Polycom RealAccess Security White Paper The Polycom RealAccess service is delivered using the Software as a Service (SaaS) model. This white paper outlines how the service protects sensitive customer data from unauthorized access. RealAccess provides a subscribing customer access to a dedicated web portal, which includes a broad range of on-demand monitoring and managing of videoconferencing services along with in-depth reporting capabilities. Reports are based on data collected from a customer s Polycom RealPresence Platform and automatically uploaded to the cloud-based RealAccess portal using a data extraction agent installed on the customer s premises. Potential Points of Vulnerability The following potential points of vulnerability with the RealAccess portal are outlined in this white paper: Connectivity to Polycom RealPresence Platform source data Transfer of customer data over the Internet to the RealAccess data store Storage of information on the RealAccess cloud-based database server Display and delivery of information between the RealAccess portal and end users via web browsers User authentication to access information Connectivity to Polycom RealPresence Platform Source Data The RealAccess agent gathers data from various RealPresence Platform sources and transports it to the RealAccess data store. The following diagram is an overview of the security provided by RealAccess. August 2015 3725-71965-001A 1
RealAccess software agent The agent is an instance operating as a virtual machine. The agent s OS has been hardened with the latest security patches, best practices for software configurations, and the removal of unnecessary services. Additionally, the OS security has been verified using security scan tools, including Nessus, Nexpose, and Nmap, as well as manual testing. The agent resides in the customer s DMZ, with access to the cloud and the RealPresence Platform component(s) on the customer s RealPresence video network. The agent has only one login for administrative access by the Polycom administrator. There is a service on the agent that uses device-specific credentials to make API calls on specific ports to access data from sources such as call servers (Polycom RealPresence Distributed Media Application (DMA )), scheduling and provisioning servers (Polycom RealPresence Resource Manager), and media controllers (MCU). While accessing these devices, all credentials are encrypted via https tunnel using TLS with 256-bit encryption. The agent does not store data collected from the RealPresence Platform in any shape or form (cache or storage) in its archives. If you would like to perform penetration testing of the agent prior to deployment, contact your Polycom Representative for more information. Transfer of Customer Data Over the Internet to the RealAccess Data Store The next step in the data delivery process is to transport and deposit customer data to the RealAccess data store, located in an SSAE 16 Type II certified data center. All communication with the RealAccess Polycom, Inc. 2
agent and data store is via an OpenVPN tunnel. Any attempt to monitor the link between the agent and data center servers will only show encrypted data packets instead of cleartext information. All maintenance activities, OS patching, code updates, and NTP time synchronization for the agent are handled via this OpenVPN tunnel from the data center. Storage of Information on the RealAccess Cloud-Based Database Server The RealAccess database server is located in an SSAE 16 Type II certified data center that runs dedicated databases and application servers. When the RealAccess database server receives data from the customer, it is verified for integrity, processed, and saved onto the database. The RealAccess database and application servers reside in the data center behind a fully patched Check Point firewall. Access for any services not required by RealAccess is blocked. Each customer s data resides in the multitenant system and is compartmentalized using access controls to provide data isolation between RealAccess customers. Servers are located in a secure data center, with only authorized data center staff members having access. The servers are not directly accessible from outside the data center, and all customer data is backed up on a daily basis. Customer data is encrypted at rest and will be anonymized upon customer request at the end of a subscription. The anonymization process includes and is not limited to searching and sanitizing all customer-specific data (such as name, site information, and IP address) with randomly generated alphanumeric characters. Display and Delivery of Information Between the RealAccess Portal and End Users via Web Browsers All communication with the RealAccess portal web servers and client browsers is over a standard secure SSL connection that encrypts all requests and responses. This is achieved with an https connection that uses TLS1.2 with a 256-bit encryption layer of SSL using certificates. This connection is encrypted and authenticated using AES_128GCM with DHE_RSA as the key exchange mechanism. Anyone snooping packets traveling between the web server and the user s browser will only see strongly encrypted data packets. Additionally, thorough penetration tests were conducted using automated and manual methods to ensure that the portal is free of cross-site scripting (XSS), cross-site request forgery (XSRF), and cookie-sniffing vulnerabilities, as well as other security bugs. User Authentication to Access Information User authentication for RealAccess is done two ways. The simplest is to use the authorized customer domain. Users who are part of this domain can use their email address to register at the self sign-in portal. They then authenticate themselves with the emailed activation link and choose a password. The other way is to use the RealAccess portal authentication service, which supports Active Directory Federation Services (AD FS).With this method, the portal already is set up for single sign-on (SSO) and Polycom, Inc. 3
integrated with the customer s active directory via SAML. The user can then use their network credentials to log into the portal. With this method, the user first logs into the portal with their enterprise network credentials. The request is forwarded on a secure https connection that uses TLS1.2 with 256-bit encryption to the customer federation services, which look up the user. The response is then passed to the portal with an allow/deny message. Both authentication methods were tested manually and automatically for security weaknesses using tools such as Burp Suite and AppScan. The following diagram is an overview of the SSO message flow in RealAccess. RealAccess SSO message flow Contact Information For more information, contact your Polycom Representative. Polycom, Inc. 4
Copyright 2015, Polycom, Inc. All rights reserved. No part of this document may be reproduced, translated into another language or format, or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Polycom, Inc. 6001 America Center Drive San Jose, CA 95002 USA Polycom, the Polycom logo and the names and marks associated with Polycom products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom. End User License Agreement By installing, copying, or otherwise using this product, you acknowledge that you have read, understand and agree to be bound by the terms and conditions of the End User License Agreement for this product. Patent Information The accompanying product may be protected by one or more U.S. and foreign patents and/or pending patent applications held by Polycom, Inc. Open Source Software Used in this Product This product may contain open source software. You may receive the open source software from Polycom up to three (3) years after the distribution date of the applicable product or software at a charge not greater than the cost to Polycom of shipping or distributing the software to you. To receive software information, as well as the open source software code used in this product, contact Polycom by email at OpenSourceVideo@polycom.com. Disclaimer While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical or other errors or omissions in the content of this document. Limitation of Liability Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided as is without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages. Customer Feedback We are striving to improve our documentation quality and we appreciate your feedback. Email your opinions and comments to DocumentationFeedback@polycom.com. Visit the Polycom Support Center for End User License Agreements, software downloads, product documents, product licenses, troubleshooting tips, service requests, and more. Polycom, Inc. 5