Web Story Blog 9 min read

9 truths about PTT services and security you wish you had known before

Group of business people

Professional organizations and teams can already use push-to-talk over 4G broadband. Soon they will also be able to use 5G. A click on a smartphone button or key can connect teams instantly. This is convenient, but if you also need PTT app security, you need to look out for nine things.

Push-to-x communications means push-to-talk, push-to-text, and push-to-video communications. They are particularly helpful for:

  • Large facilities with multiple personnel and teams
  • "In the field" teams that are constantly on the move
  • Any organization that needs rapid communication.

When your push-to-x communications must also be secure, recognizing these nine truths will help you avoid mistakes:

1. Conversation security is more than a feature
2. A service where users can freely define talk groups is not secure
3. There are regulatory requirements to consider
4. A solution can be secure and easy to use
5. There is no trick to keeping your data secure – you have to work at it
6. Security measures need to match user behaviour
7. There are many deployment options for the service
8. Security is an issue when integrating systems
9. When you link legacy and MCPTT, there are security considerations.
 

The following looks into each of the truths in more detail.

1. Conversation security is more than a feature

To make conversations and text chats on a push-to-talk app secure, you need to look at the big picture. The app may have every security feature, but it is not enough.

For example, you may think that encryption solves all your security issues. It keeps your conversations safe from eavesdropping. Encrypted messages are very difficult to crack. But encryption of a smart PTT service is just the tip of the iceberg. Let’s take another example.

People need to use a password to get into a secure app. The password may need to certain length and include special characters. That is a feature in the app.

In real life, the passwords used depend on human nature. When passwords become difficult to memorize, people start using the same password for different services. This means the password feature becomes a weak link in security.

PTT app security (like all security) must start from people and processes, and must be considered on all levels. You need to be aware of security when introducing new users. You will need to identify people, and protect, monitor, and record conversations in case anything untoward should happen.

2. A service where users can freely define talk groups is not secure

Does your organization use a free chat application for professional communications? If yes, then how do you define and manage talk groups? How do you make sure you’re managing users securely? How do you prevent sensitive data from leaking? Do you know how data is encrypted?

You cannot answer all these questions if you depend on a free app.

A better option is an advanced, professional PTT service. This lets you manage users in a secure and controlled way. You can give users access to talk groups depending on who they work for. Managing every user one by one can cause a lot of errors.

User and group management at an office

Managing user identity and access control centrally is an important security measure. It can also save you money.

3. There are regulatory requirements to consider

People in the European Union must consider GDPR, data privacy and data residency laws – even when the topic is push-to-talk.

Data protection and privacy is important. You must plan your push-to-talk services according to EU directives and your local legislation.

Take GDPR as an example. To comply with the GDPR, you first need to know where your push-to-talk related data is located. Where is the users’ personal data stored? If your legislation says you have to record the calls, where do you store the recordings? Who controls the data? Who processes the data?

If even one of your users is an EU citizen, it is best to store the data on servers (and backup servers) within the EU. Even with a European service, the backup could be located outside EU. So you also need to check where the backup servers are, and which third parties may process the data.

4. A solution can be secure and easy to use

People often think that proper security measures mean the solution will be difficult to use. But does it have to be like that? Could the technical and the practical complement each other?

The short answer is yes. In fact, security will fail if the measures are too difficult for people. Many security measures are invisible to users, like authentication algorithms.

Push-to-talk must be easy for people to use. It is the everyday tool of professional teams - everyone must be able to use it quickly, without thinking. Professional push-to-talk solutions must be secure and usable.

People need their device to be easy to activate for a working shift – but secure, too. Single login will make things easy. You log into the device with your credentials, and it offers you the data and apps you have the rights to use. When you log off, your data and apps are no longer available to another user of the device – you also cannot use them as a private person.

A good push to talk app or PTT solution will also allow one person to login for different roles. It will offer a different set of apps and user rights for each role.

Single sign-on also means that you won’t have to type in or remember different passwords for every app in the device.

5. There is no trick to keeping your data secure – you have to work at it

Professional smart devices and gadgets contain a lot of data. If you lose the device, what happens to all that data? Will it be lost? Can someone else have access to it?

