Security in Avaya Enterprise and cloud-based solutions

Avaya delivers extensive protection for data and access through design, compliance, best practices, hardening, and controls. 

Spanning our entire portfolio of solutions that support contact centers and unified communications and collaboration for companies worldwide, on-premises or cloud-based, Avaya builds security and protections into every product.

Data privacy and protection

Avaya solutions are designed to protect all personal data and to enable enterprise customers to comply with national and international regulations that protect personal data and PII (GDPR, CCPA, PIPEDA, and more). 

  • Default settings within Avaya applications maximize personal data protection. 
  • Personal data minimization is implemented for collection, processing, and retention activities. 
  • Avaya architectures track the location and flow of all instances of personal data. 
  • Avaya provides fulfillment of data subject rights, consent management, data subject request handling, and fulfillment logging.
  • Avaya encrypts personal data in transit and at rest, with NIST-approved encryption enabled by default. 
  • Avaya solutions enable the controller to maintain compliance after a restore operation. 
  • Avaya provides documentation so the controller can benchmark privacy controls and conduct risk assessments.


Authentication and access controls

Avaya incorporates industry standards-based authentication and authorization mechanisms to enable secure access to system resources. 

  • No clear-text passwords, PINs, or passphrases: each is encrypted or hashed when stored.
  • Display of a password is blocked or hidden to prevent discovery. 
  • Authentication of all human and programmatic access. 
  • Default passwords changed after initial use. 
  • Strong password policies for human and programmatic accounts. 
  • Password/PIN aging and lockout policies for human and programmatic accounts. 
  • SSO and IAM integration support (for example, OAuth2 and SAMLv2). 
  • Customer-configurable security warning banners and last login display. 
  • Role-based access control for privileged users.
  • No required shared logins. 
  • Application services authenticate and authorize users, devices, and applications.

Trust and certificate management

PKI certificates play a central role in securing enterprise and cloud-based deployments. Avaya delivers TLS-based secure communications (for example, HTTPS, SIP-TLS), code signing, user authentication, and more. 

  • Participation in customers’ PKI and use of private and/or third-party CA certificates. 
  • Lifecycle management of unique identity certificates. 
  • Signed software/firmware validation. 
  • Secure storage of private/public key pairs. 
  • Issuance, validation, and revocation of certificates. 
  • Centralized management of trust certificates and trust domains. 

Encryption

To drive consistent encryption, message and data encryption, digital signature, message integrity, and authentication all must leverage high-strength industry-standard algorithms and key lengths. 

  • Symmetric encryption - AES 256. 
  • Asymmetric encryption - RSA 4096/3072/2048, DH 4096/2048, ECC secp384r1 and secp256r1.
  • Hashing - SHA-3/SHA-2; message authentication - HMAC-SHA2.
  • TLS 1.3 and TLS 1.2 with strong cipher suites.
  • Use of approved random number generation. 
  • SSH version 2. 
  • Sensitive data encrypted in transit and at rest. 

DoS, firewall, and malware protection

Firewall management of ports and data flows, DoS, and malware protection are essential to ensuring a system’s strong security posture and operational health. 

  • Inbound, outbound, and role-based access control to network firewall configuration. 
  • DoS recovery. 
  • Application session resource management. 
  • Antivirus and malware scanning support. 
  • Protection against buffer overflow, cross-site scripting, and XML/SQL/command injection (OWASP Top 10 security risks).

Operating system and container hardening

Hardening is essential to ensuring a system's strong security posture and operational health.

  • Minimal installation: only the network and operating system services, applications, libraries, and files needed for correct operation. 
  • Keeping the operating system, third-party software, and packages current.
  • Least privilege: install and enable only what’s necessary for the correct operation of the product or application. 
  • Isolated security functions.
  • Separate disk partitions for executables, data, and users. 
  • No world read, write, or execute privilege for sensitive files and directories. 
  • SSH service hardening and use of secure services (no telnet, ftp, echo, etc.). 
  • Best practices for building, securing, and operating containers.
  • Public cloud vendor container platforms configured according to published guidelines. 
  • Compliance with industry regulations and standards, including PCI DSS and HIPAA. 

Web app, services and API protection

Avaya leverages secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others.

  • Enforced HTTP content type, safe character set, and encoding. 
  • Secure session identifier properties and session timeout.
  • Web session identifiers are different before and after authentication. 
  • Limited total concurrent sessions and sessions per user. 
  • Input validation and enforced input data type and length restrictions. 
  • Proper cookie usage. 
  • Web security event logging and error/debugging messages (STIG requirements). 
  • Security-related header usage. 
  • Disabled auto-complete on sensitive form fields. 
  • Sensitive or personal information sent in the URI or its parameters is dropped. 
  • Re-authentication for changes to user account ownership information. 
  • Web crawler access and directory listings are disallowed.
  • Consumption of internal and public APIs secured through authorization tokens and industry best practices. 

Secure software development lifecycle

Avaya products are assessed for compliance against our continuously evolving set of requirements, which are based on industry benchmarks and regulations. 

  • Portfolio management and production readiness reviews ensure our software security objectives and standards are met. 
  • Security architecture, threat assessment, and modeling are part of our software design process. 
  • Secure coding practices, code reviews, Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST) are built into our software development and build process. 
  • Our Product Security Vulnerability Response Policy ensures risk assessment, threat prioritization, response, proactive customer contact, and expedited remediation. Avaya is also a MITRE-recognized CVE Numbering Authority (CNA).
  • Developers are regularly trained on web application security protocols, including the Open Web Application Security Project (OWASP) and SANS Top 25 common vulnerabilities.