodes until the traffic reached its destination. The advantage to Skype was that it didn't need to own any network infrastructure (routers and switches); it simply used its clients' computers and network connections. The more powerful the Skype client's PC and the greater the available bandwidth of its internet connection, the greater the chance that Skype would use it to pass higher quantities of Skype traffic, meaning other people's calls, and usually this was transparent to the client. Therefore, for both Skype and the client it was essential that the traffic, the data, was encrypted so that it could not be intercepted by anyone eavesdropping on any of the multitude of nodes it traversed to its destination. Skype handled the encryption using strong AES 256-bit encryption and signed digital certificates for authentication.
Therefore, Skype met the security challenges that were around at the time. Its P2P network of client nodes made determining a route between Skype end nodes extremely difficult. Furthermore, traffic traversing these intermediate customer computers was heavily encrypted, and the sessions between Skype-to-Skype callers were authenticated in both directions by digital certificates. Therefore, Skype has always been a secure way to communicate. However, how did it mitigate the problems with reliability?
Skype Architecture Evolution
As we have seen, Skype was originally designed to work over a P2P architecture of meshed client computers. This was an elegant and efficient solution for the time, a decade ago. However, this strategy relied on customer-owned computers at a time when computers were typically always on and always connected. As technology shifted more towards mobile devices, this peer-to-peer model was no longer efficient or sustainable. Client super-nodes could no longer be relied upon to be available 24/7, and more and more clients were using smartphones and tablets, which could not participate in the P2P network as they relied on battery power, had less processing power than a PC and were not permanently connected to the Internet. This resulted in a period of unreliability and unpredictability of service, because the legacy P2P architecture, reliant on customer-owned super-nodes, was unsustainable. It therefore became essential to create Skype's own super-node network. Skype had already started rolling out its own Linux servers to act as super-nodes before the purchase by Microsoft. However, when it purchased Skype, Microsoft accelerated the transition and moved the super-node functionality of the network to its data centers, and Skype became resident in the cloud.
The relevance of this change in architecture is that Skype security and reliability are now handled directly through Microsoft data centers in the cloud. The end Skype clients still determine the best path to the recipient by evaluating bandwidth, connectivity and firewall settings to provide the audio and video connections they desire. However, transparently to the end user, the role of the super-node has been taken inside the network onto the highly available data center servers, which are capable of greater than five nines availability and reliability (99.999%), resolving any historical concerns regarding service reliability.
How the Cloud has Mitigated the Risk to Security & Reliability
The adoption of the new Skype cloud has enabled several new security features and more robust registration and account security through the use of Microsoft accounts. The use of Microsoft accounts is intended to provide two-step authentication, bringing improved security as well as tools to assist in retrieving accounts should the credentials be forgotten. In addition, Skype cloud also provides anti-spam and anti-malware filters to protect end computers and devices from harmful and potentially dangerous content. These are both important features, as they are typically high on the list of risks identified by corporate IT security managers when they had previously evaluated Skype.
With regard to reliability, the fact that Skype now controls the network makes it more predictable, and performance and reliability can be determined with a high level of confidence. From the moment a customer logs on to their Skype account, the transaction is handled using Secure Sockets Layer (SSL), which encrypts all data leaving the computer destined for Skype so that it can only be decrypted by the Skype server. Skype also uses digital certificates to authenticate end users so that you can be confident that you are communicating with whom you think you are and not some fraudulent third party. By utilizing digital certificates on the Skype Cloud servers, customers can be confident that their communications are genuine, secure and authenticated. However, network security is only one part of the problem. What about security of the client application on the computer, and within the SMB's corporate walls?
Skype Client Best Practices for the SMB
For the SMB, securing Skype is similar to securing any other application and is primarily about ensuring a strict password policy. Skype, just like most applications, relies on a username and password as the primary means of authentication and access control. All the other security mechanisms, such as digital certificates and SSL authentication, are generated by successfully entering a valid username/password. Therefore, these must be protected, and employees should be given guidance regarding company password policy.
Virus & Malware
SMBs should ensure that company computers have up-to-date antivirus protection and have personal firewalls activated. The company security policy should warn against email attachments and other known ways that viruses can get into a computer.
Profiles & Privacy Settings
The profile is public, so do not put things in the profile you wish to keep private. The customer's email address is secured but can be used in the directory to search for colleagues or business partners.
Avoiding On-line Fraud, Spam and Phishing
Skype cloud services have anti-spam and anti-malware filters enabled for all messaging services; however, caution should always be advised when dealing with messages from unknown sources.
The SMB's company security policy must be precise on this matter and state clearly the company policy regarding distribution of company files and data.
Skype's early reputation for unreliability and unpredictability was based on its legacy architecture, whereby it made use of customer computers to provide network transport. However, by taking responsibility for and control of the network from a security and reliability perspective, and bringing those services into the cloud, Skype has mitigated many of the network reliability issues leveled against older versions of Skype and at the same time created a robust, predictable, reliable and highly available transport network.
Network security, privacy and authentication have always been among Skype's strengths through necessity of its design; unfortunately, this has often been mistaken for a lack of security of the client application on the customer's computer. Skype Cloud's new architecture brings several security benefits; however, the onus, as ever, is still on the customer, or SMB, to keep the application safe by following a basic security policy.