You need to remember that the data inside a smart device will not be secured by magic. You need to plan for its security and take care of it.

security-looks-as-police-points

For example, make sure that the data you exchange with others stays secure in its storage. You must also make sure you have a secure storage for all the new data you create – photos and videos, for example.

Consider user rights and authorization, too. A strong PTT solution will support different levels of rights for users and admins. It is a good idea to keep people’s access rights to a minimum. The levels help you with that.

6. Security measures need to match user behaviour

Many security measures are invisible to users. For example, a user does not have to think about how authentication works. They just need to be able to trust that the system does the job.

Group of business people

This is an interesting thing to realize about people’s behaviour. If something is too difficult, people will find their own ways to do the job more easily. This is often something that is not secure, such as writing passwords on sticky notes on their displays.

There are security measures that can prevent this non-secure user behaviour.
One way is to limit the users’ access to data based on their location. Thanks to geofencing, they can only access certain data when they are physically within an area. This also prevents unauthorized people from using the duty phone that someone carries off site.

Another way is to use the lock-down mode on the device. This is an extreme measure that can block all but one app from running on the smart device. In effect, the device becomes a walkie-talkie, and that is it.

7. There are many deployment options for the service

Many professional organizations think it could be useful to host their communication services in the cloud, but have some concerns about data security.


Handpicked related content

According to the latest Airbus survey into the professional apps market, organizations are open to the potential of services provided by the cloud.


Overall, the internet and cloud services are great solutions, and they can manage many security-related issues. You need to be vigilant, however, and continually evaluate your options. Your best choice depends on your needs: what you want to do yourself; what your security team is like; how you monitor security; and how you respond to multiple security threats.

The best PTT solutions offer a variety of deployment options. Whatever your choice, you must ensure that the cloud is reliable and has built-in redundancy. These are important characteristics when you are running a mission-critical solution on top. You must have a backup if your primary solution fails.


Handpicked related content

Should you be afraid of the cloud? Do cloud services bring more benefits than they raise security concerns? Learn more in this blog post: “Fear? Not if you secure your push-to-talk cloud the right way!”


8. Security is an issue when integrating systems

Integrations between systems and apps are very useful because they make things easier for users. Be sure that the integrations are secure, though. The identity and access control of other systems must be managed together, like user identities in the system.

Let’s take an example. You will integrate your communications with a system that can provide a lot of data and information to help decision-making. Proper integration means that authorized people can find the additional information in an easy-to-understand format.

A secure API gateway facilitates the interface between strong MCPTT - mission-critical PTT - and the integrated systems. It handles authentication and authorization for the integrated systems only and blocks others.

9. When you link legacy and MCPTT, there are security considerations

Many organizations are moving from narrowband radio to mission-critical broadband communications, MCPTT. They have the existing legacy communication system, and they may have a broadband system.

It makes sense to have the existing and the new system working together, at least for a while. Even organizations that want to move to broadband quickly may want to keep an existing radio communications system as a backup.

Organizations can use a gateway to connect smartphone users and radio users in interoperable groups. When there is a secure connection through the gateway, this is a good solution. There is a potential risk to security, though. You need to be careful with interoperable groups because you do not control the gateway group. This means you cannot see which smartphone users are included in the group. This is why a gateway-connected interoperable group requires special attention.

Users will be even happier if the two communication systems work together seamlessly. Agnet, for example, is a seamless solution that connects smartphone users to TETRA groups.

Airport worker with smartphone and radio

Handpicked related content

Critical communications continue to migrate to broadband, and the pace is getting quicker. How should you go about adopting broadband capabilities? This blog post has good answers: "TETRA to 4G/5G broadband migration - 14 ways to ensure success".


Conversation security is similar to information security. They both have a much larger scope than technology and features. Secure conversations and secure information are based on people and processes. You need to control access and identity, and figure out how to protect and monitor things. You also need to have a record or a log in case something untoward should happen. This will allow you to investigate and resolve situations. Security breaches are embarrassing and expensive. Your PTT service must detect and respond to threats quickly and efficiently.

 

Why not learn more about a PTT service that ticks all the boxes when it comes to conversation security. Take a look at Agnet, which delivers efficient group communications! It is available as a flexible end-to-end service.

Find more about Agnet