Security

Meet business-critical mandates with communications that are secure, compliant, and accredited by major regulatory bodies. 

Related links

Avaya portfolio security

Keeping our customers’ data secure is a primary requirement in product development. 

Security by design

Avaya cloud security

Learn how we meet the unique needs for securing data in our cloud-based solutions. 

Security for cloud

Frequently asked questions:

Does Avaya Experience Platform solution/service support Security Posture Management?

Avaya recognizes that security is a key customer concern for a Cloud Solution, and that obtaining accurate information about our solution security is paramount. Available through an account representative under NDA, the Avaya Experience Platform (AXP) Public Security Playbook illustrates our:

  • 360º security visibility  
  • Global security intelligence 
  • Sophisticated customer-facing controls
  • Secure and hardened CCaaS solution 

Does the AXP Public solution support access control methods?

Yes, and it includes: role-based access control (RBAC), mandatory access control (MAC), and discretionary access control (DAC). Multi-tenant Role Based Access Control (RBAC) provides fine-grained access management of Contact Center resources. Using RBAC, a customer may segregate duties within an organization and grant only the amount of access to Users and Applications needed to perform their role.

Avaya’s AXP solution provides role-based access control (RBAC) for granular control of users. Admin Center uses a unique account/tenant ID across all APIs, events, and data to prevent unauthorized access to the data of a customer. These roles are pre-configured or built-in to cover different job functions related to administration and contact center operations. You can define permissions on the protected resources and map these permissions to built-in roles during installation. Examples of the built-in roles include:

  • System administrator
  • Auditor
  • Security Administrator
  • Tenant Administrator
  • Supervisor
  • Reporting User
  • Operations Manager or Analyst

Does the AXP solution embrace AOSSL (Always On SSL)?

AXP uses encryption to protect all data in transit and at rest. Data in transit uses Transport Layer Security (TLS) version 1.2+. The cloud platform aligns with National Institute of Standards and Technology (NIST) standards to underpin our security protocols, standards & encryption practices, and maintains ISO 27001, 27017, and 27018 certifications as well as PCI compliance. Key Vault Technology is used to maintain trust and ensure the security and integrity of:

  • Secrets Management - tokens, passwords, certificates, & API keys
  • Key Management - controlling the encryption keys used to encrypt your data
  • Certificate Management - deploy the platform that supports public and private TLS/SSL certificates

Additionally, strong encryption is achieved by using 2048-bit public/private key pairs to create unreadable records that may be safely stored.

Does Solution Provider implement IDS / IPS to detect and block malicious network traffic that exploits vulnerabilities in OS and middleware? If so, describe the conditions for monitoring and operation.

We proactively identify and monitor threats utilizing User and Entity Behavior Analytics (UEBA) to detect:  

  • Zero-day,
  • Targeted attacks, and
  • Advanced persistent threats.

Our Partners, Security Teams and Tools continuously monitor and isolate threats in real time through 24x7x365 proactive monitoring, response, and incident handling processes.

Are activity logs in our environment maintained?

To maintain security and to ensure trust and integrity, Avaya maintains a variety of audit logging within the AXP solution, including:

  • Active Audit Trail
  • Activity logs
  • Audit reports
  • Diagnostic services, logs, & metrics (such as Key Vault audit)
  • Network Security Group (NSG) flow logs & event logs
  • Cloud Monitoring, Cloud Network Watching & Cloud Real-time scanning
  • Audit data retention & archiving to meet Sovereignty & Regulatory Processes
  • Retention period for Monitor Logs is 365 days, and it can be configured up to a maximum of two years

Describe the Solution Provider’s process to report an incident.

Support for AXP is based on ITIL®️ processes, including Service Desk, Service Management, Incident Management, Problem Management, and Change Management.  

Describe the Solution Provider’s reporting mechanism for security and/or other incidents. In what format do notifications go out, and what information do they contain?

In case of an incident, customers of AXP will receive an email with details of the updates being applied to the environment through the standard notification processes for all Planned Maintenance and Emergency Changes. Customers will be notified of any security incident in accordance with contracted obligations.

Is it possible to obtain my administrator's operation log?

Avaya enables the export of audit trace logs for integration with a customer SIEM. RWS admin can download application configuration change logs, although product activity and resource logs aren't exportable. By default, the retention period within the platform is 90 days but can be expanded up to one year.

Does Avaya conduct infrastructure (OS/Middleware/Network) vulnerability scanning regularly and take countermeasures swiftly when the vulnerability is detected?

AXP is scanned regularly with a third-party, industry-standard solution, and pen tests are conducted at least annually. Vulnerabilities identified as a part of Avaya’s Vulnerability and Penetration Testing (VAPT) processes will be addressed in accordance with Avaya’s vulnerability patching guidelines and processes.