40 years of experience in Telephony profession and services

Welcome to Azentix. You can discuss any topic related to IP telephony with us.

Many believe that Cloud IP PBX is the future of business communications, and we also provide Cloud IP PBX through our colocation solutions. However, based on our experience, we generally do not recommend deployments exceeding fifty (50) users on a pure cloud setup. The key concern is security exposure.

As the number of users increases, the risk of potential credential leaks, misconfigurations, and unauthorized access grows significantly. With more accounts connecting over the internet, the attack surface becomes wider, making it more challenging to maintain the same level of protection. For larger organizations, we advise either a hybrid or dedicated on-premises PBX solution, where additional security controls and isolation can be implemented to safeguard users more effectively.

"I only told a few friends" claims a man on a computer connected to a multitude of friends.

Cloud PBX vs On-Premises PBX: A Security Perspective

In the evolving world of business communications, one of the most debated topics is whether to adopt a Cloud PBX or maintain an On-Premises PBX. While cost, scalability, and flexibility are often highlighted, security is a critical factor that influences decision-making. Both solutions come with strengths and weaknesses, and the right choice depends largely on the company’s resources, compliance requirements, and risk tolerance.

Security in Cloud PBX

Cloud PBX systems are hosted in remote data centers, managed by service providers. From a security standpoint, they offer several advantages. First, providers usually operate from enterprise-grade facilities, equipped with advanced firewalls, intrusion detection systems, and DDoS protection. Second, regular patching and updates are handled centrally, which reduces the risk of known vulnerabilities being exploited. Third, most providers implement encryption protocols such as TLS and SRTP, ensuring that calls and signaling data are protected from interception.

However, Cloud PBX also comes with challenges. Because it relies on the public internet, all communications are exposed to SIP scanning, toll fraud attempts, and potential man-in-the-middle attacks if not properly encrypted. Furthermore, most cloud systems are multi-tenant, meaning multiple customers share the same infrastructure. While strong isolation mechanisms exist, a breach in one tenant could, in rare cases, spill over to others. Finally, data jurisdiction becomes an issue: call records, voicemails, and recordings may reside in servers located in another country, which can raise compliance concerns for industries with strict data protection rules.

Security in On-Premises PBX

On-Premises PBX, hosted within the organization’s own network, offers a different security model. The primary advantage is control. Businesses decide their own firewall rules, access policies, and storage locations. For industries such as banking, government, or healthcare, this ensures that sensitive call data never leaves the premises. Another benefit is local isolation: calls made within the office stay within the LAN, never traversing the internet, which greatly reduces exposure to external attacks.

The Security Risks of Stolen SIP Credentials in Cloud and On-Premises PBX Systems

In the realm of modern business communications, SIP credentials (the username and password used to register a phone extension to a PBX system) are the keys to the kingdom. They allow a device—whether a desk phone, softphone, or mobile app—to authenticate with the PBX and make or receive calls. While both Cloud PBX and On-Premises PBX systems rely on SIP credentials, the security implications of a breach are more severe in a cloud environment because it is inherently exposed to the internet.

What Happens When SIP Credentials Are Stolen

If hackers obtain valid SIP credentials, they can impersonate the legitimate user. By registering a fake phone, attackers can intercept incoming calls, hijack business conversations, and impersonate staff members. At the same time, they can initiate outgoing calls, often committing toll fraud by routing large volumes of expensive international or premium-rate calls. Such fraud can generate losses amounting to thousands of dollars within hours.

Beyond financial risks, privacy and compliance issues arise. Without proper encryption, attackers can eavesdrop on sensitive calls, capturing confidential information or trade secrets. Additionally, when an attacker registers with stolen credentials, they may “kick out” the real user, creating a denial of service and disrupting business operations.

Cloud PBX: A Larger Attack Surface

In a Cloud PBX system, every extension must be reachable from the public internet. The more users a company has, the larger the attack surface becomes. Each account becomes a potential entry point for hackers, and with hundreds or thousands of users, the probability of a weak password or misconfigured extension increases significantly.

This exposure makes Cloud PBX an attractive target. Hackers often run automated SIP scans across the internet, looking for vulnerable accounts. If even one set of credentials is weak or reused, the entire organization is put at risk.
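The two patterns described above, automated SIP scans against many accounts and a stolen credential displacing the real user's registration, can be looked for in registrar logs. The following is an added example, not code from Azentix or any PBX vendor; the log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, extension, REGISTER result.
# The format is hypothetical; adapt the parsing to your PBX or SBC logs.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.15 101 OK
2024-05-01T09:00:05 203.0.113.7 100 FAIL
2024-05-01T09:00:06 203.0.113.7 101 FAIL
2024-05-01T09:00:07 203.0.113.7 102 FAIL
2024-05-01T09:00:08 203.0.113.7 103 FAIL
2024-05-01T09:00:09 203.0.113.7 104 FAIL
2024-05-01T09:05:00 10.0.0.22 102 OK
2024-05-01T09:06:30 198.51.100.9 102 OK
2024-05-01T12:00:00 10.0.0.15 101 OK
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, ext, result = line.split()
        yield datetime.fromisoformat(ts), ip, ext, result

def detect(log, fail_threshold=5, window=timedelta(minutes=1),
           takeover_window=timedelta(minutes=10)):
    """Return (scanner_ips, takeovers) found in REGISTER events."""
    fails = defaultdict(list)       # ip -> [(time, ext)] of failed attempts
    last_ok = {}                    # ext -> (time, ip) of last good REGISTER
    scanners, takeovers = set(), []
    for ts, ip, ext, result in parse(log):
        if result == "FAIL":
            # Keep only failures inside the sliding window for this source.
            fails[ip] = [(t, e) for t, e in fails[ip] if ts - t <= window]
            fails[ip].append((ts, ext))
            # Many failures across several extensions looks like a SIP scan.
            if (len(fails[ip]) >= fail_threshold
                    and len({e for _, e in fails[ip]}) > 1):
                scanners.add(ip)
        else:
            prev = last_ok.get(ext)
            # Same extension, different source, shortly after: the earlier
            # device may have been displaced by whoever holds the password.
            if prev and prev[1] != ip and ts - prev[0] <= takeover_window:
                takeovers.append((ext, prev[1], ip))
            last_ok[ext] = (ts, ip)
    return scanners, takeovers

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A softphone that roams between networks will also match the second rule, so hits are leads to review against the user's known locations rather than confirmed compromises.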

On-Premises PBX: More Control, Different Risks

On-Premises PBX systems differ in that internal calls within the local area network (LAN) never leave the building. In such cases, SIP credentials are far less exposed, since external attackers would need access to the company’s internal network. This reduces the risk of credential theft significantly.



Points of Failure for SIP Client Users in Cloud and On-Premises PBX Systems

When businesses evaluate Cloud PBX versus On-Premises PBX solutions, the focus often falls on cost, scalability, and features. However, from a user’s perspective, the most critical factor is reliability: what can cause a SIP client—a desk phone, softphone, or mobile application—to fail? Understanding the points of failure in each deployment model helps organizations choose a solution that matches their risk tolerance and business continuity needs.


Internet Connectivity

For Cloud PBX, the most obvious point of failure is internet access. Every SIP client must communicate with the provider’s servers over the public internet. If a user’s ISP is unstable, calls may drop or fail to connect. Worse, if the company’s internet service goes down completely, all users lose access to the PBX at once. This makes Cloud PBX heavily dependent on reliable broadband or redundant connections.

On the other hand, On-Premises PBX offers resilience in this area. Users connected through the local area network (LAN) can continue to make internal calls even if the internet connection is lost. Only external calls, such as those routed through a SIP trunk or PSTN, are disrupted. This local continuity makes on-premises systems attractive for organizations where uninterrupted internal communication is vital.


PBX System Availability

In Cloud PBX, system availability depends on the provider’s data centers. High-quality providers host their platforms in redundant, geographically distributed facilities, backed by service-level agreements (SLAs) promising uptime above 99.9%. While this minimizes downtime, the risk is that if the provider experiences a global outage, all customers are affected simultaneously.

In contrast, an On-Premises PBX is only as reliable as the hardware and environment supporting it. Failures can arise from server crashes, power interruptions, or software corruption. Larger organizations may design redundancy with clustering and backup servers, but many small and medium enterprises operate with a single PBX, creating a single point of failure.


SIP Credentials and Authentication

Every SIP client must authenticate with the PBX. In Cloud PBX, this process always occurs over the internet, making credentials a critical vulnerability. If stolen, attackers can impersonate users, intercept calls, or commit toll fraud from anywhere in the world. Cloud providers mitigate these risks with fraud detection, IP restrictions, and monitoring, but the exposure remains significant.

For On-Premises PBX, if users operate only within the LAN, credentials never leave the private network, reducing exposure. However, once remote access is enabled, the same risks apply as with cloud systems. The key difference is that the burden of securing authentication—through firewalls, VPNs, or strong password policies—falls entirely on the organization’s IT team.


Security Attacks

Cloud PBX systems are frequent targets for SIP scans, brute-force attacks, and denial-of-service attempts simply because they are exposed to the public internet by design. Providers counter these with session border controllers (SBCs), enterprise-grade firewalls, and traffic anomaly detection. Still, if these defenses fail, users may experience dropped calls or blocked access.

On-Premises PBX systems can be less exposed if SIP services are confined to the internal network. In such cases, attackers would need access to the local infrastructure to launch an attack. However, when remote SIP access is enabled without proper safeguards, the system becomes just as vulnerable as a cloud solution—often without the same sophisticated layers of protection.


Device Dependency

Regardless of deployment model, SIP client devices themselves remain a common point of failure. Misconfigured phones, expired certificates, or buggy softphone applications can disrupt user service. The difference lies in support: in a cloud environment, providers often assist with troubleshooting, while in an on-premises setup, the responsibility rests entirely on internal IT staff.

Cloud PBX only for SME

  1. OPEX vs CAPEX – No big upfront server/hardware costs. You just pay monthly (like a subscription).
  2. Scalability – Add/remove users easily without buying new hardware.
  3. Remote Work Friendly – Staff can connect from anywhere (important post-COVID).
  4. Less IT Maintenance – The provider maintains servers, updates, security patches.
  5. Fast Deployment – Can be up and running in days instead of months.

⚠️ On-Premises PBX for Larger Organizations

  1. Control – You own the system, control every setting, integration, and security policy.
  2. Call Quality – On-prem often has better, more stable quality if the local network is good (cloud depends heavily on internet).
  3. Cost in the Long Run – For large organizations with stable headcount, on-prem may be cheaper after 3–5 years.
  4. Regulatory / Security Needs – Some industries (banks, government, telcos) still prefer keeping data and call records inside their own premises/data center.
  5. Internet Dependency – If the internet is unstable or expensive (common in some areas), cloud PBX can become unreliable.

🔮 Real Trend Today

  • SMEs (small–medium enterprises) are adopting cloud PBX because it’s cheap, flexible, and easy.
  • Large enterprises & critical industries still invest in on-prem or hybrid PBX (part in cloud, part local) for better control and redundancy.
