Compare Plans

Security in Avaya Enterprise and cloud-based solutions

Avaya delivers extensive protection for data and access through design, compliance, best practices, hardening, and controls. 

Spanning our entire portfolio of solutions that support contact centers and unified communications and collaboration for companies worldwide, on premise or cloud-based, Avaya builds security and protections into every product. 

Authentication and access controls

Avaya incorporates industry standards-based authentication and authorization mechanisms to enable secure access to system resources. 

  • No clear text passwords, PINs, or pass phrases—we encrypt or hash each when stored. 
  • Display of a password is blocked or hidden to prevent discovery. 
  • Authentication of all human and programmatic access. 
  • Default passwords changed after initial use. 
  • Strong password policies for human and programmatic accounts. 
  • Password/PIN aging and lockout policies for human and programmatic accounts. 
  • SSO and IAM integration support (for example, OAuth2 and SAMLv2). 
  • Customer-configurable security warning banners and last login display. 
  • Role-based access control for Privileged users. 
  • No required shared logins. 
  • Application services authenticate and authorize users, devices, and applications. 

Trust and certificate management

PKI certificates play a central role in securing enterprise and cloud-based deployments. Avaya delivers TLS-based secure communications (for example, HTTPS, SIP-TLS), code signing, user authentication, and more. 

  • Participation in customers’ PKI and use of private and/or third-party CA certificates. 
  • Lifecycle management of unique identity certificates. 
  • Signed software/firmware validation. 
  • Secure storage of private/public key pairs. 
  • Issuance, validation, and revocation of certificates. 
  • Centralized management of trust certificates and trust domains. 

Encryption

To drive consistent encryption, message and data encryption, digital signature, message integrity, and authentication all must leverage high-strength industry-standard algorithms and key lengths. 

  • Symmetric encryption - AES 256. 
  • Asymmetric encryption - RSA 4096/3072/2048, DH 4096/2048, ECC secp384r1 and secp256r1, Hash SHA3/SHA2, HMAC HMAC-SHA2. 
  • TLS1.3 and TLS1.2 with strong ciphers suites. 
  • Use of approved random number generation. 
  • SSH version 2. 
  • Sensitive data encrypted in transit and at rest. 

DoS, firewall, and malware protection

Firewall management of ports and data flows, DoS, and malware protection are essential to ensuring a system’s strong security posture and operational health. 

  • Inbound, outbound, and role-based access control to network firewall configuration. 
  • DoS recovery. 
  • Application session resource management. 
  • Antivirus and malware scanning support. 
  • Buffer overflow, cross-site scripting, and XML/SQL/Command Injection Protection (OWASP Top 10 security risks). 

Web app, services and API protection

Avaya leverages secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others. 

  • Enforced HTTP content type, safe character set, and encoding. 
  • Session identifier properties and timeout. 
  • Web session identifiers are different before and after authentication. 
  • Limited total concurrent sessions and sessions per user. 
  • Input validation and enforced input data type and length restrictions. 
  • Proper cookie usage. 
  • Web security event logging and error/debugging messages (STIG requirements). 
  • Security-related header usage. 
  • Disabled auto-complete on sensitive form fields. 
  • Sensitive or personal information sent in the URI or its parameters is dropped. 
  • Re-authentication for changes to user account ownership information. 
  • Disallow web crawler access and directory listings. 
  • Consumption of internal and public APIs secured through authorization tokens and industry best practices. 

Secure software development lifecycle

Avaya products are assessed for compliance against our continuously evolving set of requirements, which are based on industry benchmarks and regulations. 

  • Portfolio management and production readiness reviews ensure our software security objectives and standards are met. 
  • Security architecture, threat assessment, and modeling are part of our software design process. 
  • Secure coding practices, code reviews, Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST) are built into our software development and build process. 
  • Our Product Security Vulnerability Response Policy ensures risk assessment, threat prioritization, response, proactive customer contact, and expedited remediation. Avaya is also a MITRE-recognized CVE Numbering Authority (CNA). 
  • Developers are regularly trained on web application security protocols, including the Security Project (OWASP) and SANS Top 25 common vulnerabilities. 
Loading page...
Error: There was a problem processing your request.