Plantronics RealAccess User Manual

SECURITY AND PRIVACY WHITE PAPER
Part 3725-85367-001 Version 1.3 September 2018
Polycom RealAccess Analytics
SECURITY AND PRIVACY WHITE PAPER FOR POLYCOM REALACCESS ANALYTICS
INTRODUCTION
This white paper addresses security and privacy related information for Polycom RealAccess™ Analytics. It also describes the security features and access controls in Poly’s processing of personally identifiable information or personal data (“personal data”) and customer data in connection with the provisioning and delivery of the Polycom RealAccess product, and the location and transfers of personal and other customer data. Poly uses such data in a manner consistent with the Poly Privacy Policy and this white paper (as may be updated from time to time). This white paper is supplemental to the Poly Privacy Policy. The most current version of this white paper will be available on Poly’s website.
OVERVIEW
Polycom RealAccess provides a subscribing customer access to a dedicated web portal, which includes a broad range of on-demand monitoring and management of video conferencing services, along with in-depth reporting capabilities. Reports are based on data (including certain personal data of the customer as described below) collected from a customer’s Polycom RealPresence Platform and automatically uploaded to the cloud-based RealAccess portal using a data extraction agent installed on the customer’s premises.
SECURITY AT POLY
Security is always a critical consideration for any product. Poly aligns with ISO/IEC 27001:2013 practices for our Information Security Management System (ISMS). ISO/IEC 27001 is the most widely accepted international standard for information security best practices and a tangible measure by which existing and potential customers can be reassured that Poly has established and implemented best-practice information security processes. ISO/IEC 27001:2013 not only reinforces our commitment to information security best practices and controls, but it explicitly includes the product development process.
Product security at Poly is managed through the Poly Security Office (PSO), which oversees secure software development standards and guidelines. The Poly Product Security Standards align with NIST Special Publication 800-53, ISO/IEC 27001:2013 and OWASP for application security.
Guidelines, standards, and policies are implemented to provide our developers industry-approved methods for adhering to the Poly Product Security Standards.
SECURE SOFTWARE DEVELOPMENT LIFE CYCLE
Poly follows a Secure Software Development Life Cycle (S-SDLC) with an emphasis on security throughout the product development process. Every phase of the development process ensures security by establishing security requirements alongside functional requirements as part of initial design. Architecture reviews, code reviews, internal penetration testing, and attack surface analysis are performed to verify the implementation.
The S-SDLC implemented by Poly also includes a significant emphasis on risk analysis and vulnerability management. To increase the security posture of Poly products, a defense-in-depth model is systematically incorporated through layered defenses. The principle of least privilege is always followed. Access is disabled or restricted to system services nonessential to standard operation. Additional testing, in the form of standards-based Static Application Security Testing and patch management, is a cornerstone of our S-SDLC.
PRIVACY BY DESIGN
Poly implements internal policies and measures based on perceived risks which meet the principles of data protection by design and data protection by default. Such measures consist of minimizing the processing of personal data, anonymizing personal data as soon as possible, transparently documenting the functions, and processing of personal data and providing features which enable the data subject to monitor the data processing while also enabling the data controller to create and improve security features.
When developing, designing, selecting, and using applications, services and products that are based on the processing of personal data or process personal data to fulfill their task, Poly considers the right to data protection with due regard to making sure that data controllers and processors can fulfill their data protection obligations.
REALACCESS SOFTWARE AGENT
The agent runs as a virtual machine instance. The agent’s operating system (OS) has been hardened with the latest security patches, best practices for software configuration, and the removal of unnecessary services. Additionally, the OS security has been verified using several industry-leading security and vulnerability scanning tools, as well as manual testing.
The agent may reside in the customer’s DMZ if required, with access to the cloud and to the RealPresence Platform component(s) on the customer’s RealPresence video network.
A service on the agent uses device-specific credentials to make API calls on specific ports to retrieve data from sources such as call servers (Polycom RealPresence Distributed Media Application™ (DMA)) and scheduling and provisioning servers (Polycom RealPresence Resource Manager). When accessing these devices, all credentials are sent over an HTTPS connection using TLS with 256-bit encryption.
The agent does not store data collected from the RealPresence Platform in any form (cache or persistent storage) on the agent itself.
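The paragraph above makes three verifiable claims about the agent’s API calls: the credentials travel only inside TLS, the symmetric strength is 256 bits, and nothing collected is written to the agent. The following Python is an added example written for this page, not Poly’s agent code: it builds the TLS client context such a collector should use (certificate verification against a CA bundle, hostname checking, TLS 1.2 as the floor, AES-256-GCM suites only), exposes a summary a reviewer can assert on, and refuses to build a request for any non-https:// URL so a misconfigured endpoint can never leak device credentials in cleartext. HTTP Basic authentication, the bundle path, and the URL are assumptions for illustration; the real platform APIs may authenticate differently.

```python
import base64
import json
import ssl
import urllib.request

# Assumed: path to the CA bundle that issued the DMA / Resource Manager server
# certificates. None falls back to the system trust store.
PLATFORM_CA_BUNDLE = None

# TLS 1.2 suites: ECDHE for forward secrecy, AES-256-GCM only. TLS 1.3 suites
# are fixed by the library and are not affected by set_ciphers().
AES256_SUITES = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def make_agent_tls_context(ca_bundle=PLATFORM_CA_BUNDLE):
    """Client context for the agent's API calls: verified peer certificate,
    hostname check, TLS 1.2 floor, 256-bit AEAD suites."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(AES256_SUITES)
    return ctx


def tls_posture(ctx):
    """Plain-value summary of the settings a reviewer checks on the context.
    Any negotiable TLS 1.2 suite with a key shorter than 256 bits is listed."""
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and c["strength_bits"] < 256]
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "weak_tls12_suites": weak,
    }


def api_request(url, username, password):
    """Build the authenticated request (Basic auth assumed). Only https:// is
    accepted: the device credential must never be sent over cleartext HTTP."""
    if not url.lower().startswith("https://"):
        raise ValueError("platform API calls must use https://")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})


def fetch_json(url, username, password, ctx=None):
    """Pull one JSON document and return it in memory; nothing touches disk,
    matching the no-cache / no-storage property described for the agent."""
    ctx = ctx or make_agent_tls_context()
    req = api_request(url, username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)
```

`tls_posture()` is the check to run against whatever context the agent actually constructs: an empty `weak_tls12_suites` list, `min_version` of `TLSv1_2` and `verifies_peer` of `True` are the minimum that makes the “TLS with 256-bit encryption” statement true in practice. A context that is built with `check_hostname = False` or `verify_mode = CERT_NONE` for convenience in the lab still encrypts, but it lets anyone on the path between the agent and the DMA present their own certificate and collect the device credential.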
The next step in the data delivery process is to transport and deposit customer data to the RealAccess data store, located in an SSAE 16 Type II certified data center in California. All communication between the RealAccess agent and data store is via an OpenVPN tunnel. Any attempt to monitor the link between the agent and data center servers will only show encrypted packets instead of cleartext information.
All maintenance activities, OS patching, code updates, and NTP time synchronization for the agent are handled via this OpenVPN tunnel from the data center. All OS patches, updates or other necessary hot fixes will be performed on a regular basis as needed.
SECURE DEPLOYMENT
The RealAccess agent gathers data from various RealPresence Platform sources and transports it to the RealAccess data store. The following information and architecture diagram provide an overview of the secure deployment configuration:
Secure and bi-directional tunnel
o OpenVPN/SSL
o All packets are encrypted
o The tunnel is encrypted
RealAccess software agent
o Deployed on a virtual server (in your environment)
Supported virtual machine formats
o VMware
o KVM
o Xen
o Hyper-V
USER AUTHENTICATION
User authentication for RealAccess can be performed in two ways. The simplest is to use the authorized customer domain. Members of the domain can use their email address to register at the self-sign-in portal. The system sends a verification email to the address provided; the user follows it to authenticate and choose a password.
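The self-sign-in flow described above (authorized domain, verification email, then a password) is short to describe but easy to get subtly wrong. The following Python is an added example written for this page, not Poly’s portal code; it implements the flow in memory with the checks a reviewer would look for: an exact match on the domain after the single “@” (so user@example.com.attacker.net or user@notexample.com cannot register), a random single-use token of which only a hash is stored, a short lifetime, a cap on wrong-token attempts, constant-time comparison, and a salted PBKDF2 password hash. The authorized domain, the portal URL, the lifetime and the attempt limit are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values; a real portal reads these from its configuration.
AUTHORIZED_DOMAINS = {"example.com"}
TOKEN_TTL_SECONDS = 15 * 60        # lifetime of a verification link
MAX_TOKEN_ATTEMPTS = 5             # wrong tokens tolerated before the link is cancelled
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def normalize_email(email):
    return email.strip().lower()


def domain_allowed(email):
    """Exact match on the part after the single '@'; suffix/prefix look-alikes fail."""
    email = normalize_email(email)
    if email.count("@") != 1:
        return False
    local, domain = email.split("@")
    return bool(local) and domain in AUTHORIZED_DOMAINS


def _token_hash(token):
    return hashlib.sha256(token.encode()).digest()


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Registrar:
    """In-memory stand-in for the self-sign-in portal's state."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be exercised
        self.pending = {}        # email -> {"hash", "expires", "attempts"}
        self.users = {}          # email -> (salt, pbkdf2 hash)
        self.outbox = []         # (email, link) a real portal would send by mail

    def start_registration(self, email):
        """Step 1: issue a random, single-use, short-lived token. Only its hash is
        kept, so reading the table does not yield usable verification links."""
        if not domain_allowed(email):
            raise PermissionError("address is not in an authorized customer domain")
        email = normalize_email(email)
        token = secrets.token_urlsafe(32)                 # 256 bits of entropy
        self.pending[email] = {"hash": _token_hash(token),
                               "expires": self.now() + TOKEN_TTL_SECONDS,
                               "attempts": 0}
        self.outbox.append((email, f"https://portal.example/verify?token={token}"))
        return token  # returned only so a caller can play the role of the mailbox

    def complete_registration(self, email, token, password):
        """Step 2: the user presents the token and chooses a password."""
        email = normalize_email(email)
        entry = self.pending.get(email)
        if entry is None:
            return False
        if self.now() > entry["expires"]:
            del self.pending[email]                       # expired: cancel it
            return False
        if len(password) < MIN_PASSWORD_LENGTH:
            return False                                  # policy failure keeps the token usable
        if not hmac.compare_digest(entry["hash"], _token_hash(token)):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_TOKEN_ATTEMPTS:
                del self.pending[email]
            return False
        del self.pending[email]                           # single use
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _password_hash(password, salt))
        return True

    def login(self, email, password):
        """Always hash and compare, even for unknown users, so response time does
        not reveal whether an address is registered."""
        email = normalize_email(email)
        salt, expected = self.users.get(email, (b"\0" * 16, b"\0" * 32))
        match = hmac.compare_digest(_password_hash(password, salt), expected)
        return match and email in self.users
```

Re-running `start_registration()` for an address that already has an account simply issues a fresh link to that mailbox; completing it sets a new password, which is acceptable only because possession of the mailbox is exactly what the flow relies on. Everything else the portal does (rate limiting the registration endpoint, the wording of the email) sits outside this example.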