Security

Meet business-critical mandates with communications that are secure, compliant, and accredited by major regulatory bodies. 

Comprehensive Security in the Avaya Portfolio 

Avaya prioritizes security across its infrastructure, from data centers to digital services, enabling you to protect sensitive and private data. Extensive, proven, scalable security capabilities are built into every Avaya Enterprise product and Avaya OneCloud solution. In addition, Avaya OneCloud solutions include specific capabilities for security, business continuity, and quality controls. 

Avaya Portfolio Security

Keeping our customers’ data secure is a primary requirement in product development. 

Security by Design

Avaya OneCloud Security

Learn how we meet the unique needs for securing data in our cloud-based solutions. 

Security for Cloud

Frequently Asked Questions

Does Avaya’s CCaaS Public solution/service support Security Posture Management?

Avaya recognizes that cloud solution security is a primary customer concern. The Avaya OneCloud Public Security Playbook illustrates our: 

  • 360º security visibility  
  • Global security intelligence 
  • Sophisticated customer-facing controls
  • Secure and hardened CCaaS solution 

Does Avaya’s CCaaS Public solution support access control methods?

The supported access control methods are:

  • Role-based access control (RBAC)
  • Mandatory access control (MAC)
  • Discretionary access control (DAC)

Multi-tenant RBAC provides fine-grained access management of Contact Center resources. Using RBAC, you can segregate duties within your organization and grant users and applications only the access they need to perform their roles. Between you, the Customer, and Avaya, the Provider, we employ Segregation of Duties (SoD) as a security strategy and to maintain compliance with regulations.

Avaya OneCloud solutions provide RBAC for granular control of users. The Admin Center uses a unique account ID across all APIs, events, and data to prevent unauthorized access to a customer's data. Roles are pre-configured, or built in, to cover different job functions related to administration and contact center operations. You can define permissions on the protected resources and map these permissions to built-in roles during installation. The built-in roles are:

  • System administrator 
  • Auditor 
  • Security administrator 
  • Tenant administrator 
  • Supervisor 
  • Reporting user 
  • Operations manager or analyst 

Does Avaya’s CCaaS Public solution/service support access control by IP address or range we specify?

Yes. However, the list of IP addresses may change over time in line with Azure range assignments for the various cloud components and regions. Inbound traffic through public APIs and Admin panels can be restricted at the Avaya OneCloud solution level.

Do Avaya OneCloud solutions/services embrace AOSSL (Always On SSL)?

Avaya OneCloud solutions use encryption to protect all data in transit and at rest. Data in transit uses Transport Layer Security (TLS) version 1.2+. The Cloud platform complies with Federal Information Processing Standards (FIPS) 140-2 and National Institute of Standards and Technology (NIST) standards, which underpin our security protocols, standards, and encryption practices. Key Vault Technology is used to maintain trust and to ensure the security and integrity of:

  • Secrets Management: tokens, passwords, certificates, and API keys
  • Key Management: controlling the encryption keys used to encrypt your data
  • Certificate Management: deploying the platform that supports public and private TLS/SSL certificates
  • Strong encryption is achieved by using 2048-bit public/private key pairs to create unreadable records that may be safely stored
  • Keys support the encryption of API transactions, passwords, certificates, or cryptographic exchanges

Does Avaya implement IDS/IPS to detect and block malicious network traffic that can exploit vulnerabilities in OS and middleware? If so, describe the conditions for monitoring and operation.

We proactively identify and monitor threats utilizing User and Entity Behavior Analytics (UEBA) to detect:  

  • Zero-day
  • Targeted attacks
  • Advanced persistent threats

Our partners, security teams, and tools continuously monitor and isolate threats in real time through 24x7x365 proactive operational response and incident handling processes.

Do Avaya OneCloud solutions/services record access and authentication logs of our cloud service users (all administrative users and general users, etc.)?

To maintain security and to ensure trust and integrity, we maintain security change audit logging of our entire Cloud real estate: 

  • Restricting change via pipeline and maintaining:
  • Active audit trail
  • Activity logs
  • Audit reports
  • Diagnostic services, logs, and metrics (such as key vault audit)
  • Network Security Group (NSG) flow logs and event logs
  • Cloud monitoring, Cloud network watching, and Cloud real-time scanning
  • Audit data retention and archiving to meet sovereignty and regulatory processes
  • The retention period for monitor logs is 365 days, configurable up to a maximum of two years

Describe the solution provider’s process to report an incident.

Support for Avaya OneCloud solutions is based on ITIL®️ processes, including service desk, service management, incident management, problem management, and change management.

Describe the solution provider’s reporting mechanism for security and/or other incidents. In what format do notifications go out and what information do they contain?

For Avaya OneCloud solutions, customers receive an email with details of the updates being applied to the environment through the standard notification processes for all planned maintenance and emergency changes.

Is it possible to obtain my administrator's operation log?

Avaya enables the export of audit trace logs for integration with a customer SIEM. An RWS admin can download application configuration change logs. Product activity and resource logs aren't exportable. The retention period is 90 days, but it is configurable.

Does the solution provider conduct infrastructure (OS/Middleware/Network) vulnerability scanning (inspection) regularly and take countermeasures swiftly when the vulnerability is detected?

Yes. Systems are scanned with Qualys and patched according to Avaya’s vulnerability and patch management security standard. Avaya conducts vulnerability assessment and penetration testing on a regular cadence to maintain targeted regulatory compliance. Please note: Avaya doesn’t allow our customers to conduct vulnerability assessment and penetration testing on Avaya OneCloud Public platforms.