Fuze Security


Introduction

Security and privacy requirements are extremely important when it comes to business communications. Unauthorized access or mishandling of information could have a significant negative impact on an organization. A leaked product roadmap or a breach of financial, personally-identifiable, or health information could cause irreparable damage to a company's reputation, financial position, and/or competitive advantage in the marketplace.

Fuze considers the protection of customer data and the transparency of our security posture of the utmost importance. We make every effort to ensure that data is secure and shielded from eavesdropping and unauthorized access. A defense-in-depth approach is employed across the Fuze platform whereby multiple layers of security work together to deliver reliable service in a trusted environment.

[Figure: Security in Depth. Layers shown, outermost to innermost: Physical Security, System Security, Network Security, Management, Compliance, Application, Customer Data]

Customer Data

All data created in the Fuze platform belongs to our customers. Under no circumstances does Fuze sell this data to third parties. Details of the Fuze Privacy Policy can be found at fuze.com/product-privacy-statement.

Security Organization

A dedicated security team manages our comprehensive security program and reports on a quarterly rhythm to a security council of cross-functional leadership and to the board of directors' audit committee. The security team conducts regular audits of operational processes, coordinates all penetration testing activity, and works closely with engineering to provide information security governance for the Software Development Life Cycle (SDLC).

People Security

Personnel Verification - Fuze completes background checks on all employees and contractors.

Information Security Training & Education - All new Fuze employees are required to complete security awareness training during their on-boarding, and all employees are mandated to complete annual security awareness and data privacy training.

Access Management - We actively reduce the attack surface of our platform by limiting the number of personnel with access to production. We employ a role-based access control (RBAC) model, the principle of least privilege, and multi-factor authentication for access to production systems.

Feedback and Reporting - Fuze understands the important role that security researchers play in keeping our systems and software secure. We publish guidelines for the responsible disclosure of product vulnerabilities on our website and respond to all inquiries within 24 hours.

Product Security

Secure by Design - We inject security best practices into every step of our development lifecycle. Security is built into checkpoints from when a developer begins design and checks in code to when a build is validated and deployed.

Vulnerability Management - We aggressively hunt for bugs and weaknesses in our software using the following security rigor:
  SDLC processes include adherence to the OWASP Top 10 list
  Peer reviews of source code are conducted prior to product builds
  Automated software scanning with Veracode:
    - Source code vulnerability scanning
    - Open source scanning to ensure license compliance and vulnerability management

Internal Penetration Testing - As a continuous effort, Fuze's internal security team regularly tests the Fuze platform against the latest security threats.

Third-party Penetration Testing - Unauthenticated and authenticated third-party penetration testing is commissioned for every client endpoint and all web properties.

Threat Modeling - Optimizes security by identifying threats and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, those threats to the platform.

Encryption-in-transit - For all Fuze endpoints, without requiring a VPN.

Encryption-at-rest - For certain data stored in the platform.

Data Retention - Customer data is retained based on defined retention periods or retained only as required to deliver Fuze platform services.

Change Management - Regular change reviews, documented change requests and approval, post-deployment verification, and roll-back procedures.

Patch Management - Required and deployed patches are documented and tested on non-production environments before production deployment and include roll-back contingencies.

Account Security - Fuze can integrate with the customer's directory service through SAML 2.0. Alternatively, if native Fuze authentication is used, passwords are stored in a salted, one-way hash.

Data Isolation - Customer data is logically separated and secured through access control lists.
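The Account Security item above says native Fuze passwords are stored as a salted, one-way hash, but does not name the algorithm or cost factor. The following is an added example, not Fuze's code, showing what that control looks like when implemented correctly: a random per-password salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256, chosen here as an assumption), a self-describing stored record, constant-time comparison on verification, and a rehash check so that old records can be upgraded when the cost policy changes. The function names, the record format and the iteration count are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Policy values are illustrative assumptions for this example; the whitepaper
# states only "salted, one-way hash" and does not specify algorithm or cost.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # current cost policy (slow on purpose)
SALT_BYTES = 16           # 128-bit random salt, unique per stored password
DK_LEN = 32               # derived key length in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn for every call, so hashing the same password
    twice yields two different records and identical passwords across users
    cannot be spotted by comparing stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and cost stored in the record.

    Malformed records verify as False rather than raising, and the final
    comparison is constant-time so timing does not leak how many leading
    bytes of the hash matched.
    """
    try:
        algorithm, iterations_s, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was produced under a weaker policy than today's.

    Call this after a successful login; the plaintext is available only at
    that moment, so that is when a stale record can be re-hashed and replaced.
    """
    try:
        algorithm, iterations_s, _salt_hex, _hash_hex = record.split("$")
        iterations = int(iterations_s)
    except ValueError:
        return True
    return algorithm != ALGORITHM or iterations < ITERATIONS


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("correct password verifies:", verify_password("correct horse battery staple", stored))
    print("wrong password verifies:  ", verify_password("Correct horse battery staple", stored))
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

The record carries its own salt and cost, so raising ITERATIONS later does not break existing logins; `needs_rehash` flags those records for upgrade at the next successful authentication.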

Cloud and Network Infrastructure Security

Defense-in-Depth - Multiple layers of security are implemented to ensure customer data remains safe. These layers include physical, network, system, and application levels of security protocol.

Tier 4 Data Centers - Our data centers are equipped with redundant HVAC and power, raised floors, electronic access control, biometric scanners, alarms and video surveillance, 24/7 guard presence, and geographic redundancy.

Infrastructure Management - Access to platform networks, data, and infrastructure is limited to employees with proper authentication, authorization, and documentation.

Configuration Management - Configuration changes to assets are automatically identified to ensure that no unauthorized changes to production systems occur.

Network Monitoring - All data center assets are continuously monitored to ensure adequate performance and capacity are available for our customers.

Fraud Prevention - Default disabling of premium, international, and voicemail dial-out calling, as well as automated blacklist functionality.

Fraud Detection - Fuze personnel are notified when the carrier detects aberrations on their networks, and alerted when the platform detects potential fraudulent activity.

AWS - More information on the physical and operational security processes for network and server infrastructure under the management of AWS can be found at hitepaper.pdf.

Physical Security

Offices - Physical security controls include access control and audit trail for employees and visitors, video monitoring of all entrance and exit points, delimited security perimeters with additional security for places such as storage rooms, power and AC rooms, employee awareness training, and periodic testing of physical controls.

Data Encryption - In Transit

UC Voice - TLS for SIP (session) and AES 128-bit for SRTP (media)
Fuze Meeting - TLS for SIP (session) and AES 128-bit for SRTP (media)
Customer Portal - HTTPS with TLS
Mobile Application - HTTPS with TLS
Fuze Desktop - HTTPS with TLS

Data Encryption - At Rest

Call Recording - AES 256-bit
Uploaded Fuze Meeting Content - AES 256-bit
Fuze Meeting Recordings - AES 256-bit
Fuze Chat History - AES 256-bit

Vulnerability Management & Monitoring

Incident Response Program - Fuze has a clearly defined process for classifying, assessing, prioritizing, and mitigating security incidents.

Continuous Monitoring - Fuze is committed to trust and transparency. In addition to the monitoring at the infrastructure level, we provide communication and updates on any incidents via status.fuze.com.

Incident Logs

DDoS Detection and Prevention

Disaster Recovery & Business Continuity

Recovery Planning - Fuze regularly reviews and updates the defined Disaster Recovery and Business Continuity plans.

Regional & Global Resiliency - Geographically and globally redundant data center locations combined with services delivered from multiple AWS regions.

Customer Data Backups - Fuze utilizes secure backups of customer data and replicates data to a secondary Fuze data center for full redundancy.

Security Assessments and Compliance

Independent audit and verification are essential in any security framework. Fuze undergoes assessment through third parties and major industry parties. These assessments provide assurance that Fuze has the security controls in place to safeguard customer data. Visit fuze.com/why-fuze.

SOC 1 (Type II)
SOC 2 (Type II)
EU-US & Swiss-US Privacy Shield Frameworks
